密码策略
select * from pg_user
select * from pg_settings;
show password_encryption;
show shared_preload_libraries;
alter username postgres valid until '2024-05-11';
日志审计
select name,setting from pg_settings where name='logging_collector' or name='log_line_prefix' or name='log_statement' or name='log_filename' or name='log_rotation_age';
show logging_collector;
show log_statement;
show log_rotation_age;
show log_filename;
show log_line_prefix;
安全连接
tail -10 /home/pgsql13/postgresql/data/pg_hba.conf|grep hostssl
hostssl all all 127.0.0.1/32 trust
hostssl all all 172.26.0.0/20 scram-sha-256
hostssl all all 10.43.92.0/22 scram-sha-256
数据完整性
#检查ssl相关配置
show ssl;
select name,setting from pg_settings where name like '%ssl%';
#检查SSL/TLS 连接
select pg_ssl.pid, pg_ssl.ssl, pg_ssl.version,
pg_sa.backend_type, pg_sa.usename, pg_sa.client_addr
from pg_stat_ssl pg_ssl
join pg_stat_activity pg_sa
on pg_ssl.pid = pg_sa.pid;
空闲超时
select * from pg_settings ps where ps.name like '%timeout%';
三权划分
select * from pg_settings;
select * from pg_roles;
#系统管理员
CREATE USER sysadmin WITH LOGIN NOSUPERUSER CREATEDB INHERIT REPLICATION NOBYPASSRLS VALID UNTIL '2024-05-10' CONNECTION LIMIT -1 ENCRYPTED PASSWORD 'BBzN_05Xd6g1%mUc';
#安全管理员
CREATE USER safeadmin WITH LOGIN NOSUPERUSER NOCREATEDB CREATEROLE INHERIT NOREPLICATION BYPASSRLS VALID UNTIL '2024-05-10' CONNECTION LIMIT -1 ENCRYPTED PASSWORD 'LxS@k4y8LBDQX>vK';
#审计管理员
CREATE USER auditadmin VALID UNTIL '2024-05-10' CONNECTION LIMIT -1 ENCRYPTED PASSWORD 'QxQJh3RTN_6f*rod';
ALTER USER auditadmin SET default_transaction_read_only=on;
GRANT USAGE ON SCHEMA public to auditadmin;
select* from pg_shadow;