Docker Image Scan results for pachyderm/postgresql
Scan performed at 2022-12-12 15:23:07 using the CoGuard CLI
Summary
29 Total failed checks. 6 High / 2 Medium / 21 Low.
Details
Rule identifier | Severity | Documentation |
---|---|---|
postgres_enable_ssl_traffic | 5 | The communication to the database should always be encrypted. Remediation: Set the ssl directive to on .Source: https://www.postgresql.org/docs/current/ssl-tcp.html |
postgres_allowed_connections_only_ssl | 5 | The pg_hba file is defining the different connection and authentication processes for a specific Postgres instance. It should never be possible to log in to Postgres without having SSL enabled. Remediation: Set the connection type in each line to either local or hostssl . |
postgres_allowed_connections_only_ssl | 5 | The pg_hba file is defining the different connection and authentication processes for a specific Postgres instance. It should never be possible to log in to Postgres without having SSL enabled. Remediation: Set the connection type in each line to either local or hostssl . |
postgres_do_not_allow_trust_auth | 5 | The pg_hba file is defining the different connection and authentication processes for a specific Postgres instance. One should always need to authenticate, i.e. the method for authentication should never be trust . |
postgres_enable_archive_mode | 4 | In order to perform point in time recovery, the archive mode in Postgres needs to be set to be on. Remediation: Set the directive archive_mode to on .Source: https://wiki.postgresql.org/wiki/Simple_Configuration_Recommendation |
postgres_enable_archive_mode | 4 | In order to perform point in time recovery, the archive mode in Postgres needs to be set to be on. Remediation: Set the directive archive_mode to on .Source: https://wiki.postgresql.org/wiki/Simple_Configuration_Recommendation |
postgres_pg_hba_lines_mutually_exclusive | 3 | According to the documentation https://www.postgresql.org/docs/9.1/auth-pg-hba-conf.html, there is a first-match-only policy in Postgres for authentication. Hence, it is possible to create authentication lines which are never possible to be reached. If this check fails, you have such authentication lines in your pg_hba.conf file. Remediation: In your pg_hba.conf file, ensure that each lines address space or mask do not intersect.Source: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html |
dockerfile_create_volume_for_var_log | 3 | In linux systems, important operating system logs are stored in the /var/log subfolder. This folder should always be made available to the host through a volume, so that log tracking and log analysis systems can capture them. Remediation: In every Dockerfile, there should be a VOLUME directive which has /var/log as an argument.Source: https://docs.docker.com/engine/reference/builder/ |
postgres_enable_logging_connections | 2 | Postgresql offers a mechanism to log connections to the database. This is recommended to be turned on, as it enables the system administrator to analyze these logs and detect anomalies. Remediation: Set the directive log_connections to on .Source: https://wiki.postgresql.org/wiki/Simple_Configuration_Recommendation |
postgres_enable_logging_connections | 2 | Postgresql offers a mechanism to log connections to the database. This is recommended to be turned on, as it enables the system administrator to analyze these logs and detect anomalies. Remediation: Set the directive log_connections to on .Source: https://wiki.postgresql.org/wiki/Simple_Configuration_Recommendation |
postgres_enable_logging_disconnections | 2 | Postgresql offers a mechanism to log ends of sessions, including the duration of sessions. This is recommended to be turned on, as it enables the system administrator to analyze these logs and detect anomalies. Remediation: Set log_disconnections to on Source: https://www.postgresql.org/docs/9.1/runtime-config-logging.html |
postgres_enable_logging_disconnections | 2 | Postgresql offers a mechanism to log ends of sessions, including the duration of sessions. This is recommended to be turned on, as it enables the system administrator to analyze these logs and detect anomalies. Remediation: Set log_disconnections to on Source: https://www.postgresql.org/docs/9.1/runtime-config-logging.html |
dockerfile_shell_check_on_run_commands | 2 | Run commands in the Dockerfile are, generally speaking, shell scripts. It is best practice to lint them and do a shell-check on them for common, shell-script related errors, which can be quite subtle. Remediation: Ensure that all RUN command lines would pass a run through the shellcheck database of common shell scripting errors. Source: https://www.shellcheck.net/wiki/ |
dockerfile_copy_command_more_than_two_arguments_slash | 2 | The COPY directive allows the copying of one or more files on the host machine into the image that is being built. If there is more than one file copied, it is apparent that the destination is a folder, and hence has to end with / . Remediation: Ensure that every COPY instruction with more than two arguments has the last argument ending with / Source: https://docs.docker.com/engine/reference/builder/#copy |
postgres_ensure_log_directory_is_set | 2 | Postgres allows you to set your own log directory, which in turn ensures that the user as which Postgresql is run is allowed to write into that directory. It is recommended to set this directory specifically. Remediation: Set log_directory to a value of your choice.Source: https://www.postgresql.org/docs/10/runtime-config-logging.html |
postgres_ensure_log_directory_is_set | 2 | Postgres allows you to set your own log directory, which in turn ensures that the user as which Postgresql is run is allowed to write into that directory. It is recommended to set this directory specifically. Remediation: Set log_directory to a value of your choice.Source: https://www.postgresql.org/docs/10/runtime-config-logging.html |
postgres_ensure_log_rotation_size_not_disabled | 2 | Log file rotation by by size is part of logging best practices. It is important to have a value set there that follows your companie's policies Remediation: Set the parameter log_rotation_size to any value other than 0 Source: https://www.postgresql.org/docs/10/runtime-config-logging.html |
postgres_ensure_log_rotation_size_not_disabled | 2 | Log file rotation by by size is part of logging best practices. It is important to have a value set there that follows your companie's policies Remediation: Set the parameter log_rotation_size to any value other than 0 Source: https://www.postgresql.org/docs/10/runtime-config-logging.html |
postgres_do_not_use_standard_port | 2 | Using the standard port makes it easier for intruders to scan for the service from the outside Remediation: Set the parameter port to any other value than 5432 |
postgres_do_not_use_standard_port | 2 | Using the standard port makes it easier for intruders to scan for the service from the outside Remediation: Set the parameter port to any other value than 5432 |
postgres_log_timezone_utc | 2 | Working in different timezones is a great area of error. For logging, it is generally recommended to use UTC time, and convert in visual tools to local times as needed. By default, Postgres uses the operating system's timezone setting as its timezone for logging. It is best to set it to UTC to avoid confusion, or to your organization's standard time zone setting. Remediation: Set the parameter log_timezone to UTC Source: https://www.postgresql.org/docs/10/runtime-config-logging.html |
postgres_log_timezone_utc | 2 | Working in different timezones is a great area of error. For logging, it is generally recommended to use UTC time, and convert in visual tools to local times as needed. By default, Postgres uses the operating system's timezone setting as its timezone for logging. It is best to set it to UTC to avoid confusion, or to your organization's standard time zone setting. Remediation: Set the parameter log_timezone to UTC Source: https://www.postgresql.org/docs/10/runtime-config-logging.html |
postgres_log_statement_not_none | 2 | By default, log statements are not logged at all. It is useful for auditing purposes to at least set it to ddl , meaning that DROP, ALTER and CREATE statements are being logged.Remediation: Set the parameter log_statement to anything other but none (default value is none ).Source: https://www.postgresql.org/docs/10/runtime-config-logging.html |
postgres_log_statement_not_none | 2 | By default, log statements are not logged at all. It is useful for auditing purposes to at least set it to ddl , meaning that DROP, ALTER and CREATE statements are being logged.Remediation: Set the parameter log_statement to anything other but none (default value is none ).Source: https://www.postgresql.org/docs/10/runtime-config-logging.html |
dockerfile_container_healthcheck_parameter | 2 | Dockerfiles have an instruction called HEALTHCHECK . It enables a user to define a command to figure out if the program(s) running inside the container are working properly. It is generally advisable to have healthchecks in place to assist monitoring of running containers. Remediation: Have at least one HEALTHCHECK instruction in your Dockerfile.Source: https://docs.docker.com/engine/reference/builder/#healthcheck |
dockerfile_copy_destination_absolute_path_or_var | 1 | The COPY command should define its destination using an absolute path. Remediation: Ensure that every COPY instruction has as last argument a string starting with '/' or starting with an environment variable/argument. Source: https://docs.docker.com/develop/develop-images/dockerfile_best-practices |
dockerfile_env_and_arg_defined_and_right_away_used | 1 | When creating Docker images that use environment variables or build arguments, it is advisable to position the ARG or ENV directives close to their actual uses, since otherwise the caching for building the images is not greatly used.Remediation: Every variable defined by an ENV or ARG directive should be used within the next five commands inside the Dockerfile. |
dockerfile_only_one_definition_per_env_statement | 1 | The ENV statement allows multiple definitions. This should be avoided for readability reasons, as well as pitfalls like variables not being evaluated if defined within the same ENV directive. Remediation: Ensure that every ENV directive has only one assignment. |
dockerfile_use_multi_stage_builds_for_compilation | 1 | Best practice for Docker requires to keep images as small as possible. If a build is happening inside an image, it is recommended to copy the final artifacts into a new image layer at the end (referred to as multi-staged builds). Remediation: This check flags that if any of the RUN instructions contain one of the following commands, there needs to be at least two FROM directives: - make- cmake - mvn - gradle - gcc - ant Souce: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#use-multi-stage-builds |
Scan performed at 2022-12-12 15:23:07 using the CoGuard CLI