What is klouddb_Shield?
Klouddb_Shield is an open source security tool that checks for CIS compliance. Currently we check 8 RDS controls, 40 Postgres controls and 46 MySQL controls, a total of 94 checks as of today, and we plan to add more checks soon.
Please see the previous blog posts on this topic:
Postgres release – https://klouddb.io/cis-benchmarks-for-postgres-klouddbshield-1-1/
MySQL release – https://klouddb.io/releasing-first-version-of-klouddb-shield-mysql-cis-benchmarks/
RDS release – https://klouddb.io/klouddb-shield-1-2-rds-cis-benchmarks/
HTML report release – https://klouddb.io/klouddb-shield-1-3-html-feature
Release 1.4 - What is new in this release?
In this release we are introducing the HBA scanner feature. We perform about 9 different checks and generate a report (a total of 40 checks for Postgres).
HBA Scanner - Using pg_hba_file_rules
Internally we use pg_hba_file_rules to perform these checks. Please ensure that the database user running the scan has been given the permissions needed to read it.
For example, a query like the one below can be used to check for the presence of ‘all’ in the database section.
HBA Scanner - File scan
By default the scanner uses pg_hba_file_rules; if this method fails, it can fall back to the file scanner method, which scans the hba file and detects issues automatically. (Our recommendation is to use the pg_hba_file_rules method.)
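A sketch of the file-scan idea for one check, the keyword all in the database field, written as an added example and not KloudDB Shield's own code. The sample pg_hba.conf content and the function names are constructed for illustration; backslash line continuations and include directives are not followed.

```python
import re

# Constructed sample pg_hba.conf content (illustrative, not from the original page).
SAMPLE_HBA = '''\
# TYPE  DATABASE   USER      ADDRESS       METHOD
local   all        postgres                peer
host    appdb      appuser   10.0.0.0/24   scram-sha-256
host    appdb,all  report    10.0.1.0/24   scram-sha-256  # inline comment
host    "all"      legacy    10.0.2.5/32   scram-sha-256
hostssl sameuser   all       10.0.3.0/24   scram-sha-256
'''

RECORD_TYPES = {"local", "host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}


def fields(line):
    """Split a line on whitespace outside double quotes; '#' outside quotes starts a comment."""
    out, cur, in_quote = [], "", False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
            cur += ch  # keep the quotes so quoted names stay distinguishable
        elif ch == "#" and not in_quote:
            break
        elif ch.isspace() and not in_quote:
            if cur:
                out.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        out.append(cur)
    return out


def database_all_rules(hba_text):
    """Return (line_number, type, database_items) for rules whose database list uses keyword all."""
    findings = []
    for lineno, line in enumerate(hba_text.splitlines(), start=1):
        f = fields(line)
        if len(f) < 2 or f[0] not in RECORD_TYPES:
            continue  # blank or comment-only line, include directive, or unknown record type
        items = re.findall(r'"[^"]*"|[^,]+', f[1])  # comma-separated list, quote-aware
        if "all" in items:  # a quoted "all" is a literal database name, not the keyword
            findings.append((lineno, f[0], items))
    return findings


if __name__ == "__main__":
    for finding in database_all_rules(SAMPLE_HBA):
        print(finding)
```

The rule on line 6 is not reported because its `all` sits in the user column; only the database column is inspected here.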
Sample run - How to produce hba report ?
After installing the package or cloning the repo, please run the command below. Pick option 1 for Postgres; it will then prompt you with ‘Do you also want to run HBA Scanner’, to which you reply ‘y’.
HTML report for HBA scanner
The HTML report enhances the user experience. Once you generate the HTML report, you need to open it with a web browser. NOTE: Currently two different HTML reports are generated: 1) postgressecreport.html 2) hbascannerreport.html
Below is sample output for the HBA scanner HTML report.
Another very useful add-on in this release is the + button. You can get detailed info about a particular control using the + button.
Future releases
Please try the HBA scanner and HTML report today – you will definitely like it. Please stay tuned – more exciting features are coming up.
Conclusion
We released KloudDB Shield 1.4 today. Please give it a try and pass on your feedback. We spent a ton of time developing this tool and we plan to enhance it based on user feedback.
Also check our performance articles: Pg_fincore and pg_buffercache to troubleshoot performance issues, Pgbouncer multiple instances (How we increased our TPS using multiple instances), Postgres and temporary files, Pgpool and performance tuning, How we improved Lambda performance by 130x, etc.