### Install PGDSAT

Source: https://github.com/hexacluster/pgdsat/blob/main/README.md

Standard installation procedure for PGDSAT using Perl, make, and sudo.

```bash
perl Makefile.PL
make
sudo make install
```

--------------------------------

### Install PGDSAT from Source

Source: https://context7.com/hexacluster/pgdsat/llms.txt

Clone or extract the source, then build and install using Perl's standard tools. On RPM-based systems, ensure the 'perl-bignum' and 'perl-Math-BigRat' modules are installed. Verify the installation with 'pgdsat --version'.

```bash
# Clone or extract the source, then build and install
perl Makefile.PL
make
sudo make install

# On RPM-based systems, install the required bignum Perl module if missing
dnf install perl-bignum perl-Math-BigRat

# Verify installation
pgdsat --version
# Output: pgdsat v2.0

# Run directly from the source directory without installing
sudo perl -I ./lib ./pgdsat -U postgres -h localhost -d postgres -o report.html
```

--------------------------------

### PGDSAT Usage with Specific PostgreSQL Version

Source: https://github.com/hexacluster/pgdsat/blob/main/README.md

Example of running PGDSAT when multiple PostgreSQL versions are installed, specifying the version to test.

```bash
pgdsat -U postgres -h localhost -d postgres -f html -V 15.4 > report.html
```

--------------------------------

### Basic PGDSAT Usage

Source: https://github.com/hexacluster/pgdsat/blob/main/README.md

Example of running PGDSAT to generate an HTML report for a specific database.

```bash
pgdsat -U postgres -h localhost -d postgres -o report.html
```

```bash
pgdsat -U postgres -h localhost -d postgres -f html > report.html
```

--------------------------------

### Specify Custom Binary Paths

Source: https://context7.com/hexacluster/pgdsat/llms.txt

Provide full paths to psql and pg_config using the -P and -C options, respectively, when these binaries are not in the system's PATH. This is necessary for non-standard installations.
```bash
pgdsat -U postgres -d postgres \
  -P /usr/pgsql-15/bin/psql \
  -o report.html
```

```bash
pgdsat -U postgres -d postgres \
  -C /usr/pgsql-15/bin/pg_config \
  -o report.html
```

```bash
pgdsat -U postgres -d postgres \
  -P /usr/pgsql-15/bin/psql \
  -C /usr/pgsql-15/bin/pg_config \
  -o report.html
```

--------------------------------

### Execute PGDSAT from Source Directory

Source: https://github.com/hexacluster/pgdsat/blob/main/README.md

How to run PGDSAT directly from its source directory without a system-wide installation, requiring sudo privileges.

```bash
sudo perl -I ./lib ./pgdsat ...
```

--------------------------------

### Run Specific PGDSAT Security Checks

Source: https://context7.com/hexacluster/pgdsat/llms.txt

Example command to run only connection and login checks (section 5) by excluding all other sections.

```bash
# Run only connection and login checks (section 5) by removing all other sections
pgdsat -U postgres -h localhost -d postgres -o section5.html \
  -r '1.*' -r '2.*' -r '3.*' -r '4.*' -r '6.*' -r '7.*' -r '8.*'
```

--------------------------------

### Install bignum Perl module on RPM-based systems

Source: https://github.com/hexacluster/pgdsat/blob/main/README.md

Installs the required 'bignum' Perl module on systems like Fedora or CentOS.

```bash
dnf install perl-bignum perl-Math-BigRat
```

--------------------------------

### Remove Replication and Backup Checks

Source: https://context7.com/hexacluster/pgdsat/llms.txt

Use the -r option to exclude specific check sections from the report. This example removes checks related to replication (section 7) and backup (section 8).

```bash
pgdsat -U postgres -h localhost -d postgres -o report.html \
  -r '7.*' \
  -r '8.*'
```

--------------------------------

### PGDSAT Usage Excluding Specific Checks

Source: https://github.com/hexacluster/pgdsat/blob/main/README.md

Example of running PGDSAT and excluding all checks from a specific section (e.g., section 1) using a regular expression.
```bash
pgdsat -U postgres -h localhost -d postgres -V 15.4 -o report.html -r '1.*'
```

--------------------------------

### PGDSAT Perl API: Initialization and Execution

Source: https://context7.com/hexacluster/pgdsat/llms.txt

Use the PGDSAT Perl module for programmatic assessment. The new() method initializes the engine with various options, and run() executes the checks and generates the report.

```perl
use PGDSAT;

# Instantiate the assessment engine with all connection and output options
my $pgdsat = PGDSAT->new(
    user     => 'postgres',
    host     => 'localhost',
    port     => 5432,
    database => 'postgres',
    pgdata   => '/var/lib/pgsql/15/data',
    format   => 'html',
    output   => '/tmp/report.html',
    title    => 'My PostgreSQL Cluster',
    lang     => 'en_US',
    allow    => ['myapp', 'analytics'],   # per-db check inclusion list
    exclude  => ['template0'],            # per-db check exclusion list
    remove   => ['1.4.5', '6.7'],         # checks to omit from report
    'no-pg-version-check' => 0,
);

# Execute all security checks and generate + save the report
$pgdsat->run();
# After run(), /tmp/report.html contains the full HTML security report
```

--------------------------------

### Select Report Format

Source: https://context7.com/hexacluster/pgdsat/llms.txt

Controls whether the output is rendered as styled HTML or plain text. The HTML format is recommended for readability. The tool can auto-detect the format from the output file extension.
```bash
# HTML output (default) — includes summary table with icons, collapsible sections
pgdsat -U postgres -h localhost -d postgres -f html -o report.html

# Text output — suitable for terminal review or log storage
pgdsat -U postgres -h localhost -d postgres -f text -o report.txt

# Auto-detect format from output file extension
pgdsat -U postgres -h localhost -d postgres -o report.html   # -> html
pgdsat -U postgres -h localhost -d postgres -o report.txt    # -> text

# Sample text output structure:
# ################################################################################
# Summary Table of security checks
# ################################################################################
# 1 - Installation and Patches
# 1.1 - Ensure packages are obtained from authorized repositories (Manual)
# 1.1.1 - Ensure packages are obtained from PGDG => SUCCESS
# 1.3 - Ensure systemd Service Files Are Enabled => FAILURE
# 1.5 - Ensure PostgreSQL versions are up-to-date => FAILURE
# ...
```

--------------------------------

### Parse pg_hba.conf with load_pg_hba_file()

Source: https://context7.com/hexacluster/pgdsat/llms.txt

Parses a pg_hba.conf file, including include directives, into structured hash references for connection security checks.

```perl
my $hba_path = `$self->{psql} -AtXc "SHOW hba_file;"`;
chomp($hba_path);

my @entries = $self->load_pg_hba_file($hba_path);

foreach my $entry (@entries) {
    # Each entry hash contains:
    # {
    #   source   => "hostssl mydb appuser 10.0.0.0/24 scram-sha-256",
    #   type     => "hostssl",        # local | host | hostssl | hostnossl | hostgssenc
    #   database => "mydb",
    #   user     => "appuser",
    #   address  => "10.0.0.0",
    #   netmask  => "24",             # CIDR prefix or dotted-decimal mask
    #   method   => "scram-sha-256",  # trust | peer | md5 | scram-sha-256 | ldap | ...
    #   options  => "",               # any trailing auth options
    #   file     => "/etc/postgresql/15/main/pg_hba.conf",
    #   line     => 42,
    # }
    print "Type: $entry->{type}, DB: $entry->{database}, Method: $entry->{method}\n";
}
```

--------------------------------

### Generate HTML Security Report

Source: https://context7.com/hexacluster/pgdsat/llms.txt

Connect to a PostgreSQL cluster and run all security checks, writing results to an HTML file. You can specify the output format, PostgreSQL version, port, add a custom title, or manually specify the PGDATA directory.

```bash
# Basic usage: connect as superuser, write HTML report to file
pgdsat -U postgres -h localhost -d postgres -o /tmp/pg_security_report.html

# Equivalent using output redirection with explicit format flag
pgdsat -U postgres -h localhost -d postgres -f html > /tmp/pg_security_report.html

# Generate a plain text report to stdout
pgdsat -U postgres -h localhost -d postgres -f text

# Specify the PostgreSQL cluster version explicitly (required when multiple
# versions are installed on the same host)
pgdsat -U postgres -h localhost -d postgres -f html -V 15.4 > report.html

# Use a non-default port
pgdsat -U postgres -h 10.0.0.5 -p 5433 -d mydb -o report.html

# Add a custom title to differentiate reports from multiple servers
pgdsat -U postgres -h localhost -d postgres -T "Production DB - East" -o prod_east.html

# Specify PGDATA manually (useful when the postgres user cannot query data_directory)
pgdsat -U postgres -h localhost -d postgres -D /var/lib/pgsql/15/data -o report.html
```

--------------------------------

### Set Multilingual Output

Source: https://context7.com/hexacluster/pgdsat/llms.txt

Render report labels and messages in a specific language using the -l option. Supported locales include en_US, fr_FR, and zh_CN.
```bash
pgdsat -U postgres -h localhost -d postgres -l en_US -o report_en.html
```

```bash
pgdsat -U postgres -h localhost -d postgres -l fr_FR -o report_fr.html
```

```bash
pgdsat -U postgres -h localhost -d postgres -l zh_CN -o report_zh.html
```

--------------------------------

### Log Raw Data with logdata()

Source: https://context7.com/hexacluster/pgdsat/llms.txt

Appends raw collected data to the report. Automatically renders as an HTML table for pipe-separated columns or a block for free-form text.

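```perl
# Backticks interpolate like a double-quoted string, so the backslash is doubled
# to pass the psql meta-command \du+ through to the shell intact
my @superusers = `$self->{psql} -AtXc "\\du+"`;
unshift(@superusers, "Role|Attributes|Description\n");  # header row
$self->logdata(@superusers);
# HTML output: ...
```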

```perl
my @block_info = `lsblk -f 2>/dev/null | grep -v "^loop"`;
$self->logdata(@block_info);
# HTML output:
# NAME   FSTYPE  LABEL UUID  MOUNTPOINT
# ...
```

```perl
# Text format — prefixes each line with indented "DATA:"
# DATA: postgres|Superuser, Create role, ...|
```

--------------------------------

### Filter Databases for Per-DB Checks

Source: https://context7.com/hexacluster/pgdsat/llms.txt

Control which databases are included or excluded in per-database checks using the -a (allow) and -e (exclude) options. Regular expressions can be used for flexible matching. Allow takes precedence over exclude.

```bash
pgdsat -U postgres -h localhost -d postgres -o report.html \
  -a myapp_db \
  -a analytics_db
```

```bash
pgdsat -U postgres -h localhost -d postgres -o report.html \
  -e template0 \
  -e template1 \
  -e postgres
```

```bash
pgdsat -U postgres -h localhost -d postgres -o report.html \
  -e '^test_.*'   # exclude all databases whose name starts with "test_"
```

```bash
pgdsat -U postgres -h localhost -d postgres -o report.html \
  -a production \
  -e staging
```

--------------------------------

### Log Plain Text with logtext()

Source: https://context7.com/hexacluster/pgdsat/llms.txt

Appends a plain prose paragraph to the report without data formatting. Used for informational notes.

```perl
my @loginable = `$self->{psql} -AtXc "SELECT rolname FROM pg_roles ..."`;
chomp(@loginable);  # drop the newline psql leaves on each row before joining
$self->logtext(join(', ', @loginable) . "\n");
# HTML: appuser, reporting_user, replication_user
# Text: appuser, reporting_user, replication_user
```

--------------------------------

### Generate and Save Report with PGDSAT::Report

Source: https://context7.com/hexacluster/pgdsat/llms.txt

Assembles the final report from summary results and detailed output, then writes it to a file or stdout.

```perl
use PGDSAT::Report;

# Called internally by $pgdsat->run() after all check_* methods complete:
PGDSAT::Report::generate_report($self);
# Builds $self->{content} by prepending the HTML header (begin_html),
# appending the summary table (resume_as_html or resume_as_text),
# appending $self->{details} (all logmsg/logdata output), and
# closing the HTML footer (end_html).

PGDSAT::Report::save_report($self);
# Writes $self->{content} to $self->{output} (file path) or STDOUT if '-'
# Example: writes complete HTML report to /tmp/report.html
#   open $fh, '>', '/tmp/report.html' or die ...;
#   print $fh $self->{content};
```

--------------------------------

### Disable Online PostgreSQL Version Check

Source: https://context7.com/hexacluster/pgdsat/llms.txt

Use the --no-pg-version-check option to skip the internet lookup for the latest PostgreSQL minor version. This is useful in air-gapped environments.

```bash
pgdsat -U postgres -h localhost -d postgres -o report.html \
  --no-pg-version-check
```

--------------------------------

### PGDSAT Perl API: Logging Method

Source: https://context7.com/hexacluster/pgdsat/llms.txt

The internal logmsg method is used within check methods to record messages of varying severity (SUCCESS, FAILURE, CRITICAL, etc.) and format them for the report. It also handles section headings.
```perl
# Inside a check method — emit a critical failure message
$self->logmsg('5.12', 'CRITICAL',
    "parameter 'password_encryption' should be set to 'scram-sha-256', not '%s'.",
    $pwd_enc_type
);
# Marks results{'5.12'} = 'FAILURE' and writes the formatted message to report

# Emit a success confirmation
$self->logmsg('0.1', 'SUCCESS', 'Test passed');

# Emit a section heading (head1 = top-level, head2 = sub-section, head3 = leaf)
$self->logmsg('3', 'head1', 'Logging And Auditing');
$self->logmsg('3.1', 'head2', 'PostgreSQL Logging');
$self->logmsg('3.1.2', 'head3', 'Ensure the log destinations are set correctly');
```

--------------------------------

### Remove Specific Checks from Report

Source: https://context7.com/hexacluster/pgdsat/llms.txt

Excludes one or more numbered checks or entire sections from the report using exact check numbers or regular expressions. The '-r' option can be repeated to remove multiple items.

```bash
# Remove a single specific check by number
pgdsat -U postgres -h localhost -d postgres -o report.html -r 1.4.5

# Remove all checks in section 1 using a regexp
pgdsat -U postgres -h localhost -d postgres -o report.html -r '1.*'

# Remove multiple checks (option can be repeated)
pgdsat -U postgres -h localhost -d postgres -o report.html \
  -r '1.4.5' \
  -r '6.7' \
  -r '8.2'
```
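One way to act on the text report in a pipeline, as an added example that is not part of PGDSAT or its documentation. It assumes summary lines follow the `<number> - <title> => SUCCESS|FAILURE` shape of the sample text output under "Select Report Format"; the function names and the embedded report are constructed for illustration.

```shell
# Added example, not PGDSAT code. Constructed report modelled on the sample above.
sample_report() {
    cat <<'EOF'
# Summary Table of security checks
1 - Installation and Patches
1.1 - Ensure packages are obtained from authorized repositories (Manual)
1.1.1 - Ensure packages are obtained from PGDG => SUCCESS
1.3 - Ensure systemd Service Files Are Enabled => FAILURE
1.5 - Ensure PostgreSQL versions are up-to-date => FAILURE
EOF
}

# Print "number<TAB>title" for every failed check in report file $1.
# Assumes summary lines read "<number> - <title> => SUCCESS|FAILURE".
pgdsat_failures() {
    awk '
        / => FAILURE[ \t]*$/ {
            line = $0
            sub(/^[# \t]+/, "", line)                  # indentation or "#" prefix
            sub(/[ \t]*=> FAILURE[ \t]*$/, "", line)   # status suffix
            if (line !~ /^[0-9]+(\.[0-9]+)* - /) next  # not a numbered check
            num = line;   sub(/ - .*$/, "", num)
            title = line; sub(/^[0-9.]+ - /, "", title)
            printf "%s\t%s\n", num, title
        }' "$1"
}

# Return 1 if any failed check is missing from the accepted list ($2...,
# exact check numbers). Accepted findings are still printed, not hidden.
pgdsat_gate() {
    report=$1; shift
    accepted=" $* "
    rc=0
    tab=$(printf '\t')
    while IFS=$tab read -r num title; do
        [ -n "$num" ] || continue                      # report had no failures
        case "$accepted" in
            *" $num "*) echo "accepted: $num $title" ;;
            *)          echo "FAIL: $num $title"; rc=1 ;;
        esac
    done <<EOF
$(pgdsat_failures "$report")
EOF
    return "$rc"
}

# Usage: pgdsat ... -f text -o report.txt && pgdsat_gate report.txt 1.3
```

Unlike `-r`, which drops a check from the report, the accepted list here keeps the finding in the report and in the job log while letting the job pass.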