### Install PGDSAT

Source: https://github.com/hexacluster/pgdsat/blob/main/README.md

Standard installation procedure for PGDSAT using Perl, make, and sudo.

```bash
perl Makefile.PL
make
sudo make install
```

--------------------------------

### Install PGDSAT from Source

Source: https://context7.com/hexacluster/pgdsat/llms.txt

Clone or extract the source, then build and install using Perl's standard tools. On RPM-based systems, ensure the 'perl-bignum' and 'perl-Math-BigRat' modules are installed. Verify the installation with 'pgdsat --version'.

```bash
# Clone or extract the source, then build and install
perl Makefile.PL
make
sudo make install

# On RPM-based systems, install the required bignum Perl module if missing
dnf install perl-bignum perl-Math-BigRat

# Verify installation
pgdsat --version
# Output: pgdsat v2.0

# Run directly from the source directory without installing
sudo perl -I ./lib ./pgdsat -U postgres -h localhost -d postgres -o report.html
```

--------------------------------

### PGDSAT Usage with Specific PostgreSQL Version

Source: https://github.com/hexacluster/pgdsat/blob/main/README.md

Example of running PGDSAT when multiple PostgreSQL versions are installed, specifying the version to test.

```bash
pgdsat -U postgres -h localhost -d postgres -f html -V 15.4 > report.html
```

--------------------------------

### Basic PGDSAT Usage

Source: https://github.com/hexacluster/pgdsat/blob/main/README.md

Example of running PGDSAT to generate an HTML report for a specific database.

```bash
pgdsat -U postgres -h localhost -d postgres -o report.html
```

```bash
pgdsat -U postgres -h localhost -d postgres -f html > report.html
```

--------------------------------

### Specify Custom Binary Paths

Source: https://context7.com/hexacluster/pgdsat/llms.txt

Provide full paths to psql and pg_config using -P and -C options, respectively, when these binaries are not in the system's PATH. This is necessary for non-standard installations.

```bash
pgdsat -U postgres -d postgres \
  -P /usr/pgsql-15/bin/psql \
  -o report.html
```

```bash
pgdsat -U postgres -d postgres \
  -C /usr/pgsql-15/bin/pg_config \
  -o report.html
```

```bash
pgdsat -U postgres -d postgres \
  -P /usr/pgsql-15/bin/psql \
  -C /usr/pgsql-15/bin/pg_config \
  -o report.html
```

--------------------------------

### Execute PGDSAT from Source Directory

Source: https://github.com/hexacluster/pgdsat/blob/main/README.md

How to run PGDSAT directly from its source directory without a system-wide installation, requiring sudo privileges.

```bash
sudo perl -I ./lib ./pgdsat ...
```

--------------------------------

### Run Specific PGDSAT Security Checks

Source: https://context7.com/hexacluster/pgdsat/llms.txt

Example command to run only connection and login checks (section 5) by excluding all other sections.

```bash
# Run only connection and login checks (section 5) by removing all other sections
pgdsat -U postgres -h localhost -d postgres -o section5.html \
  -r '1.*' -r '2.*' -r '3.*' -r '4.*' -r '6.*' -r '7.*' -r '8.*'
```

--------------------------------

### Install bignum Perl module on RPM-based systems

Source: https://github.com/hexacluster/pgdsat/blob/main/README.md

Installs the required 'bignum' Perl module on systems like Fedora or CentOS.

```bash
dnf install perl-bignum perl-Math-BigRat
```

--------------------------------

### Remove Replication and Backup Checks

Source: https://context7.com/hexacluster/pgdsat/llms.txt

Use the -r option to exclude specific check sections from the report. This example removes checks related to replication (section 7) and backup (section 8).

```bash
pgdsat -U postgres -h localhost -d postgres -o report.html \
  -r '7.*' \
  -r '8.*'
```

--------------------------------

### PGDSAT Usage Excluding Specific Checks

Source: https://github.com/hexacluster/pgdsat/blob/main/README.md

Example of running PGDSAT and excluding all checks from a specific section (e.g., section 1) using a regular expression.

```bash
pgdsat -U postgres -h localhost -d postgres -V 15.4 -o report.html -r '1.*'
```

--------------------------------

### PGDSAT Perl API: Initialization and Execution

Source: https://context7.com/hexacluster/pgdsat/llms.txt

Use the PGDSAT Perl module for programmatic assessment. The new() method initializes the engine with various options, and run() executes the checks and generates the report.

```perl
use PGDSAT;

# Instantiate the assessment engine with all connection and output options
my $pgdsat = PGDSAT->new(
    user     => 'postgres',
    host     => 'localhost',
    port     => 5432,
    database => 'postgres',
    pgdata   => '/var/lib/pgsql/15/data',
    format   => 'html',
    output   => '/tmp/report.html',
    title    => 'My PostgreSQL Cluster',
    lang     => 'en_US',
    allow    => ['myapp', 'analytics'],   # per-db check inclusion list
    exclude  => ['template0'],            # per-db check exclusion list
    remove   => ['1.4.5', '6.7'],         # checks to omit from report
    'no-pg-version-check' => 0,
);

# Execute all security checks and generate + save the report
$pgdsat->run();

# After run(), /tmp/report.html contains the full HTML security report
```

--------------------------------

### Select Report Format

Source: https://context7.com/hexacluster/pgdsat/llms.txt

Controls whether the output is rendered as styled HTML or plain text. The HTML format is recommended for readability. The tool can auto-detect the format from the output file extension.

```bash
# HTML output (default) — includes summary table with icons, collapsible sections
pgdsat -U postgres -h localhost -d postgres -f html -o report.html

# Text output — suitable for terminal review or log storage
pgdsat -U postgres -h localhost -d postgres -f text -o report.txt

# Auto-detect format from output file extension
pgdsat -U postgres -h localhost -d postgres -o report.html   # -> html
pgdsat -U postgres -h localhost -d postgres -o report.txt    # -> text

# Sample text output structure:
# ################################################################################
# Summary Table of security checks
# ################################################################################
# 1 - Installation and Patches
# 1.1 - Ensure packages are obtained from authorized repositories (Manual)
# 1.1.1 - Ensure packages are obtained from PGDG => SUCCESS
# 1.3 - Ensure systemd Service Files Are Enabled => FAILURE
# 1.5 - Ensure PostgreSQL versions are up-to-date => FAILURE
# ...
```

--------------------------------

### Parse pg_hba.conf with load_pg_hba_file()

Source: https://context7.com/hexacluster/pgdsat/llms.txt

Parses a pg_hba.conf file, including include directives, into structured hash references for connection security checks.

```perl
my $hba_path = `$self->{psql} -AtXc "SHOW hba_file;"`;
chomp($hba_path);
my @entries = $self->load_pg_hba_file($hba_path);

foreach my $entry (@entries) {
    # Each entry hash contains:
    # {
    #   source   => "hostssl mydb appuser 10.0.0.0/24 scram-sha-256",
    #   type     => "hostssl",        # local | host | hostssl | hostnossl | hostgssenc
    #   database => "mydb",
    #   user     => "appuser",
    #   address  => "10.0.0.0",
    #   netmask  => "24",             # CIDR prefix or dotted-decimal mask
    #   method   => "scram-sha-256",  # trust | peer | md5 | scram-sha-256 | ldap | ...
    #   options  => "",               # any trailing auth options
    #   file     => "/etc/postgresql/15/main/pg_hba.conf",
    #   line     => 42,
    # }
    print "Type: $entry->{type}, DB: $entry->{database}, Method: $entry->{method}\n";
}
```

--------------------------------

### Generate HTML Security Report

Source: https://context7.com/hexacluster/pgdsat/llms.txt

Connect to a PostgreSQL cluster and run all security checks, writing results to an HTML file. You can specify the output format, PostgreSQL version, port, add a custom title, or manually specify the PGDATA directory.

```bash
# Basic usage: connect as superuser, write HTML report to file
pgdsat -U postgres -h localhost -d postgres -o /tmp/pg_security_report.html

# Equivalent using output redirection with explicit format flag
pgdsat -U postgres -h localhost -d postgres -f html > /tmp/pg_security_report.html

# Generate a plain text report to stdout
pgdsat -U postgres -h localhost -d postgres -f text

# Specify the PostgreSQL cluster version explicitly (required when multiple
# versions are installed on the same host)
pgdsat -U postgres -h localhost -d postgres -f html -V 15.4 > report.html

# Use a non-default port
pgdsat -U postgres -h 10.0.0.5 -p 5433 -d mydb -o report.html

# Add a custom title to differentiate reports from multiple servers
pgdsat -U postgres -h localhost -d postgres -T "Production DB - East" -o prod_east.html

# Specify PGDATA manually (useful when the postgres user cannot query data_directory)
pgdsat -U postgres -h localhost -d postgres -D /var/lib/pgsql/15/data -o report.html
```

--------------------------------

### Set Multilingual Output

Source: https://context7.com/hexacluster/pgdsat/llms.txt

Render report labels and messages in a specific language using the -l option. Supported locales include en_US, fr_FR, and zh_CN.

```bash
pgdsat -U postgres -h localhost -d postgres -l en_US -o report_en.html
```

```bash
pgdsat -U postgres -h localhost -d postgres -l fr_FR -o report_fr.html
```

```bash
pgdsat -U postgres -h localhost -d postgres -l zh_CN -o report_zh.html
```

--------------------------------

### Log Raw Data with logdata()

Source: https://context7.com/hexacluster/pgdsat/llms.txt

Appends raw collected data to the report. Automatically renders as an HTML table for pipe-separated columns or a `<pre>` block for free-form text.

```perl
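# Perl backticks interpolate escapes like a double-quoted string, so the
# backslash of the psql meta-command \du+ must be doubled to reach psql intact
my @superusers = `$self->{psql} -AtXc "\\du+"`;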
unshift(@superusers, "Role|Attributes|Description\n"); # header row
$self->logdata(@superusers);
# HTML output: a table whose header row is Role | Attributes | Description