fix: include users, groups perms

samrose · samrose · commit 008491a83806 · 2025-12-10T13:19:24.000-05:00
diff --git a/audit-specs/baselines/ami-build/files-postgres-config.yml b/audit-specs/baselines/ami-build/files-postgres-config.yml
@@ -0,0 +1,113 @@
+# File baseline: postgres-config
+# PostgreSQL configuration files for AMI build
+# Uses string names for owner/group (not numeric IDs)
+file:
+  # Main PostgreSQL config directory
+  /etc/postgresql:
+    exists: true
+    filetype: directory
+    owner: postgres
+    group: postgres
+    mode: '0755'
+  /etc/postgresql/postgresql.conf:
+    exists: true
+    filetype: file
+    owner: root
+    group: root
+    mode: '0644'
+  /etc/postgresql/pg_hba.conf:
+    exists: true
+    filetype: file
+    owner: root
+    group: postgres
+    mode: '0664'
+  /etc/postgresql/pg_ident.conf:
+    exists: true
+    filetype: file
+    owner: root
+    group: postgres
+    mode: '0644'
+  /etc/postgresql/logging.conf:
+    exists: true
+    filetype: file
+    owner: root
+    group: postgres
+    mode: '0644'
+
+  # Custom PostgreSQL config directory
+  /etc/postgresql-custom:
+    exists: true
+    filetype: directory
+    owner: postgres
+    group: postgres
+    mode: '0755'
+  /etc/postgresql-custom/platform-defaults.conf:
+    exists: true
+    filetype: file
+    owner: postgres
+    group: postgres
+    mode: '0644'
+  /etc/postgresql-custom/custom-overrides.conf:
+    exists: true
+    filetype: file
+    owner: postgres
+    group: postgres
+    mode: '0664'
+  /etc/postgresql-custom/generated-optimizations.conf:
+    exists: true
+    filetype: file
+    owner: postgres
+    group: postgres
+    mode: '0664'
+  /etc/postgresql-custom/supautils.conf:
+    exists: true
+    filetype: file
+    owner: postgres
+    group: postgres
+    mode: '0664'
+  /etc/postgresql-custom/wal-g.conf:
+    exists: true
+    filetype: file
+    owner: postgres
+    group: postgres
+    mode: '0664'
+  /etc/postgresql-custom/read-replica.conf:
+    exists: true
+    filetype: file
+    owner: postgres
+    group: postgres
+    mode: '0664'
+  /etc/postgresql-custom/pgsodium_root.key:
+    exists: true
+    filetype: file
+    owner: postgres
+    group: postgres
+    mode: '0600'
+
+  # Extension custom scripts directory
+  /etc/postgresql-custom/extension-custom-scripts:
+    exists: true
+    filetype: directory
+    owner: postgres
+    group: postgres
+    mode: '0755'
+  /etc/postgresql-custom/extension-custom-scripts/before-create.sql:
+    exists: true
+    filetype: file
+    owner: postgres
+    group: postgres
+    mode: '0775'
+
+  # PostgREST config directory
+  /etc/postgrest:
+    exists: true
+    filetype: directory
+    owner: postgrest
+    group: postgrest
+    mode: '0755'
+  /etc/postgrest/base.conf:
+    exists: true
+    filetype: file
+    owner: root
+    group: root
+    mode: '0664'
diff --git a/audit-specs/baselines/ami-build/files-postgres-data.yml b/audit-specs/baselines/ami-build/files-postgres-data.yml
@@ -0,0 +1,17 @@
+# File baseline: postgres-data
+# PostgreSQL data directory for AMI build
+# Uses string names for owner/group (not numeric IDs)
+file:
+  # PostgreSQL data directory
+  /var/lib/postgresql:
+    exists: true
+    filetype: directory
+    owner: postgres
+    group: postgres
+    mode: '0755'
+  /var/lib/postgresql/data:
+    exists: true
+    filetype: directory
+    owner: postgres
+    group: postgres
+    mode: '0700'
diff --git a/audit-specs/baselines/ami-build/files-security.yml b/audit-specs/baselines/ami-build/files-security.yml
@@ -0,0 +1,77 @@
+# File baseline: security
+# Critical security-related files for AMI build
+# Uses string names for owner/group (not numeric IDs)
+file:
+  # fail2ban configuration directory
+  /etc/fail2ban:
+    exists: true
+    filetype: directory
+    owner: root
+    group: root
+    mode: '0755'
+  /etc/fail2ban/jail.local:
+    exists: true
+    filetype: file
+    owner: root
+    group: root
+    mode: '0644'
+
+  # AppArmor
+  /etc/apparmor.d:
+    exists: true
+    filetype: directory
+    owner: root
+    group: root
+    mode: '0755'
+
+  # UFW firewall
+  /etc/ufw:
+    exists: true
+    filetype: directory
+    owner: root
+    group: root
+    mode: '0755'
+  /etc/ufw/ufw.conf:
+    exists: true
+    filetype: file
+    owner: root
+    group: root
+    mode: '0644'
+
+  # SSH configuration
+  /etc/ssh/sshd_config:
+    exists: true
+    filetype: file
+    owner: root
+    group: root
+    mode: '0644'
+
+  # PAM configuration
+  /etc/pam.d:
+    exists: true
+    filetype: directory
+    owner: root
+    group: root
+    mode: '0755'
+
+  # Sudoers
+  /etc/sudoers:
+    exists: true
+    filetype: file
+    owner: root
+    group: root
+    mode: '0440'
+  /etc/sudoers.d:
+    exists: true
+    filetype: directory
+    owner: root
+    group: root
+    mode: '0750'
+
+  # Security limits
+  /etc/security/limits.conf:
+    exists: true
+    filetype: file
+    owner: root
+    group: root
+    mode: '0644'
diff --git a/audit-specs/baselines/ami-build/files-ssl.yml b/audit-specs/baselines/ami-build/files-ssl.yml
@@ -0,0 +1,37 @@
+# File baseline: ssl
+# SSL certificate and key directories for AMI build
+# Uses string names for owner/group (not numeric IDs)
+file:
+  # System SSL directory
+  /etc/ssl:
+    exists: true
+    filetype: directory
+    owner: root
+    group: root
+    mode: '0755'
+  /etc/ssl/certs:
+    exists: true
+    filetype: directory
+    owner: root
+    group: root
+    mode: '0755'
+  /etc/ssl/private:
+    exists: true
+    filetype: directory
+    owner: root
+    group: ssl-cert
+    mode: '0710'
+  /etc/ssl/openssl.cnf:
+    exists: true
+    filetype: file
+    owner: root
+    group: root
+    mode: '0644'
+
+  # AdminAPI SSL directory (created during AMI build)
+  /etc/ssl/adminapi:
+    exists: true
+    filetype: directory
+    owner: adminapi
+    group: root
+    mode: '0700'
diff --git a/nix/packages/supascan/internal/scanners/files.go b/nix/packages/supascan/internal/scanners/files.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"io/fs"
 	"os"
+	"os/user"
 	"path/filepath"
 	"syscall"
 
@@ -212,14 +213,20 @@ func (s *FileScanner) handleError(err error, path string, opts ScanOptions) erro
 
 // getUsername returns username for UID (or UID as string if lookup fails)
 func getUsername(uid uint32) string {
-	// Simple implementation: just return UID
-	// Could use os/user.LookupId() for name resolution
-	return fmt.Sprintf("%d", uid)
+	u, err := user.LookupId(fmt.Sprintf("%d", uid))
+	if err != nil {
+		// Fall back to numeric UID if lookup fails
+		return fmt.Sprintf("%d", uid)
+	}
+	return u.Username
 }
 
 // getGroupname returns groupname for GID (or GID as string if lookup fails)
 func getGroupname(gid uint32) string {
-	// Simple implementation: just return GID
-	// Could use os/user.LookupGroupId() for name resolution
-	return fmt.Sprintf("%d", gid)
+	g, err := user.LookupGroupId(fmt.Sprintf("%d", gid))
+	if err != nil {
+		// Fall back to numeric GID if lookup fails
+		return fmt.Sprintf("%d", gid)
+	}
+	return g.Name
 }
