feat: supascan audit feature (#1963)

* feat: audit feature

* feat: shallow dirs

* feat: include dirs

* fix: deal with various dirs

* fix: excludes

* feat: baseline test

* tests: upload baseline

* fix: move audit to end of image build

* feat: supascan

* fix: cleanup

* fix: upload

* fix: consolidate installation etc

* fix: install

* fix: sudo for validate

* fix: ubuntu user path

* feat: organize into ami build and deployed

* fix: rename

* fix: package not present at ami build

* fix: include users, groups perms

* fix: align perms with build stage

* fix: restore sh files undo formatting

* chore: restore version in package

* fix: update conf.d

* chore: rename task

Author: samrose

ansible/files/supascan_ami.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+# Baseline Validation Check
+#
+# This script validates that the machine matches the committed baseline
+# specifications using supascan (pre-installed via nix profile for ubuntu user).
+#
+# Usage: supascan_ami.sh [baselines-dir]
+
+set -euo pipefail
+
+BASELINES_DIR="${1:-/tmp/ansible-playbook/audit-specs/baselines/ami-build}"
+
+echo "============================================================"
+echo "Baseline Validation"
+echo "============================================================"
+echo ""
+echo "Baselines directory: $BASELINES_DIR"
+echo ""
+
+# Check baselines directory exists
+if [[ ! -d $BASELINES_DIR ]]; then
+  echo "ERROR: Baselines directory not found: $BASELINES_DIR"
+  exit 1
+fi
+
+# Add ubuntu user's nix profile to PATH
+export PATH="/home/ubuntu/.nix-profile/bin:$PATH"
+
+# Verify supascan is available
+if ! command -v supascan &>/dev/null; then
+  echo "ERROR: supascan not found in PATH"
+  echo "PATH: $PATH"
+  exit 1
+fi
+
+# Run supascan validate (it calls sudo goss internally for privileged checks)
+exec supascan validate --verbose "$BASELINES_DIR"

ansible/playbook.yml

@@ -220,6 +220,18 @@
         systemctl stop fail2ban.service
       when: stage2_nix
 
+    - name: Run supascan baseline validation
+      become: yes
+      shell: |
+        /bin/bash /tmp/ansible-playbook/ansible/files/supascan_ami.sh /tmp/ansible-playbook/audit-specs/baselines/ami-build
+      when: stage2_nix
+
+    - name: Remove supascan after validation
+      become: yes
+      shell: |
+        sudo -u ubuntu bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile remove supascan"
+      when: stage2_nix
+
     - name: nix collect garbage
       become: yes
       shell: |

ansible/tasks/stage2-setup-postgres.yml

@@ -106,6 +106,14 @@
       loop_control:
         loop_var: 'nix_item'
 
+    - name: Install supascan for baseline validation
+      ansible.builtin.shell: |
+        sudo -u ubuntu bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/{{ git_commit_sha }}#supascan"
+
+    - name: nix collect garbage after supascan install
+      ansible.builtin.shell:
+        cmd: sudo -u ubuntu bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix-collect-garbage -d"
+
     - name: Set ownership and permissions for file and dirs
       ansible.builtin.file:
         group: 'postgres'

audit-specs/baselines/README.md

@@ -0,0 +1,33 @@
+# Machine Baselines
+
+This directory contains captured baselines from real machines.
+
+## Generating a Baseline
+
+On your target machine:
+```bash
+sudo nix run github:supabase/ubuntu-cis-audit#cis-generate-spec -- baseline.yaml
+```
+
+## Naming Convention
+
+Use descriptive names that identify the machine type or environment:
+- `production-db-baseline.yaml` - Production database server
+- `staging-api-baseline.yaml` - Staging API server
+- `postgres-baseline.yaml` - Standard PostgreSQL server config
+
+## Using Baselines
+
+Copy your baseline to this directory and commit to git. Then use GOSS to audit other machines:
+
+```bash
+# On target machine
+goss --gossfile audit-specs/baselines/production-db-baseline.yaml validate
+```
+
+## Baseline Sources
+
+Document where each baseline came from:
+
+- `postgres-baseline.yaml` - Generated from db-pdnxwzxvlrfwogpyaltm on 2025-11-22
+- `production-baseline.yaml` - Generated from prod-server-001 on 2025-11-20

audit-specs/baselines/ami-build/files-postgres-config.yml

@@ -0,0 +1,108 @@
+# File baseline: postgres-config
+# PostgreSQL configuration files for AMI build
+# Uses string names for owner/group (not numeric IDs)
+file:
+  # Main PostgreSQL config directory
+  /etc/postgresql:
+    exists: true
+    filetype: directory
+    owner: postgres
+    group: postgres
+    mode: '0775'
+  /etc/postgresql/postgresql.conf:
+    exists: true
+    filetype: file
+    owner: root
+    group: root
+    mode: '0644'
+  /etc/postgresql/pg_hba.conf:
+    exists: true
+    filetype: file
+    owner: root
+    group: postgres
+    mode: '0664'
+  /etc/postgresql/pg_ident.conf:
+    exists: true
+    filetype: file
+    owner: root
+    group: postgres
+    mode: '0644'
+  /etc/postgresql/logging.conf:
+    exists: true
+    filetype: file
+    owner: root
+    group: postgres
+    mode: '0644'
+
+  # Custom PostgreSQL config directory
+  /etc/postgresql-custom:
+    exists: true
+    filetype: directory
+    owner: postgres
+    group: postgres
+    mode: '0775'
+  # Note: platform-defaults.conf and pgsodium_root.key are created at deploy time
+  /etc/postgresql-custom/custom-overrides.conf:
+    exists: true
+    filetype: file
+    owner: postgres
+    group: postgres
+    mode: '0664'
+  /etc/postgresql-custom/generated-optimizations.conf:
+    exists: true
+    filetype: file
+    owner: postgres
+    group: postgres
+    mode: '0664'
+  /etc/postgresql-custom/supautils.conf:
+    exists: true
+    filetype: file
+    owner: postgres
+    group: postgres
+    mode: '0664'
+  /etc/postgresql-custom/conf.d:
+    exists: true
+    filetype: directory
+    owner: postgres
+    group: postgres
+    mode: '0775'
+  /etc/postgresql-custom/conf.d/wal-g.conf:
+    exists: true
+    filetype: file
+    owner: postgres
+    group: postgres
+    mode: '0664'
+  /etc/postgresql-custom/conf.d/read_replica.conf:
+    exists: true
+    filetype: file
+    owner: postgres
+    group: postgres
+    mode: '0664'
+
+  # Extension custom scripts directory
+  /etc/postgresql-custom/extension-custom-scripts:
+    exists: true
+    filetype: directory
+    owner: postgres
+    group: postgres
+    mode: '0775'
+  /etc/postgresql-custom/extension-custom-scripts/before-create.sql:
+    exists: true
+    filetype: file
+    owner: postgres
+    group: postgres
+    mode: '0775'
+
+  # PostgREST config directory
+  /etc/postgrest:
+    exists: true
+    filetype: directory
+    owner: postgrest
+    group: postgrest
+    mode: '0775'
+  /etc/postgrest/base.conf:
+    exists: true
+    filetype: file
+    owner: postgrest
+    group: postgrest
+    mode: '0644'

audit-specs/baselines/ami-build/files-postgres-data.yml

@@ -0,0 +1,19 @@
+# File baseline: postgres-data
+# PostgreSQL data directory for AMI build
+# Uses string names for owner/group (not numeric IDs)
+file:
+  # PostgreSQL data directory
+  /var/lib/postgresql:
+    exists: true
+    filetype: directory
+    owner: postgres
+    group: postgres
+    mode: '0755'
+  # Note: /var/lib/postgresql/data is a symlink during AMI build (points to /data/...)
+  # The actual data directory is created at deploy time
+  /var/lib/postgresql/data:
+    exists: true
+    filetype: symlink
+    owner: root
+    group: root
+    mode: '0777'

audit-specs/baselines/ami-build/files-security.yml

@@ -0,0 +1,77 @@
+# File baseline: security
+# Critical security-related files for AMI build
+# Uses string names for owner/group (not numeric IDs)
+file:
+  # fail2ban configuration directory
+  /etc/fail2ban:
+    exists: true
+    filetype: directory
+    owner: root
+    group: root
+    mode: '0755'
+  /etc/fail2ban/jail.local:
+    exists: true
+    filetype: file
+    owner: root
+    group: root
+    mode: '0644'
+
+  # AppArmor
+  /etc/apparmor.d:
+    exists: true
+    filetype: directory
+    owner: root
+    group: root
+    mode: '0755'
+
+  # UFW firewall
+  /etc/ufw:
+    exists: true
+    filetype: directory
+    owner: root
+    group: root
+    mode: '0755'
+  /etc/ufw/ufw.conf:
+    exists: true
+    filetype: file
+    owner: root
+    group: root
+    mode: '0644'
+
+  # SSH configuration
+  /etc/ssh/sshd_config:
+    exists: true
+    filetype: file
+    owner: root
+    group: root
+    mode: '0644'
+
+  # PAM configuration
+  /etc/pam.d:
+    exists: true
+    filetype: directory
+    owner: root
+    group: root
+    mode: '0755'
+
+  # Sudoers
+  /etc/sudoers:
+    exists: true
+    filetype: file
+    owner: root
+    group: root
+    mode: '0440'
+  /etc/sudoers.d:
+    exists: true
+    filetype: directory
+    owner: root
+    group: root
+    mode: '0750'
+
+  # Security limits
+  /etc/security/limits.conf:
+    exists: true
+    filetype: file
+    owner: root
+    group: root
+    mode: '0644'

audit-specs/baselines/ami-build/files-ssl.yml

@@ -0,0 +1,30 @@
+# File baseline: ssl
+# SSL certificate and key directories for AMI build
+# Uses string names for owner/group (not numeric IDs)
+file:
+  # System SSL directory
+  /etc/ssl:
+    exists: true
+    filetype: directory
+    owner: root
+    group: root
+    mode: '0755'
+  /etc/ssl/certs:
+    exists: true
+    filetype: directory
+    owner: root
+    group: root
+    mode: '0755'
+  /etc/ssl/private:
+    exists: true
+    filetype: directory
+    owner: root
+    group: postgres
+    mode: '0750'
+  /etc/ssl/openssl.cnf:
+    exists: true
+    filetype: file
+    owner: root
+    group: root
+    mode: '0644'
+  # Note: /etc/ssl/adminapi is created at deploy time, not during AMI build