Mirrors/ansible-collection-hardening
2
0
Fork 0
mirror of https://github.com/dev-sec/ansible-collection-hardening synced 2024-11-10 09:14:18 +00:00
Code Issues Projects Releases Packages Wiki Activity

add tests for roles

Browse source 
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
This commit is contained in:
Martin Schurz 2023-11-11 03:47:22 +01:00
parent ec8811acdf
commit 35df355248
3 changed files with 35 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
molecule/mysql_hardening/prepare_tasks/mysql_users.yml
View file

@ -14,3 +14,20 @@
- "CREATE USER 'user'@'192.168.%' IDENTIFIED BY 'keep';" - "CREATE USER 'user'@'192.168.%' IDENTIFIED BY 'keep';"
# - "CREATE ROLE 'keep';" # - "CREATE ROLE 'keep';"
login_unix_socket: "{{ login_unix_socket | default(omit) }}" login_unix_socket: "{{ login_unix_socket | default(omit) }}"
- name: Detect role support on MySQL
community.mysql.mysql_query:
query: >
SELECT 1 FROM information_schema.COLUMNS
WHERE TABLE_SCHEMA = 'mysql' AND TABLE_NAME = 'user'
AND COLUMN_NAME = 'is_role';
login_unix_socket: "{{ login_unix_socket | default(omit) }}"
register: mysql_role_support
- name: create roles for test
community.mysql.mysql_query:
query:
- "CREATE ROLE 'role_keep';"
login_unix_socket: "{{ login_unix_socket | default(omit) }}"
when:
- mysql_role_support.rowcount[0] > 0

17
molecule/mysql_hardening/verify_tasks/mysql_users.yml
View file

@ -23,3 +23,20 @@
- '"user@192.168.0.2" in mysql_users_list' - '"user@192.168.0.2" in mysql_users_list'
- '"user@keep" in mysql_users_list' - '"user@keep" in mysql_users_list'
- '"user@192.168.%" in mysql_users_list' - '"user@192.168.%" in mysql_users_list'
- name: Detect role support on MySQL
community.mysql.mysql_query:
query: >
SELECT 1 FROM information_schema.COLUMNS
WHERE TABLE_SCHEMA = 'mysql' AND TABLE_NAME = 'user'
AND COLUMN_NAME = 'is_role';
login_unix_socket: "{{ login_unix_socket | default(omit) }}"
register: mysql_role_support
- name: assert that roles remain
ansible.builtin.assert:
that:
- '"role_keep@%" in mysql_users_list'
login_unix_socket: "{{ login_unix_socket | default(omit) }}"
when:
- mysql_role_support.rowcount[0] > 0

2
roles/mysql_hardening/tasks/mysql_secure_installation.yml
View file

@ -70,7 +70,7 @@
AND USER NOT IN ('mysql.sys', AND USER NOT IN ('mysql.sys',
'mysqlxsys', 'mysqlxsys',
'mariadb.sys') 'mariadb.sys')
{{ 'AND is_role like "N"' if mysql_role_support.rowcount[0] > 0 }}; {{ 'AND is_role = "N"' if mysql_role_support.rowcount[0] > 0 }};
login_unix_socket: "{{ login_unix_socket | default(omit) }}" login_unix_socket: "{{ login_unix_socket | default(omit) }}"
register: mysql_users_wo_passwords_or_auth_string register: mysql_users_wo_passwords_or_auth_string
check_mode: false check_mode: false