Merge branch 'migrate_mysql' into collection

2024-09-20 05:11:53 +00:00 · 2020-11-07 21:48:11 +01:00 · 2020-11-07 21:48:11 +01:00 · 66e88a34d1
commit 66e88a34d1
parent 51a7fed83d a10e4d7c1a
19 changed files with 523 additions and 0 deletions
--- a/roles/mysql_hardening/CHANGELOG.md
+++ b/roles/mysql_hardening/CHANGELOG.md
@ -0,0 +1,120 @@
+# Changelog
+
+## [2.2.2](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.2.2) (2020-10-18)
+
+[Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/2.2.1...2.2.2)
+
+**Implemented enhancements:**
+
+- Use mysql\_query module instead of temporary files [\#56](https://github.com/dev-sec/ansible-mysql-hardening/pull/56) ([szEvEz](https://github.com/szEvEz))
+- update readme to new layout for vars [\#53](https://github.com/dev-sec/ansible-mysql-hardening/pull/53) ([rndmh3ro](https://github.com/rndmh3ro))
+- add mode to copy task [\#51](https://github.com/dev-sec/ansible-mysql-hardening/pull/51) ([rndmh3ro](https://github.com/rndmh3ro))
+- Fix linting errors and simplivy vars-handling [\#49](https://github.com/dev-sec/ansible-mysql-hardening/pull/49) ([rndmh3ro](https://github.com/rndmh3ro))
+
+**Fixed bugs:**
+
+- permissions on /etc/mysql/mysql.cnf too restrictive [\#35](https://github.com/dev-sec/ansible-mysql-hardening/issues/35)
+- fix missing variables [\#55](https://github.com/dev-sec/ansible-mysql-hardening/pull/55) ([rndmh3ro](https://github.com/rndmh3ro))
+- add modes to template and file tasks [\#50](https://github.com/dev-sec/ansible-mysql-hardening/pull/50) ([rndmh3ro](https://github.com/rndmh3ro))
+
+**Closed issues:**
+
+- Use mysql\_query module instead of temporary files [\#52](https://github.com/dev-sec/ansible-mysql-hardening/issues/52)
+- Add Centos 8 support for ansible-mysql-hardening [\#36](https://github.com/dev-sec/ansible-mysql-hardening/issues/36)
+
+**Merged pull requests:**
+
+- Run ansible-lint via github action [\#58](https://github.com/dev-sec/ansible-mysql-hardening/pull/58) ([szEvEz](https://github.com/szEvEz))
+- Fix kitchen and travisci for major distros [\#57](https://github.com/dev-sec/ansible-mysql-hardening/pull/57) ([szEvEz](https://github.com/szEvEz))
+- update testing [\#48](https://github.com/dev-sec/ansible-mysql-hardening/pull/48) ([rndmh3ro](https://github.com/rndmh3ro))
+
+## [2.2.1](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.2.1) (2020-06-06)
+
+[Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/2.2.0...2.2.1)
+
+**Implemented enhancements:**
+
+- unify changelog and release actions [\#46](https://github.com/dev-sec/ansible-mysql-hardening/pull/46) ([rndmh3ro](https://github.com/rndmh3ro))
+
+## [2.2.0](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.2.0) (2020-05-09)
+
+[Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/2.1.0...2.2.0)
+
+**Implemented enhancements:**
+
+- add changelog and release workflow [\#45](https://github.com/dev-sec/ansible-mysql-hardening/pull/45) ([rndmh3ro](https://github.com/rndmh3ro))
+- Use python3-mysqldb for Ubuntu 20.04 [\#44](https://github.com/dev-sec/ansible-mysql-hardening/pull/44) ([shadinaif](https://github.com/shadinaif))
+- add ansible-lint [\#43](https://github.com/dev-sec/ansible-mysql-hardening/pull/43) ([rndmh3ro](https://github.com/rndmh3ro))
+
+## [2.1.0](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.1.0) (2019-10-17)
+
+[Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/2.0.0...2.1.0)
+
+**Implemented enhancements:**
+
+- Add support for Debian Buster in ansible-mysql-hardening [\#37](https://github.com/dev-sec/ansible-mysql-hardening/issues/37)
+- Update readme to include baselines [\#28](https://github.com/dev-sec/ansible-mysql-hardening/issues/28)
+- migrate to new inspec test suite [\#25](https://github.com/dev-sec/ansible-mysql-hardening/issues/25)
+- use bool filter on bare variable to address Ansible 2.8 deprecation warning [\#40](https://github.com/dev-sec/ansible-mysql-hardening/pull/40) ([deefour](https://github.com/deefour))
+- Add test support for Debian Buster [\#38](https://github.com/dev-sec/ansible-mysql-hardening/pull/38) ([cnkk](https://github.com/cnkk))
+- remove eol'd OS and add new [\#34](https://github.com/dev-sec/ansible-mysql-hardening/pull/34) ([rndmh3ro](https://github.com/rndmh3ro))
+- replace iteritems with items for python3 support [\#33](https://github.com/dev-sec/ansible-mysql-hardening/pull/33) ([rndmh3ro](https://github.com/rndmh3ro))
+- make mysql daemon enabling configurable [\#30](https://github.com/dev-sec/ansible-mysql-hardening/pull/30) ([rndmh3ro](https://github.com/rndmh3ro))
+
+**Fixed bugs:**
+
+- Template fails to render with Python 3 [\#32](https://github.com/dev-sec/ansible-mysql-hardening/issues/32)
+- my.cnf symlink turns into None? [\#24](https://github.com/dev-sec/ansible-mysql-hardening/issues/24)
+
+## [2.0.0](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.0.0) (2017-05-07)
+
+[Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/1.0.0...2.0.0)
+
+**Implemented enhancements:**
+
+- Add CentOS7 with MariaDB support [\#23](https://github.com/dev-sec/ansible-mysql-hardening/issues/23)
+- Fix ansible.cfg settings [\#29](https://github.com/dev-sec/ansible-mysql-hardening/pull/29) ([fazlearefin](https://github.com/fazlearefin))
+- Add CentOS7 with MariaDB support [\#27](https://github.com/dev-sec/ansible-mysql-hardening/pull/27) ([chrispoupart](https://github.com/chrispoupart))
+- - renamed 'mysql\_hardening\_mysql\_conf' var to 'mysql\_hardening\_mysql\_… [\#22](https://github.com/dev-sec/ansible-mysql-hardening/pull/22) ([agno01](https://github.com/agno01))
+
+**Fixed bugs:**
+
+- error on task protect my.cnf [\#20](https://github.com/dev-sec/ansible-mysql-hardening/issues/20)
+
+**Merged pull requests:**
+
+- use new docker files [\#26](https://github.com/dev-sec/ansible-mysql-hardening/pull/26) ([rndmh3ro](https://github.com/rndmh3ro))
+
+## [1.0.0](https://github.com/dev-sec/ansible-mysql-hardening/tree/1.0.0) (2016-06-28)
+
+[Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/dab153eb56e2296ce340e77d95586a55b5eefb80...1.0.0)
+
+**Implemented enhancements:**
+
+- add follow=yes to my.cnf protect task, incase its a symlink. fixes \#20 [\#21](https://github.com/dev-sec/ansible-mysql-hardening/pull/21) ([rndmh3ro](https://github.com/rndmh3ro))
+- add changelog generator [\#7](https://github.com/dev-sec/ansible-mysql-hardening/pull/7) ([chris-rock](https://github.com/chris-rock))
+
+**Closed issues:**
+
+- tasks - main [\#14](https://github.com/dev-sec/ansible-mysql-hardening/issues/14)
+- Fix directory structure. [\#6](https://github.com/dev-sec/ansible-mysql-hardening/issues/6)
+
+**Merged pull requests:**
+
+- Local testing [\#17](https://github.com/dev-sec/ansible-mysql-hardening/pull/17) ([rndmh3ro](https://github.com/rndmh3ro))
+- fix rhel daemon [\#16](https://github.com/dev-sec/ansible-mysql-hardening/pull/16) ([rndmh3ro](https://github.com/rndmh3ro))
+- alt version initial commit [\#15](https://github.com/dev-sec/ansible-mysql-hardening/pull/15) ([fitz123](https://github.com/fitz123))
+- add test support for ansible 2.0 and 1.9 [\#13](https://github.com/dev-sec/ansible-mysql-hardening/pull/13) ([rndmh3ro](https://github.com/rndmh3ro))
+- add webhook for ansible galaxy [\#11](https://github.com/dev-sec/ansible-mysql-hardening/pull/11) ([rndmh3ro](https://github.com/rndmh3ro))
+- update platforms in meta-file [\#10](https://github.com/dev-sec/ansible-mysql-hardening/pull/10) ([rndmh3ro](https://github.com/rndmh3ro))
+- Simplify local testing with custom role [\#9](https://github.com/dev-sec/ansible-mysql-hardening/pull/9) ([rndmh3ro](https://github.com/rndmh3ro))
+- New role layout [\#8](https://github.com/dev-sec/ansible-mysql-hardening/pull/8) ([rndmh3ro](https://github.com/rndmh3ro))
+- fix mysql restart not happening because of missing os specific variable [\#5](https://github.com/dev-sec/ansible-mysql-hardening/pull/5) ([fheinle](https://github.com/fheinle))
+- Update kitchen-ansible, remove separate debian install [\#4](https://github.com/dev-sec/ansible-mysql-hardening/pull/4) ([rndmh3ro](https://github.com/rndmh3ro))
+- update common kitchen.yml platforms \(ansible\), kitchen\_debian.yml platforms \(ansible\) [\#3](https://github.com/dev-sec/ansible-mysql-hardening/pull/3) ([chris-rock](https://github.com/chris-rock))
+- Separate system-vars from editable vars. [\#2](https://github.com/dev-sec/ansible-mysql-hardening/pull/2) ([rndmh3ro](https://github.com/rndmh3ro))
+- Add documentation for testing, change value in vars [\#1](https://github.com/dev-sec/ansible-mysql-hardening/pull/1) ([rndmh3ro](https://github.com/rndmh3ro))
+
+
+
+\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)*
--- a/roles/mysql_hardening/README.md
+++ b/roles/mysql_hardening/README.md
@ -0,0 +1,79 @@
+# devsec.mysql_hardening
+
+![devsec.mysql_hardening](https://github.com/dev-sec/ansible-os-hardening/workflows/devsec.mysql_hardening/badge.svg)
+
+## Description
+
+This role provides security configurations for MySQL and its derivates. It is intended to set up production-ready MySQL instances that are configured with minimal surface for attackers. Furthermore it is intended to be compliant with the [DevSec MySQL Baseline](https://github.com/dev-sec/mysql-baseline).
+
+It configures:
+
+* Permissions for the various configuration files and folders
+* Removes anonymous users, root-users without a password and test databases
+* various hardening options inside MySQL
+
+## Requirements
+
+* Ansible 2.9.0
+* An existing MySQL installation
+
+### Example playbook
+
+```yml
+- hosts: localhost
+  collections:
+    - devsec.hardening
+  roles:
+    - devsec.mysql_hardening
+```
+
+This role expects an existing installation of MySQL or MariaDB. Please ensure that the following variables are set accordingly:
+
+* `mysql_hardening_enabled: yes` role is enabled by default and can be disabled without removing it from a playbook. You can use conditional variable, for example: `mysql_hardening_enabled: "{{ true if mysql_enabled else false }}"`
+* `mysql_hardening_user: 'mysql'` The user that mysql runs as.
+* `mysql_datadir: '/var/lib/mysql'` The MySQL data directory
+* `mysql_hardening_mysql_hardening_conf_file: '/etc/mysql/conf.d/hardening.cnf'` The path to the configuration file where the hardening will be performed
+
+## Role Variables
+
+* `mysql_hardening_chroot`
+  * Default: ""
+  * Description: [chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot)
+* `mysql_hardening_options.safe-user-create`
+  * Default: 1
+  * Description: [safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create)
+* `mysql_hardening_options.secure-auth`
+  * Default: 1
+  * Description: [secure-auth](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth)
+* `mysql_hardening_options.skip-symbolic-links`
+  * Default: 1
+  * Description: [skip-symbolic-links](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links)
+* `mysql_hardening_skip_grant_tables:`
+  * Default: false
+  * Description: [skip-grant-tables](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables)
+* `mysql_hardening_skip_show_database`
+  * Default: 1
+  * Description: [skip-show-database](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database)
+* `mysql_hardening_options.local-infile`
+  * Default: 0
+  * Description: [local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile)
+* `mysql_hardening_options.allow-suspicious-udfs`
+  * Default: 0
+  * Description: [allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs)
+* `mysql_hardening_chroot.automatic-sp-privileges`
+  * Default: 0
+  * Description: [automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges)
+* `mysql_hardening_options.secure-file-priv`
+  * Default: /tmp
+  * Description: [secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv)
+* `mysql_allow_remote_root`
+  * Default: false
+  * Description: delete remote root users
+* `mysql_remove_anonymous_users`
+  * Default: true
+  * Description: remove users without authentication
+* `mysql_remove_test_database`
+  * Default: true
+  * Description: remove test database
+
+Further information is available at [Deutsche Telekom (German)](http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si) and [Symantec](http://www.symantec.com/connect/articles/securing-mysql-step-step)
--- a/roles/mysql_hardening/defaults/main.yml
+++ b/roles/mysql_hardening/defaults/main.yml
@ -0,0 +1,52 @@
+---
+# switcher to enable/disable role
+mysql_hardening_enabled: true
+
+mysql_daemon_enabled: true
+
+# general configuration
+mysql_datadir: '/var/lib/mysql'
+mysql_hardening_mysql_hardening_conf_file: '{{mysql_hardening_mysql_confd_dir}}/hardening.cnf'
+# You have to change this to your own strong enough mysql root password
+mysql_root_password: '-----====>SetR00tPa$$wordH3r3!!!<====-----'
+# There .my.cnf with mysql root credentials will be installed
+mysql_user_home: "{{ ansible_env.HOME}}"
+
+# ensure the following parameters are set properly
+mysql_remove_remote_root: true
+mysql_remove_anonymous_users: true
+mysql_remove_test_database: true
+
+# @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database
+mysql_hardening_skip_show_database: true
+
+# @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables
+mysql_hardening_skip_grant_tables: false
+
+# @see http://www.symantec.com/connect/articles/securing-mysql-step-step
+# @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot
+mysql_hardening_chroot: ""
+
+mysql_hardening_options:
+  # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create
+  safe-user-create: 1
+
+  # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option-mysqld-secure-auth
+  secure-auth: 1
+
+  # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option-mysqld-symbolic-links
+  skip-symbolic-links: 1
+
+  # @see http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar-local-infile
+  local-infile: 0
+
+  # @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option-mysqld-allow-suspicious-udfs
+  allow-suspicious-udfs: 0
+
+  # @see https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar-automatic-sp-privileges
+  automatic-sp-privileges: 0
+
+  # @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option-mysqld-secure-file-priv
+  secure-file-priv: '/tmp'
+  # @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_user
+  user: '{{mysql_hardening_user}}'
--- a/roles/mysql_hardening/handlers/main.yml
+++ b/roles/mysql_hardening/handlers/main.yml
@ -0,0 +1,4 @@
+---
+
+- name: restart mysql
+  service: name='{{ mysql_daemon }}' state=restarted
--- a/roles/mysql_hardening/meta/main.yml
+++ b/roles/mysql_hardening/meta/main.yml
@ -0,0 +1,28 @@
+---
+galaxy_info:
+  author: "Sebastian Gumprich"
+  description: 'This Ansible playbook provides security configuration for mysql.'
+  company: Hardening Framework Team
+  license: Apache License 2.0
+  min_ansible_version: '1.9'
+  platforms:
+    - name: EL
+      versions:
+        - 6
+        - 7
+    - name: Ubuntu
+      versions:
+        - xenial
+        - bionic
+    - name: Debian
+      versions:
+        - jessie
+    - name: Amazon
+    - name: Fedora
+  galaxy_tags:
+    - system
+    - security
+    - hardening
+    - database
+    - mysql
+dependencies: []
--- a/roles/mysql_hardening/tasks/configure.yml
+++ b/roles/mysql_hardening/tasks/configure.yml
@ -0,0 +1,56 @@
+---
+- name: protect my.cnf
+  file:
+    path: '{{ mysql_hardening_mysql_conf_file }}'
+    mode: '0640'
+    owner: '{{ mysql_cnf_owner }}'
+    group: '{{ mysql_cnf_group }}'
+    follow: true
+    state: file
+
+- name: ensure permissions on mysql-datadir are correct
+  file:
+    path: '{{ mysql_datadir }}'
+    state: directory
+    owner: '{{ mysql_hardening_user }}'
+    group: '{{ mysql_hardening_user }}'
+    mode: '0750'
+
+- name: ensure permissions on mysql-logfile are correct
+  file:
+    path: '{{ mysql_hardening_log_file }}'
+    state: file
+    owner: '{{ mysql_hardening_user }}'
+    group: '{{ mysql_hardening_group }}'
+    mode: '0640'
+
+- name: check mysql configuration-directory exists and has right permissions
+  file:
+    path: '{{ mysql_hardening_mysql_confd_dir }}'
+    state: directory
+    owner: '{{ mysql_hardening_user }}'
+    group: '{{ mysql_hardening_group }}'
+    mode: '0750'
+
+- name: check include-dir directive is present in my.cnf
+  lineinfile:
+    dest: '{{ mysql_hardening_mysql_conf_file }}'
+    line: '!includedir {{ mysql_hardening_mysql_confd_dir }}'
+    insertafter: 'EOF'
+    state: present
+    backup: true
+  notify: restart mysql
+
+- name: apply hardening configuration
+  template:
+    src: 'hardening.cnf.j2'
+    dest: '{{ mysql_hardening_mysql_hardening_conf_file }}'
+    owner: '{{ mysql_cnf_owner }}'
+    group: '{{ mysql_cnf_group }}'
+    mode: '0640'
+  notify: restart mysql
+
+- name: enable mysql
+  service:
+    name: '{{ mysql_daemon }}'
+    enabled: '{{ mysql_daemon_enabled }}'
--- a/roles/mysql_hardening/tasks/main.yml
+++ b/roles/mysql_hardening/tasks/main.yml
@ -0,0 +1,20 @@
+---
+- name: set OS dependent variables
+  include_vars: '{{ item }}'
+  with_first_found:
+    - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml'
+    - '{{ ansible_facts.distribution }}.yml'
+    - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml'
+    - '{{ ansible_facts.os_family }}.yml'
+  tags: always
+
+- include: configure.yml
+  when: mysql_hardening_enabled | bool
+  tags:
+    - mysql_hardening
+
+- include: mysql_secure_installation.yml
+  when: mysql_hardening_enabled | bool
+  tags:
+    - mysql_hardening
+    - mysql_secure_installation
--- a/roles/mysql_hardening/tasks/mysql_secure_installation.yml
+++ b/roles/mysql_hardening/tasks/mysql_secure_installation.yml
@ -0,0 +1,46 @@
+---
+- name: Install mysqld python libary for Ansible
+  package:
+    name: '{{ mysql_python_package }}'
+    state: present
+
+- debug:
+    msg: 'WARNING - you have to change default mysql_root_password'
+  when: mysql_root_password == '-----====>SetR00tPa$$wordH3r3!!!<====-----'
+
+- name: root password is present
+  mysql_user:
+    name: 'root'
+    host_all: true
+    password: '{{ mysql_root_password | mandatory }}'
+    state: present
+    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
+
+- name: install .my.cnf with credentials
+  template:
+    src: 'my.cnf.j2'
+    dest: '{{ mysql_user_home }}/.my.cnf'
+    mode: '0400'
+  tags: my_cnf
+
+- name: test database is absent
+  mysql_db:
+    name: test
+    state: absent
+    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
+  when: mysql_remove_test_database
+
+- name: anonymous users are absent
+  mysql_user:
+    name: ''
+    state: absent
+    host_all: true
+    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
+  when: mysql_remove_anonymous_users
+
+- name: remove remote root
+  community.mysql.mysql_query:
+    query:
+      - DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')
+    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
+  when: mysql_remove_remote_root
--- a/roles/mysql_hardening/templates/hardening.cnf.j2
+++ b/roles/mysql_hardening/templates/hardening.cnf.j2
@ -0,0 +1,15 @@
+[mysqld]
+{% if mysql_hardening_skip_show_database -%}
+skip-show-database
+{% endif %}
+{% if mysql_hardening_skip_grant_tables -%}
+skip-grant-tables
+{% endif %}
+
+{% for (key, value) in mysql_hardening_options.items() %}
+{{ key }} = {{ value }}
+{% endfor %}
+
+{% if mysql_hardening_chroot %}
+chroot = '{{ mysql_hardening_chroot }}'
+{% endif %}
--- a/roles/mysql_hardening/templates/my.cnf.j2
+++ b/roles/mysql_hardening/templates/my.cnf.j2
@ -0,0 +1,4 @@
+[client]
+user=root
+password='{{ mysql_root_password | mandatory }}'
+#ssl
--- a/roles/mysql_hardening/vars/Debian.yml
+++ b/roles/mysql_hardening/vars/Debian.yml
@ -0,0 +1,14 @@
+---
+mysql_daemon: mysql
+
+mysql_hardening_mysql_conf_file: '/etc/mysql/my.cnf'
+mysql_hardening_mysql_confd_dir: '/etc/mysql/conf.d'
+
+mysql_hardening_log_file: '/var/log/mysql/error.log'
+
+mysql_hardening_group: 'adm'
+
+mysql_cnf_owner: 'root'  # owner of /etc/mysql/*.cnf files
+mysql_cnf_group: 'mysql'  # owner of /etc/mysql/*.cnf files
+
+mysql_python_package: "python3-pymysql"
--- a/roles/mysql_hardening/vars/Fedora.yml
+++ b/roles/mysql_hardening/vars/Fedora.yml
@ -0,0 +1,6 @@
+---
+mysql_daemon: mysqld
+mysql_hardening_mysql_conf_file: '/etc/my.cnf'
+mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d'
+
+mysql_hardening_mysql_log_file: '/var/log/mysqld.log'
--- a/roles/mysql_hardening/vars/Oracle
+++ b/roles/mysql_hardening/vars/Oracle
@ -0,0 +1,9 @@
+---
+mysql_daemon: mysqld
+
+mysql_hardening_mysql_conf_file: '/etc/my.cnf'
+mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d'
+
+mysql_hardening_log_file: '/var/log/mysqld.log'
+
+mysql_hardening_group: 'adm'
--- a/roles/mysql_hardening/vars/RedHat_7.yml
+++ b/roles/mysql_hardening/vars/RedHat_7.yml
@ -0,0 +1,13 @@
+---
+mysql_daemon: mariadb
+mysql_hardening_mysql_conf_file: '/etc/my.cnf'
+mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d'
+
+mysql_hardening_log_file: '/var/log/mariadb/mariadb.log'
+
+mysql_python_package: 'MySQL-python'
+
+mysql_cnf_owner: 'root'  # owner of /etc/mysql/*.cnf files
+mysql_cnf_group: 'mysql'  # owner of /etc/mysql/*.cnf files
+
+mysql_hardening_group: 'mysql'
--- a/roles/mysql_hardening/vars/RedHat_8.yml
+++ b/roles/mysql_hardening/vars/RedHat_8.yml
@ -0,0 +1,12 @@
+---
+mysql_daemon: mariadb
+mysql_hardening_mysql_conf_file: '/etc/my.cnf'
+mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d'
+mysql_hardening_log_file: '/var/log/mariadb/mariadb.log'
+
+mysql_python_package: 'python3-mysqlclient'
+
+mysql_cnf_owner: 'root'  # owner of /etc/mysql/*.cnf files
+mysql_cnf_group: 'mysql'  # owner of /etc/mysql/*.cnf files
+
+mysql_hardening_group: 'mysql'
--- a/roles/mysql_hardening/vars/Ubuntu_16.yml
+++ b/roles/mysql_hardening/vars/Ubuntu_16.yml
@ -0,0 +1,14 @@
+---
+mysql_daemon: mysql
+
+mysql_hardening_mysql_conf_file: '/etc/mysql/my.cnf'
+mysql_hardening_mysql_confd_dir: '/etc/mysql/conf.d'
+
+mysql_hardening_log_file: '/var/log/mysql/error.log'
+
+mysql_cnf_owner: 'root'  # owner of /etc/mysql/*.cnf files
+mysql_cnf_group: 'mysql'  # owner of /etc/mysql/*.cnf files
+
+mysql_hardening_group: 'adm'
+
+mysql_python_package: "python-mysqldb"
--- a/roles/mysql_hardening/vars/Ubuntu_18.yml
+++ b/roles/mysql_hardening/vars/Ubuntu_18.yml
@ -0,0 +1,14 @@
+---
+mysql_daemon: mysql
+
+mysql_hardening_mysql_conf_file: '/etc/mysql/my.cnf'
+mysql_hardening_mysql_confd_dir: '/etc/mysql/conf.d'
+
+mysql_hardening_log_file: '/var/log/mysql/error.log'
+
+mysql_cnf_owner: 'root'  # owner of /etc/mysql/*.cnf files
+mysql_cnf_group: 'mysql'  # owner of /etc/mysql/*.cnf files
+
+mysql_hardening_group: 'adm'
+
+mysql_python_package: "python-mysqldb"
--- a/roles/mysql_hardening/vars/Ubuntu_20.yml
+++ b/roles/mysql_hardening/vars/Ubuntu_20.yml
@ -0,0 +1,14 @@
+---
+mysql_daemon: mysql
+
+mysql_hardening_mysql_conf_file: '/etc/mysql/my.cnf'
+mysql_hardening_mysql_confd_dir: '/etc/mysql/conf.d'
+
+mysql_hardening_log_file: '/var/log/mysql/error.log'
+
+mysql_cnf_owner: 'root'  # owner of /etc/mysql/*.cnf files
+mysql_cnf_group: 'mysql'  # owner of /etc/mysql/*.cnf files
+
+mysql_hardening_group: 'adm'
+
+mysql_python_package: "python3-mysqldb"
--- a/roles/mysql_hardening/vars/main.yml
+++ b/roles/mysql_hardening/vars/main.yml
@ -0,0 +1,3 @@
+---
+
+mysql_hardening_user: 'mysql'  # owner of data