From dab153eb56e2296ce340e77d95586a55b5eefb80 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Thu, 2 Jul 2015 18:32:22 +0000 Subject: [PATCH 001/115] INITIAL --- .gitignore | 14 ++ .kitchen.yml | 44 ++++++ .kitchen_debian.yml | 30 ++++ .travis.yml | 14 ++ CHANGELOG.md | 1 + CONTRIBUTING.md | 85 ++++++++++++ Gemfile | 31 +++++ README.md | 128 ++++++++++++++++++ TODO.md | 1 + Thorfile | 10 ++ ansible-install.sh | 6 + meta/main.yml | 28 ++++ .../files/mysql_grants.sql | 4 + .../ansible-mysql-hardening/handlers/main.yml | 4 + roles/ansible-mysql-hardening/tasks/main.yml | 28 ++++ .../templates/hardening.cnf.j2 | 15 ++ roles/ansible-mysql-hardening/vars/Debian.yml | 1 + .../vars/Oracle Linux.yml | 1 + roles/ansible-mysql-hardening/vars/RedHat.yml | 1 + roles/ansible-mysql-hardening/vars/main.yml | 39 ++++++ spec/travis.yml | 3 + 21 files changed, 488 insertions(+) create mode 100644 .gitignore create mode 100644 .kitchen.yml create mode 100644 .kitchen_debian.yml create mode 100644 .travis.yml create mode 100644 CHANGELOG.md create mode 100644 CONTRIBUTING.md create mode 100644 Gemfile create mode 100644 README.md create mode 100644 TODO.md create mode 100644 Thorfile create mode 100644 ansible-install.sh create mode 100644 meta/main.yml create mode 100644 roles/ansible-mysql-hardening/files/mysql_grants.sql create mode 100644 roles/ansible-mysql-hardening/handlers/main.yml create mode 100644 roles/ansible-mysql-hardening/tasks/main.yml create mode 100644 roles/ansible-mysql-hardening/templates/hardening.cnf.j2 create mode 100644 roles/ansible-mysql-hardening/vars/Debian.yml create mode 100644 roles/ansible-mysql-hardening/vars/Oracle Linux.yml create mode 100644 roles/ansible-mysql-hardening/vars/RedHat.yml create mode 100644 roles/ansible-mysql-hardening/vars/main.yml create mode 100644 spec/travis.yml diff --git a/.gitignore b/.gitignore new file mode 100644 index 00000000..f2a143af --- /dev/null +++ b/.gitignore 
@@ -0,0 +1,14 @@ +README.pdf +README.html +shared_test_repo/ +test/integration +.kitchen +coverage +Vagrantfile.erb + +Gemfile.lock +Berksfile.lock + +ansible.cfg +hosts +default.yml diff --git a/.kitchen.yml b/.kitchen.yml new file mode 100644 index 00000000..6f06b9fa --- /dev/null +++ b/.kitchen.yml @@ -0,0 +1,44 @@ +--- +driver: + name: vagrant + +provisioner: + name: ansible_playbook + test_repo_uri: https://github.com/TelekomLabs/tests-mysql-hardening.git + hosts: all + +platforms: +- name: ubuntu-12.04 + driver_config: + box: opscode-ubuntu-12.04 + box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-12.04_chef-provisionerless.box +- name: ubuntu-14.04 + driver_config: + box: opscode-ubuntu-14.04 + box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-14.04_chef-provisionerless.box +- name: centos-6.4 + driver_config: + box: opscode-centos-6.4 + box_url: https://opscode-vm.s3.amazonaws.com/vagrant/opscode_centos-6.4_provisionerless.box +- name: centos-6.5 + driver_config: + box: opscode-centos-6.5 + box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.5_chef-provisionerless.box +- name: oracle-6.4 + driver_config: + box: oracle-6.4 + box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel64-64.box +- name: oracle-6.5 + driver_config: + box: oracle-6.5 + box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box + +suites: +- name: default + roles_path: roles + hosts: all + require_ansible_repo: true + ansible_verbose: true + ansible_version: 1.9.2 + provisioner: + playbook: test/integration/playbooks/default.yml diff --git a/.kitchen_debian.yml b/.kitchen_debian.yml new file mode 100644 index 00000000..ce46f943 --- /dev/null +++ b/.kitchen_debian.yml 
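Review bot: Three of the `box_url` values in the platforms list (ubuntu-12.04, ubuntu-14.04, centos-6.5) fetch complete VM images over plain `http://`, while centos-6.4 and the oracle boxes use `https://`; the same bucket is reachable over TLS, and an unverified download of the image every test runs on is the wrong place to save a certificate check. PATCH 005/115 later switches these three to `https://`, and the `.kitchen_debian.yml` hunk of PATCH 004/115 even replaces two existing `https://` URLs with `http://` before PATCH 005 corrects them as well — the change is better made once, here. Suggested: `box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-12.04_chef-provisionerless.box` and likewise for the other two.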
@@ -0,0 +1,30 @@ +--- +driver: + name: vagrant + +provisioner: + name: ansible_playbook + test_repo_uri: https://github.com/TelekomLabs/tests-os-hardening.git + hosts: all + require_ansible_omnibus: true + ansible_omnibus_url: https://raw.githubusercontent.com/hardening-io/ansible-os-hardening/master/ansible-install.sh + +platforms: +- name: debian-6 + driver_config: + box: debian-6 + box_url: https://s3.eu-central-1.amazonaws.com/ffuenf-vagrantboxes/debian/debian-6.0.10-amd64_virtualbox.box +- name: debian-7 + driver_config: + box: debian-7 + box_url: https://s3.eu-central-1.amazonaws.com/ffuenf-vagrantboxes/debian/debian-7.7.0-amd64_virtualbox.box + +suites: +- name: default + roles_path: roles + hosts: all + require_ansible_repo: true + ansible_verbose: true + ansible_version: 1.9.2 + provisioner: + playbook: test/integration/playbooks/default.yml diff --git a/.travis.yml b/.travis.yml new file mode 100644 index 00000000..7ddad4a1 --- /dev/null +++ b/.travis.yml @@ -0,0 +1,14 @@ +--- +language: python +python: "2.7" +before_install: + - sudo apt-get update -qq + - sudo apt-get install -qq python-apt python-pycurl +install: + - pip install ansible + - echo -e 'localhost ansible_connection=local' > spec/inventory + - echo -e '[defaults]\nroles_path = ./roles\nhostfile = ./spec/inventory' > ansible.cfg + +script: + - ansible-playbook --syntax-check spec/travis.yml + - ansible-playbook --sudo -v --diff spec/travis.yml --skip-tags "sysctl" diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1 @@ + diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 00000000..783c10fb --- /dev/null +++ b/CONTRIBUTING.md 
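Review bot: `test_repo_uri` points at `tests-os-hardening.git` while `.kitchen.yml` uses `tests-mysql-hardening.git`, so the Debian run would execute the OS-hardening test suite against this MySQL role and report nothing about it; unless the mismatch is deliberate the line should read `test_repo_uri: https://github.com/TelekomLabs/tests-mysql-hardening.git`. `ansible_omnibus_url` likewise fetches the installer from the `master` branch of a different repository rather than this repo's own `ansible-install.sh`, so what gets installed on the Debian boxes is whatever that branch contains at run time rather than something this commit controls.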
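Review bot: `pip install ansible` installs whichever version is current at build time, while `.kitchen.yml` pins `ansible_version: 1.9.2` and `meta/main.yml` declares `min_ansible_version: '1.9'`; pin it, e.g. `pip install 'ansible==1.9.2'`, so a red Travis build means the role changed rather than Ansible did. `--skip-tags "sysctl"` on the last `script` line skips a tag none of this role's tasks set; presumably carried over from os-hardening and harmless, but worth dropping so the command documents what it really does.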
@@ -0,0 +1,85 @@ +# Contributor Guideline + +This document provides an overview of how you can participate in improving this project or extending it. We are grateful for all your help: bug reports and fixes, code contributions, documentation or ideas. Feel free to join, we appreciate your support!! + +## Communication + +### GitHub repositories + +Much of the issues, goals and ideas are tracked in the respective projects in GitHub. Please use this channel to report bugs and post ideas. + +## git and GitHub + +In order to contribute code please: + +1. Fork the project on GitHub +2. Clone the project +3. Add changes (and tests) +4. Commit and push +5. Create a merge-request + +To have your code merged, see the expectations listed below. + +You can find a well-written guide [here](https://help.github.com/articles/fork-a-repo). + +Please follow common commit best-practices. Be explicit, have a short summary, a well-written description and references. This is especially important for the merge-request. + +Some great guidelines can be found [here](https://wiki.openstack.org/wiki/GitCommitMessages) and [here](http://robots.thoughtbot.com/5-useful-tips-for-a-better-commit-message). + + +## Expectations + +### Don't reinvent the wheel + +This hardening project doesn't intend to reinvent the configuration stack for services. Aim to use official configuration projects first and provide hardening as a layer on top. The goal is remove the need for a user to configure all aspects of services and maintain security configuration. This way, the user can still configure a service using the interface provided by the official project. + +* For Chef refer to the official [opscode community cookbooks](http://community.opscode.com/cookbooks). +* For Puppet head to the [Puppet Forge](https://forge.puppetlabs.com/) and take a node of the Puppet supported modules. 
+* For Ansible check the [Ansible Module Index](http://docs.ansible.com/list_of_all_modules.html) + +These projects are generally hosted on GitHub as well. + +In some cases, we in fact create the full rollout stack, but this is generally the exception ([os-hardening](https://github.com/TelekomLabs/chef-os-hardening), [nginx-hardening](https://github.com/TelekomLabs/chef-nginx-hardening)). + + +### Be explicit + +* Please avoid using nonsensical property and variable names. +* Use self-describing attribute names for user configuration. +* In case of failures, communicate what happened and why a failure occurs to the user. Make it easy to track the code or action that produced the error. Try to catch and handle errors if possible to provide improved failure messages. + + +### Add tests + +The security review of this project is done using integration tests. + +Whenever you add a new security configuration, please start by writing a test that checks for this configuration. For example: If you want to set a new attribute in a configuration file, write a test that expects the value to be set first. Then implement your change. + +You may add a new feature request by creating a test for whatever value you need. + +All tests will be reviewed internally for their validity and overall project direction. + + +### Document your code + +As code is more often read than written, please provide documentation in all projects. + +Adhere to the respective guidelines for documentation: + +* Chef generally documents code based explicit readme files. 
For code documentation please use [yard-chef](https://github.com/rightscale/yard-chef) +* [Puppet module documentation](http://docs.puppetlabs.com/puppet/latest/reference/modules_documentation.html) + + +### Follow coding styles + +We generally include test for coding guidelines: + +* Chef follows [Foodcritic](http://acrmp.github.io/foodcritic/) +* Puppet is checked with [puppet-lint](http://puppet-lint.com/checks/) +* Ansible is checked by running the playbook with the syntax-check option, e.g. `ansible-playbook foo.yml --syntax-check` + +Remember: Code is generally read much more often than written. + +### Use Markdown + +Wherever possible, please refrain from any other formats and stick to simple markdown. diff --git a/Gemfile b/Gemfile new file mode 100644 index 00000000..83b3bba0 --- /dev/null +++ b/Gemfile @@ -0,0 +1,31 @@ +# encoding: utf-8 + +source 'https://rubygems.org' + +group :test do + gem 'rake' +# gem 'chefspec', '~> 4.2.0' + gem 'foodcritic', '~> 4.0' + gem 'thor-foodcritic' +# gem 'rubocop', '~> 0.28.0' + gem 'coveralls', require: false +end + +group :development do + gem 'guard' + gem 'guard-rspec' + gem 'guard-kitchen' +# gem 'guard-rubocop' +# gem 'guard-foodcritic' +end + +group :integration do + gem 'test-kitchen', '~> 1.0' + gem 'kitchen-ansible' + gem 'kitchen-vagrant' + gem 'kitchen-sharedtests', '~> 0.2.0' +end + +group :openstack do + gem 'kitchen-openstack' +end diff --git a/README.md b/README.md new file mode 100644 index 00000000..75b39905 --- /dev/null +++ b/README.md 
@@ -0,0 +1,128 @@ +# mysql-hardening (Ansible role) + +[![Gitter Chat](https://badges.gitter.im/Join%20Chat.svg)][3] + +## Description + +Provides security configurations for MySQL. It is intended to set up production-ready mysql instances that are configured with minimal surface for attackers. + +This role focuses on security configuration of MySQL. Therefore you can add this hardening role alongside your existing MySQL configuration in Ansible. + +## Requirements + +* Ansible + +## Usage + +Before you use this role make sure to have a valid login-configuration in `~/.my.cnf` so Ansible is able to login into your database. + +### Example Playbook + + - hosts: localhost + roles: + - ansible-os-hardening + +This hardening role installs the hardening but expects an existing installation of MySQL, MariaDB or Percona. Please ensure that the following variables are set accordingly: + +- `mysql_hardening_user: 'mysql'` The user that mysql runs as. +- `mysql_datadir: '/var/lib/mysql'` The MySQL data directory +- `mysql_hardening_hardening_conf: '/etc/mysql/conf.d/hardening.cnf'` The path to the configuration file where the hardening will be performed + +## Security Options + +Further information is already available at [Deutsche Telekom (German)](http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si) and [Symantec](http://www.symantec.com/connect/articles/securing-mysql-step-step) + +* `mysql_hardening_chroot` - [chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot) +* `mysql_hardening_options.safe-user-create` - [safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create) +* `mysql_hardening_options.safe-user-create` - [secure-auth](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth) +* `mysql_hardening_options.skip-symbolic-links` - 
[skip-symbolic-links](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links) +* `mysql_hardening_skip_show_database` - [skip-show-database](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database) +* `mysql_hardening_options.local-infile` - [local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile) +* `mysql_hardening_options.allow-suspicious-udfs` - [allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs) +* `mysql_hardening_chroot.automatic-sp-privileges` - [automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges) +* `mysql_hardening_options.secure-file-priv` - [secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv) + +## Security Configuration + +This setup sets the following parameters by default + + # via `mysql_hardening_options.local-infile` + local-infile = 0 + + # via `mysql_hardening_options.safe-user-create` + safe-user-create = 1 + + # via `mysql_hardening_options.safe-user-create` + secure-auth = 1 + + # via `mysql_hardening_skip_show_database` + skip-show-database + + # via `mysql_hardening_options.skip-symbolic-links` + skip-symbolic-links + + # via `mysql_hardening_chroot.automatic-sp-privileges` + automatic_sp_privileges = 0 + + # via `mysql_hardening_options.secure-file-priv` + secure-file-priv = /tmp + + +Additionally it ensures that the following parameters are not set + + * deactivate old-passwords via `mysql_hardening_options.secure-auth` + * deactivate allow-suspicious-udfs via `mysql_hardening_options.allow-suspicious-udfs` + * skip-grant-tables via `mysql_hardening_skip_grant_tables` + * the permissions of `/var/lib/mysql` is limited to `mysql` user. 
+ +## Local Testing + +For local testing you can use vagrant and Virtualbox of VMWare to run tests locally. You will have to install Virtualbox and Vagrant on your system. See [Vagrant Downloads](http://downloads.vagrantup.com/) for a vagrant package suitable for your system. For all our tests we use `test-kitchen`. If you are not familiar with `test-kitchen` please have a look at [their guide](http://kitchen.ci/docs/getting-started). + +Next install test-kitchen: + +```bash +# Install dependencies +gem install bundler +bundle install + +# Fetch tests +bundle exec thor kitchen:fetch-remote-tests + +# fast test on one machine +bundle exec kitchen test default-ubuntu-1204 + +# test on all machines except Debian-based machines +bundle exec kitchen test + +# test on Debian-based machines +KITCHEN_YAML=".kitchen_debian.yml" bundle exec kitchen test + +# for development +bundle exec kitchen create default-ubuntu-1204 +bundle exec kitchen converge default-ubuntu-1204 +``` + +For more information see [test-kitchen](http://kitchen.ci/docs/getting-started) + +## Contributors + Kudos + +... + +## License and Author + +* Author:: Sebastian Gumprich + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +[3]: https://gitter.im/hardening-io/general diff --git a/TODO.md b/TODO.md new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/TODO.md @@ -0,0 +1 @@ + diff --git a/Thorfile b/Thorfile new file mode 100644 index 00000000..15b092f6 --- /dev/null +++ b/Thorfile 
@@ -0,0 +1,10 @@ +# encoding: utf-8 + +require 'bundler' +require 'bundler/setup' +require 'thor/foodcritic' + +require 'kitchen_sharedtests' +require 'kitchen/sharedtests_thor_tasks' + +Kitchen::SharedtestsThorTasks.new diff --git a/ansible-install.sh b/ansible-install.sh new file mode 100644 index 00000000..ec8d54cb --- /dev/null +++ b/ansible-install.sh @@ -0,0 +1,6 @@ +#!/bin/bash +sudo apt-get install -y build-essential python-dev python-setuptools +cd /tmp && wget http://releases.ansible.com/ansible/ansible-latest.tar.gz +tar xzf ansible-latest.tar.gz +cd ansible-* && sudo python setup.py install + diff --git a/meta/main.yml b/meta/main.yml new file mode 100644 index 00000000..50ab0294 --- /dev/null +++ b/meta/main.yml @@ -0,0 +1,28 @@ +--- +galaxy_info: + author: "Sebastian Gumprich" + description: ' This Ansible playbook provides numerous security-related configurations, providing all-round base protection.' + company: Hardening Framework Team + license: Apache License 2.0 + min_ansible_version: '1.9' + platforms: + - name: EL + versions: + - 6.4 + - 6.5 + - name: Oracle Linux + versions: + - 6.4 + - 6.5 + - name: Ubuntu + versions: + - 12.04 + - 14.04 + - name: Debian + versions: + - 6 + - 7 + categories: + - system + - security +dependencies: [] diff --git a/roles/ansible-mysql-hardening/files/mysql_grants.sql b/roles/ansible-mysql-hardening/files/mysql_grants.sql new file mode 100644 index 00000000..5312c5ac --- /dev/null +++ b/roles/ansible-mysql-hardening/files/mysql_grants.sql @@ -0,0 +1,4 @@ +DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1'); +DELETE FROM mysql.user WHERE User=''; +DROP DATABASE IF EXISTS test; +DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%'; diff --git a/roles/ansible-mysql-hardening/handlers/main.yml b/roles/ansible-mysql-hardening/handlers/main.yml new file mode 100644 index 00000000..85e3a366 --- /dev/null +++ b/roles/ansible-mysql-hardening/handlers/main.yml 
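Review bot: The script downloads `ansible-latest.tar.gz` over plain `http://` with no checksum or signature check and then runs `sudo python setup.py install` on whatever arrived, and it has no `set -e`, so a failed `wget` or `tar` is followed by installing whatever `ansible-*` directory already sits in `/tmp`. At minimum start with `set -euo pipefail`, fetch over `https://`, and pin a release rather than `ansible-latest`; `cd ansible-*` also assumes exactly one matching directory. The diffstat of PATCH 006/115 shows this file being deleted in favour of kitchen-ansible's own omnibus install, which is the better outcome.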
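Review bot: `galaxy_info.description` still carries the os-hardening wording (`This Ansible playbook provides numerous security-related configurations, providing all-round base protection.`), with a leading space inside the quotes, and that is what Galaxy will display for this MySQL role; something like `description: 'Security hardening configuration for MySQL, MariaDB and Percona servers'` matches the README. The `versions` entries such as `6.4`, `12.04` and `6` are unquoted and parse as floats and ints; quoting them keeps them strings, consistent with the already-quoted `min_ansible_version: '1.9'`.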
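Review bot: The two `DELETE FROM mysql.user` statements edit the grant tables directly, and such edits are not picked up by the running server until the privilege cache is reloaded, so the remote-root and anonymous accounts keep working until the next restart — which this role only triggers when the template changes; end the script with `FLUSH PRIVILEGES;`. The last statement uses `=`, so `Db='test\_%'` only matches a database literally named `test_%`; the pattern needs `LIKE`: `DELETE FROM mysql.db WHERE Db='test' OR Db LIKE 'test\_%';`. The script also runs unconditionally from tasks/main.yml, so the `mysql_allow_remote_root`, `mysql_remove_anonymous_users` and `mysql_remove_test_database` variables introduced in vars/main.yml have no effect on it.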
@@ -0,0 +1,4 @@
+---
+
+- name: restart mysql
+ service: name='{{}}' state=restarted
diff --git a/roles/ansible-mysql-hardening/tasks/main.yml b/roles/ansible-mysql-hardening/tasks/main.yml
new file mode 100644
index 00000000..fb69230c
--- /dev/null
+++ b/roles/ansible-mysql-hardening/tasks/main.yml
@@ -0,0 +1,28 @@
+---
+
+- name: add the OS specific variables
+ include_vars: "{{ ansible_os_family }}.yml"
+ tags: always
+
+- name: protect my.cnf
+ file: path='{{mysql_hardening_mysql_conf}}' mode=0600 owner=root group=root
+
+- name: ensure permissions on mysql-datadir are correct
+ file: path='{{mysql_datadir}}' state=directory owner='{{mysql_hardening_user}}' group='{{mysql_hardening_user}}'
+
+- name: create mysql configuration-directory
+ file: path='/etc/mysql/conf.d' state=directory owner='{{mysql_hardening_user}}' mode=0600
+
+- name: add include-dir directive to my.cnf
+ lineinfile: dest='{{mysql_hardening_mysql_conf}}' line='!includedir /etc/mysql/conf.d/' insertafter='^\[mysql\]' state=present backup=yes
+
+- name: apply hardening configuration
+ template: src='hardening.cnf.j2' dest='{{mysql_hardening_hardening_conf}}' owner='{{mysql_hardening_user}}' mode=0750
+ notify: restart mysql
+
+# Copy database dump file to remote host and restore it to database 'my_db'
+- name: copy the sql-script to the remote host
+ copy: src='mysql_grants.sql' dest='/tmp/'
+
+- name: run the mysql_grants.sql script
+ mysql_db: name='mysql' state=import target='/tmp/mysql_grants.sql'
diff --git a/roles/ansible-mysql-hardening/templates/hardening.cnf.j2 b/roles/ansible-mysql-hardening/templates/hardening.cnf.j2
new file mode 100644
index 00000000..b4bca563
--- /dev/null
+++ b/roles/ansible-mysql-hardening/templates/hardening.cnf.j2
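Review bot: `service: name='{{}}' state=restarted` contains an empty Jinja expression, which Jinja rejects as a syntax error, so the first time `apply hardening configuration` notifies this handler the play fails and mysqld is never restarted — the rendered hardening.cnf stays unapplied. The service name differs per platform, so it belongs in the per-OS vars files next to `mysql_hardening_mysql_conf`, e.g. `service: name='{{ mysql_hardening_service }}' state=restarted` (variable name constructed; define it once per OS).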
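Review bot: The `create mysql configuration-directory` and `apply hardening configuration` tasks hand ownership of `/etc/mysql/conf.d` and of the hardening file to `mysql_hardening_user`, the account mysqld runs as, so a compromised server process can rewrite its own hardening options; the directory also gets `mode=0600`, which lacks the execute bit a directory needs to be traversed, and the file gets `mode=0750`, which makes a config file executable. Root-owned and group-readable is the usual shape: `file: path='/etc/mysql/conf.d' state=directory owner=root group=root mode=0755` and `template: src='hardening.cnf.j2' dest='{{mysql_hardening_hardening_conf}}' owner=root group='{{mysql_hardening_user}}' mode=0640`. The `protect my.cnf` task sets `mode=0600 owner=root group=root` on the main config; if mysqld or the client tools read it after dropping to the mysql user on these platforms that is too tight — please verify on the kitchen boxes. The grants script is staged in the world-writable `/tmp/` and then imported with the credentials from `~/.my.cnf`; a root-only path with `mode=0600`, plus a task that removes it after the import, keeps a privileged script out of a shared directory. The `# Copy database dump file ... 'my_db'` comment is a leftover from the module docs and should describe the grants script instead.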
@@ -0,0 +1,15 @@
+[mysqld]
+{% if mysql_hardening_skip_show_database -%}
+skip-show-database
+{% endif %}
+{% if mysql_hardening_skip_grant_tables -%}
+skip-grant-tables
+{% endif %}
+
+{% for (key, value) in mysql_hardening_options.iteritems() %}
+{{ key }} = {{ value }}
+{% endfor %}
+
+{% if mysql_hardening_chroot %}
+chroot = '{{ mysql_hardening_chroot }}'
+{% endif %}
diff --git a/roles/ansible-mysql-hardening/vars/Debian.yml b/roles/ansible-mysql-hardening/vars/Debian.yml
new file mode 100644
index 00000000..a40233a7
--- /dev/null
+++ b/roles/ansible-mysql-hardening/vars/Debian.yml
@@ -0,0 +1 @@
+mysql_hardening_mysql_conf: '/etc/mysql/my.cnf'
diff --git a/roles/ansible-mysql-hardening/vars/Oracle Linux.yml b/roles/ansible-mysql-hardening/vars/Oracle Linux.yml
new file mode 100644
index 00000000..2984b144
--- /dev/null
+++ b/roles/ansible-mysql-hardening/vars/Oracle Linux.yml
@@ -0,0 +1 @@
+mysql_hardening_mysql_conf: '/etc/my.cnf'
diff --git a/roles/ansible-mysql-hardening/vars/RedHat.yml b/roles/ansible-mysql-hardening/vars/RedHat.yml
new file mode 100644
index 00000000..2984b144
--- /dev/null
+++ b/roles/ansible-mysql-hardening/vars/RedHat.yml
@@ -0,0 +1 @@
+mysql_hardening_mysql_conf: '/etc/my.cnf'
diff --git a/roles/ansible-mysql-hardening/vars/main.yml b/roles/ansible-mysql-hardening/vars/main.yml
new file mode 100644
index 00000000..2e42683d
--- /dev/null
+++ b/roles/ansible-mysql-hardening/vars/main.yml
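Review bot: `mysql_hardening_options.iteritems()` is a Python-2-only dict method, so the template stops rendering the moment Ansible runs under Python 3; `{% for (key, value) in mysql_hardening_options.items() %}` behaves the same on both. A hardening template that can emit `skip-grant-tables` deserves a comment directly above that `{% if %}` stating that the option starts mysqld with the privilege system disabled, i.e. without any authentication, so nobody enables the variable believing it is a hardening knob like its neighbours.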
@@ -0,0 +1,39 @@ +# general configuration +mysql_hardening_user: 'mysql' +mysql_datadir: '/var/lib/mysql' +mysql_hardening_hardening_conf: '/etc/mysql/conf.d/hardening.cnf' + +# ensure the following parameters are set properly +mysql_allow_remote_root: false +mysql_remove_anonymous_users: true +mysql_remove_test_database: true + +# @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database +mysql_hardening_skip_show_database: true +mysql_hardening_skip_grant_tables: true + +# @see http://www.symantec.com/connect/articles/securing-mysql-step-step +# @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot +mysql_hardening_chroot: "" + +mysql_hardening_options: + # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create + safe-user-create: 1 + + # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option-mysqld-secure-auth + secure-auth: 1 + + # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option-mysqld-symbolic-links + skip-symbolic-links: 1 + + # @see http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar-local-infile + local-infile: 0 + + # @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option-mysqld-allow-suspicious-udfs + allow-suspicious-udfs: 0 + + # @see https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar-automatic-sp-privileges + automatic-sp-privileges: 0 + + # @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option-mysqld-secure-file-priv + secure-file-priv: '/tmp' diff --git a/spec/travis.yml b/spec/travis.yml new file mode 100644 index 00000000..fb76525b --- /dev/null +++ b/spec/travis.yml @@ -0,0 +1,3 @@ +- hosts: localhost + roles: + - ansible-os-hardening From daf8e4c45b842cd80ad02c573f8593d13e880a4b Mon Sep 17 00:00:00 2001 
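Review bot: `mysql_hardening_skip_grant_tables: true` makes the template emit `skip-grant-tables`, which starts mysqld with the privilege system disabled — every connection is accepted without a password and with full access — so this default undoes the rest of the role; it has to be `false` (PATCH 002/115 makes that change, but it should not have shipped as `true`). `mysql_allow_remote_root`, `mysql_remove_anonymous_users` and `mysql_remove_test_database` are defined here but neither tasks/main.yml nor mysql_grants.sql reads them, so they promise control that does not exist; either wire them into conditional tasks or drop them. `secure-file-priv: '/tmp'` confines `LOAD DATA INFILE`/`SELECT ... INTO OUTFILE` to a directory every local user can write to; a dedicated directory owned by `mysql_hardening_user` and not world-writable is the usual choice. The file also lacks the `---` document start that handlers/main.yml and tasks/main.yml use.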
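Review bot: The playbook applies `ansible-os-hardening`, but the role shipped in this patch is `roles/ansible-mysql-hardening` and `.travis.yml` sets `roles_path = ./roles` without fetching anything else, so the `--syntax-check` step cannot resolve the role — and if an os-hardening role were present, CI would still never exercise this one. The line should be `- ansible-mysql-hardening`; the README's example playbook in this same patch names the wrong role too.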
From: Sebastian Gumprich Date: Sat, 18 Jul 2015 19:13:41 +0000 Subject: [PATCH 002/115] Add documentation for testing, change value in vars --- .gitignore | 1 + README.md | 6 ++++++ roles/ansible-mysql-hardening/vars/main.yml | 4 +++- 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index f2a143af..015abea8 100644 --- a/.gitignore +++ b/.gitignore @@ -12,3 +12,4 @@ Berksfile.lock ansible.cfg hosts default.yml +roles/bennojoy.mysql/ diff --git a/README.md b/README.md index 75b39905..c45d1efc 100644 --- a/README.md +++ b/README.md @@ -89,6 +89,12 @@ bundle install # Fetch tests bundle exec thor kitchen:fetch-remote-tests +# download a MySQL-installation role +ansible-galaxy install -p roles/ bennojoy.mysql + +# change password in MySQL-installation role to match the one from testing +sed -i 's/foobar/iloverandompasswordsbutthiswilldo/g' roles/bennojoy.mysql/defaults/main.yml + # fast test on one machine bundle exec kitchen test default-ubuntu-1204 diff --git a/roles/ansible-mysql-hardening/vars/main.yml b/roles/ansible-mysql-hardening/vars/main.yml index 2e42683d..fd0235cf 100644 --- a/roles/ansible-mysql-hardening/vars/main.yml +++ b/roles/ansible-mysql-hardening/vars/main.yml @@ -10,7 +10,9 @@ mysql_remove_test_database: true # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database mysql_hardening_skip_show_database: true -mysql_hardening_skip_grant_tables: true + +# @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables +mysql_hardening_skip_grant_tables: false # @see http://www.symantec.com/connect/articles/securing-mysql-step-step # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot From a2c483ace80011cf3561dd7aed37318ff7ead12b Mon Sep 17 00:00:00 2001 
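Review bot: The new comment above `mysql_hardening_skip_grant_tables` is only a `@see` link; since enabling this variable renders `skip-grant-tables` and starts mysqld with no authentication at all, the comment should say so rather than make a reader follow the link, e.g. `# WARNING: true starts mysqld with the privilege system disabled (no authentication); keep false`. The flip to `false` itself is the right change.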
From: Sebastian Gumprich Date: Tue, 28 Jul 2015 18:07:34 +0000 Subject: [PATCH 003/115] Separate system-vars from editable vars. This change moves variables that can be changed or overridden by the user to the defaults-vars-files, where it belongs. --- .../ansible-mysql-hardening/defaults/main.yml | 41 ++++++++++++++++++ roles/ansible-mysql-hardening/vars/main.yml | 42 +------------------ 2 files changed, 42 insertions(+), 41 deletions(-) create mode 100644 roles/ansible-mysql-hardening/defaults/main.yml diff --git a/roles/ansible-mysql-hardening/defaults/main.yml b/roles/ansible-mysql-hardening/defaults/main.yml new file mode 100644 index 00000000..fd0235cf --- /dev/null +++ b/roles/ansible-mysql-hardening/defaults/main.yml 
@@ -0,0 +1,41 @@ +# general configuration +mysql_hardening_user: 'mysql' +mysql_datadir: '/var/lib/mysql' +mysql_hardening_hardening_conf: '/etc/mysql/conf.d/hardening.cnf' + +# ensure the following parameters are set properly +mysql_allow_remote_root: false +mysql_remove_anonymous_users: true +mysql_remove_test_database: true + +# @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database +mysql_hardening_skip_show_database: true + +# @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables +mysql_hardening_skip_grant_tables: false + +# @see http://www.symantec.com/connect/articles/securing-mysql-step-step +# @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot +mysql_hardening_chroot: "" + +mysql_hardening_options: + # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create + safe-user-create: 1 + + # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option-mysqld-secure-auth + secure-auth: 1 + + # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option-mysqld-symbolic-links + skip-symbolic-links: 1 + + # @see http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar-local-infile + local-infile: 0 + + # @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option-mysqld-allow-suspicious-udfs + allow-suspicious-udfs: 0 + + # @see https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar-automatic-sp-privileges + automatic-sp-privileges: 0 + + # @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option-mysqld-secure-file-priv + secure-file-priv: '/tmp' diff --git a/roles/ansible-mysql-hardening/vars/main.yml b/roles/ansible-mysql-hardening/vars/main.yml index fd0235cf..ed97d539 100644 --- a/roles/ansible-mysql-hardening/vars/main.yml +++ b/roles/ansible-mysql-hardening/vars/main.yml 
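Review bot: defaults/main.yml is a new file without the `---` document start the role's other YAML files use, and `mysql_hardening_chroot: ""` is the only double-quoted value in a file that otherwise single-quotes; both are style, but this file is now the user-facing interface of the role. More substantively, `mysql_hardening_hardening_conf: '/etc/mysql/conf.d/hardening.cnf'` is a Debian-family path while `vars/RedHat.yml` and `vars/Oracle Linux.yml` already switch `mysql_hardening_mysql_conf` to `/etc/my.cnf`; on those hosts the role creates a Debian-style `/etc/mysql/conf.d` tree next to `/etc/my.cnf`, which works because tasks/main.yml adds the `!includedir`, but is surprising — consider carrying this path in the per-OS vars files as well.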
@@ -1,41 +1 @@ -# general configuration -mysql_hardening_user: 'mysql' -mysql_datadir: '/var/lib/mysql' -mysql_hardening_hardening_conf: '/etc/mysql/conf.d/hardening.cnf' - -# ensure the following parameters are set properly -mysql_allow_remote_root: false -mysql_remove_anonymous_users: true -mysql_remove_test_database: true - -# @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database -mysql_hardening_skip_show_database: true - -# @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables -mysql_hardening_skip_grant_tables: false - -# @see http://www.symantec.com/connect/articles/securing-mysql-step-step -# @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot -mysql_hardening_chroot: "" - -mysql_hardening_options: - # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create - safe-user-create: 1 - - # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option-mysqld-secure-auth - secure-auth: 1 - - # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option-mysqld-symbolic-links - skip-symbolic-links: 1 - - # @see http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar-local-infile - local-infile: 0 - - # @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option-mysqld-allow-suspicious-udfs - allow-suspicious-udfs: 0 - - # @see https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar-automatic-sp-privileges - automatic-sp-privileges: 0 - - # @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option-mysqld-secure-file-priv - secure-file-priv: '/tmp' +--- From 3f485a8164b8a5ef671d0e3f7d8dcb4f6c84582d Mon Sep 17 00:00:00 2001 
From: Christoph Hartmann Date: Thu, 6 Aug 2015 23:45:17 -0700 Subject: [PATCH 004/115] update common kitchen.yml platforms (ansible), kitchen_debian.yml platforms (ansible) updating common files with changes that are configured in the profiles: kitchen.yml platforms (ansible), kitchen_debian.yml platforms (ansible) --- .kitchen.yml | 5 +---- .kitchen_debian.yml | 13 +++++++------ 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/.kitchen.yml b/.kitchen.yml index 6f06b9fa..efa64680 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -1,12 +1,10 @@ --- driver: name: vagrant - provisioner: name: ansible_playbook test_repo_uri: https://github.com/TelekomLabs/tests-mysql-hardening.git hosts: all - platforms: - name: ubuntu-12.04 driver_config: @@ -32,13 +30,12 @@ platforms: driver_config: box: oracle-6.5 box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box - suites: - name: default roles_path: roles hosts: all require_ansible_repo: true ansible_verbose: true - ansible_version: 1.9.2 + ansible_version: 1.9.2 provisioner: playbook: test/integration/playbooks/default.yml diff --git a/.kitchen_debian.yml b/.kitchen_debian.yml index ce46f943..4121d1aa 100644 --- a/.kitchen_debian.yml +++ b/.kitchen_debian.yml 
@@ -1,30 +1,31 @@ --- driver: name: vagrant - provisioner: name: ansible_playbook test_repo_uri: https://github.com/TelekomLabs/tests-os-hardening.git hosts: all require_ansible_omnibus: true ansible_omnibus_url: https://raw.githubusercontent.com/hardening-io/ansible-os-hardening/master/ansible-install.sh - platforms: - name: debian-6 driver_config: box: debian-6 - box_url: https://s3.eu-central-1.amazonaws.com/ffuenf-vagrantboxes/debian/debian-6.0.10-amd64_virtualbox.box + box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-6.0.10_chef-provisionerless.box - name: debian-7 driver_config: box: debian-7 - box_url: https://s3.eu-central-1.amazonaws.com/ffuenf-vagrantboxes/debian/debian-7.7.0-amd64_virtualbox.box - + box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-7.8_chef-provisionerless.box +- name: debian-8 + driver_config: + box: debian-8 + box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-8.1_chef-provisionerless.box suites: - name: default roles_path: roles hosts: all require_ansible_repo: true ansible_verbose: true - ansible_version: 1.9.2 + ansible_version: 1.9.2 provisioner: playbook: test/integration/playbooks/default.yml From e68e325943afdc570c50910b3b10c41df853501a Mon Sep 17 00:00:00 2001 From: Christoph Hartmann Date: Fri, 7 Aug 2015 01:10:26 -0700 Subject: [PATCH 005/115] update common kitchen.yml platforms (ansible), kitchen_debian.yml platforms (ansible) updating common files with changes that are configured in the profiles: kitchen.yml platforms (ansible), kitchen_debian.yml platforms (ansible) --- .kitchen.yml | 6 +++--- .kitchen_debian.yml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.kitchen.yml b/.kitchen.yml index efa64680..d965bbb9 100644 --- a/.kitchen.yml +++ b/.kitchen.yml 
@@ -9,11 +9,11 @@ platforms: - name: ubuntu-12.04 driver_config: box: opscode-ubuntu-12.04 - box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-12.04_chef-provisionerless.box + box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-12.04_chef-provisionerless.box - name: ubuntu-14.04 driver_config: box: opscode-ubuntu-14.04 - box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-14.04_chef-provisionerless.box + box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-14.04_chef-provisionerless.box - name: centos-6.4 driver_config: box: opscode-centos-6.4 @@ -21,7 +21,7 @@ platforms: - name: centos-6.5 driver_config: box: opscode-centos-6.5 - box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.5_chef-provisionerless.box + box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.5_chef-provisionerless.box - name: oracle-6.4 driver_config: box: oracle-6.4 diff --git a/.kitchen_debian.yml b/.kitchen_debian.yml index 4121d1aa..0d9a6246 100644 --- a/.kitchen_debian.yml +++ b/.kitchen_debian.yml 
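Review bot: Nothing verifies the box images even after the three `box_url` values move to `https://`: a compromised upstream bucket or a silently re-uploaded image would be accepted and booted. Vagrant can pin a box by digest (`box_download_checksum` with `box_download_checksum_type: sha256`); if the kitchen-vagrant version in use passes those keys through `driver_config`, adding them beside each `box_url` gives an integrity check, otherwise a pre-verified box added with `vagrant box add` and referenced by `box:` alone achieves the same. The oracle-6.x entries in this file's context still pull from `storage.us2.oraclecloud.com/v1/istoilis-istoilis/...`, a namespace that does not look like an official Oracle publication; worth confirming who maintains those images before CI keeps depending on them.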
@@ -11,15 +11,15 @@ platforms: - name: debian-6 driver_config: box: debian-6 - box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-6.0.10_chef-provisionerless.box + box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-6.0.10_chef-provisionerless.box - name: debian-7 driver_config: box: debian-7 - box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-7.8_chef-provisionerless.box + box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-7.8_chef-provisionerless.box - name: debian-8 driver_config: box: debian-8 - box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-8.1_chef-provisionerless.box + box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-8.1_chef-provisionerless.box suites: - name: default roles_path: roles From 46ec321fd4305400c9038b1b555a500b747e9920 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sun, 30 Aug 2015 19:48:46 +0200 Subject: [PATCH 006/115] Update kitchen-ansible, remove separate debian install Due to the new kitchen-ansible version it is now possible to install ansible on all major OS's via a ansible omnibus script which is provided by kitchen ansible. There's no more need to separate the debian tests. --- .kitchen.yml | 15 ++++++++++++++- .kitchen_debian.yml | 31 ------------------------------- README.md | 5 +---- ansible-install.sh | 6 ------ 4 files changed, 15 insertions(+), 42 deletions(-) delete mode 100644 .kitchen_debian.yml delete mode 100644 ansible-install.sh diff --git a/.kitchen.yml b/.kitchen.yml index d965bbb9..ed3f803c 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -5,6 +5,8 @@ provisioner: name: ansible_playbook test_repo_uri: https://github.com/TelekomLabs/tests-mysql-hardening.git hosts: all + require_ansible_repo: false + require_ansible_omnibus: true platforms: - name: ubuntu-12.04 driver_config: 
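Review bot: `require_ansible_omnibus: true` without an accompanying `ansible_omnibus_url` (the two lines added under `provisioner:` in this patch's `.kitchen.yml` hunk) means each converge downloads and runs, as root inside the test VM, whichever installer script the kitchen-ansible gem points at by default, with nothing in this repository pinning it. The suites still carry `ansible_version: 1.9.2`; whether the omnibus path honours that pin is not visible here and should be confirmed, because the version actually under test is what gives the hardening results meaning. Pointing `ansible_omnibus_url` at a tagged or commit-pinned copy of the installer keeps the harness reproducible and makes a changed script show up as a diff instead of a surprise.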
@@ -30,11 +32,22 @@ platforms: driver_config: box: oracle-6.5 box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box +- name: debian-6 + driver_config: + box: debian-6 + box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-6.0.10_chef-provisionerless.box +- name: debian-7 + driver_config: + box: debian-7 + box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-7.8_chef-provisionerless.box +- name: debian-8 + driver_config: + box: debian-8 + box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-8.1_chef-provisionerless.box suites: - name: default roles_path: roles hosts: all - require_ansible_repo: true ansible_verbose: true ansible_version: 1.9.2 provisioner: diff --git a/.kitchen_debian.yml b/.kitchen_debian.yml deleted file mode 100644 index 0d9a6246..00000000 --- a/.kitchen_debian.yml +++ /dev/null @@ -1,31 +0,0 @@ ---- -driver: - name: vagrant -provisioner: - name: ansible_playbook - test_repo_uri: https://github.com/TelekomLabs/tests-os-hardening.git - hosts: all - require_ansible_omnibus: true - ansible_omnibus_url: https://raw.githubusercontent.com/hardening-io/ansible-os-hardening/master/ansible-install.sh -platforms: -- name: debian-6 - driver_config: - box: debian-6 - box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-6.0.10_chef-provisionerless.box -- name: debian-7 - driver_config: - box: debian-7 - box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-7.8_chef-provisionerless.box -- name: debian-8 - driver_config: - box: debian-8 - box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-8.1_chef-provisionerless.box -suites: -- name: default - roles_path: roles - hosts: all - require_ansible_repo: true - ansible_verbose: true - ansible_version: 1.9.2 - provisioner: - playbook: test/integration/playbooks/default.yml 
diff --git a/README.md b/README.md index c45d1efc..1b1bcfed 100644 --- a/README.md +++ b/README.md @@ -98,12 +98,9 @@ sed -i 's/foobar/iloverandompasswordsbutthiswilldo/g' roles/bennojoy.mysql/defau # fast test on one machine bundle exec kitchen test default-ubuntu-1204 -# test on all machines except Debian-based machines +# test on all machines bundle exec kitchen test -# test on Debian-based machines -KITCHEN_YAML=".kitchen_debian.yml" bundle exec kitchen test - # for development bundle exec kitchen create default-ubuntu-1204 bundle exec kitchen converge default-ubuntu-1204 diff --git a/ansible-install.sh b/ansible-install.sh deleted file mode 100644 index ec8d54cb..00000000 --- a/ansible-install.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/bash -sudo apt-get install -y build-essential python-dev python-setuptools -cd /tmp && wget http://releases.ansible.com/ansible/ansible-latest.tar.gz -tar xzf ansible-latest.tar.gz -cd ansible-* && sudo python setup.py install - From c540ba2fe539afb36e6410e587207bb41bf51d18 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sun, 30 Aug 2015 19:53:19 +0200 Subject: [PATCH 007/115] Use correct ansible-playbook in travis file --- spec/travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/travis.yml b/spec/travis.yml index fb76525b..a307e677 100644 --- a/spec/travis.yml +++ b/spec/travis.yml @@ -1,3 +1,3 @@ - hosts: localhost roles: - - ansible-os-hardening + - ansible-mysql-hardening From 2c9b868889ff91c6e271922b0896aa0b59b63606 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sun, 30 Aug 2015 19:55:30 +0200 Subject: [PATCH 008/115] Exclude tags in travis file --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 7ddad4a1..3875ac47 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -11,4 +11,4 @@ install: script: - ansible-playbook --syntax-check spec/travis.yml - - ansible-playbook --sudo -v --diff spec/travis.yml --skip-tags "sysctl" + - ansible-playbook --sudo -v --diff spec/travis.yml From 6b87da306373333167625909dc9632df4ab9e124 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sun, 30 Aug 2015 19:58:15 +0200 Subject: [PATCH 009/115] Add myslq-python install to travis --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 3875ac47..5984a4fd 100644 --- a/.travis.yml +++ b/.travis.yml @@ -3,7 +3,7 @@ language: python python: "2.7" before_install: - sudo apt-get update -qq - - sudo apt-get install -qq python-apt python-pycurl + - sudo apt-get install -qq python-apt python-pycurl mysql-python install: - pip install ansible - echo -e 'localhost ansible_connection=local' > spec/inventory From ae40dc6d332e3efc9ce0c91026f80178b6417086 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sun, 30 Aug 2015 20:01:02 +0200 Subject: [PATCH 010/115] Use correct package for python mysql module --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 5984a4fd..bcc64893 100644 --- a/.travis.yml +++ b/.travis.yml @@ -3,7 +3,7 @@ language: python python: "2.7" before_install: - sudo apt-get update -qq - - sudo apt-get install -qq python-apt python-pycurl mysql-python + - sudo apt-get install -qq python-apt python-pycurl python-mysqldb install: - pip install ansible - echo -e 'localhost ansible_connection=local' > spec/inventory From e21e62a0dc65ba932b8db08e97a46dc9d3d6ff94 Mon Sep 17 00:00:00 2001 
From: Florian Heinle Date: Sat, 17 Oct 2015 18:30:56 +0200 Subject: [PATCH 011/115] fix mysql restart not happening because of missing os specific variable --- roles/ansible-mysql-hardening/handlers/main.yml | 2 +- roles/ansible-mysql-hardening/vars/Debian.yml | 1 + roles/ansible-mysql-hardening/vars/Oracle Linux.yml | 1 + roles/ansible-mysql-hardening/vars/RedHat.yml | 1 + 4 files changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/ansible-mysql-hardening/handlers/main.yml b/roles/ansible-mysql-hardening/handlers/main.yml index 85e3a366..3a31d86a 100644 --- a/roles/ansible-mysql-hardening/handlers/main.yml +++ b/roles/ansible-mysql-hardening/handlers/main.yml @@ -1,4 +1,4 @@ --- - name: restart mysql - service: name='{{}}' state=restarted + service: name='{{ mysql_daemon }}' state=restarted diff --git a/roles/ansible-mysql-hardening/vars/Debian.yml b/roles/ansible-mysql-hardening/vars/Debian.yml index a40233a7..3f8056ba 100644 --- a/roles/ansible-mysql-hardening/vars/Debian.yml +++ b/roles/ansible-mysql-hardening/vars/Debian.yml @@ -1 +1,2 @@ +mysql_daemon: mysql mysql_hardening_mysql_conf: '/etc/mysql/my.cnf' diff --git a/roles/ansible-mysql-hardening/vars/Oracle Linux.yml b/roles/ansible-mysql-hardening/vars/Oracle Linux.yml index 2984b144..230225b0 100644 --- a/roles/ansible-mysql-hardening/vars/Oracle Linux.yml +++ b/roles/ansible-mysql-hardening/vars/Oracle Linux.yml @@ -1 +1,2 @@ +mysql_daemon: mysqld mysql_hardening_mysql_conf: '/etc/my.cnf' diff --git a/roles/ansible-mysql-hardening/vars/RedHat.yml b/roles/ansible-mysql-hardening/vars/RedHat.yml index 2984b144..4bef85f2 100644 --- a/roles/ansible-mysql-hardening/vars/RedHat.yml +++ b/roles/ansible-mysql-hardening/vars/RedHat.yml @@ -1 +1,2 @@ +mysql_daemon: mysql mysql_hardening_mysql_conf: '/etc/my.cnf' From ce8c62bb4a9885f447828e702faf43f17a63d8dc Mon Sep 17 00:00:00 2001 
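Review bot: `vars/RedHat.yml` now sets `mysql_daemon: mysql` while `vars/Oracle Linux.yml` sets `mysql_daemon: mysqld`, yet Oracle Linux is a RedHat-family distribution and the centos-6.4/6.5 boxes in the test matrix take the RedHat file; as far as I recall the EL6 `mysql-server` package registers its init script as `mysqld`, so the RedHat value looks like the wrong one and should be confirmed against an actual CentOS run. This matters beyond a red test: if the name is wrong the `restart mysql` handler fails, and a failed restart means the hardening settings written to `my.cnf` never reach the running server, which is the one outcome this role exists to prevent. Since the handler line is being touched anyway, the Ansible-native argument form avoids the quoting around the Jinja expression: `service:` / `  name: "{{ mysql_daemon }}"` / `  state: restarted`.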
From: Christoph Hartmann Date: Sun, 6 Dec 2015 16:59:05 +0100 Subject: [PATCH 012/115] add changelog generator --- Gemfile | 4 ++++ Rakefile | 11 +++++++++++ 2 files changed, 15 insertions(+) create mode 100644 Rakefile diff --git a/Gemfile b/Gemfile index 83b3bba0..4dfd9cfa 100644 --- a/Gemfile +++ b/Gemfile @@ -29,3 +29,7 @@ end group :openstack do gem 'kitchen-openstack' end + +group :tools do + gem 'github_changelog_generator', '~> 1' +end diff --git a/Rakefile b/Rakefile new file mode 100644 index 00000000..02c58212 --- /dev/null +++ b/Rakefile @@ -0,0 +1,11 @@ +#!/usr/bin/env rake +# encoding: utf-8 + +# Automatically generate a changelog for this project. Only loaded if +# the necessary gem is installed. +begin + require 'github_changelog_generator/task' + GitHubChangelogGenerator::RakeTask.new :changelog +rescue LoadError + puts '>>>>> GitHub Changelog Generator not loaded, omitting tasks' +end From 8eeceea916acd6d4a954984e27aa3fe025a96875 Mon Sep 17 00:00:00 2001 From: Christoph Hartmann Date: Sun, 6 Dec 2015 16:59:26 +0100 Subject: [PATCH 013/115] update changelog --- CHANGELOG.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8b137891..142c4e1d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1 +1,15 @@ +# Change Log +## [Unreleased](https://github.com/hardening-io/ansible-mysql-hardening/tree/HEAD) + +**Merged pull requests:** + +- fix mysql restart not happening because of missing os specific variable [\#5](https://github.com/hardening-io/ansible-mysql-hardening/pull/5) ([fheinle](https://github.com/fheinle)) +- Update kitchen-ansible, remove separate debian install [\#4](https://github.com/hardening-io/ansible-mysql-hardening/pull/4) ([rndmh3ro](https://github.com/rndmh3ro)) +- update common kitchen.yml platforms \(ansible\), kitchen\_debian.yml platforms \(ansible\) [\#3](https://github.com/hardening-io/ansible-mysql-hardening/pull/3) ([chris-rock](https://github.com/chris-rock)) +- Separate system-vars from editable vars. [\#2](https://github.com/hardening-io/ansible-mysql-hardening/pull/2) ([rndmh3ro](https://github.com/rndmh3ro)) +- Add documentation for testing, change value in vars [\#1](https://github.com/hardening-io/ansible-mysql-hardening/pull/1) ([rndmh3ro](https://github.com/rndmh3ro)) + + + +\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* \ No newline at end of file From 877449997f39c7d4095ff98a9ef4805d726318d7 Mon Sep 17 00:00:00 2001 
From: Sebastian Gumprich Date: Fri, 8 Jan 2016 17:00:57 +0100 Subject: [PATCH 014/115] New role layout. Fix #6 --- .kitchen.yml | 5 ++-- README.md | 24 +++++++------------ .../defaults => defaults}/main.yml | 0 .../files => files}/mysql_grants.sql | 0 .../handlers => handlers}/main.yml | 0 .../tasks => tasks}/main.yml | 0 .../templates => templates}/hardening.cnf.j2 | 0 .../vars => vars}/Debian.yml | 0 .../vars => vars}/Oracle Linux.yml | 0 .../vars => vars}/RedHat.yml | 0 .../vars => vars}/main.yml | 0 11 files changed, 12 insertions(+), 17 deletions(-) rename {roles/ansible-mysql-hardening/defaults => defaults}/main.yml (100%) rename {roles/ansible-mysql-hardening/files => files}/mysql_grants.sql (100%) rename {roles/ansible-mysql-hardening/handlers => handlers}/main.yml (100%) rename {roles/ansible-mysql-hardening/tasks => tasks}/main.yml (100%) rename {roles/ansible-mysql-hardening/templates => templates}/hardening.cnf.j2 (100%) rename {roles/ansible-mysql-hardening/vars => vars}/Debian.yml (100%) rename {roles/ansible-mysql-hardening/vars => vars}/Oracle Linux.yml (100%) rename {roles/ansible-mysql-hardening/vars => vars}/RedHat.yml (100%) rename {roles/ansible-mysql-hardening/vars => vars}/main.yml (100%) diff --git a/.kitchen.yml b/.kitchen.yml index ed3f803c..c89444d2 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -3,7 +3,7 @@ driver: name: vagrant provisioner: name: ansible_playbook - test_repo_uri: https://github.com/TelekomLabs/tests-mysql-hardening.git + test_repo_uri: https://github.com/hardening-io/tests-mysql-hardening.git hosts: all require_ansible_repo: false require_ansible_omnibus: true 
@@ -46,9 +46,10 @@ platforms: box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-8.1_chef-provisionerless.box suites: - name: default - roles_path: roles hosts: all ansible_verbose: true ansible_version: 1.9.2 + ansible_diff: true + roles_path: ../ansible-mysql-hardening/ provisioner: playbook: test/integration/playbooks/default.yml diff --git a/README.md b/README.md index 1b1bcfed..d240a5bd 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ This role focuses on security configuration of MySQL. Therefore you can add this ## Requirements -* Ansible +* Ansible ## Usage @@ -20,7 +20,7 @@ Before you use this role make sure to have a valid login-configuration in `~/.my - hosts: localhost roles: - - ansible-os-hardening + - hardening.mysql-hardening This hardening role installs the hardening but expects an existing installation of MySQL, MariaDB or Percona. Please ensure that the following variables are set accordingly: @@ -30,7 +30,7 @@ This hardening role installs the hardening but expects an existing installation ## Security Options -Further information is already available at [Deutsche Telekom (German)](http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si) and [Symantec](http://www.symantec.com/connect/articles/securing-mysql-step-step) +Further information is already available at [Deutsche Telekom (German)](http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si) and [Symantec](http://www.symantec.com/connect/articles/securing-mysql-step-step) * `mysql_hardening_chroot` - [chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot) * `mysql_hardening_options.safe-user-create` - [safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create) 
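Review bot: `roles_path: ../ansible-mysql-hardening/` ties the test harness to the directory name of the checkout; a clone under any other name (forks, CI workspaces named after the repository slug) makes the role unresolvable, and the `.travis.yml` change later in this series relies on the same assumption with `roles_path = ../`. `ansible_diff: true` is useful for reviewing hardening runs, but `--diff` prints the full before/after contents of every templated file into the kitchen log; that is fine for `hardening.cnf.j2` as long as no credential is ever placed in a file this role templates (the README points users at `~/.my.cnf`, which the role should keep leaving alone). A comment above the `roles_path` line stating the assumption, `# expects the repository to be checked out as ansible-mysql-hardening`, would at least make the failure mode discoverable.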
@@ -46,22 +46,22 @@ Further information is already available at [Deutsche Telekom (German)](http://w This setup sets the following parameters by default - # via `mysql_hardening_options.local-infile` + # via `mysql_hardening_options.local-infile` local-infile = 0 - # via `mysql_hardening_options.safe-user-create` + # via `mysql_hardening_options.safe-user-create` safe-user-create = 1 - # via `mysql_hardening_options.safe-user-create` + # via `mysql_hardening_options.safe-user-create` secure-auth = 1 - # via `mysql_hardening_skip_show_database` + # via `mysql_hardening_skip_show_database` skip-show-database - # via `mysql_hardening_options.skip-symbolic-links` + # via `mysql_hardening_options.skip-symbolic-links` skip-symbolic-links - # via `mysql_hardening_chroot.automatic-sp-privileges` + # via `mysql_hardening_chroot.automatic-sp-privileges` automatic_sp_privileges = 0 # via `mysql_hardening_options.secure-file-priv` @@ -89,12 +89,6 @@ bundle install # Fetch tests bundle exec thor kitchen:fetch-remote-tests -# download a MySQL-installation role -ansible-galaxy install -p roles/ bennojoy.mysql - -# change password in MySQL-installation role to match the one from testing -sed -i 's/foobar/iloverandompasswordsbutthiswilldo/g' roles/bennojoy.mysql/defaults/main.yml - # fast test on one machine bundle exec kitchen test default-ubuntu-1204 diff --git a/roles/ansible-mysql-hardening/defaults/main.yml b/defaults/main.yml similarity index 100% rename from roles/ansible-mysql-hardening/defaults/main.yml rename to defaults/main.yml diff --git a/roles/ansible-mysql-hardening/files/mysql_grants.sql b/files/mysql_grants.sql similarity index 100% rename from roles/ansible-mysql-hardening/files/mysql_grants.sql rename to files/mysql_grants.sql diff --git a/roles/ansible-mysql-hardening/handlers/main.yml b/handlers/main.yml similarity index 100% rename from roles/ansible-mysql-hardening/handlers/main.yml rename to handlers/main.yml 
diff --git a/roles/ansible-mysql-hardening/tasks/main.yml b/tasks/main.yml similarity index 100% rename from roles/ansible-mysql-hardening/tasks/main.yml rename to tasks/main.yml diff --git a/roles/ansible-mysql-hardening/templates/hardening.cnf.j2 b/templates/hardening.cnf.j2 similarity index 100% rename from roles/ansible-mysql-hardening/templates/hardening.cnf.j2 rename to templates/hardening.cnf.j2 diff --git a/roles/ansible-mysql-hardening/vars/Debian.yml b/vars/Debian.yml similarity index 100% rename from roles/ansible-mysql-hardening/vars/Debian.yml rename to vars/Debian.yml diff --git a/roles/ansible-mysql-hardening/vars/Oracle Linux.yml b/vars/Oracle Linux.yml similarity index 100% rename from roles/ansible-mysql-hardening/vars/Oracle Linux.yml rename to vars/Oracle Linux.yml diff --git a/roles/ansible-mysql-hardening/vars/RedHat.yml b/vars/RedHat.yml similarity index 100% rename from roles/ansible-mysql-hardening/vars/RedHat.yml rename to vars/RedHat.yml diff --git a/roles/ansible-mysql-hardening/vars/main.yml b/vars/main.yml similarity index 100% rename from roles/ansible-mysql-hardening/vars/main.yml rename to vars/main.yml From 99bcc4391ae7781f9a356c03e24e39f63485713a Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Fri, 8 Jan 2016 17:04:30 +0100 Subject: [PATCH 015/115] Edit README for local testing --- README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README.md b/README.md index d240a5bd..f397194a 100644 --- a/README.md +++ b/README.md @@ -89,6 +89,13 @@ bundle install # Fetch tests bundle exec thor kitchen:fetch-remote-tests +# download a MySQL-installation role +ansible-galaxy install -p roles/ bennojoy.mysql + +# change password in MySQL-installation role to match the one from testing +sed -i 's/foobar/iloverandompasswordsbutthiswilldo/g' roles/bennojoy.mysql/defaults/main.yml + + # fast test on one machine bundle exec kitchen test default-ubuntu-1204 From 38af066c3fd7af2e7c7a81a9202a5d27581e3285 Mon Sep 17 00:00:00 2001 
From: Sebastian Gumprich Date: Fri, 8 Jan 2016 17:12:06 +0100 Subject: [PATCH 016/115] Change role-path in travis-file --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index bcc64893..bfd61deb 100644 --- a/.travis.yml +++ b/.travis.yml @@ -7,7 +7,7 @@ before_install: install: - pip install ansible - echo -e 'localhost ansible_connection=local' > spec/inventory - - echo -e '[defaults]\nroles_path = ./roles\nhostfile = ./spec/inventory' > ansible.cfg + - echo -e '[defaults]\nroles_path = ../\nhostfile = ./spec/inventory' > ansible.cfg script: - ansible-playbook --syntax-check spec/travis.yml From d6bdc34668ce1fa99355c65ff4e464e108f16b97 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sat, 13 Feb 2016 14:36:55 +0100 Subject: [PATCH 017/115] remove whitespace --- defaults/main.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index fd0235cf..297a7360 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -17,25 +17,25 @@ mysql_hardening_skip_grant_tables: false # @see http://www.symantec.com/connect/articles/securing-mysql-step-step # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot mysql_hardening_chroot: "" - + mysql_hardening_options: # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create safe-user-create: 1 - + # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option-mysqld-secure-auth secure-auth: 1 - + # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option-mysqld-symbolic-links skip-symbolic-links: 1 - + # @see http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar-local-infile local-infile: 0 - + # @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option-mysqld-allow-suspicious-udfs allow-suspicious-udfs: 0 - + # @see https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar-automatic-sp-privileges automatic-sp-privileges: 0 - + # @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option-mysqld-secure-file-priv secure-file-priv: '/tmp' From a09b1eab09739a02f80510328cd0394cf5628e99 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sun, 31 Jan 2016 20:36:01 +0100 Subject: [PATCH 018/115] update platforms in meta-file this way the match the style used by ansible galaxy. --- meta/main.yml | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/meta/main.yml b/meta/main.yml index 50ab0294..89625fe6 100644 --- a/meta/main.yml +++ b/meta/main.yml 
@@ -1,28 +1,29 @@ --- galaxy_info: author: "Sebastian Gumprich" - description: ' This Ansible playbook provides numerous security-related configurations, providing all-round base protection.' + description: 'This Ansible playbook provides numerous security-related configurations, providing all-round base protection.' company: Hardening Framework Team license: Apache License 2.0 min_ansible_version: '1.9' platforms: - name: EL versions: - - 6.4 - - 6.5 + - 6 - name: Oracle Linux versions: - - 6.4 - - 6.5 + - 6 - name: Ubuntu versions: - - 12.04 - - 14.04 + - precise + - trusty - name: Debian versions: - - 6 - - 7 - categories: + - squeeze + - wheezy + galaxy_tags: - system - security + - hardening + - database + - mysql dependencies: [] From ee7d79e976d08a0d1999a79589652a388e7c1b32 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Mon, 1 Feb 2016 18:46:32 +0100 Subject: [PATCH 019/115] add webhook for ansible galaxy This way the build status is shown on ansible-galaxy. --- .travis.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.travis.yml b/.travis.yml index bfd61deb..4e4ba7fe 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,4 +1,6 @@ --- +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ language: python python: "2.7" before_install: From 25e6e0f478168b590b41fe7e1e1bb191a5a75a4b Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Fri, 8 Jan 2016 17:07:58 +0100 Subject: [PATCH 020/115] Simplify local testing with custom role --- .kitchen.yml | 1 + README.md | 1 - requirements.txt | 1 + 3 files changed, 2 insertions(+), 1 deletion(-) create mode 100644 requirements.txt diff --git a/.kitchen.yml b/.kitchen.yml index c89444d2..0f19c3f1 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -7,6 +7,7 @@ provisioner: hosts: all require_ansible_repo: false require_ansible_omnibus: true + requirements_path: requirements.txt platforms: - name: ubuntu-12.04 driver_config: diff --git a/README.md b/README.md index f397194a..e99cdb84 100644 
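Review bot: The Debian `versions:` list in `meta/main.yml` now names only `squeeze` and `wheezy`, but the kitchen matrix on this page also boots `debian-8` (jessie), so Galaxy advertises a narrower platform set than is actually exercised; add `- jessie` or drop the untested platform from the matrix, whichever is intended. Keeping `min_ansible_version: '1.9'` quoted is the right call, since unquoted it would parse as the float 1.9 rather than a version string.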
--- a/README.md +++ b/README.md @@ -95,7 +95,6 @@ ansible-galaxy install -p roles/ bennojoy.mysql # change password in MySQL-installation role to match the one from testing sed -i 's/foobar/iloverandompasswordsbutthiswilldo/g' roles/bennojoy.mysql/defaults/main.yml - # fast test on one machine bundle exec kitchen test default-ubuntu-1204 diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 00000000..04379a2b --- /dev/null +++ b/requirements.txt @@ -0,0 +1 @@ +zufallsheld.mysql From 9df80acddae0bead22beee2f4c809bc47a229fec Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sat, 5 Mar 2016 22:18:23 +0100 Subject: [PATCH 021/115] add test support for ansible 2.0 and 1.9 --- .kitchen.yml | 11 +++++++++-- .travis.yml | 9 ++++++++- 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/.kitchen.yml b/.kitchen.yml index c89444d2..f451e4fd 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -45,10 +45,17 @@ platforms: box: debian-8 box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-8.1_chef-provisionerless.box suites: -- name: default +- name: ansible_1.9 + hosts: all + ansible_verbose: true + ansible_diff: true + roles_path: ../ansible-mysql-hardening/ + provisioner: + playbook: test/integration/playbooks/default.yml + ansible_version: 1.9.4 +- name: ansible_latest hosts: all ansible_verbose: true - ansible_version: 1.9.2 ansible_diff: true roles_path: ../ansible-mysql-hardening/ provisioner: diff --git a/.travis.yml b/.travis.yml index bfd61deb..48e33a08 100644 --- a/.travis.yml +++ b/.travis.yml 
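Review bot: The new `requirements.txt` pins nothing: its single entry `zufallsheld.mysql` makes every converge pull the current head of a Galaxy role that installs the database under test, so the harness result can change without any commit here, and a re-published or compromised role would be executed as root in the test VM. Galaxy's plain-text format accepts a version after a comma, `zufallsheld.mysql,<tag>`, and the YAML format (`requirements.yml`, which a later commit in this series adopts) takes `src:` and `version:` keys; pin to a tag or commit and bump deliberately. The `ansible_latest` suite added to `.kitchen.yml` in the same line is floating too, though there an unpinned version is presumably the intent.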
@@ -1,11 +1,18 @@ --- +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ language: python python: "2.7" + +env: + - ANSIBLE_VERSION=latest + - ANSIBLE_VERSION=1.9.4 + before_install: - sudo apt-get update -qq - sudo apt-get install -qq python-apt python-pycurl python-mysqldb install: - - pip install ansible + - if [ "$ANSIBLE_VERSION" = "latest" ]; then pip install ansible; else pip install ansible==$ANSIBLE_VERSION; fi - echo -e 'localhost ansible_connection=local' > spec/inventory - echo -e '[defaults]\nroles_path = ../\nhostfile = ./spec/inventory' > ansible.cfg From f56e209eff930324fb578486f8cde5cbfe3932f8 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sun, 22 May 2016 20:00:08 +0200 Subject: [PATCH 022/115] update readme, kitchen.yml, requirements.yml readme: - make vars a table - replace hardening with dev-sec - add anton to authors kitchen.yml - consolidate variables use geerlingguy mysql role --- .kitchen.yml | 18 +++++-------- README.md | 66 ++++++++++++++---------------------------------- requirements.txt | 1 - requirements.yml | 1 + 4 files changed, 26 insertions(+), 60 deletions(-) delete mode 100644 requirements.txt create mode 100644 requirements.yml diff --git a/.kitchen.yml b/.kitchen.yml index 791b57f3..8d4b5416 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -5,9 +5,14 @@ provisioner: name: ansible_playbook test_repo_uri: https://github.com/hardening-io/tests-mysql-hardening.git hosts: all + playbook: default.yml require_ansible_repo: false require_ansible_omnibus: true - requirements_path: requirements.txt + requirements_path: requirements.yml + ansible_verbose: true + ansible_diff: true + roles_path: ../ansible-mysql-hardening/ + platforms: - name: ubuntu-12.04 driver_config: 
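Review bot: The `ANSIBLE_VERSION=latest` leg of the new `env:` matrix runs an unpinned `pip install ansible`, so a new upstream release can turn the build red with no change to this role and block merges that pass on the pinned 1.9.4 leg. If latest is meant as an early-warning canary rather than a gate, mark it `matrix:` / `  allow_failures:` / `    - env: ANSIBLE_VERSION=latest`; if it is meant as a gate, pin it and bump deliberately. The unchanged `hostfile =` key in the generated `ansible.cfg` is, as far as I recall, the pre-2.0 name of the `inventory` setting, so the latest leg may also be exercising a deprecated option—worth checking the warning output of that job.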
@@ -47,17 +52,6 @@ platforms: box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-8.1_chef-provisionerless.box suites: - name: ansible_1.9 - hosts: all - ansible_verbose: true - ansible_diff: true - roles_path: ../ansible-mysql-hardening/ provisioner: - playbook: test/integration/playbooks/default.yml ansible_version: 1.9.4 - name: ansible_latest - hosts: all - ansible_verbose: true - ansible_diff: true - roles_path: ../ansible-mysql-hardening/ - provisioner: - playbook: test/integration/playbooks/default.yml diff --git a/README.md b/README.md index e99cdb84..20244c1b 100644 --- a/README.md +++ b/README.md @@ -11,6 +11,7 @@ This role focuses on security configuration of MySQL. Therefore you can add this ## Requirements * Ansible +* Python MySQL-DB Package ## Usage @@ -20,7 +21,7 @@ Before you use this role make sure to have a valid login-configuration in `~/.my - hosts: localhost roles: - - hardening.mysql-hardening + - dev-sec.mysql-hardening This hardening role installs the hardening but expects an existing installation of MySQL, MariaDB or Percona. Please ensure that the following variables are set accordingly: 
@@ -32,48 +33,21 @@ This hardening role installs the hardening but expects an existing installation Further information is already available at [Deutsche Telekom (German)](http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si) and [Symantec](http://www.symantec.com/connect/articles/securing-mysql-step-step) -* `mysql_hardening_chroot` - [chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot) -* `mysql_hardening_options.safe-user-create` - [safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create) -* `mysql_hardening_options.safe-user-create` - [secure-auth](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth) -* `mysql_hardening_options.skip-symbolic-links` - [skip-symbolic-links](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links) -* `mysql_hardening_skip_show_database` - [skip-show-database](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database) -* `mysql_hardening_options.local-infile` - [local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile) -* `mysql_hardening_options.allow-suspicious-udfs` - [allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs) -* `mysql_hardening_chroot.automatic-sp-privileges` - [automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges) -* `mysql_hardening_options.secure-file-priv` - [secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv) - -## Security Configuration - -This setup sets the following parameters by default - - # via `mysql_hardening_options.local-infile` - local-infile = 0 - - # via `mysql_hardening_options.safe-user-create` - safe-user-create = 1 - - # via 
`mysql_hardening_options.safe-user-create` - secure-auth = 1 - - # via `mysql_hardening_skip_show_database` - skip-show-database - - # via `mysql_hardening_options.skip-symbolic-links` - skip-symbolic-links - - # via `mysql_hardening_chroot.automatic-sp-privileges` - automatic_sp_privileges = 0 - - # via `mysql_hardening_options.secure-file-priv` - secure-file-priv = /tmp - - -Additionally it ensures that the following parameters are not set - - * deactivate old-passwords via `mysql_hardening_options.secure-auth` - * deactivate allow-suspicious-udfs via `mysql_hardening_options.allow-suspicious-udfs` - * skip-grant-tables via `mysql_hardening_skip_grant_tables` - * the permissions of `/var/lib/mysql` is limited to `mysql` user. +| Name | Default Value | Description | +| -------------- | ------------- | -----------------------------------| +| `mysql_hardening_chroot` | "" | [chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot)| +| `mysql_hardening_options.safe-user-create` | 1 | [safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create)| +| `mysql_hardening_options.secure-auth` | 1 | [secure-auth](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth)| +| `mysql_hardening_options.skip-symbolic-links` | 1 | [skip-symbolic-links](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links)| +| `mysql_hardening_skip_grant_tables:` | false | [skip-grant-tables](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables)| +| `mysql_hardening_skip_show_database` | 1 | [skip-show-database](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database)| +| `mysql_hardening_options.local-infile` | 0 | [local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile)| +| `mysql_hardening_options.allow-suspicious-udfs` | 0 | 
[allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs)| +| `mysql_hardening_chroot.automatic-sp-privileges` | 0 | [automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges)| +| `mysql_hardening_options.secure-file-priv` | /tmp | [secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv)| +| `mysql_allow_remote_root` | false | delete remote root users | +| `mysql_remove_anonymous_users` | true | remove users without authentication | +| `mysql_remove_test_database` | true | remove test database | ## Local Testing @@ -108,13 +82,11 @@ bundle exec kitchen converge default-ubuntu-1204 For more information see [test-kitchen](http://kitchen.ci/docs/getting-started) -## Contributors + Kudos - -... ## License and Author * Author:: Sebastian Gumprich +* Author:: Anton Lugovoi Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -128,4 +100,4 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. -[3]: https://gitter.im/hardening-io/general +[3]: https://gitter.im/dev-sec/general \ No newline at end of file diff --git a/requirements.txt b/requirements.txt deleted file mode 100644 index 04379a2b..00000000 --- a/requirements.txt +++ /dev/null @@ -1 +0,0 @@ -zufallsheld.mysql diff --git a/requirements.yml b/requirements.yml new file mode 100644 index 00000000..9fb44f01 --- /dev/null +++ b/requirements.yml @@ -0,0 +1 @@ +- src: geerlingguy.mysql From 3d7eadc31c83b1e0b72a60f7432e76067c7eee0f Mon Sep 17 00:00:00 2001 
From: Sebastian Gumprich Date: Sun, 22 May 2016 20:02:45 +0200 Subject: [PATCH 023/115] add default playbook for testing --- .gitignore | 2 -- default.yml | 10 ++++++++++ 2 files changed, 10 insertions(+), 2 deletions(-) create mode 100644 default.yml diff --git a/.gitignore b/.gitignore index 015abea8..fbe87e09 100644 --- a/.gitignore +++ b/.gitignore @@ -11,5 +11,3 @@ Berksfile.lock ansible.cfg hosts -default.yml -roles/bennojoy.mysql/ diff --git a/default.yml b/default.yml new file mode 100644 index 00000000..7c5ef41d --- /dev/null +++ b/default.yml @@ -0,0 +1,10 @@ +--- +- name: wrapper playbook for kitchen testing "ansible-mysql-hardening" + hosts: localhost + vars: + overwrite_global_mycnf: no + mysql_hardening_enabled: yes + mysql_root_password: "root" + roles: + - geerlingguy.mysql + - ansible-mysql-hardening From 43b5e1ec947f51fcf622ff674224d97d1980f8bf Mon Sep 17 00:00:00 2001 From: fitz123 Date: Sat, 21 May 2016 17:48:18 +0700 Subject: [PATCH 024/115] alt version initial commit --- defaults/main.yml | 3 ++ tasks/configure.yml | 18 ++++++++++++ tasks/main.yml | 30 ++++++------------- tasks/mysql_secure_installation.yml | 45 +++++++++++++++++++++++++++++ templates/my.cnf.j2 | 4 +++ 5 files changed, 79 insertions(+), 21 deletions(-) create mode 100644 tasks/configure.yml create mode 100644 tasks/mysql_secure_installation.yml create mode 100644 templates/my.cnf.j2 diff --git a/defaults/main.yml b/defaults/main.yml index 297a7360..61a5ac02 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,7 +1,10 @@ +mysql_hardening_enabled: yes # general configuration mysql_hardening_user: 'mysql' +mysql_hardening_group: 'mysql' mysql_datadir: '/var/lib/mysql' mysql_hardening_hardening_conf: '/etc/mysql/conf.d/hardening.cnf' +mysql_root_password: "{{ lookup('env','mysql_root_password') }}" # ensure the following parameters are set properly mysql_allow_remote_root: false 
diff --git a/tasks/configure.yml b/tasks/configure.yml new file mode 100644 index 00000000..6c3ec940 --- /dev/null +++ b/tasks/configure.yml @@ -0,0 +1,18 @@ +--- + +- name: protect my.cnf + file: path='{{mysql_hardening_mysql_conf}}' mode=0600 owner=root group=root + +- name: ensure permissions on mysql-datadir are correct + file: path='{{mysql_datadir}}' state=directory owner='{{mysql_hardening_user}}' group='{{mysql_hardening_user}}' + +- name: check mysql configuration-directory exists and has right permissions + file: path='/etc/mysql/conf.d' state=directory owner='{{mysql_hardening_user}}' group='{{mysql_hardening_group}}' mode=0470 + +- name: check include-dir directive is present in my.cnf + lineinfile: dest='{{mysql_hardening_mysql_conf}}' line='!includedir /etc/mysql/conf.d/' insertafter='EOF' state=present backup=yes + notify: restart mysql + +- name: apply hardening configuration + template: src='hardening.cnf.j2' dest='{{mysql_hardening_hardening_conf}}' owner='{{mysql_hardening_user}}' group='{{mysql_hardening_group}}' mode=0460 + notify: restart mysql diff --git a/tasks/main.yml b/tasks/main.yml index fb69230c..995202d3 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
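Review bot: The `check mysql configuration-directory` and `apply hardening configuration` tasks give `/etc/mysql/conf.d` (mode 0470) and `hardening.cnf` (mode 0460) to `mysql_hardening_user`:`mysql_hardening_group`, and with both defaulting to `mysql` in this patch's defaults/main.yml the service account ends up with group write on the very files meant to constrain it, while `protect my.cnf` at the top of the same file locks `my.cnf` to `root:root 0600`. Hardening config should follow the `my.cnf` pattern — owned by root, readable by the daemon's group, writable by neither — for example `owner=root group='{{mysql_hardening_group}}' mode=0640` for the file and `mode=0750` for the directory, provided `mysql_hardening_group` stays the group mysqld runs as. As written, 0470 also leaves the owner without the execute bit, so the owner cannot traverse the directory at all, which is unlikely to be intended. The datadir task uses `group='{{mysql_hardening_user}}'` where the other tasks use `mysql_hardening_group`; presumably the group variable was meant throughout.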
@@ -4,25 +4,13 @@ include_vars: "{{ ansible_os_family }}.yml" tags: always -- name: protect my.cnf - file: path='{{mysql_hardening_mysql_conf}}' mode=0600 owner=root group=root +- include: configure.yml + when: mysql_hardening_enabled + tags: + - mysql_hardening -- name: ensure permissions on mysql-datadir are correct - file: path='{{mysql_datadir}}' state=directory owner='{{mysql_hardening_user}}' group='{{mysql_hardening_user}}' - -- name: create mysql configuration-directory - file: path='/etc/mysql/conf.d' state=directory owner='{{mysql_hardening_user}}' mode=0600 - -- name: add include-dir directive to my.cnf - lineinfile: dest='{{mysql_hardening_mysql_conf}}' line='!includedir /etc/mysql/conf.d/' insertafter='^\[mysql\]' state=present backup=yes - -- name: apply hardening configuration - template: src='hardening.cnf.j2' dest='{{mysql_hardening_hardening_conf}}' owner='{{mysql_hardening_user}}' mode=0750 - notify: restart mysql - -# Copy database dump file to remote host and restore it to database 'my_db' -- name: copy the sql-script to the remote host - copy: src='mysql_grants.sql' dest='/tmp/' - -- name: run the mysql_grants.sql script - mysql_db: name='mysql' state=import target='/tmp/mysql_grants.sql' +- include: mysql_secure_installation.yml + when: mysql_hardening_enabled and mysql_root_password != '' + tags: + - mysql_hardening + - mysql_secure_installation diff --git a/tasks/mysql_secure_installation.yml b/tasks/mysql_secure_installation.yml new file mode 100644 index 00000000..8491da0d --- /dev/null +++ b/tasks/mysql_secure_installation.yml 
@@ -0,0 +1,45 @@ +--- + +- name: Install python-mysqldb for Ansible + package: pkg=python-mysqldb state=present + +- name: root password is present + mysql_user: name=root host={{ item }} password={{ mysql_root_password }} state=present + with_items: + - '::1' + - '127.0.0.1' + - 'localhost' + +- name: root has .my.cnf + template: src=my.cnf.j2 dest=/root/.my.cnf + owner=root group=root mode=0600 + tags: my_cnf + +# Can use only if ansible ver => 2.1 +#- name: anonymous users are absent +# mysql_user: name='' state=absent host_all=yes +# when: mysql_remove_anonymous_users +- name: anonymous users are absent + command: 'mysql -ne "{{ item }}"' + with_items: + - DELETE FROM mysql.user WHERE User='' + when: mysql_remove_anonymous_users + changed_when: false + +- name: remote root login is restricted + command: 'mysql -ne "{{ item }}"' + with_items: + - DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1') + when: not mysql_allow_remote_root + changed_when: false + +- name: test database is absent + mysql_db: name=test state=absent + when: mysql_remove_test_database + +- name: access to test database is absent + command: 'mysql -ne "{{ item }}"' + with_items: + - DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%' + when: mysql_remove_test_database + changed_when: false diff --git a/templates/my.cnf.j2 b/templates/my.cnf.j2 new file mode 100644 index 00000000..3996fffc --- /dev/null +++ b/templates/my.cnf.j2 @@ -0,0 +1,4 @@ +[client] +user=root +password='{{ mysql_root_password }}' +#ssl From 8986cd94504696c4d930c5930487f274228a53d0 Mon Sep 17 00:00:00 2001 From: fitz123 Date: Sat, 21 May 2016 18:11:03 +0700 Subject: [PATCH 025/115] remove .sql file --- files/mysql_grants.sql | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 files/mysql_grants.sql diff --git a/files/mysql_grants.sql b/files/mysql_grants.sql deleted file mode 100644 index 5312c5ac..00000000 --- a/files/mysql_grants.sql +++ /dev/null 
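Review bot: The `anonymous users are absent` and `remote root login is restricted` tasks delete rows from `mysql.user` directly but never issue `FLUSH PRIVILEGES`, so the server's in-memory grant tables still hold those accounts until it restarts or someone flushes by hand; add `- FLUSH PRIVILEGES` as the last `with_items` entry of each (the `mysql.db` cleanup for the test database needs it too). Both tasks also carry `changed_when: false`, which reports an account-deleting statement as a no-op; registering the command and deriving `changed_when` from a preceding row count would keep the play's change report honest. The `root password is present` task passes `{{ mysql_root_password }}` as a bare key=value argument, so a value containing whitespace or quotes breaks argument parsing, and the task deserves `no_log: true` so the value does not reach verbose output. The `templates/my.cnf.j2` hunk on this line has the matching problem: `password='{{ mysql_root_password }}'` breaks the option file for any password containing `'`.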
@@ -1,4 +0,0 @@ -DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1'); -DELETE FROM mysql.user WHERE User=''; -DROP DATABASE IF EXISTS test; -DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%'; From 2a8f03d0cc8726dcab3da34cf5cb8a464150f702 Mon Sep 17 00:00:00 2001 From: fitz123 Date: Sat, 21 May 2016 21:03:36 +0700 Subject: [PATCH 026/115] replace all mysql-client related tasks by ansible mysql modules tasks --- defaults/main.yml | 2 +- files/mysql_remove_anonymous_users.sql | 1 + files/mysql_remove_remote_root.sql | 1 + tasks/mysql_secure_installation.yml | 64 +++++++++++++++++--------- 4 files changed, 44 insertions(+), 24 deletions(-) create mode 100644 files/mysql_remove_anonymous_users.sql create mode 100644 files/mysql_remove_remote_root.sql diff --git a/defaults/main.yml b/defaults/main.yml index 61a5ac02..e0ebd84a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,7 +7,7 @@ mysql_hardening_hardening_conf: '/etc/mysql/conf.d/hardening.cnf' mysql_root_password: "{{ lookup('env','mysql_root_password') }}" # ensure the following parameters are set properly -mysql_allow_remote_root: false +mysql_remove_remote_root: true mysql_remove_anonymous_users: true mysql_remove_test_database: true diff --git a/files/mysql_remove_anonymous_users.sql b/files/mysql_remove_anonymous_users.sql new file mode 100644 index 00000000..916d83ef --- /dev/null +++ b/files/mysql_remove_anonymous_users.sql @@ -0,0 +1 @@ +DELETE FROM mysql.user WHERE User=''; diff --git a/files/mysql_remove_remote_root.sql b/files/mysql_remove_remote_root.sql new file mode 100644 index 00000000..a95b9901 --- /dev/null +++ b/files/mysql_remove_remote_root.sql @@ -0,0 +1 @@ +DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1'); diff --git a/tasks/mysql_secure_installation.yml b/tasks/mysql_secure_installation.yml index 8491da0d..f7e2293a 100644 --- a/tasks/mysql_secure_installation.yml 
+++ b/tasks/mysql_secure_installation.yml @@ -1,7 +1,17 @@ --- +# supported for ansible ver => 2.0 +#- name: Install python-mysqldb for Ansible +# package: pkg=python-mysqldb state=present + + - name: Install python-mysqldb for Ansible - package: pkg=python-mysqldb state=present + apt: name=python-mysqldb state=present + when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' + +- name: Install python-mysqldb for Ansible + yum: name=python-mysqldb state=present + when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux' - name: root password is present mysql_user: name=root host={{ item }} password={{ mysql_root_password }} state=present 
@@ -15,31 +25,39 @@ owner=root group=root mode=0600 tags: my_cnf -# Can use only if ansible ver => 2.1 -#- name: anonymous users are absent -# mysql_user: name='' state=absent host_all=yes -# when: mysql_remove_anonymous_users -- name: anonymous users are absent - command: 'mysql -ne "{{ item }}"' - with_items: - - DELETE FROM mysql.user WHERE User='' - when: mysql_remove_anonymous_users - changed_when: false - -- name: remote root login is restricted - command: 'mysql -ne "{{ item }}"' - with_items: - - DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1') - when: not mysql_allow_remote_root - changed_when: false - - name: test database is absent mysql_db: name=test state=absent when: mysql_remove_test_database -- name: access to test database is absent - command: 'mysql -ne "{{ item }}"' +# Can use only if ansible ver => 2.1 +#- name: anonymous users are absent +# mysql_user: name='' state=absent host_all=yes +# when: mysql_remove_anonymous_users + +- name: copy mysql_remove_anonymous_users + copy: src='{{ item }}.sql' dest='/tmp/{{ item }}.sql' with_items: - - DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%' - when: mysql_remove_test_database + - mysql_remove_anonymous_users + when: mysql_remove_anonymous_users + changed_when: false + +- name: apply mysql_remove_anonymous_users + mysql_db: name='mysql' state=import target='/tmp/{{ item }}.sql' + with_items: + - mysql_remove_anonymous_users + when: mysql_remove_anonymous_users + changed_when: false + +- name: copy mysql_remove_remote_root + copy: src='{{ item }}.sql' dest='/tmp/{{ item }}.sql' + with_items: + - mysql_remove_remote_root + when: mysql_remove_remote_root + changed_when: false + +- name: apply mysql_remove_remote_root + mysql_db: name='mysql' state=import target='/tmp/{{ item }}.sql' + with_items: + - mysql_remove_remote_root + when: mysql_remove_remote_root changed_when: false From 67a3b14051158000bb1be87da4fda96d8538de46 Mon Sep 17 00:00:00 2001 
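Review bot: This rewrite drops the `access to test database is absent` task without replacement: `mysql_db: name=test state=absent` removes the database, but the `mysql.db` rows granting every account access to `test` and `test\_%` survive, so any login can recreate a `test_...` database (the original mysql_grants.sql deleted in patch 025 did cover this). The new copy-then-import pairs stage account-deleting SQL at the predictable path `/tmp/{{item}}.sql` and never remove it; a directory other local users cannot write to, or the `tempfile` module plus a cleanup task, would be the safer staging area. Neither mysql_remove_anonymous_users.sql nor mysql_remove_remote_root.sql (the one-line files added in this patch) ends with `FLUSH PRIVILEGES;`, so the deleted accounts stay active in the running server until a restart, and `changed_when: false` on the import tasks masks the change entirely. Note also that this patch renames `mysql_allow_remote_root` to `mysql_remove_remote_root` (with inverted meaning) in defaults/main.yml, while the README table from patch 022 still documents `mysql_allow_remote_root`.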
From: fitz123 Date: Sat, 21 May 2016 23:10:36 +0700 Subject: [PATCH 027/115] disable role by default --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index e0ebd84a..59b1d745 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,4 +1,4 @@ -mysql_hardening_enabled: yes +mysql_hardening_enabled: no # general configuration mysql_hardening_user: 'mysql' mysql_hardening_group: 'mysql' From 57937c0170d9549526646c92f145d9a98399335d Mon Sep 17 00:00:00 2001 From: fitz123 Date: Mon, 23 May 2016 01:04:17 +0700 Subject: [PATCH 028/115] change default admin group mysql->root --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 59b1d745..e137d448 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,7 +1,7 @@ mysql_hardening_enabled: no # general configuration mysql_hardening_user: 'mysql' -mysql_hardening_group: 'mysql' +mysql_hardening_group: 'root' mysql_datadir: '/var/lib/mysql' mysql_hardening_hardening_conf: '/etc/mysql/conf.d/hardening.cnf' mysql_root_password: "{{ lookup('env','mysql_root_password') }}" From 888247733806440eb55c8c3ef6d382ddfb980b89 Mon Sep 17 00:00:00 2001 From: fitz123 Date: Mon, 23 May 2016 01:08:33 +0700 Subject: [PATCH 029/115] fixed package name for RHEL: python-mysqldb->MySQL-python --- tasks/mysql_secure_installation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/mysql_secure_installation.yml b/tasks/mysql_secure_installation.yml index f7e2293a..b929a7c2 100644 --- a/tasks/mysql_secure_installation.yml +++ b/tasks/mysql_secure_installation.yml 
@@ -10,7 +10,7 @@ when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' - name: Install python-mysqldb for Ansible - yum: name=python-mysqldb state=present + yum: name=MySQL-python state=present when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux' - name: root password is present From dfc4c813c83439663a47596f2bf18e3f9ce56e16 Mon Sep 17 00:00:00 2001 From: fitz123 Date: Wed, 1 Jun 2016 01:38:56 +0700 Subject: [PATCH 030/115] add 'mysql_user_home' variable and turn on role by default --- defaults/main.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index e137d448..490802e5 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,10 +1,13 @@ -mysql_hardening_enabled: no +# switcher to enable/disable role +mysql_hardening_enabled: yes + # general configuration mysql_hardening_user: 'mysql' mysql_hardening_group: 'root' mysql_datadir: '/var/lib/mysql' mysql_hardening_hardening_conf: '/etc/mysql/conf.d/hardening.cnf' -mysql_root_password: "{{ lookup('env','mysql_root_password') }}" +mysql_user_home: "{{ ansible_env.HOME}}" +mysql_root_password: '-----====>SetR00tPa$$wordH3r3!!!<====-----' # ensure the following parameters are set properly mysql_remove_remote_root: true From 780c4affdef76919492e8557419bf62364de2832 Mon Sep 17 00:00:00 2001 From: fitz123 Date: Wed, 1 Jun 2016 01:39:35 +0700 Subject: [PATCH 031/115] install .my.cnf into 'mysql_user_home' location instead of hardcoded /root --- tasks/mysql_secure_installation.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/mysql_secure_installation.yml b/tasks/mysql_secure_installation.yml index b929a7c2..8b9c6364 100644 --- a/tasks/mysql_secure_installation.yml +++ b/tasks/mysql_secure_installation.yml 
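Review bot: `mysql_root_password: '-----====>SetR00tPa$$wordH3r3!!!<====-----'` turns a published placeholder into the credential the role actually sets on root (`root password is present` in tasks/mysql_secure_installation.yml), and because the default is non-empty, the `mysql_root_password != ''` guard in tasks/main.yml (removed in patch 036) and the `| mandatory` filter added in patches 032 and 033 can never trip on it. A role default should not be a usable password: leave the variable undefined (or empty and gated) so that `mandatory` or an `assert` stops the run. `mysql_user_home: "{{ ansible_env.HOME}}"` is the home of whichever user facts were gathered as — presumably root under `become` — but otherwise the `.my.cnf` written there in patch 031 lands in an unprivileged user's home; a comment stating the expectation would help. `mysql_hardening_enabled: yes` is a YAML 1.1 boolean; `true` is the portable spelling.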
@@ -20,8 +20,8 @@ - '127.0.0.1' - 'localhost' -- name: root has .my.cnf - template: src=my.cnf.j2 dest=/root/.my.cnf +- name: install .my.cnf with credentials + template: src=my.cnf.j2 dest={{mysql_user_home}}/.my.cnf owner=root group=root mode=0600 tags: my_cnf From 9289dc81a730abafc4f2ffea68f9a176f2588ebb Mon Sep 17 00:00:00 2001 From: fitz123 Date: Wed, 1 Jun 2016 02:09:07 +0700 Subject: [PATCH 032/115] make mysql_root_password as mandatory variable --- templates/my.cnf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/my.cnf.j2 b/templates/my.cnf.j2 index 3996fffc..ce66b13e 100644 --- a/templates/my.cnf.j2 +++ b/templates/my.cnf.j2 @@ -1,4 +1,4 @@ [client] user=root -password='{{ mysql_root_password }}' +password='{{ mysql_root_password | mandatory }}' #ssl From 01bd7bcedee322506a667c8e5f9155f6e9ed082a Mon Sep 17 00:00:00 2001 From: fitz123 Date: Wed, 1 Jun 2016 02:10:42 +0700 Subject: [PATCH 033/115] make mysql_root_password mandatory variable and change owner/group permissions for users .my.cnf --- tasks/mysql_secure_installation.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/mysql_secure_installation.yml b/tasks/mysql_secure_installation.yml index 8b9c6364..866038eb 100644 --- a/tasks/mysql_secure_installation.yml +++ b/tasks/mysql_secure_installation.yml @@ -14,7 +14,7 @@ when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux' - name: root password is present - mysql_user: name=root host={{ item }} password={{ mysql_root_password }} state=present + mysql_user: name=root host={{ item }} password={{ mysql_root_password | mandatory }} state=present with_items: - '::1' - '127.0.0.1' @@ -22,7 +22,7 @@ - name: install .my.cnf with credentials template: src=my.cnf.j2 dest={{mysql_user_home}}/.my.cnf - owner=root group=root mode=0600 + mode=0400 tags: my_cnf - name: test database is absent From 6542799382d02fed35ee980da0550d5d27e00bf7 Mon Sep 17 00:00:00 2001 
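Review bot: The `.my.cnf` hunk of patch 033 removes `owner=root group=root` and keeps only `mode=0400`, so the owner of the file that now carries the root database password is whatever user the task happens to run as. If a per-user credentials file under `mysql_user_home` is the intent, say so explicitly with an `owner=` argument and a comment rather than relying on the module default.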
From: fitz123 Date: Wed, 1 Jun 2016 02:16:18 +0700 Subject: [PATCH 034/115] add warning about using default mysql_root_password --- tasks/mysql_secure_installation.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tasks/mysql_secure_installation.yml b/tasks/mysql_secure_installation.yml index 866038eb..53a6fd3b 100644 --- a/tasks/mysql_secure_installation.yml +++ b/tasks/mysql_secure_installation.yml @@ -13,6 +13,9 @@ yum: name=MySQL-python state=present when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux' +- debug: msg="WARNING - you have to change default mysql_root_password" + when: mysql_root_password == '-----====>SetR00tPa$$wordH3r3!!!<====-----' + - name: root password is present mysql_user: name=root host={{ item }} password={{ mysql_root_password | mandatory }} state=present with_items: From f4e84e5fed2e1783fafd5cdc21d3d58868de206c Mon Sep 17 00:00:00 2001 From: fitz123 Date: Wed, 1 Jun 2016 02:20:52 +0700 Subject: [PATCH 035/115] add comments into defaults --- defaults/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 490802e5..32b0ea00 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -6,8 +6,10 @@ mysql_hardening_user: 'mysql' mysql_hardening_group: 'root' mysql_datadir: '/var/lib/mysql' mysql_hardening_hardening_conf: '/etc/mysql/conf.d/hardening.cnf' -mysql_user_home: "{{ ansible_env.HOME}}" +# You have to change this to your own strong enough mysql root password mysql_root_password: '-----====>SetR00tPa$$wordH3r3!!!<====-----' +# There .my.cnf with mysql root credentials will be installed +mysql_user_home: "{{ ansible_env.HOME}}" # ensure the following parameters are set properly mysql_remove_remote_root: true From 8f1d970bd27c21d7c5a2cae25caeff7f63183305 Mon Sep 17 00:00:00 2001 
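Review bot: `debug: msg="WARNING - you have to change default mysql_root_password"` only prints; the play continues and the next task sets the placeholder as the real root password. Make it a hard stop: `- fail: msg="mysql_root_password must be changed from the role default"` under the same `when:`. The condition repeats the default value verbatim, so the check silently stops firing if defaults/main.yml is edited without this line; comparing against a shared variable, or dropping the default altogether, avoids that drift.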
From: fitz123 Date: Wed, 1 Jun 2016 02:39:46 +0700 Subject: [PATCH 036/115] run mysql_secure_installation always --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 995202d3..83659fb6 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -10,7 +10,7 @@ - mysql_hardening - include: mysql_secure_installation.yml - when: mysql_hardening_enabled and mysql_root_password != '' + when: mysql_hardening_enabled tags: - mysql_hardening - mysql_secure_installation From 4e4b931cc5bdd198c0f85fdc2415479324d25872 Mon Sep 17 00:00:00 2001 From: fitz123 Date: Wed, 1 Jun 2016 02:41:38 +0700 Subject: [PATCH 037/115] fix task name --- tasks/mysql_secure_installation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/mysql_secure_installation.yml b/tasks/mysql_secure_installation.yml index 53a6fd3b..3f7ed215 100644 --- a/tasks/mysql_secure_installation.yml +++ b/tasks/mysql_secure_installation.yml @@ -5,7 +5,7 @@ # package: pkg=python-mysqldb state=present -- name: Install python-mysqldb for Ansible +- name: Install MySQL-python for Ansible apt: name=python-mysqldb state=present when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' From 56fe7393f2bd17092b826aac054280ca9bcc47f4 Mon Sep 17 00:00:00 2001 From: fitz123 Date: Wed, 1 Jun 2016 02:46:41 +0700 Subject: [PATCH 038/115] README updated --- README.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/README.md b/README.md index 20244c1b..ba148684 100644 --- a/README.md +++ b/README.md @@ -11,11 +11,7 @@ This role focuses on security configuration of MySQL. Therefore you can add this ## Requirements * Ansible -* Python MySQL-DB Package - -## Usage - -Before you use this role make sure to have a valid login-configuration in `~/.my.cnf` so Ansible is able to login into your database. +* Set up `mysql_root_password` variable ### Example Playbook 
From ef77bf7c1120bffe361114d02a49f16a301ea581 Mon Sep 17 00:00:00 2001 From: fitz123 Date: Wed, 1 Jun 2016 02:57:04 +0700 Subject: [PATCH 039/115] delete spaces in variables ({{ item }} -> {{item}}) --- tasks/mysql_secure_installation.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tasks/mysql_secure_installation.yml b/tasks/mysql_secure_installation.yml index 3f7ed215..d5f88344 100644 --- a/tasks/mysql_secure_installation.yml +++ b/tasks/mysql_secure_installation.yml @@ -17,7 +17,7 @@ when: mysql_root_password == '-----====>SetR00tPa$$wordH3r3!!!<====-----' - name: root password is present - mysql_user: name=root host={{ item }} password={{ mysql_root_password | mandatory }} state=present + mysql_user: name=root host={{item}} password={{mysql_root_password | mandatory}} state=present with_items: - '::1' - '127.0.0.1' @@ -38,28 +38,28 @@ # when: mysql_remove_anonymous_users - name: copy mysql_remove_anonymous_users - copy: src='{{ item }}.sql' dest='/tmp/{{ item }}.sql' + copy: src='{{item}}.sql' dest='/tmp/{{item}}.sql' with_items: - mysql_remove_anonymous_users when: mysql_remove_anonymous_users changed_when: false - name: apply mysql_remove_anonymous_users - mysql_db: name='mysql' state=import target='/tmp/{{ item }}.sql' + mysql_db: name='mysql' state=import target='/tmp/{{item}}.sql' with_items: - mysql_remove_anonymous_users when: mysql_remove_anonymous_users changed_when: false - name: copy mysql_remove_remote_root - copy: src='{{ item }}.sql' dest='/tmp/{{ item }}.sql' + copy: src='{{item}}.sql' dest='/tmp/{{item}}.sql' with_items: - mysql_remove_remote_root when: mysql_remove_remote_root changed_when: false - name: apply mysql_remove_remote_root - mysql_db: name='mysql' state=import target='/tmp/{{ item }}.sql' + mysql_db: name='mysql' state=import target='/tmp/{{item}}.sql' with_items: - mysql_remove_remote_root when: mysql_remove_remote_root From ec90b8d3ebd3531799a2a1312073ded800713906 Mon Sep 17 00:00:00 2001 
From: fitz123 Date: Sun, 5 Jun 2016 14:08:10 +0700 Subject: [PATCH 040/115] Update README with explaining of conditional enabling/disabling role --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index ba148684..470a0c92 100644 --- a/README.md +++ b/README.md @@ -21,6 +21,7 @@ This role focuses on security configuration of MySQL. Therefore you can add this This hardening role installs the hardening but expects an existing installation of MySQL, MariaDB or Percona. Please ensure that the following variables are set accordingly: +- `mysql_hardening_enabled: yes` role is enabled by default and can be disabled without removing it from a playbook. You can use conditional variable, for example: `mysql_hardening_enabled: "{{ true if mysql_enabled else false }}"` - `mysql_hardening_user: 'mysql'` The user that mysql runs as. - `mysql_datadir: '/var/lib/mysql'` The MySQL data directory - `mysql_hardening_hardening_conf: '/etc/mysql/conf.d/hardening.cnf'` The path to the configuration file where the hardening will be performed From 6f838d31dc1422c02a49f4d9b9ac99c30d77376e Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Thu, 16 Jun 2016 18:34:33 +0200 Subject: [PATCH 041/115] fix rhel daemon --- vars/RedHat.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vars/RedHat.yml b/vars/RedHat.yml index 4bef85f2..230225b0 100644 --- a/vars/RedHat.yml +++ b/vars/RedHat.yml @@ -1,2 +1,2 @@ -mysql_daemon: mysql +mysql_daemon: mysqld mysql_hardening_mysql_conf: '/etc/my.cnf' From 5134982390913f436bcb34c33159fbc24541d9c7 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Thu, 16 Jun 2016 18:46:13 +0200 Subject: [PATCH 042/115] fix local testing --- .kitchen.yml | 1 + default.yml | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/.kitchen.yml b/.kitchen.yml index 8d4b5416..4238a494 100644 --- a/.kitchen.yml +++ b/.kitchen.yml 
@@ -12,6 +12,7 @@ provisioner: ansible_verbose: true ansible_diff: true roles_path: ../ansible-mysql-hardening/ + sudo_command: 'sudo -E -H' platforms: - name: ubuntu-12.04 diff --git a/default.yml b/default.yml index 7c5ef41d..ce4b72b6 100644 --- a/default.yml +++ b/default.yml @@ -3,7 +3,6 @@ hosts: localhost vars: overwrite_global_mycnf: no - mysql_hardening_enabled: yes mysql_root_password: "root" roles: - geerlingguy.mysql From 63be562cac7c097c050098ed79c86ed5595a23d1 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Fri, 24 Jun 2016 17:34:16 +0200 Subject: [PATCH 043/115] update meta file --- meta/main.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/meta/main.yml b/meta/main.yml index 89625fe6..001f3234 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,7 +1,7 @@ --- galaxy_info: author: "Sebastian Gumprich" - description: 'This Ansible playbook provides numerous security-related configurations, providing all-round base protection.' + description: 'This Ansible playbook provides security configuration for mysql.' company: Hardening Framework Team license: Apache License 2.0 min_ansible_version: '1.9' @@ -9,17 +9,16 @@ galaxy_info: - name: EL versions: - 6 - - name: Oracle Linux - versions: - - 6 + - 7 - name: Ubuntu versions: - precise - trusty + - xenial - name: Debian versions: - - squeeze - wheezy + - jessie galaxy_tags: - system - security From b37b623d18a9df6c79eeaa7379d3f95a8cf8e271 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Fri, 24 Jun 2016 17:43:13 +0200 Subject: [PATCH 044/115] update readme --- README.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 470a0c92..acc1cc5b 100644 --- a/README.md +++ b/README.md 
@@ -1,6 +1,8 @@ # mysql-hardening (Ansible role) -[![Gitter Chat](https://badges.gitter.im/Join%20Chat.svg)][3] +[![Build Status](http://img.shields.io/travis/dev-sec/ansible-mysql-hardening.svg)][1] +[![Gitter Chat](https://badges.gitter.im/Join%20Chat.svg)][2] +[![Ansible Galaxy](https://img.shields.io/badge/galaxy-mysql--hardening-660198.svg)][3] ## Description @@ -97,4 +99,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. -[3]: https://gitter.im/dev-sec/general \ No newline at end of file +[1]: http://travis-ci.org/dev-sec/ansible-ssh-hardening +[2]: https://gitter.im/dev-sec/general +[3]: https://galaxy.ansible.com/dev-sec/mysql-hardening/ From f5e9299854411d9470d3700431b4d82637064ad3 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Fri, 24 Jun 2016 17:44:31 +0200 Subject: [PATCH 045/115] fix wrong travis link in readme --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index acc1cc5b..fac45d1a 100644 --- a/README.md +++ b/README.md @@ -99,6 +99,6 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. -[1]: http://travis-ci.org/dev-sec/ansible-ssh-hardening +[1]: http://travis-ci.org/dev-sec/ansible-mysql-hardening [2]: https://gitter.im/dev-sec/general [3]: https://galaxy.ansible.com/dev-sec/mysql-hardening/ From 74a3b03fd984278f2f819b1070e5906824f3a401 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sat, 8 Oct 2016 12:07:34 +0200 Subject: [PATCH 046/115] add follow=yes to my.cnf protect task, incase its a symlink --- tasks/configure.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/configure.yml b/tasks/configure.yml index 6c3ec940..699fbee6 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml 
@@ -1,7 +1,7 @@ --- - name: protect my.cnf - file: path='{{mysql_hardening_mysql_conf}}' mode=0600 owner=root group=root + file: path='{{mysql_hardening_mysql_conf}}' mode=0600 owner=root group=root follow=yes - name: ensure permissions on mysql-datadir are correct file: path='{{mysql_datadir}}' state=directory owner='{{mysql_hardening_user}}' group='{{mysql_hardening_user}}' From 0cd5205c23ebc69c01d68d7d9e015f7276559708 Mon Sep 17 00:00:00 2001 From: Andrej Golis Date: Fri, 14 Oct 2016 17:07:46 +0200 Subject: [PATCH 047/115] - renamed 'mysql_hardening_mysql_conf' var to 'mysql_hardening_mysql_conf_file' - introduced 'mysql_hardening_mysql_conf_dir' variable - set default value of 'mysql_hardening_mysql_conf_dir' variable for RedHat, OracleLinux, Debian - changed default hardcoded full path in 'mysql_hardening_hardening_conf' var to be based on 'mysql_hardening_mysql_conf_dir' var --- defaults/main.yml | 2 +- tasks/configure.yml | 6 +++--- vars/Debian.yml | 3 ++- vars/Oracle Linux.yml | 3 ++- vars/RedHat.yml | 3 ++- 5 files changed, 10 insertions(+), 7 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 32b0ea00..3f545b86 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -5,7 +5,7 @@ mysql_hardening_enabled: yes mysql_hardening_user: 'mysql' mysql_hardening_group: 'root' mysql_datadir: '/var/lib/mysql' -mysql_hardening_hardening_conf: '/etc/mysql/conf.d/hardening.cnf' +mysql_hardening_hardening_conf: '{{mysql_hardening_mysql_conf_dir}}/hardening.cnf' # You have to change this to your own strong enough mysql root password mysql_root_password: '-----====>SetR00tPa$$wordH3r3!!!<====-----' # There .my.cnf with mysql root credentials will be installed diff --git a/tasks/configure.yml b/tasks/configure.yml index 699fbee6..fa755bca 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml 
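Review bot: With `follow=yes`, the `root:root 0600` in the `protect my.cnf` task is applied to whatever `mysql_hardening_mysql_conf` resolves to rather than to the link itself, so if the symlink points outside the expected config location the role silently re-owns and locks down that target file. That is the intended fix for the symlink case, but it deserves a comment on the task, e.g. `# follow=yes: mode/owner land on the symlink target, not on the link`. The task still has no `state`, so a missing my.cnf fails the play with a generic `file` error; a preceding `stat` with a clear `fail` message would tell the operator that an existing MySQL/MariaDB install is a precondition.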
@@ -1,16 +1,16 @@ --- - name: protect my.cnf - file: path='{{mysql_hardening_mysql_conf}}' mode=0600 owner=root group=root follow=yes + file: path='{{mysql_hardening_mysql_conf_file}}' mode=0600 owner=root group=root follow=yes - name: ensure permissions on mysql-datadir are correct file: path='{{mysql_datadir}}' state=directory owner='{{mysql_hardening_user}}' group='{{mysql_hardening_user}}' - name: check mysql configuration-directory exists and has right permissions - file: path='/etc/mysql/conf.d' state=directory owner='{{mysql_hardening_user}}' group='{{mysql_hardening_group}}' mode=0470 + file: path='{{mysql_hardening_mysql_conf_dir}}' state=directory owner='{{mysql_hardening_user}}' group='{{mysql_hardening_group}}' mode=0470 - name: check include-dir directive is present in my.cnf - lineinfile: dest='{{mysql_hardening_mysql_conf}}' line='!includedir /etc/mysql/conf.d/' insertafter='EOF' state=present backup=yes + lineinfile: dest='{{mysql_hardening_mysql_conf_file}}' line='!includedir {{mysql_hardening_mysql_conf_dir}}' insertafter='EOF' state=present backup=yes notify: restart mysql - name: apply hardening configuration diff --git a/vars/Debian.yml b/vars/Debian.yml index 3f8056ba..6513df3c 100644 --- a/vars/Debian.yml +++ b/vars/Debian.yml @@ -1,2 +1,3 @@ mysql_daemon: mysql -mysql_hardening_mysql_conf: '/etc/mysql/my.cnf' +mysql_hardening_mysql_conf_file: '/etc/mysql/my.cnf' +mysql_hardening_mysql_conf_dir: '/etc/mysql/conf.d' diff --git a/vars/Oracle Linux.yml b/vars/Oracle Linux.yml index 230225b0..f091e6cc 100644 --- a/vars/Oracle Linux.yml +++ b/vars/Oracle Linux.yml @@ -1,2 +1,3 @@ mysql_daemon: mysqld -mysql_hardening_mysql_conf: '/etc/my.cnf' +mysql_hardening_mysql_conf_file: '/etc/my.cnf' +mysql_hardening_mysql_conf_dir: '/etc/my.cnf.d' diff --git a/vars/RedHat.yml b/vars/RedHat.yml index 230225b0..f091e6cc 100644 --- a/vars/RedHat.yml +++ b/vars/RedHat.yml 
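Review bot: The configuration-directory task in this hunk sets `mode=0470`, which leaves the owner (`mysql_hardening_user`) without the execute bit, so a process running as that account cannot open anything inside the directory; the `!includedir` line this same hunk writes into my.cnf then points at a directory mysqld cannot traverse and hardening.cnf is never applied. The owner needs at least `r-x`, e.g. `mode=0570`. The include directive also dropped the trailing slash the old hardcoded `/etc/mysql/conf.d/` had; MySQL accepts both, but a comment such as `# mysql_hardening_mysql_conf_dir is expected without a trailing slash` would keep the vars files and this line consistent.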
@@ -1,2 +1,3 @@ mysql_daemon: mysqld -mysql_hardening_mysql_conf: '/etc/my.cnf' +mysql_hardening_mysql_conf_file: '/etc/my.cnf' +mysql_hardening_mysql_conf_dir: '/etc/my.cnf.d' From 6a9ff3492c1d0be36e2be289e05da1645408d3c0 Mon Sep 17 00:00:00 2001 From: Andrej Golis Date: Sat, 15 Oct 2016 16:32:22 +0200 Subject: [PATCH 048/115] - added owner executable bit on my.cnf.d dir to allow mysql process to list files and apply custom configuration, otherwise it doesn't apply it --- tasks/configure.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/configure.yml b/tasks/configure.yml index fa755bca..59b1ba59 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -7,7 +7,7 @@ file: path='{{mysql_datadir}}' state=directory owner='{{mysql_hardening_user}}' group='{{mysql_hardening_user}}' - name: check mysql configuration-directory exists and has right permissions - file: path='{{mysql_hardening_mysql_conf_dir}}' state=directory owner='{{mysql_hardening_user}}' group='{{mysql_hardening_group}}' mode=0470 + file: path='{{mysql_hardening_mysql_conf_dir}}' state=directory owner='{{mysql_hardening_user}}' group='{{mysql_hardening_group}}' mode=0570 - name: check include-dir directive is present in my.cnf lineinfile: dest='{{mysql_hardening_mysql_conf_file}}' line='!includedir {{mysql_hardening_mysql_conf_dir}}' insertafter='EOF' state=present backup=yes From 6fa57844e92834900293419ec3c205f01a631dcd Mon Sep 17 00:00:00 2001 From: Andrej Golis Date: Fri, 21 Oct 2016 13:36:58 +0200 Subject: [PATCH 049/115] aligned more var names to be consistent, changed hardcoded owner/group values to use vars instead --- README.md | 2 +- defaults/main.yml | 2 +- tasks/configure.yml | 8 ++++---- vars/Debian.yml | 2 +- vars/Oracle Linux.yml | 2 +- vars/RedHat.yml | 2 +- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index fac45d1a..ec27898b 100644 --- a/README.md +++ b/README.md 
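Review bot: `mode=0570` restores traversal, but the directory is still owned by `mysql_hardening_user`, and a file owner can always `chmod` its own directory regardless of the mode set here, so the read-only bits do not constrain a process running as the daemon account. If the intent is that the server cannot alter its own configuration, the directory should be root-owned with the daemon granted read/execute through the group, e.g. `owner=root group='{{mysql_hardening_group}}' mode=0750` with `mysql_hardening_group` set to the daemon's group; since that variable currently defaults to `root`, the default would need revisiting at the same time.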
@@ -26,7 +26,7 @@ This hardening role installs the hardening but expects an existing installation - `mysql_hardening_enabled: yes` role is enabled by default and can be disabled without removing it from a playbook. You can use conditional variable, for example: `mysql_hardening_enabled: "{{ true if mysql_enabled else false }}"` - `mysql_hardening_user: 'mysql'` The user that mysql runs as. - `mysql_datadir: '/var/lib/mysql'` The MySQL data directory -- `mysql_hardening_hardening_conf: '/etc/mysql/conf.d/hardening.cnf'` The path to the configuration file where the hardening will be performed +- `mysql_hardening_mysql_hardening_conf_file: '/etc/mysql/conf.d/hardening.cnf'` The path to the configuration file where the hardening will be performed ## Security Options diff --git a/defaults/main.yml b/defaults/main.yml index 3f545b86..a2a87f43 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -5,7 +5,7 @@ mysql_hardening_enabled: yes mysql_hardening_user: 'mysql' mysql_hardening_group: 'root' mysql_datadir: '/var/lib/mysql' -mysql_hardening_hardening_conf: '{{mysql_hardening_mysql_conf_dir}}/hardening.cnf' +mysql_hardening_mysql_hardening_conf_file: '{{mysql_hardening_mysql_confd_dir}}/hardening.cnf' # You have to change this to your own strong enough mysql root password mysql_root_password: '-----====>SetR00tPa$$wordH3r3!!!<====-----' # There .my.cnf with mysql root credentials will be installed diff --git a/tasks/configure.yml b/tasks/configure.yml index 59b1ba59..e0b8edbf 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml 
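Review bot: The default renamed in this hunk, `mysql_hardening_mysql_hardening_conf_file`, is documented in the README hunk of the same commit as the literal `/etc/mysql/conf.d/hardening.cnf`, while the actual default is derived from `mysql_hardening_mysql_confd_dir`, so on RedHat-family hosts the documented value is wrong. I would document it as `'{{mysql_hardening_mysql_confd_dir}}/hardening.cnf'` and note that the directory comes from the OS-specific vars file. The old name `mysql_hardening_hardening_conf` is dropped without a fallback, so an existing override is silently ignored and the file is written to the default path instead; a changelog entry marking this as breaking, or a temporary alias, would help users notice.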
@@ -1,18 +1,18 @@ --- - name: protect my.cnf - file: path='{{mysql_hardening_mysql_conf_file}}' mode=0600 owner=root group=root follow=yes + file: path='{{mysql_hardening_mysql_conf_file}}' mode=0400 owner='{{mysql_hardening_user}}' group='{{mysql_hardening_group}}' follow=yes - name: ensure permissions on mysql-datadir are correct file: path='{{mysql_datadir}}' state=directory owner='{{mysql_hardening_user}}' group='{{mysql_hardening_user}}' - name: check mysql configuration-directory exists and has right permissions - file: path='{{mysql_hardening_mysql_conf_dir}}' state=directory owner='{{mysql_hardening_user}}' group='{{mysql_hardening_group}}' mode=0570 + file: path='{{mysql_hardening_mysql_confd_dir}}' state=directory owner='{{mysql_hardening_user}}' group='{{mysql_hardening_group}}' mode=0570 - name: check include-dir directive is present in my.cnf - lineinfile: dest='{{mysql_hardening_mysql_conf_file}}' line='!includedir {{mysql_hardening_mysql_conf_dir}}' insertafter='EOF' state=present backup=yes + lineinfile: dest='{{mysql_hardening_mysql_conf_file}}' line='!includedir {{mysql_hardening_mysql_confd_dir}}' insertafter='EOF' state=present backup=yes notify: restart mysql - name: apply hardening configuration - template: src='hardening.cnf.j2' dest='{{mysql_hardening_hardening_conf}}' owner='{{mysql_hardening_user}}' group='{{mysql_hardening_group}}' mode=0460 + template: src='hardening.cnf.j2' dest='{{mysql_hardening_mysql_hardening_conf_file}}' owner='{{mysql_hardening_user}}' group='{{mysql_hardening_group}}' mode=0460 notify: restart mysql diff --git a/vars/Debian.yml b/vars/Debian.yml index 6513df3c..e96ea36d 100644 --- a/vars/Debian.yml +++ b/vars/Debian.yml @@ -1,3 +1,3 @@ mysql_daemon: mysql mysql_hardening_mysql_conf_file: '/etc/mysql/my.cnf' -mysql_hardening_mysql_conf_dir: '/etc/mysql/conf.d' +mysql_hardening_mysql_confd_dir: '/etc/mysql/conf.d' diff --git a/vars/Oracle Linux.yml b/vars/Oracle Linux.yml index f091e6cc..8165061e 100644 
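Review bot: The `protect my.cnf` line changes the owner of the main config from `root` to `mysql_hardening_user` (default `mysql`), which weakens the previous state: `mode=0400` looks strict, but the owner can change the mode at will, so a process running as the daemon account gains the ability to rewrite my.cnf — and with it options such as `secure-file-priv` — that it did not have while the file was root-owned. The same applies to hardening.cnf, which the last task in this hunk leaves owned by the daemon user with `mode=0460`, i.e. group write on a config file. I would keep `owner=root` on both and grant the daemon read access through its group, e.g. `owner=root group='{{mysql_hardening_group}}' mode=0440` with `mysql_hardening_group` pointing at the daemon's group, rather than handing the service account ownership of its own configuration.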
--- a/vars/Oracle Linux.yml +++ b/vars/Oracle Linux.yml @@ -1,3 +1,3 @@ mysql_daemon: mysqld mysql_hardening_mysql_conf_file: '/etc/my.cnf' -mysql_hardening_mysql_conf_dir: '/etc/my.cnf.d' +mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d' diff --git a/vars/RedHat.yml b/vars/RedHat.yml index f091e6cc..8165061e 100644 --- a/vars/RedHat.yml +++ b/vars/RedHat.yml @@ -1,3 +1,3 @@ mysql_daemon: mysqld mysql_hardening_mysql_conf_file: '/etc/my.cnf' -mysql_hardening_mysql_conf_dir: '/etc/my.cnf.d' +mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d' From 1315e92df567021d5cadb5aeb56d03868b88899d Mon Sep 17 00:00:00 2001 From: Chris Poupart Date: Tue, 18 Apr 2017 10:38:06 -0400 Subject: [PATCH 050/115] Add variables specific to RHEL 7 to allow use of mariadb instead of mysql. --- tasks/main.yml | 5 ++++- vars/RedHat-7.yml | 3 +++ 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 vars/RedHat-7.yml diff --git a/tasks/main.yml b/tasks/main.yml index 83659fb6..f21d7b2c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,7 +1,10 @@ --- - name: add the OS specific variables - include_vars: "{{ ansible_os_family }}.yml" + include_vars: "{{ item }}" + with_first_found: + - "{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml" + - "{{ ansible_os_family }}.yml" tags: always - include: configure.yml diff --git a/vars/RedHat-7.yml b/vars/RedHat-7.yml new file mode 100644 index 00000000..0b784c13 --- /dev/null +++ b/vars/RedHat-7.yml @@ -0,0 +1,3 @@ +mysql_daemon: mariadb +mysql_hardening_mysql_conf_file: '/etc/my.cnf' +mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d' From 311562fdfc0b6144428fd1f4c2ab423ffcc4e966 Mon Sep 17 00:00:00 2001 From: Chris Poupart Date: Tue, 18 Apr 2017 15:53:20 -0400 Subject: [PATCH 051/115] add test for centos 7.2 --- .kitchen.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.kitchen.yml b/.kitchen.yml index 4238a494..0b2054ec 100644 --- a/.kitchen.yml +++ b/.kitchen.yml 
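Review bot: `mysql_daemon: mariadb` in the new vars/RedHat-7.yml is selected for every EL7 host, including those running an Oracle or Percona build whose unit is `mysqld`; on such hosts the `restart mysql` handler targets a service that does not exist and the hardening config is written but never reloaded. If I read Ansible's precedence rules correctly, values from a role's `vars/` files sit above play and inventory vars, so a playbook-level `mysql_daemon` override would be shadowed and only `-e` would win. A comment in the vars file would at least make the assumption visible, e.g. `# EL7 ships MariaDB by default; override mysql_daemon when a MySQL build with a different unit name is installed`.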
@@ -31,6 +31,10 @@ platforms: driver_config: box: opscode-centos-6.5 box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.5_chef-provisionerless.box +- name: centos-7.2 + driver_config: + box: opscode-centos-7.2 + box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-7.2_chef-provisionerless.box - name: oracle-6.4 driver_config: box: oracle-6.4 From 3fcae0e2848cada3439b49417fa95785762e8108 Mon Sep 17 00:00:00 2001 From: Chris Poupart Date: Fri, 21 Apr 2017 14:34:37 -0400 Subject: [PATCH 052/115] add ansible_distribution to standardize with other hardening roles. --- tasks/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tasks/main.yml b/tasks/main.yml index f21d7b2c..ec5ad75f 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -3,6 +3,8 @@ - name: add the OS specific variables include_vars: "{{ item }}" with_first_found: + - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml" + - "{{ ansible_distribution }}.yml" - "{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml" - "{{ ansible_os_family }}.yml" tags: always From 71062df26683b41f2875b816814a2a0f4a005f37 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sat, 22 Apr 2017 20:34:53 +0200 Subject: [PATCH 053/115] update changelog --- CHANGELOG.md | 49 ++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 42 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 142c4e1d..0af01626 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
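Review bot: The new `centos-7.2` platform downloads its box over `http://`, while the neighbouring `centos-6.5` context line fetches from the same bucket over `https://`, so this test VM image is pulled without transport integrity and can be altered in transit. Use `box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-7.2_chef-provisionerless.box` to match the other entries.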
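Review bot: The two `ansible_distribution` candidates added to `with_first_found` look intended to let `vars/Oracle Linux.yml` load, but as far as I know the fact is reported as `OracleLinux` (no space), so that file still never matches and Oracle hosts keep falling through to `RedHat*.yml`; verify with the setup module on an OL box. Since the Oracle file carries the same content as vars/RedHat.yml (both diffs in this series show identical blob ids), the simplest fix is to drop it or rename it to the fact value. A comment on the lookup, e.g. `# tried in order: distribution-specific files win over os_family ones`, would document the intended precedence.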
@@ -1,15 +1,50 @@ # Change Log -## [Unreleased](https://github.com/hardening-io/ansible-mysql-hardening/tree/HEAD) +## [2.0.0](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.0.0) (2017-04-21) +[Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/1.0.0...2.0.0) + +### Breaking Changes: + +- renamed 'mysql\_hardening\_mysql\_conf' var to 'mysql\_hardening\_mysql\_… [\#22](https://github.com/dev-sec/ansible-mysql-hardening/pull/22) ([agno01](https://github.com/agno01)) + +--- + +**Implemented enhancements:** + +- Add CentOS7 with MariaDB support [\#27](https://github.com/dev-sec/ansible-mysql-hardening/pull/27) ([chrispoupart](https://github.com/chrispoupart)) +- - renamed 'mysql\_hardening\_mysql\_conf' var to 'mysql\_hardening\_mysql\_… [\#22](https://github.com/dev-sec/ansible-mysql-hardening/pull/22) ([agno01](https://github.com/agno01)) +- add follow=yes to my.cnf protect task, incase its a symlink. fixes \#20 [\#21](https://github.com/dev-sec/ansible-mysql-hardening/pull/21) ([rndmh3ro](https://github.com/rndmh3ro)) + +**Fixed bugs:** + +- error on task protect my.cnf [\#20](https://github.com/dev-sec/ansible-mysql-hardening/issues/20) + +## [1.0.0](https://github.com/dev-sec/ansible-mysql-hardening/tree/1.0.0) (2016-06-28) +**Implemented enhancements:** + +- add changelog generator [\#7](https://github.com/dev-sec/ansible-mysql-hardening/pull/7) ([chris-rock](https://github.com/chris-rock)) + +**Closed issues:** + +- tasks - main [\#14](https://github.com/dev-sec/ansible-mysql-hardening/issues/14) +- Fix directory structure. 
[\#6](https://github.com/dev-sec/ansible-mysql-hardening/issues/6) **Merged pull requests:** -- fix mysql restart not happening because of missing os specific variable [\#5](https://github.com/hardening-io/ansible-mysql-hardening/pull/5) ([fheinle](https://github.com/fheinle)) -- Update kitchen-ansible, remove separate debian install [\#4](https://github.com/hardening-io/ansible-mysql-hardening/pull/4) ([rndmh3ro](https://github.com/rndmh3ro)) -- update common kitchen.yml platforms \(ansible\), kitchen\_debian.yml platforms \(ansible\) [\#3](https://github.com/hardening-io/ansible-mysql-hardening/pull/3) ([chris-rock](https://github.com/chris-rock)) -- Separate system-vars from editable vars. [\#2](https://github.com/hardening-io/ansible-mysql-hardening/pull/2) ([rndmh3ro](https://github.com/rndmh3ro)) -- Add documentation for testing, change value in vars [\#1](https://github.com/hardening-io/ansible-mysql-hardening/pull/1) ([rndmh3ro](https://github.com/rndmh3ro)) +- Local testing [\#17](https://github.com/dev-sec/ansible-mysql-hardening/pull/17) ([rndmh3ro](https://github.com/rndmh3ro)) +- fix rhel daemon [\#16](https://github.com/dev-sec/ansible-mysql-hardening/pull/16) ([rndmh3ro](https://github.com/rndmh3ro)) +- alt version initial commit [\#15](https://github.com/dev-sec/ansible-mysql-hardening/pull/15) ([fitz123](https://github.com/fitz123)) +- add test support for ansible 2.0 and 1.9 [\#13](https://github.com/dev-sec/ansible-mysql-hardening/pull/13) ([rndmh3ro](https://github.com/rndmh3ro)) +- add webhook for ansible galaxy [\#11](https://github.com/dev-sec/ansible-mysql-hardening/pull/11) ([rndmh3ro](https://github.com/rndmh3ro)) +- update platforms in meta-file [\#10](https://github.com/dev-sec/ansible-mysql-hardening/pull/10) ([rndmh3ro](https://github.com/rndmh3ro)) +- Simplify local testing with custom role [\#9](https://github.com/dev-sec/ansible-mysql-hardening/pull/9) ([rndmh3ro](https://github.com/rndmh3ro)) +- New role layout 
[\#8](https://github.com/dev-sec/ansible-mysql-hardening/pull/8) ([rndmh3ro](https://github.com/rndmh3ro)) +- fix mysql restart not happening because of missing os specific variable [\#5](https://github.com/dev-sec/ansible-mysql-hardening/pull/5) ([fheinle](https://github.com/fheinle)) +- Update kitchen-ansible, remove separate debian install [\#4](https://github.com/dev-sec/ansible-mysql-hardening/pull/4) ([rndmh3ro](https://github.com/rndmh3ro)) +- update common kitchen.yml platforms \(ansible\), kitchen\_debian.yml platforms \(ansible\) [\#3](https://github.com/dev-sec/ansible-mysql-hardening/pull/3) ([chris-rock](https://github.com/chris-rock)) +- Separate system-vars from editable vars. [\#2](https://github.com/dev-sec/ansible-mysql-hardening/pull/2) ([rndmh3ro](https://github.com/rndmh3ro)) +- Add documentation for testing, change value in vars [\#1](https://github.com/dev-sec/ansible-mysql-hardening/pull/1) ([rndmh3ro](https://github.com/rndmh3ro)) -\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* \ No newline at end of file +\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* From 143270cbcce4fb2443cecd1ef68f629056fcda69 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sat, 22 Apr 2017 20:38:17 +0200 Subject: [PATCH 054/115] update changelog --- CHANGELOG.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0af01626..879ef2b8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -5,14 +5,18 @@ ### Breaking Changes: -- renamed 'mysql\_hardening\_mysql\_conf' var to 'mysql\_hardening\_mysql\_… [\#22](https://github.com/dev-sec/ansible-mysql-hardening/pull/22) ([agno01](https://github.com/agno01)) +- [\#22](https://github.com/dev-sec/ansible-mysql-hardening/pull/22) ([agno01](https://github.com/agno01)) + - renamed `mysql_hardening_mysql_conf` var to `mysql_hardening_mysql_conf_file` + - introduced `mysql_hardening_mysql_conf_dir` variable + - set default value of `mysql_hardening_mysql_conf_dir` variable for RedHat, OracleLinux, Debian + - changed default hardcoded full path in `mysql_hardening_hardening_conf` var to be based on `mysql_hardening_mysql_conf_dir` var + --- **Implemented enhancements:** - Add CentOS7 with MariaDB support [\#27](https://github.com/dev-sec/ansible-mysql-hardening/pull/27) ([chrispoupart](https://github.com/chrispoupart)) -- - renamed 'mysql\_hardening\_mysql\_conf' var to 'mysql\_hardening\_mysql\_… [\#22](https://github.com/dev-sec/ansible-mysql-hardening/pull/22) ([agno01](https://github.com/agno01)) - add follow=yes to my.cnf protect task, incase its a symlink. fixes \#20 [\#21](https://github.com/dev-sec/ansible-mysql-hardening/pull/21) ([rndmh3ro](https://github.com/rndmh3ro)) **Fixed bugs:** From ba7d3d538757891027d1c75e5da92f51d60cb622 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Tue, 25 Apr 2017 08:50:44 +0200 Subject: [PATCH 055/115] cleanup old files, streamline ansible.cfg --- TODO.md | 1 - Thorfile | 10 ---------- ansible.cfg | 14 ++++++++++++++ 3 files changed, 14 insertions(+), 11 deletions(-) delete mode 100644 TODO.md delete mode 100644 Thorfile create mode 100644 ansible.cfg diff --git a/TODO.md b/TODO.md deleted file mode 100644 index 8b137891..00000000 --- a/TODO.md +++ /dev/null @@ -1 +0,0 @@ - diff --git a/Thorfile b/Thorfile deleted file mode 100644 index 15b092f6..00000000 --- a/Thorfile +++ /dev/null 
@@ -1,10 +0,0 @@ -# encoding: utf-8 - -require 'bundler' -require 'bundler/setup' -require 'thor/foodcritic' - -require 'kitchen_sharedtests' -require 'kitchen/sharedtests_thor_tasks' - -Kitchen::SharedtestsThorTasks.new diff --git a/ansible.cfg b/ansible.cfg new file mode 100644 index 00000000..d7cda5ba --- /dev/null +++ b/ansible.cfg @@ -0,0 +1,14 @@ +# config file for ansible -- http://ansible.com/ +# ============================================== + +# nearly all parameters can be overridden in ansible-playbook +# or with command line flags. ansible will read ANSIBLE_CONFIG, +# ansible.cfg in the current working directory, .ansible.cfg in +# the home directory or /etc/ansible/ansible.cfg, whichever it +# finds first + +[defaults] +ansible_managed = Ansible managed: {file} modified on %Y-%m-%d by {uid} on {host} + +role_path = /vagrant +scp_if_ssh = True From 5a1e875715fe0b34005eecb4993832f5b05cdc37 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Tue, 25 Apr 2017 08:52:02 +0200 Subject: [PATCH 056/115] update gitignore, gemfile --- .gitignore | 12 +----------- Gemfile | 25 ++++--------------------- 2 files changed, 5 insertions(+), 32 deletions(-) diff --git a/.gitignore b/.gitignore index fbe87e09..1953eaac 100644 --- a/.gitignore +++ b/.gitignore @@ -1,13 +1,3 @@ -README.pdf -README.html -shared_test_repo/ -test/integration .kitchen -coverage -Vagrantfile.erb - -Gemfile.lock -Berksfile.lock - -ansible.cfg hosts +Gemfile.lock diff --git a/Gemfile b/Gemfile index 4dfd9cfa..c11b3bf6 100644 --- a/Gemfile +++ b/Gemfile 
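Review bot: `role_path` in the new ansible.cfg is not an ansible.cfg setting — the `[defaults]` key is `roles_path` — so the line is silently ignored and roles are resolved from the default search path rather than `/vagrant`; change it to `roles_path = /vagrant`. Because the file is now tracked and, as its own header says, Ansible reads `ansible.cfg` from the current working directory first, anyone running the role from this checkout inherits `scp_if_ssh = True` and the roles path; a one-line comment stating that the file exists for the Vagrant/Kitchen workflow would make that deliberate.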
@@ -2,32 +2,15 @@ source 'https://rubygems.org' -group :test do - gem 'rake' -# gem 'chefspec', '~> 4.2.0' - gem 'foodcritic', '~> 4.0' - gem 'thor-foodcritic' -# gem 'rubocop', '~> 0.28.0' - gem 'coveralls', require: false -end - -group :development do - gem 'guard' - gem 'guard-rspec' - gem 'guard-kitchen' -# gem 'guard-rubocop' -# gem 'guard-foodcritic' -end - group :integration do gem 'test-kitchen', '~> 1.0' gem 'kitchen-ansible' gem 'kitchen-vagrant' + gem 'kitchen-inspec' gem 'kitchen-sharedtests', '~> 0.2.0' -end - -group :openstack do - gem 'kitchen-openstack' + gem 'kitchen-sync' + gem 'kitchen-transport-rsync' + gem 'kitchen-docker' end group :tools do From a58e5bf2fa38af39c7512c986292a59100a0d1d1 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Tue, 25 Apr 2017 08:53:19 +0200 Subject: [PATCH 057/115] add newmysql_cnf_owner variable, use ansible 2.0 features --- defaults/main.yml | 7 +++++-- tasks/configure.yml | 7 +++++-- tasks/main.yml | 4 ++-- tasks/mysql_secure_installation.yml | 23 ++++------------------- 4 files changed, 16 insertions(+), 25 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index a2a87f43..1d4dba21 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -2,13 +2,14 @@ mysql_hardening_enabled: yes # general configuration -mysql_hardening_user: 'mysql' +mysql_cnf_owner: 'root' # owner of /etc/mysql/*.cnf files +mysql_hardening_user: 'mysql' # owner of data mysql_hardening_group: 'root' mysql_datadir: '/var/lib/mysql' mysql_hardening_mysql_hardening_conf_file: '{{mysql_hardening_mysql_confd_dir}}/hardening.cnf' # You have to change this to your own strong enough mysql root password mysql_root_password: '-----====>SetR00tPa$$wordH3r3!!!<====-----' -# There .my.cnf with mysql root credentials will be installed +# There .my.cnf with mysql root credentials will be installed mysql_user_home: "{{ ansible_env.HOME}}" # ensure the following parameters are set properly 
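Review bot: The four gems added to the `:integration` group (`kitchen-inspec`, `kitchen-sync`, `kitchen-transport-rsync`, `kitchen-docker`) carry no version constraint, unlike `test-kitchen` and `kitchen-sharedtests` beside them, and the .gitignore hunk in the same commit keeps `Gemfile.lock` out of the repository, so every CI run resolves whatever is newest on rubygems.org at that moment. That makes test results non-reproducible and lets an upstream release change what runs under sudo in the test containers without any change here. Add pessimistic constraints, e.g. `gem 'kitchen-docker', '~> <VERSION>'` (placeholder), or commit the lockfile.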
@@ -47,3 +48,5 @@ mysql_hardening_options: # @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option-mysqld-secure-file-priv secure-file-priv: '/tmp' + # @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_user + user: '{{mysql_hardening_user}}' diff --git a/tasks/configure.yml b/tasks/configure.yml index e0b8edbf..2ff0cb3d 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -1,7 +1,7 @@ --- - name: protect my.cnf - file: path='{{mysql_hardening_mysql_conf_file}}' mode=0400 owner='{{mysql_hardening_user}}' group='{{mysql_hardening_group}}' follow=yes + file: path='{{mysql_hardening_mysql_conf_file}}' mode=0400 owner='{{mysql_cnf_owner}}' group='{{mysql_hardening_group}}' follow=yes state=file - name: ensure permissions on mysql-datadir are correct file: path='{{mysql_datadir}}' state=directory owner='{{mysql_hardening_user}}' group='{{mysql_hardening_user}}' @@ -14,5 +14,8 @@ notify: restart mysql - name: apply hardening configuration - template: src='hardening.cnf.j2' dest='{{mysql_hardening_mysql_hardening_conf_file}}' owner='{{mysql_hardening_user}}' group='{{mysql_hardening_group}}' mode=0460 + template: src='hardening.cnf.j2' dest='{{mysql_hardening_mysql_hardening_conf_file}}' owner='{{mysql_cnf_owner}}' group='{{mysql_hardening_group}}' mode=0460 notify: restart mysql + +- name: enable mysql + service: name='{{ mysql_daemon }}' enabled=yes diff --git a/tasks/main.yml b/tasks/main.yml index ec5ad75f..330ac2ec 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -11,11 +11,11 @@ - include: configure.yml when: mysql_hardening_enabled - tags: + tags: - mysql_hardening - include: mysql_secure_installation.yml when: mysql_hardening_enabled - tags: + tags: - mysql_hardening - mysql_secure_installation diff --git a/tasks/mysql_secure_installation.yml b/tasks/mysql_secure_installation.yml index d5f88344..746b1421 100644 --- a/tasks/mysql_secure_installation.yml +++ b/tasks/mysql_secure_installation.yml 
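Review bot: With `mysql_cnf_owner` and `mysql_hardening_group` both defaulting to `root`, the `protect my.cnf` (`0400`) and `apply hardening configuration` (`0460`) lines in this hunk leave both files unreadable to the `mysql` account; that is fine when mysqld starts as root and reads its option files before switching to the `user` added in the defaults hunk, but a unit that starts the server directly as `mysql` (the usual systemd setup) will, as far as I know, skip an option file it cannot open rather than fail, so the hardening is silently not applied. Worth verifying on the EL7/MariaDB platform added earlier in this series before relying on the stricter modes. Independently, `0460` grants group write on hardening.cnf, which nothing needs; `mode=0440` is the minimum that still lets a daemon group read it.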
@@ -24,7 +24,7 @@ - 'localhost' - name: install .my.cnf with credentials - template: src=my.cnf.j2 dest={{mysql_user_home}}/.my.cnf + template: src=my.cnf.j2 dest={{mysql_user_home}}/.my.cnf mode=0400 tags: my_cnf @@ -32,24 +32,9 @@ mysql_db: name=test state=absent when: mysql_remove_test_database -# Can use only if ansible ver => 2.1 -#- name: anonymous users are absent -# mysql_user: name='' state=absent host_all=yes -# when: mysql_remove_anonymous_users - -- name: copy mysql_remove_anonymous_users - copy: src='{{item}}.sql' dest='/tmp/{{item}}.sql' - with_items: - - mysql_remove_anonymous_users +- name: anonymous users are absent + mysql_user: name='' state=absent host_all=yes when: mysql_remove_anonymous_users - changed_when: false - -- name: apply mysql_remove_anonymous_users - mysql_db: name='mysql' state=import target='/tmp/{{item}}.sql' - with_items: - - mysql_remove_anonymous_users - when: mysql_remove_anonymous_users - changed_when: false - name: copy mysql_remove_remote_root copy: src='{{item}}.sql' dest='/tmp/{{item}}.sql' @@ -59,7 +44,7 @@ changed_when: false - name: apply mysql_remove_remote_root - mysql_db: name='mysql' state=import target='/tmp/{{item}}.sql' + mysql_db: name='mysql' state=import target='/tmp/{{item}}.sql' with_items: - mysql_remove_remote_root when: mysql_remove_remote_root From 619aed0f360666fd08a7bc0a3bf845ee4ffdf686 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Tue, 25 Apr 2017 08:53:35 +0200 Subject: [PATCH 058/115] use docker for testing --- .kitchen.vagrant.yml | 75 ++++++++++++++++++++++++++++ .kitchen.yml | 116 +++++++++++++++++++++++++------------------ .travis.yml | 82 ++++++++++++++++++++++++------ default.yml | 19 ++++++- initctl_faker | 24 +++++++++ spec/travis.yml | 3 -- 6 files changed, 253 insertions(+), 66 deletions(-) create mode 100644 .kitchen.vagrant.yml create mode 100644 initctl_faker delete mode 100644 spec/travis.yml 
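Review bot: The `copy mysql_remove_remote_root` / `apply mysql_remove_remote_root` pair this hunk leaves in place stages SQL at the predictable, world-writable path `/tmp/{{item}}.sql` and then imports it into the `mysql` schema with root privileges, so any local user who creates or symlinks that path between the two tasks gets their own statements executed by the import. The anonymous-user cleanup in the same hunk already shows the better pattern: remove the remote root entries with `mysql_user` (`name=root`, the non-local `host` values, `state=absent`) instead of staged SQL, or at least stage the file in a root-only directory (`mode=0700`) and delete it afterwards. A comment on the remaining `copy` task explaining why a temporary file is still needed would help the next maintainer finish the migration.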
diff --git a/.kitchen.vagrant.yml b/.kitchen.vagrant.yml new file mode 100644 index 00000000..11e71edc --- /dev/null +++ b/.kitchen.vagrant.yml 
@@ -0,0 +1,75 @@ +--- +driver: + name: vagrant + +provisioner: + name: ansible_playbook + hosts: all + require_ansible_repo: false + require_ansible_omnibus: true + require_chef_for_busser: false + require_ruby_for_busser: false + ansible_verbose: true + roles_path: ../ansible-mysql-hardening/ + playbook: default.yml + requirements_path: requirements.yml + sudo_command: 'sudo -E -H' + +transport: + max_ssh_sessions: 5 + +platforms: +- name: ubuntu-12.04 + driver_config: + box: opscode-ubuntu-12.04 + box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-12.04_chef-provisionerless.box +- name: ubuntu-14.04 + driver_config: + box: opscode-ubuntu-14.04 + box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-14.04_chef-provisionerless.box +- name: ubuntu-16.04 + driver_config: + box: opscode-ubuntu-16.04 + box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-16.04_chef-provisionerless.box +- name: centos-6.4 + driver_config: + box: opscode-centos-6.4 + box_url: https://opscode-vm.s3.amazonaws.com/vagrant/opscode_centos-6.4_provisionerless.box +- name: centos-6.5 + driver_config: + box: opscode-centos-6.5 + box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.5_chef-provisionerless.box +- name: centos-6.8 + driver_config: + box: bento/centos-6.8 +- name: centos-7 + driver_config: + box: bento/centos-7.2 +- name: oracle-6.4 + driver_config: + box: oracle-6.4 + box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel64-64.box +- name: oracle-6.5 + driver_config: + box: oracle-6.5 + box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box +- name: oracle-7 + driver_config: + box: boxcutter/ol72 +- name: debian-7 + driver_config: + box: debian-7 + box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-7.8_chef-provisionerless.box +- name: debian-8 + driver_config: + 
box: debian-8 + box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-8.1_chef-provisionerless.box + +verifier: + name: inspec + sudo: true + inspec_tests: + - https://github.com/dev-sec/mysql-baseline/ + +suites: +- name: mysql diff --git a/.kitchen.yml b/.kitchen.yml index 0b2054ec..a653a4fa 100644 --- a/.kitchen.yml +++ b/.kitchen.yml 
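Review bot: The `verifier.inspec_tests` entry pulls `https://github.com/dev-sec/mysql-baseline/` with no ref, so every verify run executes whatever is on that repository's default branch at that moment — the suite that decides whether the hardening "passes" is itself unpinned. If I read kitchen-inspec's options correctly it accepts a git source with a tag or ref; pin to a released tag and bump it deliberately. The `bento/centos-6.8`, `bento/centos-7.2` and `boxcutter/ol72` boxes are likewise unversioned Vagrant Cloud references, while the explicit `box_url` entries in this file at least fix a specific image; a comment noting which platforms float would make that difference visible.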
@@ -1,62 +1,82 @@ --- driver: - name: vagrant + name: docker + privileged: true + use_sudo: false + +transport: + max_ssh_sessions: 5 + provisioner: name: ansible_playbook - test_repo_uri: https://github.com/hardening-io/tests-mysql-hardening.git hosts: all - playbook: default.yml require_ansible_repo: false require_ansible_omnibus: true - requirements_path: requirements.yml + require_chef_for_busser: false + require_ruby_for_busser: false ansible_verbose: true ansible_diff: true + hosts: all roles_path: ../ansible-mysql-hardening/ + playbook: default.yml + requirements_path: requirements.yml sudo_command: 'sudo -E -H' platforms: -- name: ubuntu-12.04 - driver_config: - box: opscode-ubuntu-12.04 - box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-12.04_chef-provisionerless.box -- name: ubuntu-14.04 - driver_config: - box: opscode-ubuntu-14.04 - box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-14.04_chef-provisionerless.box -- name: centos-6.4 - driver_config: - box: opscode-centos-6.4 - box_url: https://opscode-vm.s3.amazonaws.com/vagrant/opscode_centos-6.4_provisionerless.box -- name: centos-6.5 - driver_config: - box: opscode-centos-6.5 - box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.5_chef-provisionerless.box -- name: centos-7.2 - driver_config: - box: opscode-centos-7.2 - box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-7.2_chef-provisionerless.box -- name: oracle-6.4 - driver_config: - box: oracle-6.4 - box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel64-64.box -- name: oracle-6.5 - driver_config: - box: oracle-6.5 - box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box -- name: debian-6 - driver_config: - box: debian-6 - box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-6.0.10_chef-provisionerless.box -- name: debian-7 - 
driver_config: - box: debian-7 - box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-7.8_chef-provisionerless.box -- name: debian-8 - driver_config: - box: debian-8 - box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-8.1_chef-provisionerless.box +- name: centos6-ansible-latest + driver: + image: rndmh3ro/docker-centos6-ansible:latest + platform: centos +- name: centos7-ansible-latest + driver: + image: rndmh3ro/docker-centos7-ansible:latest + platform: centos +- name: oracle6-ansible-latest + driver: + image: rndmh3ro/docker-oracle6-ansible:latest + platform: centos +- name: oracle7-ansible-latest + driver: + image: rndmh3ro/docker-oracle7-ansible:latest + platform: centos +- name: ubuntu1204-ansible-latest + driver: + image: rndmh3ro/docker-ubuntu1204-ansible:latest + platform: ubuntu + run_command: /sbin/init +- name: ubuntu1404-ansible-latest + driver: + image: rndmh3ro/docker-ubuntu1404-ansible:latest + platform: ubuntu +- name: ubuntu1604-ansible-latest + driver: + image: rndmh3ro/docker-ubuntu1604-ansible:latest + platform: ubuntu +- name: debian7-ansible-latest + driver: + image: rndmh3ro/docker-debian7-ansible:latest + platform: debian + intermediate_instructions: + - RUN /usr/bin/apt-get update + - RUN /usr/bin/apt-get install -y procps +- name: debian8-ansible-latest + driver: + image: rndmh3ro/docker-debian8-ansible:latest + platform: debian + intermediate_instructions: + - RUN /usr/bin/apt-get update + - RUN /usr/bin/apt-get install -y procps + pid_one_command: /bin/systemd +- name: debian9-ansible-latest + driver: + image: rndmh3ro/docker-debian9-ansible:latest + platform: debian + +verifier: + name: inspec + sudo: true + inspec_tests: + - https://github.com/dev-sec/mysql-baseline + suites: -- name: ansible_1.9 - provisioner: - ansible_version: 1.9.4 -- name: ansible_latest +- name: mysql diff --git a/.travis.yml b/.travis.yml index 48e33a08..10371633 100644 --- a/.travis.yml 
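Review bot: The provisioner mapping now carries the key `hosts: all` twice — the existing context line is kept and a new `+ hosts: all` is added below `ansible_diff: true` — which is invalid YAML per the 1.2 spec and is silently last-wins in the Ruby loader kitchen uses; drop the added one (a later commit in this series does exactly that). Every docker platform is `privileged: true` with an unpinned `:latest` image from `rndmh3ro/docker-*-ansible`, so the CI baseline moves whenever those images are rebuilt; a comment such as `# privileged + :latest are needed for systemd-in-docker; images are not pinned on purpose` above `platforms:` would at least make that trade-off explicit. The `inspec_tests` URL has the same run-time, unpinned fetch problem as the vagrant file.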
+++ b/.travis.yml 
@@ -1,21 +1,75 @@ --- -notifications: - webhooks: https://galaxy.ansible.com/api/v1/notifications/ -language: python -python: "2.7" +services: docker env: - - ANSIBLE_VERSION=latest - - ANSIBLE_VERSION=1.9.4 + - distro: centos6 + version: latest + run_opts: "--privileged" + init: /sbin/init + + - distro: centos7 + init: /usr/lib/systemd/systemd + run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" + version: latest + + - distro: oracle6 + version: latest + run_opts: "--privileged" + init: /sbin/init + + - distro: oracle7 + init: /usr/lib/systemd/systemd + run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" + version: latest + +# see https://github.com/dev-sec/mysql-baseline/issues/35 +# - distro: ubuntu1604 +# version: latest +# init: /lib/systemd/systemd +# run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" + +# - distro: ubuntu1404 +# version: latest +# run_opts: "--privileged" +# init: /sbin/init + + - distro: debian7 + version: latest + run_opts: "--privileged" + init: /sbin/init + +# - distro: debian8 +# version: latest +# init: /bin/systemd +# run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" + + # - distro: debian9 + # version: latest + # init: /lib/systemd/systemd + # run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" before_install: - - sudo apt-get update -qq - - sudo apt-get install -qq python-apt python-pycurl python-mysqldb -install: - - if [ "$ANSIBLE_VERSION" = "latest" ]; then pip install ansible; else pip install ansible==$ANSIBLE_VERSION; fi - - echo -e 'localhost ansible_connection=local' > spec/inventory - - echo -e '[defaults]\nroles_path = ../\nhostfile = ./spec/inventory' > ansible.cfg + # Pull container + - 'docker pull rndmh3ro/docker-${distro}-ansible:${version}' script: - - ansible-playbook --syntax-check spec/travis.yml - - ansible-playbook --sudo -v --diff spec/travis.yml + - container_id=$(mktemp) + # Run container in detached state. 
+ - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-mysql-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"' + + # Install ansible galaxy requirements + - 'docker exec "$(cat ${container_id})" ansible-galaxy install -r /etc/ansible/roles/ansible-mysql-hardening/requirements.yml -p /etc/ansible/roles/' + + # Test role. + - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-mysql-hardening/default.yml' + + # Verify role + - 'inspec exec https://github.com/rndmh3ro/mysql-baseline/ -t docker://$(cat ${container_id})' + +after_failure: + # Check MySQL settings. + - 'docker exec --tty ${container_id} env TERM=xterm cat /var/log/mysql/error.log' + - 'docker exec --tty ${container_id} env TERM=xterm cat /var/log/mysql.err' + - 'docker exec --tty ${container_id} env TERM=xterm cat /var/log/mysql.log' +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ diff --git a/default.yml b/default.yml index ce4b72b6..65186417 100644 --- a/default.yml +++ b/default.yml @@ -1,9 +1,26 @@ --- + - name: wrapper playbook for kitchen testing "ansible-mysql-hardening" hosts: localhost + pre_tasks: + - file: path="/etc/mysql" state=directory + - name: Copy initctl_faker into place for Ubuntu 14.04. + copy: + src: initctl_faker + dest: /sbin/initctl + mode: 0755 + force: yes + when: ansible_distribution == 'Ubuntu' and ansible_distribution_version == '14.04' + changed_when: false + - name: install procps for debian systems + apt: name=procps state=installed update_cache=yes + when: ansible_distribution == 'Debian' vars: overwrite_global_mycnf: no - mysql_root_password: "root" + mysql_root_password: iloverandompasswordsbutthiswilldo + mysql_user_password: iloverandompasswordsbutthiswilldo + mysql_config_file: /etc/mysql/mariadb.cnf + mysql_root_password_update: yes roles: - geerlingguy.mysql - ansible-mysql-hardening 
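Review bot: The `after_failure` commands use `${container_id}` directly, but in `script` that variable holds the path of the `mktemp` file and the real id is read with `$(cat ${container_id})`; as written, `docker exec --tty ${container_id} …` is handed a `/tmp/tmp.XXXX` path and fails, so the MySQL logs are never shown on a failed build. Change each of the three lines to `docker exec --tty "$(cat ${container_id})" env TERM=xterm cat /var/log/mysql/error.log` (and likewise for `mysql.err` and `mysql.log`). The `inspec exec https://github.com/rndmh3ro/mysql-baseline/` step fetches the verification profile from a personal fork's default branch without a ref, which is both unpinned and a different source than the `dev-sec/mysql-baseline` used by `.kitchen.yml`; pick one and pin it.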
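Review bot: `mysql_root_password` and `mysql_user_password` are committed as a literal string and `mysql_root_password_update: yes` re-applies it on every converge; that is fine for a throwaway kitchen container, but the file should say so, e.g. `# test-only credentials — this wrapper is never run against real hosts` above `vars:`. The `apt: name=procps state=installed update_cache=yes` task uses the key=value shorthand and `state=installed`, which, if I recall the apt module docs correctly, is only a deprecated alias of `present`; `state: present` in block YAML is the safe spelling. `mysql_config_file: /etc/mysql/mariadb.cnf` is also set unconditionally while the Oracle/CentOS images tested in this series keep their config under `/etc/my.cnf`, so confirm that value is correct for those platforms or scope it with `when: ansible_os_family == 'Debian'`.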
diff --git a/initctl_faker b/initctl_faker new file mode 100644 index 00000000..55d2c364 --- /dev/null +++ b/initctl_faker @@ -0,0 +1,24 @@ +#!/bin/sh +ALIAS_CMD="$(echo ""$0"" | sed -e 's?/sbin/??')" + +case "$ALIAS_CMD" in + start|stop|restart|reload|status) + exec service $1 $ALIAS_CMD + ;; +esac + +case "$1" in + list ) + exec service --status-all + ;; + reload-configuration ) + exec service $2 restart + ;; + start|stop|restart|reload|status) + exec service $2 $1 + ;; + \?) + exit 0 + ;; +esac + diff --git a/spec/travis.yml b/spec/travis.yml deleted file mode 100644 index a307e677..00000000 --- a/spec/travis.yml +++ /dev/null @@ -1,3 +0,0 @@ -- hosts: localhost - roles: - - ansible-mysql-hardening From bf03862346d6f1a14282e7f15c6420c312ca802d Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Tue, 25 Apr 2017 08:55:20 +0200 Subject: [PATCH 059/115] remove 12.04 from kitchen testing --- .kitchen.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.kitchen.yml b/.kitchen.yml index a653a4fa..0d3a4d8d 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -39,11 +39,6 @@ platforms: driver: image: rndmh3ro/docker-oracle7-ansible:latest platform: centos -- name: ubuntu1204-ansible-latest - driver: - image: rndmh3ro/docker-ubuntu1204-ansible:latest - platform: ubuntu - run_command: /sbin/init - name: ubuntu1404-ansible-latest driver: image: rndmh3ro/docker-ubuntu1404-ansible:latest From 6e2a25dd713099c6e8dde1415ff6a955275e3979 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Tue, 25 Apr 2017 08:55:38 +0200 Subject: [PATCH 060/115] update readme --- README.md | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index ec27898b..020623e0 100644 --- a/README.md +++ b/README.md 
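Review bot: The shim expands `$1`, `$2` and `$ALIAS_CMD` unquoted in every `exec service …` line, and the final case label `\?)` matches only a literal `?` rather than acting as a default, so any other argument simply falls off the end of the script. Quote the expansions — `exec service "$1" "$ALIAS_CMD"` and `exec service "$2" "$1"` — and replace `\?)` with `*)` so the intent (ignore everything else, exit 0) is actually what runs. `ALIAS_CMD="$(echo ""$0"" | sed -e 's?/sbin/??')"` works only because the paired empty quotes are no-ops; `ALIAS_CMD=$(basename "$0")` says the same thing without the puzzle. Since default.yml installs this file as `/sbin/initctl` with mode 0755, a header comment stating that it is a test-only upstart shim for Ubuntu 14.04 containers would stop it being mistaken for something the role deploys to real hosts.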
@@ -50,7 +50,9 @@ Further information is already available at [Deutsche Telekom (German)](http://w ## Local Testing -For local testing you can use vagrant and Virtualbox of VMWare to run tests locally. You will have to install Virtualbox and Vagrant on your system. See [Vagrant Downloads](http://downloads.vagrantup.com/) for a vagrant package suitable for your system. For all our tests we use `test-kitchen`. If you are not familiar with `test-kitchen` please have a look at [their guide](http://kitchen.ci/docs/getting-started). +The preferred way of locally testing the role is to use Docker. You will have to install Docker on your system. See [Get started](https://docs.docker.com/) for a Docker package suitable to for your system. + +You can also use vagrant and Virtualbox or VMWare to run tests locally. You will have to install Virtualbox and Vagrant on your system. See [Vagrant Downloads](http://downloads.vagrantup.com/) for a vagrant package suitable for your system. For all our tests we use `test-kitchen`. If you are not familiar with `test-kitchen` please have a look at [their guide](http://kitchen.ci/docs/getting-started). Next install test-kitchen: @@ -58,16 +60,10 @@ Next install test-kitchen: # Install dependencies gem install bundler bundle install +``` -# Fetch tests -bundle exec thor kitchen:fetch-remote-tests - -# download a MySQL-installation role -ansible-galaxy install -p roles/ bennojoy.mysql - -# change password in MySQL-installation role to match the one from testing -sed -i 's/foobar/iloverandompasswordsbutthiswilldo/g' roles/bennojoy.mysql/defaults/main.yml - +### Testing with Docker +``` # fast test on one machine bundle exec kitchen test default-ubuntu-1204 
@@ -79,8 +75,19 @@ bundle exec kitchen create default-ubuntu-1204 bundle exec kitchen converge default-ubuntu-1204 ``` -For more information see [test-kitchen](http://kitchen.ci/docs/getting-started) +### Testing with Virtualbox +``` +# fast test on one machine +KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test default-ubuntu-1404 +# test on all machines +KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test + +# for development +KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen create default-ubuntu-1404 +KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen converge default-ubuntu-1404 +``` +For more information see [test-kitchen](http://kitchen.ci/docs/getting-started) ## License and Author From 934685c61618841daa5e138b368df00b27412bd9 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Tue, 25 Apr 2017 21:42:10 +0200 Subject: [PATCH 061/115] update vagrant boxes to use latest bento vms --- .kitchen.vagrant.yml | 47 +++++--------------------------------------- 1 file changed, 5 insertions(+), 42 deletions(-) diff --git a/.kitchen.vagrant.yml b/.kitchen.vagrant.yml index 11e71edc..23b1614c 100644 --- a/.kitchen.vagrant.yml +++ b/.kitchen.vagrant.yml 
@@ -19,51 +19,14 @@ transport: max_ssh_sessions: 5 platforms: -- name: ubuntu-12.04 - driver_config: - box: opscode-ubuntu-12.04 - box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-12.04_chef-provisionerless.box - name: ubuntu-14.04 - driver_config: - box: opscode-ubuntu-14.04 - box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-14.04_chef-provisionerless.box - name: ubuntu-16.04 - driver_config: - box: opscode-ubuntu-16.04 - box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-16.04_chef-provisionerless.box -- name: centos-6.4 - driver_config: - box: opscode-centos-6.4 - box_url: https://opscode-vm.s3.amazonaws.com/vagrant/opscode_centos-6.4_provisionerless.box -- name: centos-6.5 - driver_config: - box: opscode-centos-6.5 - box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.5_chef-provisionerless.box - name: centos-6.8 - driver_config: - box: bento/centos-6.8 -- name: centos-7 - driver_config: - box: bento/centos-7.2 -- name: oracle-6.4 - driver_config: - box: oracle-6.4 - box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel64-64.box -- name: oracle-6.5 - driver_config: - box: oracle-6.5 - box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box -- name: oracle-7 - driver_config: - box: boxcutter/ol72 -- name: debian-7 - driver_config: - box: debian-7 - box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-7.8_chef-provisionerless.box -- name: debian-8 - driver_config: - box: debian-8 - box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-8.1_chef-provisionerless.box +- name: centos-7.3 +- name: oracle-6.8 +- name: oracle-7.3 +- name: debian-7.11 +- name: debian-8.7 verifier: name: inspec From 72344ca8d08c58b92e217b0cf92df9225e4c61ac Mon Sep 17 00:00:00 2001 
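Review bot: Every platform entry now has only a `name:` and no `box:`/`box_url:`, so the box is resolved implicitly by kitchen-vagrant from the platform name (presumably to `bento/<name>`); that convention is not obvious to a reader and deserves a comment above `platforms:`, e.g. `# no box: given — kitchen-vagrant maps the name to bento/<name> on Vagrant Cloud`. None of the boxes is pinned with a `box_version`, so a rebuilt upstream box silently changes what the suite tests; if reproducibility matters here, add `driver_config: { box_version: "…" }` per platform.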
From: Sebastian Gumprich Date: Sun, 30 Apr 2017 17:17:32 +0200 Subject: [PATCH 062/115] add travis wait so oracle finishes --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 10371633..5c8747fe 100644 --- a/.travis.yml +++ b/.travis.yml @@ -61,7 +61,7 @@ script: - 'docker exec "$(cat ${container_id})" ansible-galaxy install -r /etc/ansible/roles/ansible-mysql-hardening/requirements.yml -p /etc/ansible/roles/' # Test role. - - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-mysql-hardening/default.yml' + - 'travis_wait docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-mysql-hardening/default.yml' # Verify role - 'inspec exec https://github.com/rndmh3ro/mysql-baseline/ -t docker://$(cat ${container_id})' From b4b820acca2b6a3c2843ec8b10c4730ddb64bc0d Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sun, 28 May 2017 18:33:56 +0200 Subject: [PATCH 063/115] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 020623e0..042bbe78 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ ## Description -Provides security configurations for MySQL. It is intended to set up production-ready mysql instances that are configured with minimal surface for attackers. +Provides security configurations for MySQL. It is intended to set up production-ready mysql instances that are configured with minimal surface for attackers. Furthermore it is intended to be compliant with the [DevSec MySQL Baseline](https://github.com/dev-sec/mysql-baseline). This role focuses on security configuration of MySQL. Therefore you can add this hardening role alongside your existing MySQL configuration in Ansible. From 0ac83273ec27f56256ba2eafa2fce95814a10762 Mon Sep 17 00:00:00 2001 
From: Fazle Arefin Date: Fri, 7 Jul 2017 11:34:29 +1000 Subject: [PATCH 064/115] Fix ansible.cfg settings - using `%Y-%m-%d` in `ansible_managed` message is not recommended as deploying from a new git checkout will change the `ansible_managed` string in the template and Ansible will report the template file as changed (see http://docs.ansible.com/ansible/intro_configuration.html#ansible-managed ) - no such setting called `role_path` (see http://docs.ansible.com/ansible/intro_configuration.html ) - `scp_if_ssh` should be under `[ssh_connection]` header --- ansible.cfg | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ansible.cfg b/ansible.cfg index d7cda5ba..6c2fb60f 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -8,7 +8,8 @@ # finds first [defaults] -ansible_managed = Ansible managed: {file} modified on %Y-%m-%d by {uid} on {host} +ansible_managed = Ansible managed: {file} modified by {uid} on {host} +roles_path = /vagrant -role_path = /vagrant +[ssh_connection] scp_if_ssh = True From 25367c6777798ceecbb66e2a689babdba3c8d830 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Mon, 12 Feb 2018 13:42:43 +0100 Subject: [PATCH 065/115] make mysql daemon enabling configurable --- defaults/main.yml | 2 ++ tasks/configure.yml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 1d4dba21..49a1e636 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,8 @@ # switcher to enable/disable role mysql_hardening_enabled: yes +mysql_daemon_enabled: yes + # general configuration mysql_cnf_owner: 'root' # owner of /etc/mysql/*.cnf files mysql_hardening_user: 'mysql' # owner of data diff --git a/tasks/configure.yml b/tasks/configure.yml index 2ff0cb3d..af3bbb41 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml 
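Review bot: The new `ansible_managed` string still embeds `{uid}` and `{host}`, which vary with whoever runs the playbook, so two operators converging the same target will still see `hardening.cnf` reported as changed for reasons unrelated to its content — the same class of spurious-diff problem the commit message describes for the date. If stable output is the goal, trim it to `ansible_managed = Ansible managed: {file}` (or keep it and add `# uid/host make this operator-specific; expect template diffs between operators`). `roles_path = /vagrant` is an absolute path that only exists inside the Vagrant guest; a one-line comment saying this ansible.cfg is intended to be used from within the box would save confusion for anyone running from the checkout.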
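Review bot: `mysql_daemon_enabled: yes` is a YAML 1.1 truthy literal; write it as `mysql_daemon_enabled: true` so it reads the same under yamllint, YAML 1.2 loaders and in the README, consistent with the `| bool` style adopted later in this series. The variable also lacks the explanatory comment the neighbouring settings have; e.g. `mysql_daemon_enabled: true  # enable the MySQL service at boot; set false if another role manages service state`.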
@@ -18,4 +18,4 @@ notify: restart mysql - name: enable mysql - service: name='{{ mysql_daemon }}' enabled=yes + service: name='{{ mysql_daemon }}' enabled='{{ mysql_daemon_enabled }}' From 975720436fcf9740b7c9ab8630625747eb5117ef Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sun, 29 Apr 2018 12:48:57 +0200 Subject: [PATCH 066/115] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 042bbe78..8eb91bb1 100644 --- a/README.md +++ b/README.md @@ -91,7 +91,7 @@ For more information see [test-kitchen](http://kitchen.ci/docs/getting-started) ## License and Author -* Author:: Sebastian Gumprich +* Author:: Sebastian Gumprich * Author:: Anton Lugovoi Licensed under the Apache License, Version 2.0 (the "License"); From 03937787dfe0060306f5f5dcd83401e177a2bdeb Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sat, 6 Oct 2018 18:54:43 +0200 Subject: [PATCH 067/115] Update issue templates --- .github/ISSUE_TEMPLATE/bug_report.md | 40 +++++++++++++++++++++++ .github/ISSUE_TEMPLATE/feature_request.md | 17 ++++++++++ 2 files changed, 57 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md create mode 100644 .github/ISSUE_TEMPLATE/feature_request.md diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 00000000..43f045d2 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,40 @@ +--- +name: Bug report +about: Create a report to help us improve + +--- + +**Describe the bug** +A clear and concise description of what the bug is. + +**Expected behavior** +A clear and concise description of what you expected to happen. + +**Actual behavior** + +```paste below + +``` +**Example Playbook** + +```paste below + +``` + +**OS / Environment** + + +**Ansible Version** + +```paste below + +``` + +**Role Version** + +```paste below + +``` + +**Additional context** +Add any other context about the problem here. 
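Review bot: `enabled='{{ mysql_daemon_enabled }}'` hands the service module a templated string (`'True'`/`'False'`), which its boolean conversion accepts, but an explicit filter makes the intent clear and survives stricter future type checking: `enabled: "{{ mysql_daemon_enabled | bool }}"`, ideally in block-YAML module args rather than the key=value form. The task name `enable mysql` is now wrong when the variable is false; something like `manage mysql service enablement` matches what it does. The rest of configure.yml is outside the hunk.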
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 00000000..066b2d92 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -0,0 +1,17 @@ +--- +name: Feature request +about: Suggest an idea for this project + +--- + +**Is your feature request related to a problem? Please describe.** +A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] + +**Describe the solution you'd like** +A clear and concise description of what you want to happen. + +**Describe alternatives you've considered** +A clear and concise description of any alternative solutions or features you've considered. + +**Additional context** +Add any other context or screenshots about the feature request here. From e8384a4aa74a0a4df9e54ec4af2f9204daf753b8 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Tue, 30 Oct 2018 20:44:41 +0100 Subject: [PATCH 068/115] replace iteritems with items for python3 support --- templates/hardening.cnf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/hardening.cnf.j2 b/templates/hardening.cnf.j2 index b4bca563..727cbb5a 100644 --- a/templates/hardening.cnf.j2 +++ b/templates/hardening.cnf.j2 @@ -6,7 +6,7 @@ skip-show-database skip-grant-tables {% endif %} -{% for (key, value) in mysql_hardening_options.iteritems() %} +{% for (key, value) in mysql_hardening_options.items() %} {{ key }} = {{ value }} {% endfor %} From b03e4f65590fd3e817b0cc1b33dfce22647e7502 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sun, 18 Nov 2018 10:07:23 +0100 Subject: [PATCH 069/115] remove duplicate Parameter --- .kitchen.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.kitchen.yml b/.kitchen.yml index 0d3a4d8d..c0795e8e 100644 --- a/.kitchen.yml +++ b/.kitchen.yml 
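Review bot: Switching to `.items()` fixes Python 3 but leaves the loop order up to the dict implementation, so on Python < 3.7 (and any caller passing an unordered mapping) the rendered `hardening.cnf` can change line order between runs and trigger needless `restart mysql` notifications; iterate deterministically with `{% for key, value in mysql_hardening_options | dictsort %}`. The context line `skip-grant-tables` sits inside an `{% if %}` whose condition is outside the hunk — because that directive disables all privilege checks, the guard deserves a comment right above it explaining the one situation in which a hardening template is meant to emit it.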
@@ -16,7 +16,7 @@ provisioner: require_ruby_for_busser: false ansible_verbose: true ansible_diff: true - hosts: all + roles_path: ../ansible-mysql-hardening/ playbook: default.yml requirements_path: requirements.yml From 63603315e8e890134ecf5ca035752eb0f394387e Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Mon, 29 Apr 2019 16:50:42 +0200 Subject: [PATCH 070/115] add install instructions to readme Signed-off-by: Sebastian Gumprich --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index 8eb91bb1..d7456644 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,14 @@ This role focuses on security configuration of MySQL. Therefore you can add this * Ansible * Set up `mysql_root_password` variable +## Installation + +Install the role with ansible-galaxy: + +``` +ansible-galaxy install dev-sec.mysqmysqll-hardening +``` + ### Example Playbook - hosts: localhost From 2c9a47f19f41ae1038375743869598bc486fea99 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Mon, 29 Apr 2019 16:53:30 +0200 Subject: [PATCH 071/115] add install instructions to readme Signed-off-by: Sebastian Gumprich --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d7456644..55291952 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ This role focuses on security configuration of MySQL. Therefore you can add this Install the role with ansible-galaxy: ``` -ansible-galaxy install dev-sec.mysqmysqll-hardening +ansible-galaxy install dev-sec.mysql-hardening ``` ### Example Playbook From dbe5ae6bd79c71be4a6ee3c6adc53ca76fffa4bd Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Mon, 29 Apr 2019 17:15:39 +0200 Subject: [PATCH 072/115] remove eol'd OS and add new 
Signed-off-by: Sebastian Gumprich --- .kitchen.vagrant.yml | 30 ++++++++++++++++++++++------- .kitchen.yml | 45 +++++++++++++++++++++++++------------------- .travis.yml | 28 +++++++++++++-------------- meta/main.yml | 6 +++--- 4 files changed, 66 insertions(+), 43 deletions(-) diff --git a/.kitchen.vagrant.yml b/.kitchen.vagrant.yml index 23b1614c..13f96956 100644 --- a/.kitchen.vagrant.yml +++ b/.kitchen.vagrant.yml @@ -19,14 +19,30 @@ transport: max_ssh_sessions: 5 platforms: -- name: ubuntu-14.04 - name: ubuntu-16.04 -- name: centos-6.8 -- name: centos-7.3 -- name: oracle-6.8 -- name: oracle-7.3 -- name: debian-7.11 -- name: debian-8.7 + driver_config: + box: bento/ubuntu-16.04 +- name: ubuntu-18.04 + driver_config: + box: bento/ubuntu-18.04 +- name: centos-6 + driver_config: + box: bento/centos-6 +- name: centos-7 + driver_config: + box: bento/centos-7 +- name: oracle-6 + driver_config: + box: bento/oracle-6 +- name: oracle-7 + driver_config: + box: bento/oracle-7 +- name: debian-9 + driver_config: + box: bento/debian-9 +- name: amazon + driver_config: + box: bento/amazonlinux-2 verifier: name: inspec diff --git a/.kitchen.yml b/.kitchen.yml index c0795e8e..dc949b8f 100644 --- a/.kitchen.yml +++ b/.kitchen.yml 
@@ -39,39 +39,46 @@ platforms: driver: image: rndmh3ro/docker-oracle7-ansible:latest platform: centos -- name: ubuntu1404-ansible-latest - driver: - image: rndmh3ro/docker-ubuntu1404-ansible:latest - platform: ubuntu + run_command: /sbin/init + provision_command: + - systemctl enable ssh.service - name: ubuntu1604-ansible-latest driver: image: rndmh3ro/docker-ubuntu1604-ansible:latest platform: ubuntu -- name: debian7-ansible-latest + run_command: /sbin/init +- name: ubuntu1804-ansible-latest driver: - image: rndmh3ro/docker-debian7-ansible:latest - platform: debian - intermediate_instructions: - - RUN /usr/bin/apt-get update - - RUN /usr/bin/apt-get install -y procps -- name: debian8-ansible-latest - driver: - image: rndmh3ro/docker-debian8-ansible:latest - platform: debian - intermediate_instructions: - - RUN /usr/bin/apt-get update - - RUN /usr/bin/apt-get install -y procps - pid_one_command: /bin/systemd + image: rndmh3ro/docker-ubuntu1804-ansible:latest + platform: ubuntu - name: debian9-ansible-latest driver: image: rndmh3ro/docker-debian9-ansible:latest platform: debian + run_command: /sbin/init + provision_command: + - apt install -y systemd-sysv + - systemctl enable ssh.service +- name: amazon-ansible-latest + driver: + image: rndmh3ro/docker-amazon-ansible:latest + platform: centos + run_command: /sbin/init +#- name: amazon-ansible-latest +# driver: +# image: rndmh3ro/docker-amazon-ansible:latest +# platform: centos +# run_command: /sbin/init +# provision_command: +# - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config +# - systemctl enable sshd.service verifier: name: inspec sudo: true inspec_tests: - - https://github.com/dev-sec/mysql-baseline + - ../mysql-baseline +# - https://github.com/dev-sec/mysql-baseline suites: - name: mysql diff --git a/.travis.yml b/.travis.yml index 5c8747fe..a5d8bbf9 100644 --- a/.travis.yml +++ b/.travis.yml 
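Review bot: `inspec_tests` is changed from the GitHub URL to the relative path `../mysql-baseline`, so `kitchen verify` now silently depends on a sibling checkout existing next to this repository and on whatever revision happens to be checked out there; the URL form is only left behind as a comment. If the local path is meant for development, document it — `# expects a checkout of dev-sec/mysql-baseline next to this repo; CI uses .travis.yml` — and keep a pinned remote source as the default. The commented-out second `amazon-ansible-latest` block (with its `UsePAM no` edit to sshd_config) should either be deleted or carry a note on why it is parked, since the active entry of the same name is defined just above it.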
@@ -28,25 +28,25 @@ env: # init: /lib/systemd/systemd # run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" -# - distro: ubuntu1404 -# version: latest -# run_opts: "--privileged" -# init: /sbin/init - - - distro: debian7 + - distro: ubuntu1804 version: latest - run_opts: "--privileged" - init: /sbin/init + init: /lib/systemd/systemd + run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" -# - distro: debian8 +# - distro: debian9 # version: latest -# init: /bin/systemd +# init: /lib/systemd/systemd # run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - # - distro: debian9 - # version: latest - # init: /lib/systemd/systemd - # run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" + - distro: amazon + init: /lib/systemd/systemd + version: latest + run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" + + - distro: fedora + init: /lib/systemd/systemd + version: latest + run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" before_install: # Pull container diff --git a/meta/main.yml b/meta/main.yml index 001f3234..cf8fdcbf 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -12,13 +12,13 @@ galaxy_info: - 7 - name: Ubuntu versions: - - precise - - trusty - xenial + - bionic - name: Debian versions: - - wheezy - jessie + - name: Amazon + - name: Fedora galaxy_tags: - system - security From e8a05eed0eb82891a7183b67d4673557e02982ed Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Mon, 29 Apr 2019 17:59:34 +0200 Subject: [PATCH 073/115] add fedora vars file Signed-off-by: Sebastian Gumprich --- vars/Fedora.yml | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 vars/Fedora.yml diff --git a/vars/Fedora.yml b/vars/Fedora.yml new file mode 100644 index 00000000..8165061e --- /dev/null +++ b/vars/Fedora.yml @@ -0,0 +1,3 @@ +mysql_daemon: mysqld +mysql_hardening_mysql_conf_file: '/etc/my.cnf' +mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d' 
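Review bot: The `galaxy_info` platform list is now out of step with what this same commit tests: Debian keeps only `jessie` although the debian8 container is dropped elsewhere in the series and `debian9` (stretch) is the one being added to `.kitchen.yml`, and Ubuntu lists `bionic` while the travis matrix keeps `ubuntu1604` commented out. List the Debian releases actually exercised — `- stretch` (and drop `jessie` if it is no longer tested) — and add a comment such as `# keep in sync with the platforms in .kitchen.yml / .travis.yml` so the two do not drift again. `- name: Amazon` and `- name: Fedora` are given without `versions:`; Galaxy accepts that, but stating `all` makes the intent explicit.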
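Review bot: `mysql_daemon: mysqld` is presumably copied from the RedHat vars file, but Fedora ships MariaDB by default where the unit is `mariadb`, and `mysqld` exists only if the community MySQL package is installed — confirm against what the test role actually installs on the fedora image before relying on it in `service: name='{{ mysql_daemon }}'`. The new file also lacks the `---` document start the other vars files in this role use and has no comment naming the Fedora release it was written for.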
From c608e028a529f60df55a99f3bc05f0c82c336d51 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Mon, 29 Apr 2019 18:29:59 +0200 Subject: [PATCH 074/115] ignore certs in travis ansible-galaxy install Signed-off-by: Sebastian Gumprich --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index a5d8bbf9..66760afc 100644 --- a/.travis.yml +++ b/.travis.yml @@ -58,7 +58,7 @@ script: - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-mysql-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"' # Install ansible galaxy requirements - - 'docker exec "$(cat ${container_id})" ansible-galaxy install -r /etc/ansible/roles/ansible-mysql-hardening/requirements.yml -p /etc/ansible/roles/' + - 'docker exec "$(cat ${container_id})" ansible-galaxy install -c -r /etc/ansible/roles/ansible-mysql-hardening/requirements.yml -p /etc/ansible/roles/' # Test role. - 'travis_wait docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-mysql-hardening/default.yml' From 0e4534e7cbfecf9effc223ca3904562f4671f06b Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Tue, 30 Apr 2019 15:56:51 +0200 Subject: [PATCH 075/115] pin inspec version --- Gemfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Gemfile b/Gemfile index c11b3bf6..3502d8f1 100644 --- a/Gemfile +++ b/Gemfile @@ -11,6 +11,7 @@ group :integration do gem 'kitchen-sync' gem 'kitchen-transport-rsync' gem 'kitchen-docker' + gem 'inspec', '~> 3' end group :tools do From be39384f6004a76dfe81286c8d5f2273502d977d Mon Sep 17 00:00:00 2001 From: Cenk Kuecuek Date: Sun, 6 Oct 2019 17:00:43 +0200 Subject: [PATCH 076/115] add test for debian 10 Signed-off-by: Cenk Kuecuek --- .kitchen.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.kitchen.yml b/.kitchen.yml index dc949b8f..52d40c00 100644 --- a/.kitchen.yml +++ b/.kitchen.yml 
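Review bot: `ansible-galaxy install -c` disables TLS certificate verification for the role download, so a network-level attacker on the CI runner can substitute arbitrary role content that is then executed as root inside the container and, via the inspec run, decides the build result; that is a supply-chain weakening and the commit does not say which certificate problem it works around. Fix the root cause instead (an outdated CA bundle in the `rndmh3ro/docker-*-ansible` image is the usual culprit — `update-ca-trust`/`update-ca-certificates` in the container, or run `ansible-galaxy install` on the Travis host and bind-mount the result), and if the flag must stay, add `# TODO: remove -c once <issue> is fixed` so it does not become permanent.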
@@ -59,6 +59,14 @@ platforms: provision_command: - apt install -y systemd-sysv - systemctl enable ssh.service +- name: debian10-ansible-latest + driver: + image: rndmh3ro/docker-debian10-ansible:latest + platform: debian + run_command: /sbin/init + provision_command: + - apt install -y systemd-sysv + - systemctl enable ssh.service - name: amazon-ansible-latest driver: image: rndmh3ro/docker-amazon-ansible:latest From 43a91bbb8fa0b44b237a3becd333d3d01ff93c3f Mon Sep 17 00:00:00 2001 From: Cenk Kuecuek Date: Sun, 6 Oct 2019 17:01:35 +0200 Subject: [PATCH 077/115] add test env for debian 10 Signed-off-by: Cenk Kuecuek --- .travis.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.travis.yml b/.travis.yml index 66760afc..042f6e9a 100644 --- a/.travis.yml +++ b/.travis.yml @@ -38,6 +38,11 @@ env: # init: /lib/systemd/systemd # run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" + - distro: debian10 + version: latest + init: /lib/systemd/systemd + run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" + - distro: amazon init: /lib/systemd/systemd version: latest From 8d855bee144edd8781f0851c78e9334e474a9444 Mon Sep 17 00:00:00 2001 From: Cenk Kuecuek Date: Sun, 6 Oct 2019 20:21:05 +0200 Subject: [PATCH 078/115] add test env for debian 10 Signed-off-by: Cenk Kuecuek --- .kitchen.vagrant.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.kitchen.vagrant.yml b/.kitchen.vagrant.yml index 13f96956..65789221 100644 --- a/.kitchen.vagrant.yml +++ b/.kitchen.vagrant.yml @@ -40,6 +40,9 @@ platforms: - name: debian-9 driver_config: box: bento/debian-9 +- name: debian-10 + driver_config: + box: bento/debian-10 - name: amazon driver_config: box: bento/amazonlinux-2 From 77f3f6e75d7f4672a128c264a15832f1fd80c613 Mon Sep 17 00:00:00 2001 From: Jason Daly Date: Wed, 16 Oct 2019 23:10:34 -0400 Subject: [PATCH 079/115] use bool filter on bare variable to address Ansible 2.8 deprecation warning 
Signed-off-by: Jason Daly --- tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 330ac2ec..ae5fdd3b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -10,12 +10,12 @@ tags: always - include: configure.yml - when: mysql_hardening_enabled + when: mysql_hardening_enabled | bool tags: - mysql_hardening - include: mysql_secure_installation.yml - when: mysql_hardening_enabled + when: mysql_hardening_enabled | bool tags: - mysql_hardening - mysql_secure_installation From a745e667cfa6b2ea004c3818ebc1b27c45f3a189 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sat, 14 Dec 2019 20:54:18 +0100 Subject: [PATCH 080/115] release 2.1.0 --- CHANGELOG.md | 48 ++++++++++++++++++++++++++++++++++-------------- 1 file changed, 34 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 879ef2b8..b4c83386 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,29 +1,49 @@ -# Change Log +# Changelog -## [2.0.0](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.0.0) (2017-04-21) -[Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/1.0.0...2.0.0) +## [2.1.0](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.1.0) (2019-12-14) -### Breaking Changes: - -- [\#22](https://github.com/dev-sec/ansible-mysql-hardening/pull/22) ([agno01](https://github.com/agno01)) - - renamed `mysql_hardening_mysql_conf` var to `mysql_hardening_mysql_conf_file` - - introduced `mysql_hardening_mysql_conf_dir` variable - - set default value of `mysql_hardening_mysql_conf_dir` variable for RedHat, OracleLinux, Debian - - changed default hardcoded full path in `mysql_hardening_hardening_conf` var to be based on `mysql_hardening_mysql_conf_dir` var - - ---- +[Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/2.0.0...2.1.0) **Implemented enhancements:** +- Add support for Debian Buster in ansible-mysql-hardening [\#37](https://github.com/dev-sec/ansible-mysql-hardening/issues/37) +- Update readme to include baselines [\#28](https://github.com/dev-sec/ansible-mysql-hardening/issues/28) +- migrate to new inspec test suite [\#25](https://github.com/dev-sec/ansible-mysql-hardening/issues/25) +- use bool filter on bare variable to address Ansible 2.8 deprecation warning [\#40](https://github.com/dev-sec/ansible-mysql-hardening/pull/40) ([deefour](https://github.com/deefour)) +- Add test support for Debian Buster [\#38](https://github.com/dev-sec/ansible-mysql-hardening/pull/38) ([cnkk](https://github.com/cnkk)) +- remove eol'd OS and add new [\#34](https://github.com/dev-sec/ansible-mysql-hardening/pull/34) ([rndmh3ro](https://github.com/rndmh3ro)) +- replace iteritems with items for python3 support [\#33](https://github.com/dev-sec/ansible-mysql-hardening/pull/33) ([rndmh3ro](https://github.com/rndmh3ro)) +- make mysql daemon enabling configurable 
[\#30](https://github.com/dev-sec/ansible-mysql-hardening/pull/30) ([rndmh3ro](https://github.com/rndmh3ro)) +- Fix ansible.cfg settings [\#29](https://github.com/dev-sec/ansible-mysql-hardening/pull/29) ([fazlearefin](https://github.com/fazlearefin)) + +**Fixed bugs:** + +- Template fails to render with Python 3 [\#32](https://github.com/dev-sec/ansible-mysql-hardening/issues/32) +- my.cnf symlink turns into None? [\#24](https://github.com/dev-sec/ansible-mysql-hardening/issues/24) + +## [2.0.0](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.0.0) (2017-05-07) + +[Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/1.0.0...2.0.0) + +**Implemented enhancements:** + +- Add CentOS7 with MariaDB support [\#23](https://github.com/dev-sec/ansible-mysql-hardening/issues/23) - Add CentOS7 with MariaDB support [\#27](https://github.com/dev-sec/ansible-mysql-hardening/pull/27) ([chrispoupart](https://github.com/chrispoupart)) +- - renamed 'mysql\_hardening\_mysql\_conf' var to 'mysql\_hardening\_mysql\_… [\#22](https://github.com/dev-sec/ansible-mysql-hardening/pull/22) ([agno01](https://github.com/agno01)) - add follow=yes to my.cnf protect task, incase its a symlink. fixes \#20 [\#21](https://github.com/dev-sec/ansible-mysql-hardening/pull/21) ([rndmh3ro](https://github.com/rndmh3ro)) **Fixed bugs:** - error on task protect my.cnf [\#20](https://github.com/dev-sec/ansible-mysql-hardening/issues/20) +**Merged pull requests:** + +- use new docker files [\#26](https://github.com/dev-sec/ansible-mysql-hardening/pull/26) ([rndmh3ro](https://github.com/rndmh3ro)) + ## [1.0.0](https://github.com/dev-sec/ansible-mysql-hardening/tree/1.0.0) (2016-06-28) + +[Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/dab153eb56e2296ce340e77d95586a55b5eefb80...1.0.0) + **Implemented enhancements:** - add changelog generator [\#7](https://github.com/dev-sec/ansible-mysql-hardening/pull/7) ([chris-rock](https://github.com/chris-rock)) 
@@ -51,4 +71,4 @@ -\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* +\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)* From 20eacfabf7c2f4cba9b0c2fbffa92b88328a9d77 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Tue, 18 Feb 2020 17:44:51 +0100 Subject: [PATCH 081/115] Update .travis.yml --- .travis.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.travis.yml b/.travis.yml index 042f6e9a..52246a2e 100644 --- a/.travis.yml +++ b/.travis.yml @@ -58,6 +58,9 @@ before_install: - 'docker pull rndmh3ro/docker-${distro}-ansible:${version}' script: + - pip install --user ansible-lint + - ansible-lint ./ + - container_id=$(mktemp) # Run container in detached state. - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-mysql-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"' From 9c77d0b512ee8e9468e63882e34b4a276bd65b3b Mon Sep 17 00:00:00 2001 From: Shadi Naif Date: Tue, 28 Apr 2020 09:06:21 +0300 Subject: [PATCH 082/115] Use python3-mysqldb for Ubuntu 20.04 --- tasks/mysql_secure_installation.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/tasks/mysql_secure_installation.yml b/tasks/mysql_secure_installation.yml index 746b1421..297091bb 100644 --- a/tasks/mysql_secure_installation.yml +++ b/tasks/mysql_secure_installation.yml 
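Review bot: `pip install --user ansible-lint` is unpinned, so every new ansible-lint release (and any new default rule it ships) changes what this job enforces and can fail builds with no change in this repository; pin it, e.g. `- pip install --user 'ansible-lint==<version>'`, and bump deliberately. For the same reason it is worth noting that the `inspec exec https://github.com/dev-sec/mysql-baseline/` step elsewhere in this file pulls the baseline's default branch at run time rather than a tagged revision.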
@@ -5,11 +5,16 @@ # package: pkg=python-mysqldb state=present -- name: Install MySQL-python for Ansible - apt: name=python-mysqldb state=present - when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' +- name: Install python3-mysqldb for Ansible + apt: name=python3-mysqldb state=present + when: ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '20.04' - name: Install python-mysqldb for Ansible + apt: name=python-mysqldb state=present + when: ansible_distribution == 'Debian' or + (ansible_distribution == 'Ubuntu' and ansible_distribution_version < '20.04') + +- name: Install MySQL-python for Ansible yum: name=MySQL-python state=present when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux' From 5d885bef432a4cbd0c4f7dc497763ae42c732e0f Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sat, 9 May 2020 20:27:23 +0200 Subject: [PATCH 083/115] add changelog and release workflow Signed-off-by: Sebastian Gumprich --- .github/workflows/changelog.yml | 34 ++++++++++++++++++++++ .github/workflows/release.yml | 50 +++++++++++++++++++++++++++++++++ 2 files changed, 84 insertions(+) create mode 100644 .github/workflows/changelog.yml create mode 100644 .github/workflows/release.yml diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml new file mode 100644 index 00000000..99857c7c --- /dev/null +++ b/.github/workflows/changelog.yml 
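Review bot: `ansible_distribution_version >= '20.04'` (and the mirrored `< '20.04'` in the next task) is a lexical string comparison, not a version comparison; it happens to order the Ubuntu releases in the current test matrix correctly, but any version whose leading digit sorts differently (a `9.x` string sorts after `20.04`) would pick the wrong branch. Use Ansible's version test instead: `when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '>=')`, and `is version('20.04', '<')` in the python-mysqldb task. The two-line plain-scalar `when:` in the second task is folded into one expression by YAML and works, but a quoted or `>-` scalar would make that intent visible.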
@@ -0,0 +1,34 @@ +name: Create Changelog + +on: + pull_request: + types: [closed] + + release: + types: [published] + + issues: + types: [closed, edited] + +jobs: + generate_changelog: + runs-on: ubuntu-latest + name: Generate changelog for master branch + steps: + - uses: actions/checkout@v1 + + - name: Generate changelog + uses: charmixer/auto-changelog-action@v1 + with: + token: ${{ secrets.GITHUB_TOKEN }} + + - name: push + uses: github-actions-x/commit@v2.6 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + push-branch: 'master' + commit-message: 'update changelog' + force-add: 'true' + files: CHANGELOG.md + name: dev-sec CI + email: github@gumpri.ch diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 00000000..5187c8f7 --- /dev/null +++ b/.github/workflows/release.yml 
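Review bot: Every third-party action here is referenced by a mutable tag (`actions/checkout@v1`, `charmixer/auto-changelog-action@v1`, `github-actions-x/commit@v2.6`), and the commit step hands `github-actions-x/commit` the `GITHUB_TOKEN` it uses to push to `master`, so a retagged or compromised upstream action inherits write access to this repository. Pin each `uses:` to a full commit SHA with the tag in a trailing comment, e.g. `uses: github-actions-x/commit@<full-commit-sha> # v2.6`, and review bumps like any other dependency. The same applies to the `release.yml` hunks in this series, where `WyriHaximus/github-action-get-previous-tag@master` tracks a moving branch and `charmixer/auto-changelog-action@8095796` is an abbreviated, non-unique SHA. Triggering on `issues: types: [closed, edited]` also means an issue edit by its author starts a run that commits to `master`; restricting the job's `permissions:` to what the commit step needs would limit the blast radius.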
@@ -0,0 +1,50 @@ +name: New release + +on: + push: + branches: + - master + +jobs: + generate_changelog: + runs-on: ubuntu-latest + name: create release draft + steps: + - uses: actions/checkout@v1 + + - name: 'Get Previous tag' + id: previoustag + uses: "WyriHaximus/github-action-get-previous-tag@master" + env: + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + + - name: calculate next version + id: version + uses: charmixer/auto-changelog-action@8095796 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Generate changelog + uses: charmixer/auto-changelog-action@v1 + with: + token: ${{ secrets.GITHUB_TOKEN }} + since_tag: ${{ steps.previoustag.outputs.tag }} + future_release: ${{ steps.version.outputs.next-version }} + + - name: Read CHANGELOG.md + id: package + uses: juliangruber/read-file-action@v1 + with: + path: ./CHANGELOG.md + + - name: Create Release draft + id: create_release + uses: actions/create-release@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token + with: + release_name: ${{ steps.version.outputs.next-version }} + tag_name: ${{ steps.version.outputs.next-version }} + body: | + ${{ steps.package.outputs.content }} + draft: true From a0c5d0c59695793d9643c9088f6d75c099ee6929 Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Sat, 9 May 2020 18:29:35 +0000 Subject: [PATCH 084/115] update changelog --- CHANGELOG.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b4c83386..ea7b7419 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,6 +1,23 @@ # Changelog -## [2.1.0](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.1.0) (2019-12-14) +## [Unreleased](https://github.com/dev-sec/ansible-mysql-hardening/tree/HEAD) + +[Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/2.1.0...HEAD) + +**Implemented enhancements:** + +- add changelog and release workflow [\#45](https://github.com/dev-sec/ansible-mysql-hardening/pull/45) ([rndmh3ro](https://github.com/rndmh3ro)) + +**Closed issues:** + +- New Tag? [\#41](https://github.com/dev-sec/ansible-mysql-hardening/issues/41) + +**Merged pull requests:** + +- Use python3-mysqldb for Ubuntu 20.04 [\#44](https://github.com/dev-sec/ansible-mysql-hardening/pull/44) ([shadinaif](https://github.com/shadinaif)) +- add ansible-lint [\#43](https://github.com/dev-sec/ansible-mysql-hardening/pull/43) ([rndmh3ro](https://github.com/rndmh3ro)) + +## [2.1.0](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.1.0) (2019-10-17) [Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/2.0.0...2.1.0) From c04c5bd0607be4222b386638b1d906238d37123a Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sat, 9 May 2020 20:43:49 +0200 Subject: [PATCH 085/115] fix release action Signed-off-by: Sebastian Gumprich --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5187c8f7..eb515e69 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -20,12 +20,12 @@ jobs: - name: calculate next version id: version - uses: charmixer/auto-changelog-action@8095796 + uses: patrickjahns/version-drafter-action@v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Generate changelog - uses: charmixer/auto-changelog-action@v1 + uses: charmixer/auto-changelog-action@8095796 with: token: ${{ secrets.GITHUB_TOKEN }} since_tag: ${{ steps.previoustag.outputs.tag }} 
From 99d63ffee1f228347ddc18a17aa1361d220137e9 Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Sat, 9 May 2020 18:46:44 +0000 Subject: [PATCH 086/115] update changelog --- CHANGELOG.md | 23 ++++++++--------------- 1 file changed, 8 insertions(+), 15 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ea7b7419..d5d7bc53 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,19 +1,12 @@ # Changelog -## [Unreleased](https://github.com/dev-sec/ansible-mysql-hardening/tree/HEAD) +## [2.2.0](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.2.0) (2020-05-09) -[Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/2.1.0...HEAD) +[Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/2.1.0...2.2.0) **Implemented enhancements:** - add changelog and release workflow [\#45](https://github.com/dev-sec/ansible-mysql-hardening/pull/45) ([rndmh3ro](https://github.com/rndmh3ro)) - -**Closed issues:** - -- New Tag? [\#41](https://github.com/dev-sec/ansible-mysql-hardening/issues/41) - -**Merged pull requests:** - - Use python3-mysqldb for Ubuntu 20.04 [\#44](https://github.com/dev-sec/ansible-mysql-hardening/pull/44) ([shadinaif](https://github.com/shadinaif)) - add ansible-lint [\#43](https://github.com/dev-sec/ansible-mysql-hardening/pull/43) ([rndmh3ro](https://github.com/rndmh3ro)) 
@@ -32,12 +25,17 @@ - replace iteritems with items for python3 support [\#33](https://github.com/dev-sec/ansible-mysql-hardening/pull/33) ([rndmh3ro](https://github.com/rndmh3ro)) - make mysql daemon enabling configurable [\#30](https://github.com/dev-sec/ansible-mysql-hardening/pull/30) ([rndmh3ro](https://github.com/rndmh3ro)) - Fix ansible.cfg settings [\#29](https://github.com/dev-sec/ansible-mysql-hardening/pull/29) ([fazlearefin](https://github.com/fazlearefin)) +- Add CentOS7 with MariaDB support [\#27](https://github.com/dev-sec/ansible-mysql-hardening/pull/27) ([chrispoupart](https://github.com/chrispoupart)) **Fixed bugs:** - Template fails to render with Python 3 [\#32](https://github.com/dev-sec/ansible-mysql-hardening/issues/32) - my.cnf symlink turns into None? [\#24](https://github.com/dev-sec/ansible-mysql-hardening/issues/24) +**Merged pull requests:** + +- use new docker files [\#26](https://github.com/dev-sec/ansible-mysql-hardening/pull/26) ([rndmh3ro](https://github.com/rndmh3ro)) + ## [2.0.0](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.0.0) (2017-05-07) [Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/1.0.0...2.0.0) 
@@ -45,24 +43,19 @@ **Implemented enhancements:** - Add CentOS7 with MariaDB support [\#23](https://github.com/dev-sec/ansible-mysql-hardening/issues/23) -- Add CentOS7 with MariaDB support [\#27](https://github.com/dev-sec/ansible-mysql-hardening/pull/27) ([chrispoupart](https://github.com/chrispoupart)) - - renamed 'mysql\_hardening\_mysql\_conf' var to 'mysql\_hardening\_mysql\_… [\#22](https://github.com/dev-sec/ansible-mysql-hardening/pull/22) ([agno01](https://github.com/agno01)) -- add follow=yes to my.cnf protect task, incase its a symlink. fixes \#20 [\#21](https://github.com/dev-sec/ansible-mysql-hardening/pull/21) ([rndmh3ro](https://github.com/rndmh3ro)) **Fixed bugs:** - error on task protect my.cnf [\#20](https://github.com/dev-sec/ansible-mysql-hardening/issues/20) -**Merged pull requests:** - -- use new docker files [\#26](https://github.com/dev-sec/ansible-mysql-hardening/pull/26) ([rndmh3ro](https://github.com/rndmh3ro)) - ## [1.0.0](https://github.com/dev-sec/ansible-mysql-hardening/tree/1.0.0) (2016-06-28) [Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/dab153eb56e2296ce340e77d95586a55b5eefb80...1.0.0) **Implemented enhancements:** +- add follow=yes to my.cnf protect task, incase its a symlink. fixes \#20 [\#21](https://github.com/dev-sec/ansible-mysql-hardening/pull/21) ([rndmh3ro](https://github.com/rndmh3ro)) - add changelog generator [\#7](https://github.com/dev-sec/ansible-mysql-hardening/pull/7) ([chris-rock](https://github.com/chris-rock)) **Closed issues:** From a2e7cf3fd8a667b661f21db783a8f04818e75296 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sat, 6 Jun 2020 10:24:29 +0200 Subject: [PATCH 087/115] unify changelog and release actions Signed-off-by: Sebastian Gumprich --- .github/workflows/changelog.yml | 34 --------------------------------- .github/workflows/release.yml | 20 ++++++++++++++++++- 2 files changed, 19 insertions(+), 35 deletions(-) delete mode 100644 .github/workflows/changelog.yml 
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml deleted file mode 100644 index 99857c7c..00000000 --- a/.github/workflows/changelog.yml +++ /dev/null @@ -1,34 +0,0 @@ -name: Create Changelog - -on: - pull_request: - types: [closed] - - release: - types: [published] - - issues: - types: [closed, edited] - -jobs: - generate_changelog: - runs-on: ubuntu-latest - name: Generate changelog for master branch - steps: - - uses: actions/checkout@v1 - - - name: Generate changelog - uses: charmixer/auto-changelog-action@v1 - with: - token: ${{ secrets.GITHUB_TOKEN }} - - - name: push - uses: github-actions-x/commit@v2.6 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - push-branch: 'master' - commit-message: 'update changelog' - force-add: 'true' - files: CHANGELOG.md - name: dev-sec CI - email: github@gumpri.ch diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index eb515e69..4d5fa699 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -25,17 +25,35 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Generate changelog + uses: charmixer/auto-changelog-action@8095796 + with: + token: ${{ secrets.GITHUB_TOKEN }} + future_release: ${{ steps.version.outputs.next-version }} + + - name: Generate changelog for the release uses: charmixer/auto-changelog-action@8095796 with: token: ${{ secrets.GITHUB_TOKEN }} since_tag: ${{ steps.previoustag.outputs.tag }} future_release: ${{ steps.version.outputs.next-version }} + output: CHANGELOGRELEASE.md + + - name: push changelog + uses: github-actions-x/commit@v2.6 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + push-branch: 'master' + commit-message: 'update changelog' + force-add: 'true' + files: CHANGELOG.md + name: dev-sec CI + email: hello@dev-sec.io - name: Read CHANGELOG.md id: package uses: juliangruber/read-file-action@v1 with: - path: ./CHANGELOG.md + path: ./CHANGELOGRELEASE.md - name: Create Release draft id: create_release 
From e9782fb2c15d853826a91ca5640edbf0fca6cfcc Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Sat, 6 Jun 2020 08:27:35 +0000 Subject: [PATCH 088/115] update changelog --- CHANGELOG.md | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d5d7bc53..1b8ccfc0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,13 @@ # Changelog +## [2.2.1](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.2.1) (2020-06-06) + +[Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/2.2.0...2.2.1) + +**Implemented enhancements:** + +- unify changelog and release actions [\#46](https://github.com/dev-sec/ansible-mysql-hardening/pull/46) ([rndmh3ro](https://github.com/rndmh3ro)) + ## [2.2.0](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.2.0) (2020-05-09) [Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/2.1.0...2.2.0) 
@@ -25,17 +33,12 @@ - replace iteritems with items for python3 support [\#33](https://github.com/dev-sec/ansible-mysql-hardening/pull/33) ([rndmh3ro](https://github.com/rndmh3ro)) - make mysql daemon enabling configurable [\#30](https://github.com/dev-sec/ansible-mysql-hardening/pull/30) ([rndmh3ro](https://github.com/rndmh3ro)) - Fix ansible.cfg settings [\#29](https://github.com/dev-sec/ansible-mysql-hardening/pull/29) ([fazlearefin](https://github.com/fazlearefin)) -- Add CentOS7 with MariaDB support [\#27](https://github.com/dev-sec/ansible-mysql-hardening/pull/27) ([chrispoupart](https://github.com/chrispoupart)) **Fixed bugs:** - Template fails to render with Python 3 [\#32](https://github.com/dev-sec/ansible-mysql-hardening/issues/32) - my.cnf symlink turns into None? [\#24](https://github.com/dev-sec/ansible-mysql-hardening/issues/24) -**Merged pull requests:** - -- use new docker files [\#26](https://github.com/dev-sec/ansible-mysql-hardening/pull/26) ([rndmh3ro](https://github.com/rndmh3ro)) - ## [2.0.0](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.0.0) (2017-05-07) [Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/1.0.0...2.0.0) 
@@ -43,19 +46,24 @@ **Implemented enhancements:** - Add CentOS7 with MariaDB support [\#23](https://github.com/dev-sec/ansible-mysql-hardening/issues/23) +- Add CentOS7 with MariaDB support [\#27](https://github.com/dev-sec/ansible-mysql-hardening/pull/27) ([chrispoupart](https://github.com/chrispoupart)) - - renamed 'mysql\_hardening\_mysql\_conf' var to 'mysql\_hardening\_mysql\_… [\#22](https://github.com/dev-sec/ansible-mysql-hardening/pull/22) ([agno01](https://github.com/agno01)) +- add follow=yes to my.cnf protect task, incase its a symlink. fixes \#20 [\#21](https://github.com/dev-sec/ansible-mysql-hardening/pull/21) ([rndmh3ro](https://github.com/rndmh3ro)) **Fixed bugs:** - error on task protect my.cnf [\#20](https://github.com/dev-sec/ansible-mysql-hardening/issues/20) +**Merged pull requests:** + +- use new docker files [\#26](https://github.com/dev-sec/ansible-mysql-hardening/pull/26) ([rndmh3ro](https://github.com/rndmh3ro)) + ## [1.0.0](https://github.com/dev-sec/ansible-mysql-hardening/tree/1.0.0) (2016-06-28) [Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/dab153eb56e2296ce340e77d95586a55b5eefb80...1.0.0) **Implemented enhancements:** -- add follow=yes to my.cnf protect task, incase its a symlink. fixes \#20 [\#21](https://github.com/dev-sec/ansible-mysql-hardening/pull/21) ([rndmh3ro](https://github.com/rndmh3ro)) - add changelog generator [\#7](https://github.com/dev-sec/ansible-mysql-hardening/pull/7) ([chris-rock](https://github.com/chris-rock)) **Closed issues:** From 4494ddd1324f6007a21ef1886267709bac89d624 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sun, 12 Jul 2020 09:16:33 +0200 Subject: [PATCH 089/115] remove mention of gitter --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 55291952..c88d96cf 100644 --- a/README.md +++ b/README.md 
@@ -1,7 +1,6 @@ # mysql-hardening (Ansible role) [![Build Status](http://img.shields.io/travis/dev-sec/ansible-mysql-hardening.svg)][1] -[![Gitter Chat](https://badges.gitter.im/Join%20Chat.svg)][2] [![Ansible Galaxy](https://img.shields.io/badge/galaxy-mysql--hardening-660198.svg)][3] ## Description From 6b42f124340a5ceabaf6df5cddc6800fd56415e1 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Wed, 15 Aug 2018 17:05:24 +0200 Subject: [PATCH 090/115] update testing Signed-off-by: Sebastian Gumprich --- .kitchen.yml | 34 +++++++-------- .travis.yml | 28 ++++++------ Gemfile | 4 -- default.yml | 26 ------------ defaults/main.yml | 3 +- files/mysql_remove_anonymous_users.sql | 1 - initctl_faker | 24 ----------- tasks/configure.yml | 46 +++++++++++++++++--- tasks/mysql_secure_installation.yml | 59 +++++++++++++------------- tests/test.yml | 35 +++++++++++++++ vars/Debian.yml | 11 +++++ vars/Fedora.yml | 2 + vars/Oracle Linux.yml | 8 ++++ vars/RedHat-7.yml | 4 ++ vars/RedHat-8.yml | 8 ++++ vars/RedHat.yml | 10 +++++ vars/Ubuntu-20.04.yml | 2 + vars/main.yml | 2 + 18 files changed, 182 insertions(+), 125 deletions(-) delete mode 100644 default.yml delete mode 100644 files/mysql_remove_anonymous_users.sql delete mode 100644 initctl_faker create mode 100644 tests/test.yml create mode 100644 vars/RedHat-8.yml create mode 100644 vars/Ubuntu-20.04.yml diff --git a/.kitchen.yml b/.kitchen.yml index 52d40c00..ffa3ee09 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -1,8 +1,10 @@ --- driver: name: docker - privileged: true use_sudo: false + privileged: true + http_proxy: <%= ENV['http_proxy'] || nil %> + https_proxy: <%= ENV['https_proxy'] || nil %> transport: max_ssh_sessions: 5 
@@ -11,16 +13,18 @@ provisioner: name: ansible_playbook hosts: all require_ansible_repo: false - require_ansible_omnibus: true require_chef_for_busser: false require_ruby_for_busser: false ansible_verbose: true ansible_diff: true roles_path: ../ansible-mysql-hardening/ - playbook: default.yml + http_proxy: <%= ENV['http_proxy'] || nil %> + https_proxy: <%= ENV['https_proxy'] || nil %> requirements_path: requirements.yml sudo_command: 'sudo -E -H' + playbook: tests/test.yml + galaxy_ignore_certs: true platforms: - name: centos6-ansible-latest @@ -31,6 +35,10 @@ platforms: driver: image: rndmh3ro/docker-centos7-ansible:latest platform: centos + run_command: /sbin/init + provision_command: + - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - systemctl enable sshd.service - name: oracle6-ansible-latest driver: image: rndmh3ro/docker-oracle6-ansible:latest @@ -38,19 +46,17 @@ platforms: - name: oracle7-ansible-latest driver: image: rndmh3ro/docker-oracle7-ansible:latest + run_command: /sbin/init platform: centos run_command: /sbin/init provision_command: - systemctl enable ssh.service -- name: ubuntu1604-ansible-latest - driver: - image: rndmh3ro/docker-ubuntu1604-ansible:latest - platform: ubuntu - run_command: /sbin/init - name: ubuntu1804-ansible-latest driver: image: rndmh3ro/docker-ubuntu1804-ansible:latest platform: ubuntu + provision_command: + - systemctl enable ssh.service - name: debian9-ansible-latest driver: image: rndmh3ro/docker-debian9-ansible:latest 
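Review bot: The `oracle7-ansible-latest` platform now has `run_command: /sbin/init` twice in the same `driver:` mapping (the added line plus the existing one two lines below); duplicate keys are invalid in YAML 1.2 and most parsers, including Ruby's, silently keep the last value, so the added line should be dropped. In the same hunk `ubuntu1804-ansible-latest` gains a `provision_command` that enables `ssh.service` but, unlike the other systemd-based platforms in this file, shows no `run_command: /sbin/init`, so I would confirm that container actually boots an init before the service enablement matters.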
@@ -72,15 +78,9 @@ platforms: image: rndmh3ro/docker-amazon-ansible:latest platform: centos run_command: /sbin/init -#- name: amazon-ansible-latest -# driver: -# image: rndmh3ro/docker-amazon-ansible:latest -# platform: centos -# run_command: /sbin/init -# provision_command: -# - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config -# - systemctl enable sshd.service - + provision_command: + - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - systemctl enable sshd.service verifier: name: inspec sudo: true diff --git a/.travis.yml b/.travis.yml index 52246a2e..9abcc5f4 100644 --- a/.travis.yml +++ b/.travis.yml @@ -4,39 +4,35 @@ services: docker env: - distro: centos6 version: latest - run_opts: "--privileged" init: /sbin/init - distro: centos7 - init: /usr/lib/systemd/systemd + init: /lib/systemd/systemd run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" version: latest - distro: oracle6 version: latest - run_opts: "--privileged" init: /sbin/init - distro: oracle7 - init: /usr/lib/systemd/systemd + init: /lib/systemd/systemd run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - version: latest -# see https://github.com/dev-sec/mysql-baseline/issues/35 -# - distro: ubuntu1604 -# version: latest -# init: /lib/systemd/systemd -# run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" + - distro: ubuntu1604 + version: latest + init: /lib/systemd/systemd + run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - distro: ubuntu1804 version: latest init: /lib/systemd/systemd run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" -# - distro: debian9 -# version: latest -# init: /lib/systemd/systemd -# run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" + - distro: debian9 + version: latest + init: /lib/systemd/systemd + run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - distro: debian10 version: latest 
@@ -69,10 +65,10 @@ script: - 'docker exec "$(cat ${container_id})" ansible-galaxy install -c -r /etc/ansible/roles/ansible-mysql-hardening/requirements.yml -p /etc/ansible/roles/' # Test role. - - 'travis_wait docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-mysql-hardening/default.yml' + - 'travis_wait docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-mysql-hardening/tests/test.yml' # Verify role - - 'inspec exec https://github.com/rndmh3ro/mysql-baseline/ -t docker://$(cat ${container_id})' + - 'inspec exec https://github.com/dev-sec/mysql-baseline/ -t docker://$(cat ${container_id}) --no-distinct-exit' after_failure: # Check MySQL settings. diff --git a/Gemfile b/Gemfile index 3502d8f1..32a3bfeb 100644 --- a/Gemfile +++ b/Gemfile @@ -13,7 +13,3 @@ group :integration do gem 'kitchen-docker' gem 'inspec', '~> 3' end - -group :tools do - gem 'github_changelog_generator', '~> 1' -end diff --git a/default.yml b/default.yml deleted file mode 100644 index 65186417..00000000 --- a/default.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- - -- name: wrapper playbook for kitchen testing "ansible-mysql-hardening" - hosts: localhost - pre_tasks: - - file: path="/etc/mysql" state=directory - - name: Copy initctl_faker into place for Ubuntu 14.04. - copy: - src: initctl_faker - dest: /sbin/initctl - mode: 0755 - force: yes - when: ansible_distribution == 'Ubuntu' and ansible_distribution_version == '14.04' - changed_when: false - - name: install procps for debian systems - apt: name=procps state=installed update_cache=yes - when: ansible_distribution == 'Debian' - vars: - overwrite_global_mycnf: no - mysql_root_password: iloverandompasswordsbutthiswilldo - mysql_user_password: iloverandompasswordsbutthiswilldo - mysql_config_file: /etc/mysql/mariadb.cnf - mysql_root_password_update: yes - roles: - - geerlingguy.mysql - - ansible-mysql-hardening 
diff --git a/defaults/main.yml b/defaults/main.yml index 49a1e636..ae642ec3 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -5,8 +5,9 @@ mysql_daemon_enabled: yes # general configuration mysql_cnf_owner: 'root' # owner of /etc/mysql/*.cnf files +mysql_cnf_group: 'root' # owner of /etc/mysql/*.cnf files mysql_hardening_user: 'mysql' # owner of data -mysql_hardening_group: 'root' +mysql_hardening_group: 'mysql' mysql_datadir: '/var/lib/mysql' mysql_hardening_mysql_hardening_conf_file: '{{mysql_hardening_mysql_confd_dir}}/hardening.cnf' # You have to change this to your own strong enough mysql root password diff --git a/files/mysql_remove_anonymous_users.sql b/files/mysql_remove_anonymous_users.sql deleted file mode 100644 index 916d83ef..00000000 --- a/files/mysql_remove_anonymous_users.sql +++ /dev/null @@ -1 +0,0 @@ -DELETE FROM mysql.user WHERE User=''; diff --git a/initctl_faker b/initctl_faker deleted file mode 100644 index 55d2c364..00000000 --- a/initctl_faker +++ /dev/null @@ -1,24 +0,0 @@ -#!/bin/sh -ALIAS_CMD="$(echo ""$0"" | sed -e 's?/sbin/??')" - -case "$ALIAS_CMD" in - start|stop|restart|reload|status) - exec service $1 $ALIAS_CMD - ;; -esac - -case "$1" in - list ) - exec service --status-all - ;; - reload-configuration ) - exec service $2 restart - ;; - start|stop|restart|reload|status) - exec service $2 $1 - ;; - \?) - exit 0 - ;; -esac - diff --git a/tasks/configure.yml b/tasks/configure.yml index af3bbb41..1b451851 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml 
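Review bot: The inline comment on the new `mysql_cnf_group` default is copied from `mysql_cnf_owner` and still says `owner of /etc/mysql/*.cnf files`; it should read `mysql_cnf_group: 'root' # group of /etc/mysql/*.cnf files`. More importantly, changing `mysql_hardening_group` from `'root'` to `'mysql'` weakens the configuration directory: `tasks/configure.yml` in this same patch sets `mysql_hardening_mysql_confd_dir` to owner `mysql_hardening_user`, group `mysql_hardening_group`, mode `"0570"`, so with both defaulting to `mysql` the service account gains write access to its own config include directory through the group bits (assuming, as packaging usually arranges, that the `mysql` user is in the `mysql` group), where before only root had it. If the new default exists only for the added log-file task, a separate group variable for the log file would keep the confd directory at root; either way this is a user-visible default change that belongs in the changelog and README.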
@@ -1,21 +1,55 @@ --- - name: protect my.cnf - file: path='{{mysql_hardening_mysql_conf_file}}' mode=0400 owner='{{mysql_cnf_owner}}' group='{{mysql_hardening_group}}' follow=yes state=file + file: + path: '{{ mysql_hardening_mysql_conf_file }}' + mode: 0400 + owner: '{{ mysql_cnf_owner }}' + group: '{{ mysql_cnf_owner }}' + follow: yes + state: file - name: ensure permissions on mysql-datadir are correct - file: path='{{mysql_datadir}}' state=directory owner='{{mysql_hardening_user}}' group='{{mysql_hardening_user}}' + file: + path: '{{ mysql_datadir }}' + state: directory + owner: '{{ mysql_hardening_user }}' + group: '{{ mysql_hardening_user }}' + +- name: ensure permissions on mysql-logfile are correct + file: + path: '{{ mysql_hardening_log_dir }}/{{ mysql_hardening_log_file }}' + state: file + owner: '{{ mysql_hardening_user }}' + group: '{{ mysql_hardening_group }}' - name: check mysql configuration-directory exists and has right permissions - file: path='{{mysql_hardening_mysql_confd_dir}}' state=directory owner='{{mysql_hardening_user}}' group='{{mysql_hardening_group}}' mode=0570 + file: + path: '{{ mysql_hardening_mysql_confd_dir }}' + state: directory + owner: '{{ mysql_hardening_user }}' + group: '{{ mysql_hardening_group }}' + mode: "0570" - name: check include-dir directive is present in my.cnf - lineinfile: dest='{{mysql_hardening_mysql_conf_file}}' line='!includedir {{mysql_hardening_mysql_confd_dir}}' insertafter='EOF' state=present backup=yes + lineinfile: + dest: '{{ mysql_hardening_mysql_conf_file }}' + line: '!includedir {{ mysql_hardening_mysql_confd_dir }}' + insertafter: 'EOF' + state: present + backup: yes notify: restart mysql - name: apply hardening configuration - template: src='hardening.cnf.j2' dest='{{mysql_hardening_mysql_hardening_conf_file}}' owner='{{mysql_cnf_owner}}' group='{{mysql_hardening_group}}' mode=0460 + template: + src: 'hardening.cnf.j2' + dest: '{{ mysql_hardening_mysql_hardening_conf_file }}' + owner: '{{ 
mysql_cnf_owner }}' + group: '{{ mysql_cnf_group }}' + mode: "0460" notify: restart mysql - name: enable mysql - service: name='{{ mysql_daemon }}' enabled='{{ mysql_daemon_enabled }}' + service: + name: '{{ mysql_daemon }}' + enabled: '{{ mysql_daemon_enabled }}' diff --git a/tasks/mysql_secure_installation.yml b/tasks/mysql_secure_installation.yml index 297091bb..fbf47467 100644 --- a/tasks/mysql_secure_installation.yml +++ b/tasks/mysql_secure_installation.yml 
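Review bot: The `protect my.cnf` task sets `group: '{{ mysql_cnf_owner }}'` while the `apply hardening configuration` task in the same hunk uses the `mysql_cnf_group` variable this commit introduces, so the group on my.cnf silently follows the owner and cannot be set independently; change it to `group: '{{ mysql_cnf_group }}'`. The same task leaves `mode: 0400` unquoted, which YAML reads as an integer and Ansible only tolerates because of the leading zero — quote it as `mode: '0400'` like the other modes here. The new `ensure permissions on mysql-logfile are correct` task uses `state: file`, which errors when the log file does not exist yet (a freshly installed server that has not started), so it probably needs a preceding `stat` and a `when:` on its result.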
@@ -1,55 +1,54 @@ --- +- name: Install mysqld python libary for Ansible + package: + name: "{{ mysql_python_package }}" + state: present -# supported for ansible ver => 2.0 -#- name: Install python-mysqldb for Ansible -# package: pkg=python-mysqldb state=present - - -- name: Install python3-mysqldb for Ansible - apt: name=python3-mysqldb state=present - when: ansible_distribution == 'Ubuntu' and ansible_distribution_version >= '20.04' - -- name: Install python-mysqldb for Ansible - apt: name=python-mysqldb state=present - when: ansible_distribution == 'Debian' or - (ansible_distribution == 'Ubuntu' and ansible_distribution_version < '20.04') - -- name: Install MySQL-python for Ansible - yum: name=MySQL-python state=present - when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux' - -- debug: msg="WARNING - you have to change default mysql_root_password" +- debug: + msg: "WARNING - you have to change default mysql_root_password" when: mysql_root_password == '-----====>SetR00tPa$$wordH3r3!!!<====-----' - name: root password is present - mysql_user: name=root host={{item}} password={{mysql_root_password | mandatory}} state=present - with_items: - - '::1' - - '127.0.0.1' - - 'localhost' + mysql_user: + name: 'root' + host_all: true + password: '{{ mysql_root_password | mandatory }}' + state: present - name: install .my.cnf with credentials - template: src=my.cnf.j2 dest={{mysql_user_home}}/.my.cnf - mode=0400 + template: + src: 'my.cnf.j2' + dest: '{{ mysql_user_home }}/.my.cnf' + mode: '0400' tags: my_cnf - name: test database is absent - mysql_db: name=test state=absent + mysql_db: + name: test + state: absent when: mysql_remove_test_database - name: anonymous users are absent - mysql_user: name='' state=absent host_all=yes + mysql_user: + name: '' + state: absent + host_all: yes when: mysql_remove_anonymous_users - name: copy mysql_remove_remote_root - copy: src='{{item}}.sql' dest='/tmp/{{item}}.sql' + copy: + src: '{{ item }}.sql' + dest: 
'/tmp/{{ item }}.sql' with_items: - mysql_remove_remote_root when: mysql_remove_remote_root changed_when: false - name: apply mysql_remove_remote_root - mysql_db: name='mysql' state=import target='/tmp/{{item}}.sql' + mysql_db: + name: 'mysql' + state: import + target: '/tmp/{{ item }}.sql' with_items: - mysql_remove_remote_root when: mysql_remove_remote_root diff --git a/tests/test.yml b/tests/test.yml new file mode 100644 index 00000000..f90711bb --- /dev/null +++ b/tests/test.yml @@ -0,0 +1,35 @@ +--- + +- name: wrapper playbook for kitchen testing "ansible-mysql-hardening" + hosts: localhost + pre_tasks: + - name: Run the equivalent of "apt-get update" as a separate step + apt: + update_cache: yes + when: ansible_os_family == 'Debian' + - file: + path: "/etc/mysql" + state: directory + - name: install procps for debian systems + apt: + name: procps + state: installed + update_cache: yes + when: ansible_distribution == 'Debian' + - name: set logfile according to OS + set_fact: + mysql_log_error: "/var/log/mysql.log" + when: ansible_os_family == "Debian" + - name: set logfile according to OS + set_fact: + mysql_log_error: "/var/log/mysqld.log" + when: ansible_os_family == "RedHat" + vars: + overwrite_global_mycnf: no + mysql_root_password: iloverandompasswordsbutthiswilldo + mysql_user_password: iloverandompasswordsbutthiswilldo + mysql_config_file: /etc/mysql/mariadb.cnf + mysql_root_password_update: yes + roles: + - geerlingguy.mysql + - ansible-mysql-hardening diff --git a/vars/Debian.yml b/vars/Debian.yml index e96ea36d..8b82f9af 100644 --- a/vars/Debian.yml +++ b/vars/Debian.yml @@ -1,3 +1,14 @@ +--- mysql_daemon: mysql + mysql_hardening_mysql_conf_file: '/etc/mysql/my.cnf' mysql_hardening_mysql_confd_dir: '/etc/mysql/conf.d' + +mysql_hardening_log_dir: '/var/log' +mysql_hardening_log_file: 'mysql.log' + +mysql_hardening_user: 'mysql' # owner of data +mysql_hardening_group: 'adm' + + +mysql_python_package: "python-mysqldb" 
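Review bot: The `copy mysql_remove_remote_root` task still stages the SQL at the predictable shared path `/tmp/{{ item }}.sql`, imports it with the root DB credentials and never removes it, so the file is left behind after every run and the pattern relies on the sticky bit of /tmp rather than on a private path. Create it with `ansible.builtin.tempfile` (or skip the file round-trip and drop the remote root rows with `mysql_user` directly, if that is all the SQL does — its content is not visible in this hunk) and delete it afterwards. Separately, `host_all: true` on the `root password is present` task now rewrites every root@host row, including remote ones, where the old loop only touched `::1`, `127.0.0.1` and `localhost`; that is presumably intended, but deserves a one-line comment since remote root is removed further down in the same file.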
diff --git a/vars/Fedora.yml b/vars/Fedora.yml index 8165061e..ac6fb202 100644 --- a/vars/Fedora.yml +++ b/vars/Fedora.yml @@ -1,3 +1,5 @@ mysql_daemon: mysqld mysql_hardening_mysql_conf_file: '/etc/my.cnf' mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d' + +mysql_hardening_mysql_log_file: '/var/log/mysqld.log' diff --git a/vars/Oracle Linux.yml b/vars/Oracle Linux.yml index 8165061e..f3fa6a60 100644 --- a/vars/Oracle Linux.yml +++ b/vars/Oracle Linux.yml @@ -1,3 +1,11 @@ +--- mysql_daemon: mysqld + mysql_hardening_mysql_conf_file: '/etc/my.cnf' mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d' + +mysql_hardening_log_dir: '/var/log' +mysql_hardening_log_file: 'mysqld.log' + +mysql_hardening_user: 'mysql' # owner of data +mysql_hardening_group: 'adm' diff --git a/vars/RedHat-7.yml b/vars/RedHat-7.yml index 0b784c13..44ccab2f 100644 --- a/vars/RedHat-7.yml +++ b/vars/RedHat-7.yml @@ -1,3 +1,7 @@ mysql_daemon: mariadb mysql_hardening_mysql_conf_file: '/etc/my.cnf' mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d' +mysql_hardening_log_dir: '/var/log/mariadb' +mysql_hardening_log_file: 'mariadb.log' + +mysql_python_package: "MySQL-python" diff --git a/vars/RedHat-8.yml b/vars/RedHat-8.yml new file mode 100644 index 00000000..ffe4e303 --- /dev/null +++ b/vars/RedHat-8.yml @@ -0,0 +1,8 @@ +--- +mysql_daemon: mariadb +mysql_hardening_mysql_conf_file: '/etc/my.cnf' +mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d' +mysql_hardening_log_dir: '/var/log/mariadb' +mysql_hardening_log_file: 'mariadb.log' + +mysql_python_package: "python3-mysqlclient" diff --git a/vars/RedHat.yml b/vars/RedHat.yml index 8165061e..af2cd1f1 100644 --- a/vars/RedHat.yml +++ b/vars/RedHat.yml 
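Review bot: `vars/Fedora.yml` adds `mysql_hardening_mysql_log_file`, but the task this commit adds in tasks/configure.yml (`ensure permissions on mysql-logfile are correct`) reads `mysql_hardening_log_dir` and `mysql_hardening_log_file`, so on Fedora the new value is never used and the role falls back to the `vars/main.yml` default of `/var/log/mysql.log`; with `state: file` that task fails wherever that path does not exist. Replace the line with `mysql_hardening_log_dir: '/var/log'` and `mysql_hardening_log_file: 'mysqld.log'`, matching the other RedHat-family vars files.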
@@ -1,3 +1,13 @@ +--- mysql_daemon: mysqld + mysql_hardening_mysql_conf_file: '/etc/my.cnf' mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d' + +mysql_hardening_log_dir: '/var/log/' +mysql_hardening_log_file: 'mysqld.log' + +mysql_hardening_user: 'mysql' # owner of data +mysql_hardening_group: 'mysql' + +mysql_python_package: "MySQL-python" diff --git a/vars/Ubuntu-20.04.yml b/vars/Ubuntu-20.04.yml new file mode 100644 index 00000000..570bb815 --- /dev/null +++ b/vars/Ubuntu-20.04.yml @@ -0,0 +1,2 @@ +--- +mysql_python_package: "python3-mysqldb" diff --git a/vars/main.yml b/vars/main.yml index ed97d539..e3fb3063 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1 +1,3 @@ --- +mysql_hardening_log_dir: '/var/log' +mysql_hardening_log_file: 'mysql.log' From bbe5ad4707a97ef1302af096e64e24ab719f96d4 Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Fri, 7 Aug 2020 18:06:25 +0000 Subject: [PATCH 091/115] update changelog --- CHANGELOG.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1b8ccfc0..48f1e7a0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,13 @@ # Changelog +## [2.2.2](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.2.2) (2020-08-07) + +[Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/2.2.1...2.2.2) + +**Merged pull requests:** + +- update testing [\#48](https://github.com/dev-sec/ansible-mysql-hardening/pull/48) ([rndmh3ro](https://github.com/rndmh3ro)) + ## [2.2.1](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.2.1) (2020-06-06) [Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/2.2.0...2.2.1) From 0757a3d1c3578f3f9a226875b459a3aa6f3a6006 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sun, 23 Aug 2020 13:18:24 +0200 Subject: [PATCH 092/115] fix linting errors 
Signed-off-by: Sebastian Gumprich --- .github/workflows/release.yml | 5 +- .kitchen.vagrant.yml | 56 +++++++------- .kitchen.yml | 112 ++++++++++++++-------------- defaults/main.yml | 5 +- requirements.yml | 1 + tasks/configure.yml | 8 +- tasks/mysql_secure_installation.yml | 6 +- tests/test.yml | 9 +-- vars/Fedora.yml | 1 + 9 files changed, 102 insertions(+), 101 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4d5fa699..e5486562 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,6 +1,7 @@ +--- name: New release -on: +on: # yamllint disable-line rule:truthy push: branches: - master @@ -59,7 +60,7 @@ jobs: id: create_release uses: actions/create-release@v1 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token with: release_name: ${{ steps.version.outputs.next-version }} tag_name: ${{ steps.version.outputs.next-version }} diff --git a/.kitchen.vagrant.yml b/.kitchen.vagrant.yml index 65789221..93ab0b9d 100644 --- a/.kitchen.vagrant.yml +++ b/.kitchen.vagrant.yml 
@@ -19,33 +19,33 @@ transport: max_ssh_sessions: 5 platforms: -- name: ubuntu-16.04 - driver_config: - box: bento/ubuntu-16.04 -- name: ubuntu-18.04 - driver_config: - box: bento/ubuntu-18.04 -- name: centos-6 - driver_config: - box: bento/centos-6 -- name: centos-7 - driver_config: - box: bento/centos-7 -- name: oracle-6 - driver_config: - box: bento/oracle-6 -- name: oracle-7 - driver_config: - box: bento/oracle-7 -- name: debian-9 - driver_config: - box: bento/debian-9 -- name: debian-10 - driver_config: - box: bento/debian-10 -- name: amazon - driver_config: - box: bento/amazonlinux-2 + - name: ubuntu-16.04 + driver_config: + box: bento/ubuntu-16.04 + - name: ubuntu-18.04 + driver_config: + box: bento/ubuntu-18.04 + - name: centos-6 + driver_config: + box: bento/centos-6 + - name: centos-7 + driver_config: + box: bento/centos-7 + - name: oracle-6 + driver_config: + box: bento/oracle-6 + - name: oracle-7 + driver_config: + box: bento/oracle-7 + - name: debian-9 + driver_config: + box: bento/debian-9 + - name: debian-10 + driver_config: + box: bento/debian-10 + - name: amazon + driver_config: + box: bento/amazonlinux-2 verifier: name: inspec @@ -54,4 +54,4 @@ verifier: - https://github.com/dev-sec/mysql-baseline/ suites: -- name: mysql + - name: mysql diff --git a/.kitchen.yml b/.kitchen.yml index ffa3ee09..8d4dda71 100644 --- a/.kitchen.yml +++ b/.kitchen.yml 
@@ -27,66 +27,64 @@ provisioner: galaxy_ignore_certs: true platforms: -- name: centos6-ansible-latest - driver: - image: rndmh3ro/docker-centos6-ansible:latest - platform: centos -- name: centos7-ansible-latest - driver: - image: rndmh3ro/docker-centos7-ansible:latest - platform: centos - run_command: /sbin/init - provision_command: - - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config - - systemctl enable sshd.service -- name: oracle6-ansible-latest - driver: - image: rndmh3ro/docker-oracle6-ansible:latest - platform: centos -- name: oracle7-ansible-latest - driver: - image: rndmh3ro/docker-oracle7-ansible:latest - run_command: /sbin/init - platform: centos - run_command: /sbin/init - provision_command: - - systemctl enable ssh.service -- name: ubuntu1804-ansible-latest - driver: - image: rndmh3ro/docker-ubuntu1804-ansible:latest - platform: ubuntu - provision_command: - - systemctl enable ssh.service -- name: debian9-ansible-latest - driver: - image: rndmh3ro/docker-debian9-ansible:latest - platform: debian - run_command: /sbin/init - provision_command: - - apt install -y systemd-sysv - - systemctl enable ssh.service -- name: debian10-ansible-latest - driver: - image: rndmh3ro/docker-debian10-ansible:latest - platform: debian - run_command: /sbin/init - provision_command: - - apt install -y systemd-sysv - - systemctl enable ssh.service -- name: amazon-ansible-latest - driver: - image: rndmh3ro/docker-amazon-ansible:latest - platform: centos - run_command: /sbin/init - provision_command: - - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config - - systemctl enable sshd.service + - name: centos6-ansible-latest + driver: + image: rndmh3ro/docker-centos6-ansible:latest + platform: centos + - name: centos7-ansible-latest + driver: + image: rndmh3ro/docker-centos7-ansible:latest + platform: centos + run_command: /sbin/init + provision_command: + - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - systemctl enable sshd.service + - name: 
oracle6-ansible-latest + driver: + image: rndmh3ro/docker-oracle6-ansible:latest + platform: centos + - name: oracle7-ansible-latest + driver: + image: rndmh3ro/docker-oracle7-ansible:latest + run_command: /sbin/init + platform: centos + provision_command: + - systemctl enable ssh.service + - name: ubuntu1804-ansible-latest + driver: + image: rndmh3ro/docker-ubuntu1804-ansible:latest + platform: ubuntu + provision_command: + - systemctl enable ssh.service + - name: debian9-ansible-latest + driver: + image: rndmh3ro/docker-debian9-ansible:latest + platform: debian + run_command: /sbin/init + provision_command: + - apt install -y systemd-sysv + - systemctl enable ssh.service + - name: debian10-ansible-latest + driver: + image: rndmh3ro/docker-debian10-ansible:latest + platform: debian + run_command: /sbin/init + provision_command: + - apt install -y systemd-sysv + - systemctl enable ssh.service + - name: amazon-ansible-latest + driver: + image: rndmh3ro/docker-amazon-ansible:latest + platform: centos + run_command: /sbin/init + provision_command: + - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config + - systemctl enable sshd.service verifier: name: inspec sudo: true inspec_tests: - - ../mysql-baseline -# - https://github.com/dev-sec/mysql-baseline + - https://github.com/dev-sec/mysql-baseline suites: -- name: mysql + - name: mysql diff --git a/defaults/main.yml b/defaults/main.yml index ae642ec3..669580fd 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,7 +1,8 @@ +--- # switcher to enable/disable role -mysql_hardening_enabled: yes +mysql_hardening_enabled: true -mysql_daemon_enabled: yes +mysql_daemon_enabled: true # general configuration mysql_cnf_owner: 'root' # owner of /etc/mysql/*.cnf files diff --git a/requirements.yml b/requirements.yml index 9fb44f01..71b5f0bf 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1 +1,2 @@ +--- - src: geerlingguy.mysql diff --git a/tasks/configure.yml b/tasks/configure.yml index 1b451851..5c7b6eaf 100644 
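Review bot: The verifier now pulls `inspec_tests` from the unpinned `https://github.com/dev-sec/mysql-baseline` default branch instead of the local checkout, and the provisioner context at the top of this hunk still carries `galaxy_ignore_certs: true`, so both the test profile and the `geerlingguy.mysql` dependency are fetched without pinning and, for Galaxy, without TLS verification. For the CI of a hardening role that is a weak supply-chain posture; pin the baseline to a tag or commit (kitchen-inspec accepts a `git:` entry with a `ref:`/`tag:`, as far as I know) and remove `galaxy_ignore_certs` unless a concrete proxy problem requires it, in which case a comment should say so.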
--- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -6,7 +6,7 @@ mode: 0400 owner: '{{ mysql_cnf_owner }}' group: '{{ mysql_cnf_owner }}' - follow: yes + follow: true state: file - name: ensure permissions on mysql-datadir are correct @@ -29,7 +29,7 @@ state: directory owner: '{{ mysql_hardening_user }}' group: '{{ mysql_hardening_group }}' - mode: "0570" + mode: '0570' - name: check include-dir directive is present in my.cnf lineinfile: @@ -37,7 +37,7 @@ line: '!includedir {{ mysql_hardening_mysql_confd_dir }}' insertafter: 'EOF' state: present - backup: yes + backup: true notify: restart mysql - name: apply hardening configuration @@ -46,7 +46,7 @@ dest: '{{ mysql_hardening_mysql_hardening_conf_file }}' owner: '{{ mysql_cnf_owner }}' group: '{{ mysql_cnf_group }}' - mode: "0460" + mode: '0460' notify: restart mysql - name: enable mysql diff --git a/tasks/mysql_secure_installation.yml b/tasks/mysql_secure_installation.yml index fbf47467..c1dacc88 100644 --- a/tasks/mysql_secure_installation.yml +++ b/tasks/mysql_secure_installation.yml @@ -1,11 +1,11 @@ --- - name: Install mysqld python libary for Ansible package: - name: "{{ mysql_python_package }}" + name: '{{ mysql_python_package }}' state: present - debug: - msg: "WARNING - you have to change default mysql_root_password" + msg: 'WARNING - you have to change default mysql_root_password' when: mysql_root_password == '-----====>SetR00tPa$$wordH3r3!!!<====-----' - name: root password is present @@ -32,7 +32,7 @@ mysql_user: name: '' state: absent - host_all: yes + host_all: true when: mysql_remove_anonymous_users - name: copy mysql_remove_remote_root diff --git a/tests/test.yml b/tests/test.yml index f90711bb..23bf5e74 100644 --- a/tests/test.yml +++ b/tests/test.yml 
@@ -1,11 +1,10 @@ --- - - name: wrapper playbook for kitchen testing "ansible-mysql-hardening" hosts: localhost pre_tasks: - name: Run the equivalent of "apt-get update" as a separate step apt: - update_cache: yes + update_cache: true when: ansible_os_family == 'Debian' - file: path: "/etc/mysql" @@ -14,7 +13,7 @@ apt: name: procps state: installed - update_cache: yes + update_cache: true when: ansible_distribution == 'Debian' - name: set logfile according to OS set_fact: @@ -25,11 +24,11 @@ mysql_log_error: "/var/log/mysqld.log" when: ansible_os_family == "RedHat" vars: - overwrite_global_mycnf: no + overwrite_global_mycnf: false mysql_root_password: iloverandompasswordsbutthiswilldo mysql_user_password: iloverandompasswordsbutthiswilldo mysql_config_file: /etc/mysql/mariadb.cnf - mysql_root_password_update: yes + mysql_root_password_update: true roles: - geerlingguy.mysql - ansible-mysql-hardening diff --git a/vars/Fedora.yml b/vars/Fedora.yml index ac6fb202..aa38ebf6 100644 --- a/vars/Fedora.yml +++ b/vars/Fedora.yml @@ -1,3 +1,4 @@ +--- mysql_daemon: mysqld mysql_hardening_mysql_conf_file: '/etc/my.cnf' mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d' From 3b059d4c7c58f0c90948da06a15777092b494229 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sun, 23 Aug 2020 13:56:39 +0200 Subject: [PATCH 093/115] simplify vars-handling 
Signed-off-by: Sebastian Gumprich --- defaults/main.yml | 4 ---- tasks/configure.yml | 4 ++-- tasks/main.yml | 13 ++++++------- vars/Debian.yml | 8 ++++---- vars/Oracle Linux.yml | 4 +--- vars/RedHat-7.yml | 7 ------- vars/RedHat-8.yml | 8 -------- vars/RedHat.yml | 13 ------------- vars/RedHat_7.yml | 13 +++++++++++++ vars/RedHat_8.yml | 12 ++++++++++++ vars/Ubuntu-20.04.yml | 2 -- vars/Ubuntu_16.yml | 11 +++++++++++ vars/Ubuntu_18.yml | 11 +++++++++++ vars/Ubuntu_20.yml | 11 +++++++++++ vars/main.yml | 4 ++-- 15 files changed, 73 insertions(+), 52 deletions(-) delete mode 100644 vars/RedHat-7.yml delete mode 100644 vars/RedHat-8.yml delete mode 100644 vars/RedHat.yml create mode 100644 vars/RedHat_7.yml create mode 100644 vars/RedHat_8.yml delete mode 100644 vars/Ubuntu-20.04.yml create mode 100644 vars/Ubuntu_16.yml create mode 100644 vars/Ubuntu_18.yml create mode 100644 vars/Ubuntu_20.yml diff --git a/defaults/main.yml b/defaults/main.yml index 669580fd..57ce9670 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -5,10 +5,6 @@ mysql_hardening_enabled: true mysql_daemon_enabled: true # general configuration -mysql_cnf_owner: 'root' # owner of /etc/mysql/*.cnf files -mysql_cnf_group: 'root' # owner of /etc/mysql/*.cnf files -mysql_hardening_user: 'mysql' # owner of data -mysql_hardening_group: 'mysql' mysql_datadir: '/var/lib/mysql' mysql_hardening_mysql_hardening_conf_file: '{{mysql_hardening_mysql_confd_dir}}/hardening.cnf' # You have to change this to your own strong enough mysql root password diff --git a/tasks/configure.yml b/tasks/configure.yml index 5c7b6eaf..dcb12d67 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -3,7 +3,7 @@ - name: protect my.cnf file: path: '{{ mysql_hardening_mysql_conf_file }}' - mode: 0400 + mode: '0400' owner: '{{ mysql_cnf_owner }}' group: '{{ mysql_cnf_owner }}' follow: true 
@@ -18,7 +18,7 @@ - name: ensure permissions on mysql-logfile are correct file: - path: '{{ mysql_hardening_log_dir }}/{{ mysql_hardening_log_file }}' + path: '{{ mysql_hardening_log_file }}' state: file owner: '{{ mysql_hardening_user }}' group: '{{ mysql_hardening_group }}' diff --git a/tasks/main.yml b/tasks/main.yml index ae5fdd3b..99587de4 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,12 +1,11 @@ --- - -- name: add the OS specific variables - include_vars: "{{ item }}" +- name: set OS dependent variables + include_vars: '{{ item }}' with_first_found: - - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml" - - "{{ ansible_distribution }}.yml" - - "{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml" - - "{{ ansible_os_family }}.yml" + - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml' + - '{{ ansible_facts.distribution }}.yml' + - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml' + - '{{ ansible_facts.os_family }}.yml' tags: always - include: configure.yml diff --git a/vars/Debian.yml b/vars/Debian.yml index 8b82f9af..8d05ffbb 100644 --- a/vars/Debian.yml +++ b/vars/Debian.yml @@ -4,11 +4,11 @@ mysql_daemon: mysql mysql_hardening_mysql_conf_file: '/etc/mysql/my.cnf' mysql_hardening_mysql_confd_dir: '/etc/mysql/conf.d' -mysql_hardening_log_dir: '/var/log' -mysql_hardening_log_file: 'mysql.log' +mysql_hardening_log_dir: '/var/log/mysql/error.log' -mysql_hardening_user: 'mysql' # owner of data mysql_hardening_group: 'adm' +mysql_cnf_owner: 'mysql' # owner of /etc/mysql/*.cnf files +mysql_cnf_group: 'mysql' # owner of /etc/mysql/*.cnf files -mysql_python_package: "python-mysqldb" +mysql_python_package: "python3-pymysql" diff --git a/vars/Oracle Linux.yml b/vars/Oracle Linux.yml index f3fa6a60..62be6248 100644 --- a/vars/Oracle Linux.yml +++ b/vars/Oracle Linux.yml 
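Review bot: The `ensure permissions on mysql-logfile are correct` task now reads `mysql_hardening_log_file` as a full path, but within this commit only `vars/RedHat_7.yml` defines that name; `vars/Debian.yml` (below), `Oracle Linux.yml`, `RedHat_8.yml` and the three `Ubuntu_*.yml` files put the full path under `mysql_hardening_log_dir`, and `vars/main.yml` drops the old default for `mysql_hardening_log_file`. On those platforms the task will therefore fail with an undefined variable. Rename the key to `mysql_hardening_log_file` in each vars file (and drop the now-unused `mysql_hardening_log_dir`), or keep a default in `defaults/main.yml` so operators can still override it — values in `vars/` cannot be overridden from inventory.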
@@ -4,8 +4,6 @@ mysql_daemon: mysqld mysql_hardening_mysql_conf_file: '/etc/my.cnf' mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d' -mysql_hardening_log_dir: '/var/log' -mysql_hardening_log_file: 'mysqld.log' +mysql_hardening_log_dir: '/var/log/mysqld.log' -mysql_hardening_user: 'mysql' # owner of data mysql_hardening_group: 'adm' diff --git a/vars/RedHat-7.yml b/vars/RedHat-7.yml deleted file mode 100644 index 44ccab2f..00000000 --- a/vars/RedHat-7.yml +++ /dev/null @@ -1,7 +0,0 @@ -mysql_daemon: mariadb -mysql_hardening_mysql_conf_file: '/etc/my.cnf' -mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d' -mysql_hardening_log_dir: '/var/log/mariadb' -mysql_hardening_log_file: 'mariadb.log' - -mysql_python_package: "MySQL-python" diff --git a/vars/RedHat-8.yml b/vars/RedHat-8.yml deleted file mode 100644 index ffe4e303..00000000 --- a/vars/RedHat-8.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -mysql_daemon: mariadb -mysql_hardening_mysql_conf_file: '/etc/my.cnf' -mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d' -mysql_hardening_log_dir: '/var/log/mariadb' -mysql_hardening_log_file: 'mariadb.log' - -mysql_python_package: "python3-mysqlclient" diff --git a/vars/RedHat.yml b/vars/RedHat.yml deleted file mode 100644 index af2cd1f1..00000000 --- a/vars/RedHat.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -mysql_daemon: mysqld - -mysql_hardening_mysql_conf_file: '/etc/my.cnf' -mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d' - -mysql_hardening_log_dir: '/var/log/' -mysql_hardening_log_file: 'mysqld.log' - -mysql_hardening_user: 'mysql' # owner of data -mysql_hardening_group: 'mysql' - -mysql_python_package: "MySQL-python" diff --git a/vars/RedHat_7.yml b/vars/RedHat_7.yml new file mode 100644 index 00000000..fe073795 --- /dev/null +++ b/vars/RedHat_7.yml 
@@ -0,0 +1,13 @@ +--- +mysql_daemon: mariadb +mysql_hardening_mysql_conf_file: '/etc/my.cnf' +mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d' + +mysql_hardening_log_file: '/var/log/mariadb/mariadb.log' + +mysql_python_package: 'MySQL-python' + +mysql_cnf_owner: 'mysql' # owner of /etc/mysql/*.cnf files +mysql_cnf_group: 'mysql' # owner of /etc/mysql/*.cnf files + +mysql_hardening_group: 'mysql' diff --git a/vars/RedHat_8.yml b/vars/RedHat_8.yml new file mode 100644 index 00000000..b355bf49 --- /dev/null +++ b/vars/RedHat_8.yml @@ -0,0 +1,12 @@ +--- +mysql_daemon: mariadb +mysql_hardening_mysql_conf_file: '/etc/my.cnf' +mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d' +mysql_hardening_log_dir: '/var/log/mariadb/mariadb.log' + +mysql_python_package: 'python3-mysqlclient' + +mysql_cnf_owner: 'mysql' # owner of /etc/mysql/*.cnf files +mysql_cnf_group: 'mysql' # owner of /etc/mysql/*.cnf files + +mysql_hardening_group: 'mysql' diff --git a/vars/Ubuntu-20.04.yml b/vars/Ubuntu-20.04.yml deleted file mode 100644 index 570bb815..00000000 --- a/vars/Ubuntu-20.04.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -mysql_python_package: "python3-mysqldb" diff --git a/vars/Ubuntu_16.yml b/vars/Ubuntu_16.yml new file mode 100644 index 00000000..78d47000 --- /dev/null +++ b/vars/Ubuntu_16.yml @@ -0,0 +1,11 @@ +--- +mysql_daemon: mysql + +mysql_hardening_mysql_conf_file: '/etc/mysql/my.cnf' +mysql_hardening_mysql_confd_dir: '/etc/mysql/conf.d' + +mysql_hardening_log_dir: '/var/log/mysql/error.log' + +mysql_hardening_group: 'adm' + +mysql_python_package: "python-mysqldb" diff --git a/vars/Ubuntu_18.yml b/vars/Ubuntu_18.yml new file mode 100644 index 00000000..78d47000 --- /dev/null +++ b/vars/Ubuntu_18.yml @@ -0,0 +1,11 @@ +--- +mysql_daemon: mysql + +mysql_hardening_mysql_conf_file: '/etc/mysql/my.cnf' +mysql_hardening_mysql_confd_dir: '/etc/mysql/conf.d' + +mysql_hardening_log_dir: '/var/log/mysql/error.log' + +mysql_hardening_group: 'adm' + +mysql_python_package: "python-mysqldb" 
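Review bot: `vars/RedHat_7.yml` (like the Debian, Ubuntu and RedHat_8 files in this commit) sets `mysql_cnf_owner: 'mysql'`, making the MySQL service account the owner of `/etc/my.cnf` and of `hardening.cnf`; since a file's owner can always `chmod` it, a compromised mysqld can rewrite its own configuration — re-enable `local-infile`, or point `init_file` or `plugin_dir` somewhere it controls — whatever mode the configure tasks apply. The old `root` owner was the safer choice; if the intent is to let the daemon read the file, `mysql_cnf_owner: 'root'`, `mysql_cnf_group: 'mysql'` plus a group-readable mode achieves that without giving it write access. Moving these variables from `defaults/main.yml` into `vars/` also removes the operator's ability to override them from inventory, and the `# owner of /etc/mysql/*.cnf files` comment on `mysql_cnf_group` should say "group" and `/etc/my.cnf` for this platform.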
diff --git a/vars/Ubuntu_20.yml b/vars/Ubuntu_20.yml new file mode 100644 index 00000000..a7777b12 --- /dev/null +++ b/vars/Ubuntu_20.yml @@ -0,0 +1,11 @@ +--- +mysql_daemon: mysql + +mysql_hardening_mysql_conf_file: '/etc/mysql/my.cnf' +mysql_hardening_mysql_confd_dir: '/etc/mysql/conf.d' + +mysql_hardening_log_dir: '/var/log/mysql/error.log' + +mysql_hardening_group: 'adm' + +mysql_python_package: "python3-mysqldb" diff --git a/vars/main.yml b/vars/main.yml index e3fb3063..c8e099be 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,3 +1,3 @@ --- -mysql_hardening_log_dir: '/var/log' -mysql_hardening_log_file: 'mysql.log' + +mysql_hardening_user: 'mysql' # owner of data From 25623b0d0b3f3e2bab62ea97facbd82a01748837 Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Sun, 23 Aug 2020 16:43:49 +0000 Subject: [PATCH 094/115] update changelog --- CHANGELOG.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 48f1e7a0..74639344 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,9 +1,13 @@ # Changelog -## [2.2.2](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.2.2) (2020-08-07) +## [2.2.2](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.2.2) (2020-08-23) [Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/2.2.1...2.2.2) +**Implemented enhancements:** + +- Fix linting errors and simplivy vars-handling [\#49](https://github.com/dev-sec/ansible-mysql-hardening/pull/49) ([rndmh3ro](https://github.com/rndmh3ro)) + **Merged pull requests:** - update testing [\#48](https://github.com/dev-sec/ansible-mysql-hardening/pull/48) ([rndmh3ro](https://github.com/rndmh3ro)) From 17f214074fa6a9098c4838f544097ee40a0c7da3 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sat, 19 Sep 2020 14:46:19 +0200 Subject: [PATCH 095/115] add modes to template and file tasks also use sane defaults for these modes: no permissions for other 
Signed-off-by: Sebastian Gumprich --- tasks/configure.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/tasks/configure.yml b/tasks/configure.yml index dcb12d67..1ec65c09 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -3,7 +3,7 @@ - name: protect my.cnf file: path: '{{ mysql_hardening_mysql_conf_file }}' - mode: '0400' + mode: '0640' owner: '{{ mysql_cnf_owner }}' group: '{{ mysql_cnf_owner }}' follow: true @@ -15,6 +15,7 @@ state: directory owner: '{{ mysql_hardening_user }}' group: '{{ mysql_hardening_user }}' + mode: '0750' - name: ensure permissions on mysql-logfile are correct file: @@ -22,6 +23,7 @@ state: file owner: '{{ mysql_hardening_user }}' group: '{{ mysql_hardening_group }}' + mode: '0640' - name: check mysql configuration-directory exists and has right permissions file: @@ -29,7 +31,7 @@ state: directory owner: '{{ mysql_hardening_user }}' group: '{{ mysql_hardening_group }}' - mode: '0570' + mode: '0750' - name: check include-dir directive is present in my.cnf lineinfile: @@ -46,7 +48,7 @@ dest: '{{ mysql_hardening_mysql_hardening_conf_file }}' owner: '{{ mysql_cnf_owner }}' group: '{{ mysql_cnf_group }}' - mode: '0460' + mode: '0640' notify: restart mysql - name: enable mysql From 6eb48877a5c6b850fda93497b82dc9f90d3c339c Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Sat, 19 Sep 2020 13:06:06 +0000 Subject: [PATCH 096/115] update changelog --- CHANGELOG.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 74639344..4dba5b3f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Changelog -## [2.2.2](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.2.2) (2020-08-23) +## [2.2.2](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.2.2) (2020-09-19) [Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/2.2.1...2.2.2) 
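Review bot: Relaxing `protect my.cnf` from `0400` to `0640` and `apply hardening configuration` from `0460` to `0640` is only hardening-neutral if the owner is `root` and the group is the daemon's, but `protect my.cnf` still passes `group: '{{ mysql_cnf_owner }}'` rather than `mysql_cnf_group`, and the current vars files set `mysql_cnf_owner` to `mysql`, so owner and group both end up as the service account. The same applies to the new `0750` on `mysql_hardening_mysql_confd_dir`, which is owned by `mysql_hardening_user`: the daemon can create drop-in `.cnf` files in its own include directory regardless of the mode. Suggest `owner: root` and `group: '{{ mysql_cnf_group }}'` for my.cnf, hardening.cnf and the conf.d directory, keeping `0640`/`0750`, so mysqld can read but not change its configuration.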
@@ -8,6 +8,11 @@ - Fix linting errors and simplivy vars-handling [\#49](https://github.com/dev-sec/ansible-mysql-hardening/pull/49) ([rndmh3ro](https://github.com/rndmh3ro)) +**Fixed bugs:** + +- permissions on /etc/mysql/mysql.cnf too restrictive [\#35](https://github.com/dev-sec/ansible-mysql-hardening/issues/35) +- add modes to template and file tasks [\#50](https://github.com/dev-sec/ansible-mysql-hardening/pull/50) ([rndmh3ro](https://github.com/rndmh3ro)) + **Merged pull requests:** - update testing [\#48](https://github.com/dev-sec/ansible-mysql-hardening/pull/48) ([rndmh3ro](https://github.com/rndmh3ro)) From f2a8172593ceea5572783df1048e9007ee94fe55 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Sun, 20 Sep 2020 21:59:40 +0200 Subject: [PATCH 097/115] add mode to copy task Signed-off-by: Sebastian Gumprich --- tasks/mysql_secure_installation.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/mysql_secure_installation.yml b/tasks/mysql_secure_installation.yml index c1dacc88..3759a1f8 100644 --- a/tasks/mysql_secure_installation.yml +++ b/tasks/mysql_secure_installation.yml @@ -39,6 +39,7 @@ copy: src: '{{ item }}.sql' dest: '/tmp/{{ item }}.sql' + mode: '0400' with_items: - mysql_remove_remote_root when: mysql_remove_remote_root From f3edc579f146eb1e6946684b6c6b69161fd45ad5 Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Mon, 21 Sep 2020 05:36:12 +0000 Subject: [PATCH 098/115] update changelog --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4dba5b3f..b984f8a9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,11 +1,12 @@ # Changelog -## [2.2.2](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.2.2) (2020-09-19) +## [2.2.2](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.2.2) (2020-09-21) [Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/2.2.1...2.2.2) **Implemented enhancements:** +- add mode to copy task [\#51](https://github.com/dev-sec/ansible-mysql-hardening/pull/51) ([rndmh3ro](https://github.com/rndmh3ro)) - Fix linting errors and simplivy vars-handling [\#49](https://github.com/dev-sec/ansible-mysql-hardening/pull/49) ([rndmh3ro](https://github.com/rndmh3ro)) **Fixed bugs:** From 7e2794843310b4a7a2c2c56043d999f75a816f54 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Fri, 2 Oct 2020 21:06:46 +0200 Subject: [PATCH 099/115] update readme to new layout for vars Signed-off-by: Sebastian Gumprich --- README.md | 58 +++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 41 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index c88d96cf..9326403e 100644 --- a/README.md +++ b/README.md 
@@ -35,25 +35,49 @@ This hardening role installs the hardening but expects an existing installation - `mysql_datadir: '/var/lib/mysql'` The MySQL data directory - `mysql_hardening_mysql_hardening_conf_file: '/etc/mysql/conf.d/hardening.cnf'` The path to the configuration file where the hardening will be performed -## Security Options +## Role Variables -Further information is already available at [Deutsche Telekom (German)](http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si) and [Symantec](http://www.symantec.com/connect/articles/securing-mysql-step-step) +* `mysql_hardening_chroot` + * Default: "" + * Description: [chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot) +* `mysql_hardening_options.safe-user-create` + * Default: 1 + * Description: [safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create) +* `mysql_hardening_options.secure-auth` + * Default: 1 + * Description: [secure-auth](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth) +* `mysql_hardening_options.skip-symbolic-links` + * Default: 1 + * Description: [skip-symbolic-links](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links) +* `mysql_hardening_skip_grant_tables:` + * Default: false + * Description: [skip-grant-tables](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables) +* `mysql_hardening_skip_show_database` + * Default: 1 + * Description: [skip-show-database](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database) +* `mysql_hardening_options.local-infile` + * Default: 0 + * Description: [local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile) +* `mysql_hardening_options.allow-suspicious-udfs` + * Default: 0 + * Description: 
[allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs) +* `mysql_hardening_chroot.automatic-sp-privileges` + * Default: 0 + * Description: [automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges) +* `mysql_hardening_options.secure-file-priv` + * Default: /tmp + * Description: [secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv) +* `mysql_allow_remote_root` + * Default: false + * Description: delete remote root users +* `mysql_remove_anonymous_users` + * Default: true + * Description: remove users without authentication +* `mysql_remove_test_database` + * Default: true + * Description: remove test database -| Name | Default Value | Description | -| -------------- | ------------- | -----------------------------------| -| `mysql_hardening_chroot` | "" | [chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot)| -| `mysql_hardening_options.safe-user-create` | 1 | [safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create)| -| `mysql_hardening_options.secure-auth` | 1 | [secure-auth](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth)| -| `mysql_hardening_options.skip-symbolic-links` | 1 | [skip-symbolic-links](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links)| -| `mysql_hardening_skip_grant_tables:` | false | [skip-grant-tables](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables)| -| `mysql_hardening_skip_show_database` | 1 | [skip-show-database](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database)| -| `mysql_hardening_options.local-infile` | 0 | 
[local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile)| -| `mysql_hardening_options.allow-suspicious-udfs` | 0 | [allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs)| -| `mysql_hardening_chroot.automatic-sp-privileges` | 0 | [automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges)| -| `mysql_hardening_options.secure-file-priv` | /tmp | [secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv)| -| `mysql_allow_remote_root` | false | delete remote root users | -| `mysql_remove_anonymous_users` | true | remove users without authentication | -| `mysql_remove_test_database` | true | remove test database | +Further information is available at [Deutsche Telekom (German)](http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si) and [Symantec](http://www.symantec.com/connect/articles/securing-mysql-step-step) ## Local Testing From b6e3b59094be448c0d138025798df9cdcda3905c Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Sat, 3 Oct 2020 06:25:29 +0000 Subject: [PATCH 100/115] update changelog --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b984f8a9..97482dbb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,11 +1,12 @@ # Changelog -## [2.2.2](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.2.2) (2020-09-21) +## [2.2.2](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.2.2) (2020-10-03) [Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/2.2.1...2.2.2) **Implemented enhancements:** +- update readme to new layout for vars [\#53](https://github.com/dev-sec/ansible-mysql-hardening/pull/53) ([rndmh3ro](https://github.com/rndmh3ro)) - add mode to copy task [\#51](https://github.com/dev-sec/ansible-mysql-hardening/pull/51) ([rndmh3ro](https://github.com/rndmh3ro)) - Fix linting errors and simplivy vars-handling [\#49](https://github.com/dev-sec/ansible-mysql-hardening/pull/49) ([rndmh3ro](https://github.com/rndmh3ro)) From 9c32eb38d910f6d4a58e1c24945a66ad7a3880c9 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Fri, 9 Oct 2020 21:20:22 +0200 Subject: [PATCH 101/115] fix missing variables Signed-off-by: Sebastian Gumprich --- vars/Debian.yml | 2 +- vars/Oracle Linux.yml | 2 +- vars/RedHat_8.yml | 2 +- vars/Ubuntu_16.yml | 5 ++++- vars/Ubuntu_18.yml | 5 ++++- vars/Ubuntu_20.yml | 5 ++++- 6 files changed, 15 insertions(+), 6 deletions(-) diff --git a/vars/Debian.yml b/vars/Debian.yml index 8d05ffbb..1c41ad64 100644 --- a/vars/Debian.yml +++ b/vars/Debian.yml @@ -4,7 +4,7 @@ mysql_daemon: mysql mysql_hardening_mysql_conf_file: '/etc/mysql/my.cnf' mysql_hardening_mysql_confd_dir: '/etc/mysql/conf.d' -mysql_hardening_log_dir: '/var/log/mysql/error.log' +mysql_hardening_log_file: '/var/log/mysql/error.log' mysql_hardening_group: 'adm' diff --git a/vars/Oracle Linux.yml b/vars/Oracle Linux.yml index 62be6248..51c3590c 100644 --- a/vars/Oracle Linux.yml +++ b/vars/Oracle Linux.yml 
@@ -4,6 +4,6 @@ mysql_daemon: mysqld mysql_hardening_mysql_conf_file: '/etc/my.cnf' mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d' -mysql_hardening_log_dir: '/var/log/mysqld.log' +mysql_hardening_log_file: '/var/log/mysqld.log' mysql_hardening_group: 'adm' diff --git a/vars/RedHat_8.yml b/vars/RedHat_8.yml index b355bf49..8a405c8d 100644 --- a/vars/RedHat_8.yml +++ b/vars/RedHat_8.yml @@ -2,7 +2,7 @@ mysql_daemon: mariadb mysql_hardening_mysql_conf_file: '/etc/my.cnf' mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d' -mysql_hardening_log_dir: '/var/log/mariadb/mariadb.log' +mysql_hardening_log_file: '/var/log/mariadb/mariadb.log' mysql_python_package: 'python3-mysqlclient' diff --git a/vars/Ubuntu_16.yml b/vars/Ubuntu_16.yml index 78d47000..f4964242 100644 --- a/vars/Ubuntu_16.yml +++ b/vars/Ubuntu_16.yml @@ -4,8 +4,11 @@ mysql_daemon: mysql mysql_hardening_mysql_conf_file: '/etc/mysql/my.cnf' mysql_hardening_mysql_confd_dir: '/etc/mysql/conf.d' -mysql_hardening_log_dir: '/var/log/mysql/error.log' +mysql_hardening_log_file: '/var/log/mysql/error.log' mysql_hardening_group: 'adm' +mysql_cnf_owner: 'mysql' # owner of /etc/mysql/*.cnf files +mysql_cnf_group: 'mysql' # owner of /etc/mysql/*.cnf files + mysql_python_package: "python-mysqldb" diff --git a/vars/Ubuntu_18.yml b/vars/Ubuntu_18.yml index 78d47000..f4964242 100644 --- a/vars/Ubuntu_18.yml +++ b/vars/Ubuntu_18.yml @@ -4,8 +4,11 @@ mysql_daemon: mysql mysql_hardening_mysql_conf_file: '/etc/mysql/my.cnf' mysql_hardening_mysql_confd_dir: '/etc/mysql/conf.d' -mysql_hardening_log_dir: '/var/log/mysql/error.log' +mysql_hardening_log_file: '/var/log/mysql/error.log' mysql_hardening_group: 'adm' +mysql_cnf_owner: 'mysql' # owner of /etc/mysql/*.cnf files +mysql_cnf_group: 'mysql' # owner of /etc/mysql/*.cnf files + mysql_python_package: "python-mysqldb" diff --git a/vars/Ubuntu_20.yml b/vars/Ubuntu_20.yml index a7777b12..461c959d 100644 --- a/vars/Ubuntu_20.yml +++ b/vars/Ubuntu_20.yml 
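Review bot: The `mysql_cnf_owner: 'mysql'` added for Ubuntu 16/18 (and Ubuntu 20 in the next hunk) makes the configuration files owned, and with the role's `0640` mode writable, by the account mysqld itself runs as, so a compromise of the server process can rewrite its own hardening config (for example re-enable `local-infile`) and have it applied on the next restart. Prefer `mysql_cnf_owner: 'root'` with `mysql_cnf_group: 'mysql'`, which lets the daemon read but not modify its configuration. The Debian.yml hunk above does not define these two variables at all, so it is unclear where plain Debian hosts get them from — worth checking the role defaults.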
@@ -4,8 +4,11 @@ mysql_daemon: mysql mysql_hardening_mysql_conf_file: '/etc/mysql/my.cnf' mysql_hardening_mysql_confd_dir: '/etc/mysql/conf.d' -mysql_hardening_log_dir: '/var/log/mysql/error.log' +mysql_hardening_log_file: '/var/log/mysql/error.log' mysql_hardening_group: 'adm' +mysql_cnf_owner: 'mysql' # owner of /etc/mysql/*.cnf files +mysql_cnf_group: 'mysql' # owner of /etc/mysql/*.cnf files + mysql_python_package: "python3-mysqldb" From 1d20f0b0077ef97323bb42a49ac8b907aad85bcf Mon Sep 17 00:00:00 2001 From: szEvEz Date: Fri, 9 Oct 2020 17:29:58 +0200 Subject: [PATCH 102/115] Use mysql_query module instead of temporary files, update Gems, fix test playbook, update README WIP Make kitchen work for os familiy redhat Signed-off-by: szEvEz --- .kitchen.vagrant.yml | 1 + .kitchen.yml | 3 +++ Gemfile | 8 +++---- README.md | 36 ++++++++++++++++++----------- ansible.cfg | 1 + files/mysql_remove_remote_root.sql | 1 - requirements.yml | 6 ++++- tasks/mysql_secure_installation.yml | 24 ++++--------------- tests/test.yml | 18 ++++++++++++++- 9 files changed, 58 insertions(+), 40 deletions(-) delete mode 100644 files/mysql_remove_remote_root.sql diff --git a/.kitchen.vagrant.yml b/.kitchen.vagrant.yml index 93ab0b9d..13a4605d 100644 --- a/.kitchen.vagrant.yml +++ b/.kitchen.vagrant.yml @@ -13,6 +13,7 @@ provisioner: roles_path: ../ansible-mysql-hardening/ playbook: default.yml requirements_path: requirements.yml + requirements_collection_path: requirements.yml sudo_command: 'sudo -E -H' transport: diff --git a/.kitchen.yml b/.kitchen.yml index 8d4dda71..ebbdfc4d 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -22,6 +22,9 @@ provisioner: http_proxy: <%= ENV['http_proxy'] || nil %> https_proxy: <%= ENV['https_proxy'] || nil %> requirements_path: requirements.yml + requirements_collection_path: requirements.yml +# ansible_cfg_path: ansible.cfg +# ansible_cfg_overwrite: true sudo_command: 'sudo -E -H' playbook: tests/test.yml galaxy_ignore_certs: true 
diff --git a/Gemfile b/Gemfile index 32a3bfeb..c062388c 100644 --- a/Gemfile +++ b/Gemfile @@ -3,13 +3,13 @@ source 'https://rubygems.org' group :integration do - gem 'test-kitchen', '~> 1.0' + gem 'test-kitchen' gem 'kitchen-ansible' gem 'kitchen-vagrant' gem 'kitchen-inspec' - gem 'kitchen-sharedtests', '~> 0.2.0' + gem 'kitchen-sharedtests' gem 'kitchen-sync' - gem 'kitchen-transport-rsync' gem 'kitchen-docker' - gem 'inspec', '~> 3' + gem 'inspec' + gem 'aws-sdk' end diff --git a/README.md b/README.md index 9326403e..4f8ff816 100644 --- a/README.md +++ b/README.md 
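Review bot: Dropping the pessimistic constraints (`'~> 1.0'`, `'~> 0.2.0'`, `'~> 3'`) leaves every test gem floating, so unless a `Gemfile.lock` is committed two CI runs can resolve to different and possibly incompatible test-kitchen/inspec majors, which makes a red build hard to attribute to this role. Re-add a major-version bound per gem (e.g. `gem 'inspec', '~> 4'` for whichever line you validated against) or commit the lockfile. `gem 'aws-sdk'` is also added although nothing in this commit uses AWS (only the docker and vagrant drivers are configured); drop it or add a comment explaining what needs it.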
@@ -18,22 +18,24 @@ This role focuses on security configuration of MySQL. Therefore you can add this Install the role with ansible-galaxy: -``` +```sh ansible-galaxy install dev-sec.mysql-hardening ``` ### Example Playbook - - hosts: localhost - roles: - - dev-sec.mysql-hardening +```yml +- hosts: localhost + roles: + - dev-sec.mysql-hardening +``` This hardening role installs the hardening but expects an existing installation of MySQL, MariaDB or Percona. Please ensure that the following variables are set accordingly: -- `mysql_hardening_enabled: yes` role is enabled by default and can be disabled without removing it from a playbook. You can use conditional variable, for example: `mysql_hardening_enabled: "{{ true if mysql_enabled else false }}"` -- `mysql_hardening_user: 'mysql'` The user that mysql runs as. -- `mysql_datadir: '/var/lib/mysql'` The MySQL data directory -- `mysql_hardening_mysql_hardening_conf_file: '/etc/mysql/conf.d/hardening.cnf'` The path to the configuration file where the hardening will be performed +* `mysql_hardening_enabled: yes` role is enabled by default and can be disabled without removing it from a playbook. You can use conditional variable, for example: `mysql_hardening_enabled: "{{ true if mysql_enabled else false }}"` +* `mysql_hardening_user: 'mysql'` The user that mysql runs as. +* `mysql_datadir: '/var/lib/mysql'` The MySQL data directory +* `mysql_hardening_mysql_hardening_conf_file: '/etc/mysql/conf.d/hardening.cnf'` The path to the configuration file where the hardening will be performed ## Role Variables 
@@ -87,27 +89,32 @@ You can also use vagrant and Virtualbox or VMWare to run tests locally. You will Next install test-kitchen: -```bash +```sh # Install dependencies gem install bundler bundle install ``` ### Testing with Docker -``` + +```sh +# list all available machines +bundle exec kitchen list + # fast test on one machine -bundle exec kitchen test default-ubuntu-1204 +bundle exec kitchen test mysql-centos7-ansible-latest # test on all machines bundle exec kitchen test # for development -bundle exec kitchen create default-ubuntu-1204 -bundle exec kitchen converge default-ubuntu-1204 +bundle exec kitchen create mysql-centos7-ansible-latest +bundle exec kitchen converge mysql-centos7-ansible-latest ``` ### Testing with Virtualbox -``` + +```sh # fast test on one machine KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test default-ubuntu-1404 @@ -118,6 +125,7 @@ KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen create default-ubuntu-1404 KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen converge default-ubuntu-1404 ``` + For more information see [test-kitchen](http://kitchen.ci/docs/getting-started) ## License and Author diff --git a/ansible.cfg b/ansible.cfg index 6c2fb60f..e32d849c 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -10,6 +10,7 @@ [defaults] ansible_managed = Ansible managed: {file} modified by {uid} on {host} roles_path = /vagrant +collections_paths = /tmp/kitchen/collections [ssh_connection] scp_if_ssh = True diff --git a/files/mysql_remove_remote_root.sql b/files/mysql_remove_remote_root.sql deleted file mode 100644 index a95b9901..00000000 --- a/files/mysql_remove_remote_root.sql +++ /dev/null @@ -1 +0,0 @@ -DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1'); diff --git a/requirements.yml b/requirements.yml index 71b5f0bf..855a0cce 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -1,2 +1,6 @@ --- -- src: geerlingguy.mysql +collections: + - community.mysql + +roles: + - src: geerlingguy.mysql diff --git a/tasks/mysql_secure_installation.yml b/tasks/mysql_secure_installation.yml index 3759a1f8..afaa0364 100644 --- a/tasks/mysql_secure_installation.yml +++ b/tasks/mysql_secure_installation.yml @@ -35,22 +35,8 @@ host_all: true when: mysql_remove_anonymous_users -- name: copy mysql_remove_remote_root - copy: - src: '{{ item }}.sql' - dest: '/tmp/{{ item }}.sql' - mode: '0400' - with_items: - - mysql_remove_remote_root - when: mysql_remove_remote_root - changed_when: false - -- name: apply mysql_remove_remote_root - mysql_db: - name: 'mysql' - state: import - target: '/tmp/{{ item }}.sql' - with_items: - - mysql_remove_remote_root - when: mysql_remove_remote_root - changed_when: false +- name: remove remote root + community.mysql.mysql_query: + query: + - DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1') + when: mysql_remove_remote_root \ No newline at end of file diff --git a/tests/test.yml b/tests/test.yml index 23bf5e74..862848f5 100644 --- a/tests/test.yml +++ b/tests/test.yml @@ -12,7 +12,7 @@ - name: install procps for debian systems apt: name: procps - state: installed + state: present update_cache: true when: ansible_distribution == 'Debian' - name: set logfile according to OS @@ -23,6 +23,20 @@ set_fact: mysql_log_error: "/var/log/mysqld.log" when: ansible_os_family == "RedHat" + - name: Install pip according to OS + apt: + name: python-pip + state: present + when: ansible_os_family == 'Debian' + - name: Install pip according to OS + yum: + name: python-pip + state: present + when: ansible_os_family == 'RedHat' + - name: Make sure pymysql is present + pip: + name: pymysql + state: present vars: overwrite_global_mycnf: false mysql_root_password: iloverandompasswordsbutthiswilldo 
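Review bot: The new `remove remote root` task issues `DELETE FROM mysql.user ...` without a following `FLUSH PRIVILEGES`, so the server's in-memory grant cache still holds the remote root accounts until a restart and the hardening does not take effect on the running instance. Add `- FLUSH PRIVILEGES` as a second item of `query`, or better enumerate the remote root hosts and `DROP USER` them, which MySQL documents as the supported way to remove accounts (direct edits to the grant tables are discouraged and unsupported on MySQL 8). The old `changed_when: false` is gone, which is fine since `mysql_query` reports changed only when rows were affected, but the file now ends without a trailing newline.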
@@ -32,3 +46,5 @@ roles: - geerlingguy.mysql - ansible-mysql-hardening + collections: + - community.mysql \ No newline at end of file From 175e38a0166961d4a4ba3b4690fb1e13a8c035c5 Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Sun, 11 Oct 2020 15:54:51 +0000 Subject: [PATCH 103/115] update changelog --- CHANGELOG.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 97482dbb..dcf14803 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,11 +1,12 @@ # Changelog -## [2.2.2](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.2.2) (2020-10-03) +## [2.2.2](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.2.2) (2020-10-11) [Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/2.2.1...2.2.2) **Implemented enhancements:** +- Use mysql\_query module instead of temporary files [\#56](https://github.com/dev-sec/ansible-mysql-hardening/pull/56) ([szEvEz](https://github.com/szEvEz)) - update readme to new layout for vars [\#53](https://github.com/dev-sec/ansible-mysql-hardening/pull/53) ([rndmh3ro](https://github.com/rndmh3ro)) - add mode to copy task [\#51](https://github.com/dev-sec/ansible-mysql-hardening/pull/51) ([rndmh3ro](https://github.com/rndmh3ro)) - Fix linting errors and simplivy vars-handling [\#49](https://github.com/dev-sec/ansible-mysql-hardening/pull/49) ([rndmh3ro](https://github.com/rndmh3ro)) 
@@ -15,6 +16,11 @@ - permissions on /etc/mysql/mysql.cnf too restrictive [\#35](https://github.com/dev-sec/ansible-mysql-hardening/issues/35) - add modes to template and file tasks [\#50](https://github.com/dev-sec/ansible-mysql-hardening/pull/50) ([rndmh3ro](https://github.com/rndmh3ro)) +**Closed issues:** + +- Use mysql\_query module instead of temporary files [\#52](https://github.com/dev-sec/ansible-mysql-hardening/issues/52) +- Add Centos 8 support for ansible-mysql-hardening [\#36](https://github.com/dev-sec/ansible-mysql-hardening/issues/36) + **Merged pull requests:** - update testing [\#48](https://github.com/dev-sec/ansible-mysql-hardening/pull/48) ([rndmh3ro](https://github.com/rndmh3ro)) From f0ac6df8df276e9bc53885c4625d86050c484cb3 Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Tue, 13 Oct 2020 03:25:02 +0000 Subject: [PATCH 104/115] update changelog --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index dcf14803..74d9e900 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Changelog -## [2.2.2](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.2.2) (2020-10-11) +## [2.2.2](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.2.2) (2020-10-13) [Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/2.2.1...2.2.2) @@ -14,6 +14,7 @@ **Fixed bugs:** - permissions on /etc/mysql/mysql.cnf too restrictive [\#35](https://github.com/dev-sec/ansible-mysql-hardening/issues/35) +- fix missing variables [\#55](https://github.com/dev-sec/ansible-mysql-hardening/pull/55) ([rndmh3ro](https://github.com/rndmh3ro)) - add modes to template and file tasks [\#50](https://github.com/dev-sec/ansible-mysql-hardening/pull/50) ([rndmh3ro](https://github.com/rndmh3ro)) **Closed issues:** From 99d1d07a96445fd363a51eec1d0aff16726cf9b7 Mon Sep 17 00:00:00 2001 
From: szEvEz Date: Tue, 13 Oct 2020 10:25:11 +0200 Subject: [PATCH 105/115] Fix local kitchen runs and travis-ci, replace geerlingguy-mysql with forked dev-sec-mysql Signed-off-by: szEvEz --- .kitchen.vagrant.yml | 6 ------ .kitchen.yml | 16 ++++------------ .travis.yml | 16 +++++----------- Gemfile | 2 +- requirements.yml | 3 ++- tasks/configure.yml | 3 +-- tasks/mysql_secure_installation.yml | 4 ++++ tests/test.yml | 3 ++- vars/Debian.yml | 2 +- vars/RedHat_7.yml | 2 +- vars/RedHat_8.yml | 2 +- vars/Ubuntu_16.yml | 3 +++ vars/Ubuntu_18.yml | 3 +++ vars/Ubuntu_20.yml | 6 +++--- 14 files changed, 31 insertions(+), 40 deletions(-) diff --git a/.kitchen.vagrant.yml b/.kitchen.vagrant.yml index 13a4605d..9680c5a6 100644 --- a/.kitchen.vagrant.yml +++ b/.kitchen.vagrant.yml @@ -26,15 +26,9 @@ platforms: - name: ubuntu-18.04 driver_config: box: bento/ubuntu-18.04 - - name: centos-6 - driver_config: - box: bento/centos-6 - name: centos-7 driver_config: box: bento/centos-7 - - name: oracle-6 - driver_config: - box: bento/oracle-6 - name: oracle-7 driver_config: box: bento/oracle-7 diff --git a/.kitchen.yml b/.kitchen.yml index ebbdfc4d..b3755713 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -17,23 +17,16 @@ provisioner: require_ruby_for_busser: false ansible_verbose: true ansible_diff: true - roles_path: ../ansible-mysql-hardening/ http_proxy: <%= ENV['http_proxy'] || nil %> https_proxy: <%= ENV['https_proxy'] || nil %> requirements_path: requirements.yml requirements_collection_path: requirements.yml -# ansible_cfg_path: ansible.cfg -# ansible_cfg_overwrite: true sudo_command: 'sudo -E -H' playbook: tests/test.yml galaxy_ignore_certs: true platforms: - - name: centos6-ansible-latest - driver: - image: rndmh3ro/docker-centos6-ansible:latest - platform: centos - name: centos7-ansible-latest driver: image: rndmh3ro/docker-centos7-ansible:latest 
@@ -42,20 +35,19 @@ platforms: provision_command: - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config - systemctl enable sshd.service - - name: oracle6-ansible-latest - driver: - image: rndmh3ro/docker-oracle6-ansible:latest - platform: centos - name: oracle7-ansible-latest driver: image: rndmh3ro/docker-oracle7-ansible:latest run_command: /sbin/init platform: centos provision_command: - - systemctl enable ssh.service + - yum -y install initscripts + - sed -i '/nologin/d' /etc/pam.d/sshd + - systemctl enable sshd.service - name: ubuntu1804-ansible-latest driver: image: rndmh3ro/docker-ubuntu1804-ansible:latest + run_command: /sbin/init platform: ubuntu provision_command: - systemctl enable ssh.service diff --git a/.travis.yml b/.travis.yml index 9abcc5f4..6d9557e8 100644 --- a/.travis.yml +++ b/.travis.yml @@ -2,20 +2,13 @@ services: docker env: - - distro: centos6 - version: latest - init: /sbin/init - - distro: centos7 init: /lib/systemd/systemd run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" version: latest - - distro: oracle6 - version: latest - init: /sbin/init - - distro: oracle7 + version: latest init: /lib/systemd/systemd run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" @@ -54,8 +47,8 @@ before_install: - 'docker pull rndmh3ro/docker-${distro}-ansible:${version}' script: - - pip install --user ansible-lint - - ansible-lint ./ + - gem install bundler + - bundle install - container_id=$(mktemp) # Run container in detached state. 
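Review bot: Replacing `pip install --user ansible-lint` / `ansible-lint ./` with `gem install bundler` / `bundle install` in the `script` section removes the only static lint of the role from CI; the bundle is needed for the `inspec exec` verify step, but nothing in this commit brings the lint back. Keep `- ansible-lint ./` next to the bundle install, or state in the commit message where linting moves to. In the `.kitchen.yml` hunk, `sed -i '/nologin/d' /etc/pam.d/sshd` strips pam_nologin from the container's sshd PAM stack; that is acceptable for a throwaway test container but deserves a comment such as `# drop pam_nologin so kitchen can ssh in before the container finishes booting`.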
@@ -63,12 +56,13 @@ script: # Install ansible galaxy requirements - 'docker exec "$(cat ${container_id})" ansible-galaxy install -c -r /etc/ansible/roles/ansible-mysql-hardening/requirements.yml -p /etc/ansible/roles/' + - 'docker exec "$(cat ${container_id})" ansible-galaxy collection install -c community.mysql' # Test role. - 'travis_wait docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-mysql-hardening/tests/test.yml' # Verify role - - 'inspec exec https://github.com/dev-sec/mysql-baseline/ -t docker://$(cat ${container_id}) --no-distinct-exit' + - 'inspec exec https://github.com/dev-sec/mysql-baseline/ -t docker://$(cat ${container_id}) --no-distinct-exit --chef-license=accept' after_failure: # Check MySQL settings. diff --git a/Gemfile b/Gemfile index c062388c..e77d37b7 100644 --- a/Gemfile +++ b/Gemfile @@ -10,6 +10,6 @@ group :integration do gem 'kitchen-sharedtests' gem 'kitchen-sync' gem 'kitchen-docker' - gem 'inspec' + gem 'inspec-bin' gem 'aws-sdk' end diff --git a/requirements.yml b/requirements.yml index 855a0cce..e47bf044 100644 --- a/requirements.yml +++ b/requirements.yml @@ -3,4 +3,5 @@ collections: - community.mysql roles: - - src: geerlingguy.mysql + - src: dev-sec.mysql + version: master diff --git a/tasks/configure.yml b/tasks/configure.yml index 1ec65c09..67d8743e 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -1,11 +1,10 @@ --- - - name: protect my.cnf file: path: '{{ mysql_hardening_mysql_conf_file }}' mode: '0640' owner: '{{ mysql_cnf_owner }}' - group: '{{ mysql_cnf_owner }}' + group: '{{ mysql_cnf_group }}' follow: true state: file diff --git a/tasks/mysql_secure_installation.yml b/tasks/mysql_secure_installation.yml index afaa0364..6361d478 100644 --- a/tasks/mysql_secure_installation.yml +++ b/tasks/mysql_secure_installation.yml 
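Review bot: `ansible-galaxy collection install -c community.mysql` (like the existing `-c` on the role install) disables TLS certificate verification for the Galaxy download, so the collection that later runs `DELETE FROM mysql.user` as the DB admin is fetched over an unauthenticated channel, and without a version it is whatever Galaxy serves that day. Drop `-c` unless a proxy genuinely requires it, and pin the collection to the version you tested, e.g. `ansible-galaxy collection install 'community.mysql:==<tested version>'`. The inspec `--chef-license=accept` addition is fine.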
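Review bot: In requirements.yml, `version: master` pins `dev-sec.mysql` to a moving branch and `community.mysql` carries no version at all, so every test run and every consumer of this requirements file pulls the tip of both — a reproducibility and supply-chain concern for a hardening role. Pin both to release tags, e.g. `- name: community.mysql` with `version: '<tested version>'` under `collections:` and a tagged `version:` for the role, and bump them deliberately.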
@@ -14,6 +14,7 @@ host_all: true password: '{{ mysql_root_password | mandatory }}' state: present + login_unix_socket: "{{ login_unix_socket | default(omit) }}" - name: install .my.cnf with credentials template: @@ -26,6 +27,7 @@ mysql_db: name: test state: absent + login_unix_socket: "{{ login_unix_socket | default(omit) }}" when: mysql_remove_test_database - name: anonymous users are absent @@ -33,10 +35,12 @@ name: '' state: absent host_all: true + login_unix_socket: "{{ login_unix_socket | default(omit) }}" when: mysql_remove_anonymous_users - name: remove remote root community.mysql.mysql_query: query: - DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1') + login_unix_socket: "{{ login_unix_socket | default(omit) }}" when: mysql_remove_remote_root \ No newline at end of file diff --git a/tests/test.yml b/tests/test.yml index 862848f5..8c8ae97c 100644 --- a/tests/test.yml +++ b/tests/test.yml @@ -43,8 +43,9 @@ mysql_user_password: iloverandompasswordsbutthiswilldo mysql_config_file: /etc/mysql/mariadb.cnf mysql_root_password_update: true + login_unix_socket: "{{ '/var/run/mysqld/mysqld.sock' if ansible_distribution == 'Debian' else '' | default(omit) }}" roles: - - geerlingguy.mysql + - dev-sec.mysql - ansible-mysql-hardening collections: - community.mysql \ No newline at end of file diff --git a/vars/Debian.yml b/vars/Debian.yml index 1c41ad64..9987645f 100644 --- a/vars/Debian.yml +++ b/vars/Debian.yml @@ -8,7 +8,7 @@ mysql_hardening_log_file: '/var/log/mysql/error.log' mysql_hardening_group: 'adm' -mysql_cnf_owner: 'mysql' # owner of /etc/mysql/*.cnf files +mysql_cnf_owner: 'root' # owner of /etc/mysql/*.cnf files mysql_cnf_group: 'mysql' # owner of /etc/mysql/*.cnf files mysql_python_package: "python3-pymysql" diff --git a/vars/RedHat_7.yml b/vars/RedHat_7.yml index fe073795..3ad8a05e 100644 --- a/vars/RedHat_7.yml +++ b/vars/RedHat_7.yml 
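Review bot: The four tasks in tasks/mysql_secure_installation.yml now read a bare `login_unix_socket` variable, unlike every other role input which is prefixed `mysql_`, and it is declared neither in the role defaults nor in the README "Role Variables" list, so users have no documented way to set it and it can collide with a same-named play variable intended for another role. Document it, e.g. `* login_unix_socket — Default: omitted — Description: path of the mysqld Unix socket used by the mysql_user/mysql_db/mysql_query tasks; set it when TCP login for root is disabled`, and consider a prefixed alias. The task list starts outside this hunk.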
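Review bot: In tests/test.yml, `login_unix_socket: "{{ '/var/run/mysqld/mysqld.sock' if ansible_distribution == 'Debian' else '' | default(omit) }}"` binds the filter to `''` only, and an empty string is defined, so `default(omit)` never fires and non-Debian hosts pass `login_unix_socket: ''` to every module; it may happen to work because the modules treat an empty socket as unset, but it is not what the expression says. Write `login_unix_socket: "{{ '/var/run/mysqld/mysqld.sock' if ansible_os_family == 'Debian' else omit }}"`. Note also that Ubuntu reports `ansible_distribution == 'Ubuntu'`, so the current condition does not match the ubuntu1804 platform; `ansible_os_family` is probably what was meant.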
@@ -7,7 +7,7 @@ mysql_hardening_log_file: '/var/log/mariadb/mariadb.log' mysql_python_package: 'MySQL-python' -mysql_cnf_owner: 'mysql' # owner of /etc/mysql/*.cnf files +mysql_cnf_owner: 'root' # owner of /etc/mysql/*.cnf files mysql_cnf_group: 'mysql' # owner of /etc/mysql/*.cnf files mysql_hardening_group: 'mysql' diff --git a/vars/RedHat_8.yml b/vars/RedHat_8.yml index 8a405c8d..17e6df2f 100644 --- a/vars/RedHat_8.yml +++ b/vars/RedHat_8.yml @@ -6,7 +6,7 @@ mysql_hardening_log_file: '/var/log/mariadb/mariadb.log' mysql_python_package: 'python3-mysqlclient' -mysql_cnf_owner: 'mysql' # owner of /etc/mysql/*.cnf files +mysql_cnf_owner: 'root' # owner of /etc/mysql/*.cnf files mysql_cnf_group: 'mysql' # owner of /etc/mysql/*.cnf files mysql_hardening_group: 'mysql' diff --git a/vars/Ubuntu_16.yml b/vars/Ubuntu_16.yml index f4964242..db04cd2b 100644 --- a/vars/Ubuntu_16.yml +++ b/vars/Ubuntu_16.yml @@ -6,6 +6,9 @@ mysql_hardening_mysql_confd_dir: '/etc/mysql/conf.d' mysql_hardening_log_file: '/var/log/mysql/error.log' +mysql_cnf_owner: 'root' # owner of /etc/mysql/*.cnf files +mysql_cnf_group: 'mysql' # owner of /etc/mysql/*.cnf files + mysql_hardening_group: 'adm' mysql_cnf_owner: 'mysql' # owner of /etc/mysql/*.cnf files diff --git a/vars/Ubuntu_18.yml b/vars/Ubuntu_18.yml index f4964242..db04cd2b 100644 --- a/vars/Ubuntu_18.yml +++ b/vars/Ubuntu_18.yml @@ -6,6 +6,9 @@ mysql_hardening_mysql_confd_dir: '/etc/mysql/conf.d' mysql_hardening_log_file: '/var/log/mysql/error.log' +mysql_cnf_owner: 'root' # owner of /etc/mysql/*.cnf files +mysql_cnf_group: 'mysql' # owner of /etc/mysql/*.cnf files + mysql_hardening_group: 'adm' mysql_cnf_owner: 'mysql' # owner of /etc/mysql/*.cnf files diff --git a/vars/Ubuntu_20.yml b/vars/Ubuntu_20.yml index 461c959d..1fd8a580 100644 --- a/vars/Ubuntu_20.yml +++ b/vars/Ubuntu_20.yml 
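Review bot: The vars/Ubuntu_16.yml hunk adds `mysql_cnf_owner: 'root'` / `mysql_cnf_group: 'mysql'` near the top while the context line below still shows the original `mysql_cnf_owner: 'mysql'`, so the file now has duplicate keys; Ansible's YAML loader keeps the last occurrence (at most with a warning), which means the owner on Ubuntu 16 stays `mysql` and the intended change does not apply. Delete the old pair at the bottom of the file — the same duplication appears in the vars/Ubuntu_18.yml hunk of this commit. Enabling yamllint's `key-duplicates` rule in CI would have caught this.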
@@ -6,9 +6,9 @@ mysql_hardening_mysql_confd_dir: '/etc/mysql/conf.d' mysql_hardening_log_file: '/var/log/mysql/error.log' -mysql_hardening_group: 'adm' - -mysql_cnf_owner: 'mysql' # owner of /etc/mysql/*.cnf files +mysql_cnf_owner: 'root' # owner of /etc/mysql/*.cnf files mysql_cnf_group: 'mysql' # owner of /etc/mysql/*.cnf files +mysql_hardening_group: 'adm' + mysql_python_package: "python3-mysqldb" From 8d87d120a138515cd2114676eb03f34e5b0ded53 Mon Sep 17 00:00:00 2001 From: szEvEz Date: Sat, 17 Oct 2020 13:47:50 +0200 Subject: [PATCH 106/115] Remove duplicate vars Signed-off-by: szEvEz --- vars/Ubuntu_16.yml | 3 --- vars/Ubuntu_18.yml | 3 --- 2 files changed, 6 deletions(-) diff --git a/vars/Ubuntu_16.yml b/vars/Ubuntu_16.yml index db04cd2b..cb62200c 100644 --- a/vars/Ubuntu_16.yml +++ b/vars/Ubuntu_16.yml @@ -11,7 +11,4 @@ mysql_cnf_group: 'mysql' # owner of /etc/mysql/*.cnf files mysql_hardening_group: 'adm' -mysql_cnf_owner: 'mysql' # owner of /etc/mysql/*.cnf files -mysql_cnf_group: 'mysql' # owner of /etc/mysql/*.cnf files - mysql_python_package: "python-mysqldb" diff --git a/vars/Ubuntu_18.yml b/vars/Ubuntu_18.yml index db04cd2b..cb62200c 100644 --- a/vars/Ubuntu_18.yml +++ b/vars/Ubuntu_18.yml @@ -11,7 +11,4 @@ mysql_cnf_group: 'mysql' # owner of /etc/mysql/*.cnf files mysql_hardening_group: 'adm' -mysql_cnf_owner: 'mysql' # owner of /etc/mysql/*.cnf files -mysql_cnf_group: 'mysql' # owner of /etc/mysql/*.cnf files - mysql_python_package: "python-mysqldb" From f2ac796ca10ac61ae6eb87d04b03791f21925f26 Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Sat, 17 Oct 2020 12:07:26 +0000 Subject: [PATCH 107/115] update changelog --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 74d9e900..ed8c2946 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,6 +1,6 @@ # Changelog -## [2.2.2](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.2.2) (2020-10-13) +## [2.2.2](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.2.2) (2020-10-17) [Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/2.2.1...2.2.2) @@ -24,6 +24,7 @@ **Merged pull requests:** +- Fix kitchen and travisci for major distros [\#57](https://github.com/dev-sec/ansible-mysql-hardening/pull/57) ([szEvEz](https://github.com/szEvEz)) - update testing [\#48](https://github.com/dev-sec/ansible-mysql-hardening/pull/48) ([rndmh3ro](https://github.com/rndmh3ro)) ## [2.2.1](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.2.1) (2020-06-06) From 7f512b383435f00ed569c309c815dc58400c8a82 Mon Sep 17 00:00:00 2001 From: szEvEz Date: Sat, 17 Oct 2020 14:36:55 +0200 Subject: [PATCH 108/115] Run Ansible-lint via github action Signed-off-by: szEvEz --- .github/workflows/ansible-lint.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 .github/workflows/ansible-lint.yml diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml new file mode 100644 index 00000000..fec7de42 --- /dev/null +++ b/.github/workflows/ansible-lint.yml @@ -0,0 +1,14 @@ +name: Ansible Lint + +on: [push, pull_request] + +jobs: + build: + runs-on: ubuntu-latest + steps: + # Important: This sets up your GITHUB_WORKSPACE environment variable + - uses: actions/checkout@v2 + - name: Lint Ansible Playbook + uses: ansible/ansible-lint-action@master + with: + targets: "" \ No newline at end of file From bd7a5a6d416dfa3352822c27772a3c71d0504b7f Mon Sep 17 00:00:00 2001 From: szEvEz Date: Sat, 17 Oct 2020 15:21:38 +0200 Subject: [PATCH 109/115] add task name and set directory permissions Signed-off-by: szEvEz --- tests/test.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/test.yml b/tests/test.yml index 8c8ae97c..906333cd 100644 --- a/tests/test.yml +++ b/tests/test.yml 
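Review bot: In the new .github/workflows/ansible-lint.yml, `uses: ansible/ansible-lint-action@master` references a moving branch of a third-party action, so any push to that branch runs unreviewed code in this repository's CI with the workflow token on every push and pull request; pinning to a release tag, or better to a full commit SHA such as `uses: ansible/ansible-lint-action@<pinned-commit-sha>`, makes the supply chain reviewable (the same applies to `actions/checkout@v2`, where the `v2` tag is also mutable). The empty `targets: ""` presumably relies on the action's default of linting the whole checkout, but that is not documented in the file and depends on the action's behaviour rather than on anything visible here; a short comment stating the intended scope would help. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.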
@@ -6,9 +6,11 @@ apt: update_cache: true when: ansible_os_family == 'Debian' - - file: + - name: Create mysql directory if it does not exist + file: path: "/etc/mysql" state: directory + mode: 0755 - name: install procps for debian systems apt: name: procps From 0bb24983899a44d5549fa56e6dabc6fa41123e00 Mon Sep 17 00:00:00 2001 From: szEvEz Date: Sat, 17 Oct 2020 15:49:16 +0200 Subject: [PATCH 110/115] Add ansible-lint badge Signed-off-by: szEvEz --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 4f8ff816..48442873 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,7 @@ # mysql-hardening (Ansible role) [![Build Status](http://img.shields.io/travis/dev-sec/ansible-mysql-hardening.svg)][1] +![Ansible Lint](https://github.com/dev-sec/ansible-mysql-hardening/workflows/Ansible%20Lint/badge.svg?branch=master) [![Ansible Galaxy](https://img.shields.io/badge/galaxy-mysql--hardening-660198.svg)][3] ## Description From 421fb6da2c726390e82349b4cfe9e4ec828a747d Mon Sep 17 00:00:00 2001 From: dev-sec CI Date: Sun, 18 Oct 2020 12:54:19 +0000 Subject: [PATCH 111/115] update changelog --- CHANGELOG.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ed8c2946..15f6b5bc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Changelog -## [2.2.2](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.2.2) (2020-10-17) +## [2.2.2](https://github.com/dev-sec/ansible-mysql-hardening/tree/2.2.2) (2020-10-18) [Full Changelog](https://github.com/dev-sec/ansible-mysql-hardening/compare/2.2.1...2.2.2) 
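Review bot: The added `mode: 0755` is an unquoted leading-zero literal, which a YAML 1.1 loader reads as the integer 493 and Ansible then has to reinterpret; Ansible's own guidance is to quote octal modes so the module receives a string, i.e. `mode: "0755"`, which also keeps the value stable if the task is ever used in a loop or templated. The enclosing play and its `pre_tasks` list start above this hunk, so the rest of the task list is not visible here.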
@@ -24,6 +24,7 @@ **Merged pull requests:** +- Run ansible-lint via github action [\#58](https://github.com/dev-sec/ansible-mysql-hardening/pull/58) ([szEvEz](https://github.com/szEvEz)) - Fix kitchen and travisci for major distros [\#57](https://github.com/dev-sec/ansible-mysql-hardening/pull/57) ([szEvEz](https://github.com/szEvEz)) - update testing [\#48](https://github.com/dev-sec/ansible-mysql-hardening/pull/48) ([rndmh3ro](https://github.com/rndmh3ro)) @@ -59,7 +60,6 @@ - remove eol'd OS and add new [\#34](https://github.com/dev-sec/ansible-mysql-hardening/pull/34) ([rndmh3ro](https://github.com/rndmh3ro)) - replace iteritems with items for python3 support [\#33](https://github.com/dev-sec/ansible-mysql-hardening/pull/33) ([rndmh3ro](https://github.com/rndmh3ro)) - make mysql daemon enabling configurable [\#30](https://github.com/dev-sec/ansible-mysql-hardening/pull/30) ([rndmh3ro](https://github.com/rndmh3ro)) -- Fix ansible.cfg settings [\#29](https://github.com/dev-sec/ansible-mysql-hardening/pull/29) ([fazlearefin](https://github.com/fazlearefin)) **Fixed bugs:** @@ -73,9 +73,9 @@ **Implemented enhancements:** - Add CentOS7 with MariaDB support [\#23](https://github.com/dev-sec/ansible-mysql-hardening/issues/23) +- Fix ansible.cfg settings [\#29](https://github.com/dev-sec/ansible-mysql-hardening/pull/29) ([fazlearefin](https://github.com/fazlearefin)) - Add CentOS7 with MariaDB support [\#27](https://github.com/dev-sec/ansible-mysql-hardening/pull/27) ([chrispoupart](https://github.com/chrispoupart)) - - renamed 'mysql\_hardening\_mysql\_conf' var to 'mysql\_hardening\_mysql\_… [\#22](https://github.com/dev-sec/ansible-mysql-hardening/pull/22) ([agno01](https://github.com/agno01)) -- add follow=yes to my.cnf protect task, incase its a symlink. fixes \#20 [\#21](https://github.com/dev-sec/ansible-mysql-hardening/pull/21) ([rndmh3ro](https://github.com/rndmh3ro)) **Fixed bugs:** 
@@ -91,6 +91,7 @@ **Implemented enhancements:** +- add follow=yes to my.cnf protect task, incase its a symlink. fixes \#20 [\#21](https://github.com/dev-sec/ansible-mysql-hardening/pull/21) ([rndmh3ro](https://github.com/rndmh3ro)) - add changelog generator [\#7](https://github.com/dev-sec/ansible-mysql-hardening/pull/7) ([chris-rock](https://github.com/chris-rock)) **Closed issues:** From 5e6da728a482e47a61c31c532a76afa18bfe7a19 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Wed, 28 Oct 2020 20:42:53 +0100 Subject: [PATCH 112/115] WIP - update for collection Signed-off-by: Sebastian Gumprich --- .github/ISSUE_TEMPLATE/bug_report.md | 40 -------- .github/ISSUE_TEMPLATE/feature_request.md | 17 ---- .github/workflows/ansible-lint.yml | 14 --- .github/workflows/release.yml | 69 -------------- .kitchen.vagrant.yml | 52 ----------- .kitchen.yml | 85 ----------------- .travis.yml | 73 --------------- CONTRIBUTING.md | 85 ----------------- Gemfile | 15 --- README.md | 106 ++++------------------ Rakefile | 11 --- ansible.cfg | 16 ---- requirements.yml | 7 -- tests/test.yml | 53 ----------- 14 files changed, 19 insertions(+), 624 deletions(-) delete mode 100644 .github/ISSUE_TEMPLATE/bug_report.md delete mode 100644 .github/ISSUE_TEMPLATE/feature_request.md delete mode 100644 .github/workflows/ansible-lint.yml delete mode 100644 .github/workflows/release.yml delete mode 100644 .kitchen.vagrant.yml delete mode 100644 .kitchen.yml delete mode 100644 .travis.yml delete mode 100644 CONTRIBUTING.md delete mode 100644 Gemfile delete mode 100644 Rakefile delete mode 100644 ansible.cfg delete mode 100644 requirements.yml delete mode 100644 tests/test.yml diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md deleted file mode 100644 index 43f045d2..00000000 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ /dev/null 
@@ -1,40 +0,0 @@ ---- -name: Bug report -about: Create a report to help us improve - ---- - -**Describe the bug** -A clear and concise description of what the bug is. - -**Expected behavior** -A clear and concise description of what you expected to happen. - -**Actual behavior** - -```paste below - -``` -**Example Playbook** - -```paste below - -``` - -**OS / Environment** - - -**Ansible Version** - -```paste below - -``` - -**Role Version** - -```paste below - -``` - -**Additional context** -Add any other context about the problem here. diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md deleted file mode 100644 index 066b2d92..00000000 --- a/.github/ISSUE_TEMPLATE/feature_request.md +++ /dev/null @@ -1,17 +0,0 @@ ---- -name: Feature request -about: Suggest an idea for this project - ---- - -**Is your feature request related to a problem? Please describe.** -A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] - -**Describe the solution you'd like** -A clear and concise description of what you want to happen. - -**Describe alternatives you've considered** -A clear and concise description of any alternative solutions or features you've considered. - -**Additional context** -Add any other context or screenshots about the feature request here. diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml deleted file mode 100644 index fec7de42..00000000 --- a/.github/workflows/ansible-lint.yml +++ /dev/null @@ -1,14 +0,0 @@ -name: Ansible Lint - -on: [push, pull_request] - -jobs: - build: - runs-on: ubuntu-latest - steps: - # Important: This sets up your GITHUB_WORKSPACE environment variable - - uses: actions/checkout@v2 - - name: Lint Ansible Playbook - uses: ansible/ansible-lint-action@master - with: - targets: "" \ No newline at end of file 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml deleted file mode 100644 index e5486562..00000000 --- a/.github/workflows/release.yml +++ /dev/null @@ -1,69 +0,0 @@ ---- -name: New release - -on: # yamllint disable-line rule:truthy - push: - branches: - - master - -jobs: - generate_changelog: - runs-on: ubuntu-latest - name: create release draft - steps: - - uses: actions/checkout@v1 - - - name: 'Get Previous tag' - id: previoustag - uses: "WyriHaximus/github-action-get-previous-tag@master" - env: - GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - - - name: calculate next version - id: version - uses: patrickjahns/version-drafter-action@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Generate changelog - uses: charmixer/auto-changelog-action@8095796 - with: - token: ${{ secrets.GITHUB_TOKEN }} - future_release: ${{ steps.version.outputs.next-version }} - - - name: Generate changelog for the release - uses: charmixer/auto-changelog-action@8095796 - with: - token: ${{ secrets.GITHUB_TOKEN }} - since_tag: ${{ steps.previoustag.outputs.tag }} - future_release: ${{ steps.version.outputs.next-version }} - output: CHANGELOGRELEASE.md - - - name: push changelog - uses: github-actions-x/commit@v2.6 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - push-branch: 'master' - commit-message: 'update changelog' - force-add: 'true' - files: CHANGELOG.md - name: dev-sec CI - email: hello@dev-sec.io - - - name: Read CHANGELOG.md - id: package - uses: juliangruber/read-file-action@v1 - with: - path: ./CHANGELOGRELEASE.md - - - name: Create Release draft - id: create_release - uses: actions/create-release@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token - with: - release_name: ${{ steps.version.outputs.next-version }} - tag_name: ${{ steps.version.outputs.next-version }} - body: | - ${{ steps.package.outputs.content }} - draft: true 
diff --git a/.kitchen.vagrant.yml b/.kitchen.vagrant.yml deleted file mode 100644 index 9680c5a6..00000000 --- a/.kitchen.vagrant.yml +++ /dev/null @@ -1,52 +0,0 @@ ---- -driver: - name: vagrant - -provisioner: - name: ansible_playbook - hosts: all - require_ansible_repo: false - require_ansible_omnibus: true - require_chef_for_busser: false - require_ruby_for_busser: false - ansible_verbose: true - roles_path: ../ansible-mysql-hardening/ - playbook: default.yml - requirements_path: requirements.yml - requirements_collection_path: requirements.yml - sudo_command: 'sudo -E -H' - -transport: - max_ssh_sessions: 5 - -platforms: - - name: ubuntu-16.04 - driver_config: - box: bento/ubuntu-16.04 - - name: ubuntu-18.04 - driver_config: - box: bento/ubuntu-18.04 - - name: centos-7 - driver_config: - box: bento/centos-7 - - name: oracle-7 - driver_config: - box: bento/oracle-7 - - name: debian-9 - driver_config: - box: bento/debian-9 - - name: debian-10 - driver_config: - box: bento/debian-10 - - name: amazon - driver_config: - box: bento/amazonlinux-2 - -verifier: - name: inspec - sudo: true - inspec_tests: - - https://github.com/dev-sec/mysql-baseline/ - -suites: - - name: mysql diff --git a/.kitchen.yml b/.kitchen.yml deleted file mode 100644 index b3755713..00000000 --- a/.kitchen.yml +++ /dev/null 
@@ -1,85 +0,0 @@ ---- -driver: - name: docker - use_sudo: false - privileged: true - http_proxy: <%= ENV['http_proxy'] || nil %> - https_proxy: <%= ENV['https_proxy'] || nil %> - -transport: - max_ssh_sessions: 5 - -provisioner: - name: ansible_playbook - hosts: all - require_ansible_repo: false - require_chef_for_busser: false - require_ruby_for_busser: false - ansible_verbose: true - ansible_diff: true - roles_path: ../ansible-mysql-hardening/ - http_proxy: <%= ENV['http_proxy'] || nil %> - https_proxy: <%= ENV['https_proxy'] || nil %> - requirements_path: requirements.yml - requirements_collection_path: requirements.yml - sudo_command: 'sudo -E -H' - playbook: tests/test.yml - galaxy_ignore_certs: true - -platforms: - - name: centos7-ansible-latest - driver: - image: rndmh3ro/docker-centos7-ansible:latest - platform: centos - run_command: /sbin/init - provision_command: - - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config - - systemctl enable sshd.service - - name: oracle7-ansible-latest - driver: - image: rndmh3ro/docker-oracle7-ansible:latest - run_command: /sbin/init - platform: centos - provision_command: - - yum -y install initscripts - - sed -i '/nologin/d' /etc/pam.d/sshd - - systemctl enable sshd.service - - name: ubuntu1804-ansible-latest - driver: - image: rndmh3ro/docker-ubuntu1804-ansible:latest - run_command: /sbin/init - platform: ubuntu - provision_command: - - systemctl enable ssh.service - - name: debian9-ansible-latest - driver: - image: rndmh3ro/docker-debian9-ansible:latest - platform: debian - run_command: /sbin/init - provision_command: - - apt install -y systemd-sysv - - systemctl enable ssh.service - - name: debian10-ansible-latest - driver: - image: rndmh3ro/docker-debian10-ansible:latest - platform: debian - run_command: /sbin/init - provision_command: - - apt install -y systemd-sysv - - systemctl enable ssh.service - - name: amazon-ansible-latest - driver: - image: rndmh3ro/docker-amazon-ansible:latest - platform: centos - 
run_command: /sbin/init - provision_command: - - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config - - systemctl enable sshd.service -verifier: - name: inspec - sudo: true - inspec_tests: - - https://github.com/dev-sec/mysql-baseline - -suites: - - name: mysql diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 6d9557e8..00000000 --- a/.travis.yml +++ /dev/null 
@@ -1,73 +0,0 @@ ---- -services: docker - -env: - - distro: centos7 - init: /lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - version: latest - - - distro: oracle7 - version: latest - init: /lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - - - distro: ubuntu1604 - version: latest - init: /lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - - - distro: ubuntu1804 - version: latest - init: /lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - - - distro: debian9 - version: latest - init: /lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - - - distro: debian10 - version: latest - init: /lib/systemd/systemd - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - - - distro: amazon - init: /lib/systemd/systemd - version: latest - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - - - distro: fedora - init: /lib/systemd/systemd - version: latest - run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro" - -before_install: - # Pull container - - 'docker pull rndmh3ro/docker-${distro}-ansible:${version}' - -script: - - gem install bundler - - bundle install - - - container_id=$(mktemp) - # Run container in detached state. - - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-mysql-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"' - - # Install ansible galaxy requirements - - 'docker exec "$(cat ${container_id})" ansible-galaxy install -c -r /etc/ansible/roles/ansible-mysql-hardening/requirements.yml -p /etc/ansible/roles/' - - 'docker exec "$(cat ${container_id})" ansible-galaxy collection install -c community.mysql' - - # Test role. 
- - 'travis_wait docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-mysql-hardening/tests/test.yml' - - # Verify role - - 'inspec exec https://github.com/dev-sec/mysql-baseline/ -t docker://$(cat ${container_id}) --no-distinct-exit --chef-license=accept' - -after_failure: - # Check MySQL settings. - - 'docker exec --tty ${container_id} env TERM=xterm cat /var/log/mysql/error.log' - - 'docker exec --tty ${container_id} env TERM=xterm cat /var/log/mysql.err' - - 'docker exec --tty ${container_id} env TERM=xterm cat /var/log/mysql.log' -notifications: - webhooks: https://galaxy.ansible.com/api/v1/notifications/ diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md deleted file mode 100644 index 783c10fb..00000000 --- a/CONTRIBUTING.md +++ /dev/null 
@@ -1,85 +0,0 @@ -# Contributor Guideline - -This document provides an overview of how you can participate in improving this project or extending it. We are grateful for all your help: bug reports and fixes, code contributions, documentation or ideas. Feel free to join, we appreciate your support!! - -## Communication - -### GitHub repositories - -Much of the issues, goals and ideas are tracked in the respective projects in GitHub. Please use this channel to report bugs and post ideas. - -## git and GitHub - -In order to contribute code please: - -1. Fork the project on GitHub -2. Clone the project -3. Add changes (and tests) -4. Commit and push -5. Create a merge-request - -To have your code merged, see the expectations listed below. - -You can find a well-written guide [here](https://help.github.com/articles/fork-a-repo). - -Please follow common commit best-practices. Be explicit, have a short summary, a well-written description and references. This is especially important for the merge-request. - -Some great guidelines can be found [here](https://wiki.openstack.org/wiki/GitCommitMessages) and [here](http://robots.thoughtbot.com/5-useful-tips-for-a-better-commit-message). - - -## Expectations - -### Don't reinvent the wheel - -This hardening project doesn't intend to reinvent the configuration stack for services. Aim to use official configuration projects first and provide hardening as a layer on top. The goal is remove the need for a user to configure all aspects of services and maintain security configuration. This way, the user can still configure a service using the interface provided by the official project. - -* For Chef refer to the official [opscode community cookbooks](http://community.opscode.com/cookbooks). -* For Puppet head to the [Puppet Forge](https://forge.puppetlabs.com/) and take a node of the Puppet supported modules. 
-* For Ansible check the [Ansible Module Index](http://docs.ansible.com/list_of_all_modules.html) - -These projects are generally hosted on GitHub as well. - -In some cases, we in fact create the full rollout stack, but this is generally the exception ([os-hardening](https://github.com/TelekomLabs/chef-os-hardening), [nginx-hardening](https://github.com/TelekomLabs/chef-nginx-hardening)). - - -### Be explicit - -* Please avoid using nonsensical property and variable names. -* Use self-describing attribute names for user configuration. -* In case of failures, communicate what happened and why a failure occurs to the user. Make it easy to track the code or action that produced the error. Try to catch and handle errors if possible to provide improved failure messages. - - -### Add tests - -The security review of this project is done using integration tests. - -Whenever you add a new security configuration, please start by writing a test that checks for this configuration. For example: If you want to set a new attribute in a configuration file, write a test that expects the value to be set first. Then implement your change. - -You may add a new feature request by creating a test for whatever value you need. - -All tests will be reviewed internally for their validity and overall project direction. - - -### Document your code - -As code is more often read than written, please provide documentation in all projects. - -Adhere to the respective guidelines for documentation: - -* Chef generally documents code based explicit readme files. 
For code documentation please use [yard-chef](https://github.com/rightscale/yard-chef) -* [Puppet module documentation](http://docs.puppetlabs.com/puppet/latest/reference/modules_documentation.html) - - -### Follow coding styles - -We generally include test for coding guidelines: - -* Chef follows [Foodcritic](http://acrmp.github.io/foodcritic/) -* Puppet is checked with [puppet-lint](http://puppet-lint.com/checks/) -* Ansible is checked by running the playbook with the syntax-check option, e.g. `ansible-playbook foo.yml --syntax-check` - -Remember: Code is generally read much more often than written. - -### Use Markdown - -Wherever possible, please refrain from any other formats and stick to simple markdown. diff --git a/Gemfile b/Gemfile deleted file mode 100644 index e77d37b7..00000000 --- a/Gemfile +++ /dev/null @@ -1,15 +0,0 @@ -# encoding: utf-8 - -source 'https://rubygems.org' - -group :integration do - gem 'test-kitchen' - gem 'kitchen-ansible' - gem 'kitchen-vagrant' - gem 'kitchen-inspec' - gem 'kitchen-sharedtests' - gem 'kitchen-sync' - gem 'kitchen-docker' - gem 'inspec-bin' - gem 'aws-sdk' -end diff --git a/README.md b/README.md index 48442873..248a922b 100644 --- a/README.md +++ b/README.md 
@@ -1,37 +1,37 @@ -# mysql-hardening (Ansible role) +# devsec.mysql_hardening -[![Build Status](http://img.shields.io/travis/dev-sec/ansible-mysql-hardening.svg)][1] -![Ansible Lint](https://github.com/dev-sec/ansible-mysql-hardening/workflows/Ansible%20Lint/badge.svg?branch=master) -[![Ansible Galaxy](https://img.shields.io/badge/galaxy-mysql--hardening-660198.svg)][3] +![devsec.os_hardening](https://github.com/dev-sec/ansible-os-hardening/workflows/devsec.os_hardening/badge.svg) + +## Looking for the old ansible-mysql-hardening role? + +This role is now part of the hardening-collection. You can find the old role in the branch `legacy`. ## Description -Provides security configurations for MySQL. It is intended to set up production-ready mysql instances that are configured with minimal surface for attackers. Furthermore it is intended to be compliant with the [DevSec MySQL Baseline](https://github.com/dev-sec/mysql-baseline). +This role provides security configurations for MySQL and its derivates. It is intended to set up production-ready MySQL instances that are configured with minimal surface for attackers. Furthermore it is intended to be compliant with the [DevSec MySQL Baseline](https://github.com/dev-sec/mysql-baseline). -This role focuses on security configuration of MySQL. Therefore you can add this hardening role alongside your existing MySQL configuration in Ansible. 
+It configures: + +* Permissions for the various configuration files and folders +* Removes anonymous users, root-users without a password and test databases +* various hardening options inside MySQL ## Requirements -* Ansible -* Set up `mysql_root_password` variable +* Ansible 2.9.0 +* An existing MySQL installation -## Installation - -Install the role with ansible-galaxy: - -```sh -ansible-galaxy install dev-sec.mysql-hardening -``` - -### Example Playbook +### Example playbook ```yml - hosts: localhost + collections: + - devsec.hardening roles: - - dev-sec.mysql-hardening + - devsec.mysql_hardening ``` -This hardening role installs the hardening but expects an existing installation of MySQL, MariaDB or Percona. Please ensure that the following variables are set accordingly: +This role expects an existing installation of MySQL or MariaDB. Please ensure that the following variables are set accordingly: * `mysql_hardening_enabled: yes` role is enabled by default and can be disabled without removing it from a playbook. You can use conditional variable, for example: `mysql_hardening_enabled: "{{ true if mysql_enabled else false }}"` * `mysql_hardening_user: 'mysql'` The user that mysql runs as. 
@@ -81,71 +81,3 @@ This hardening role installs the hardening but expects an existing installation * Description: remove test database Further information is available at [Deutsche Telekom (German)](http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si) and [Symantec](http://www.symantec.com/connect/articles/securing-mysql-step-step) - -## Local Testing - -The preferred way of locally testing the role is to use Docker. You will have to install Docker on your system. See [Get started](https://docs.docker.com/) for a Docker package suitable to for your system. - -You can also use vagrant and Virtualbox or VMWare to run tests locally. You will have to install Virtualbox and Vagrant on your system. See [Vagrant Downloads](http://downloads.vagrantup.com/) for a vagrant package suitable for your system. For all our tests we use `test-kitchen`. If you are not familiar with `test-kitchen` please have a look at [their guide](http://kitchen.ci/docs/getting-started). - -Next install test-kitchen: - -```sh -# Install dependencies -gem install bundler -bundle install -``` - -### Testing with Docker - -```sh -# list all available machines -bundle exec kitchen list - -# fast test on one machine -bundle exec kitchen test mysql-centos7-ansible-latest - -# test on all machines -bundle exec kitchen test - -# for development -bundle exec kitchen create mysql-centos7-ansible-latest -bundle exec kitchen converge mysql-centos7-ansible-latest -``` - -### Testing with Virtualbox - -```sh -# fast test on one machine -KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test default-ubuntu-1404 - -# test on all machines -KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test - -# for development -KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen create default-ubuntu-1404 -KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen converge default-ubuntu-1404 -``` - -For more information see [test-kitchen](http://kitchen.ci/docs/getting-started) - -## 
License and Author - -* Author:: Sebastian Gumprich -* Author:: Anton Lugovoi - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. - -[1]: http://travis-ci.org/dev-sec/ansible-mysql-hardening -[2]: https://gitter.im/dev-sec/general -[3]: https://galaxy.ansible.com/dev-sec/mysql-hardening/ diff --git a/Rakefile b/Rakefile deleted file mode 100644 index 02c58212..00000000 --- a/Rakefile +++ /dev/null @@ -1,11 +0,0 @@ -#!/usr/bin/env rake -# encoding: utf-8 - -# Automatically generate a changelog for this project. Only loaded if -# the necessary gem is installed. -begin - require 'github_changelog_generator/task' - GitHubChangelogGenerator::RakeTask.new :changelog -rescue LoadError - puts '>>>>> GitHub Changelog Generator not loaded, omitting tasks' -end diff --git a/ansible.cfg b/ansible.cfg deleted file mode 100644 index e32d849c..00000000 --- a/ansible.cfg +++ /dev/null @@ -1,16 +0,0 @@ -# config file for ansible -- http://ansible.com/ -# ============================================== - -# nearly all parameters can be overridden in ansible-playbook -# or with command line flags. ansible will read ANSIBLE_CONFIG, -# ansible.cfg in the current working directory, .ansible.cfg in -# the home directory or /etc/ansible/ansible.cfg, whichever it -# finds first - -[defaults] -ansible_managed = Ansible managed: {file} modified by {uid} on {host} -roles_path = /vagrant -collections_paths = /tmp/kitchen/collections - -[ssh_connection] -scp_if_ssh = True 
diff --git a/requirements.yml b/requirements.yml deleted file mode 100644 index e47bf044..00000000 --- a/requirements.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -collections: - - community.mysql - -roles: - - src: dev-sec.mysql - version: master diff --git a/tests/test.yml b/tests/test.yml deleted file mode 100644 index 906333cd..00000000 --- a/tests/test.yml +++ /dev/null @@ -1,53 +0,0 @@ ---- -- name: wrapper playbook for kitchen testing "ansible-mysql-hardening" - hosts: localhost - pre_tasks: - - name: Run the equivalent of "apt-get update" as a separate step - apt: - update_cache: true - when: ansible_os_family == 'Debian' - - name: Create mysql directory if it does not exist - file: - path: "/etc/mysql" - state: directory - mode: 0755 - - name: install procps for debian systems - apt: - name: procps - state: present - update_cache: true - when: ansible_distribution == 'Debian' - - name: set logfile according to OS - set_fact: - mysql_log_error: "/var/log/mysql.log" - when: ansible_os_family == "Debian" - - name: set logfile according to OS - set_fact: - mysql_log_error: "/var/log/mysqld.log" - when: ansible_os_family == "RedHat" - - name: Install pip according to OS - apt: - name: python-pip - state: present - when: ansible_os_family == 'Debian' - - name: Install pip according to OS - yum: - name: python-pip - state: present - when: ansible_os_family == 'RedHat' - - name: Make sure pymysql is present - pip: - name: pymysql - state: present - vars: - overwrite_global_mycnf: false - mysql_root_password: iloverandompasswordsbutthiswilldo - mysql_user_password: iloverandompasswordsbutthiswilldo - mysql_config_file: /etc/mysql/mariadb.cnf - mysql_root_password_update: true - login_unix_socket: "{{ '/var/run/mysqld/mysqld.sock' if ansible_distribution == 'Debian' else '' | default(omit) }}" - roles: - - dev-sec.mysql - - ansible-mysql-hardening - collections: - - community.mysql \ No newline at end of file 
From 0a8e2ccea53dd87c90e190d58a06b5195095972f Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Wed, 28 Oct 2020 21:04:19 +0100 Subject: [PATCH 113/115] remove note about legacy branch Signed-off-by: Sebastian Gumprich --- README.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/README.md b/README.md index 248a922b..2daaa9fb 100644 --- a/README.md +++ b/README.md @@ -2,10 +2,6 @@ ![devsec.os_hardening](https://github.com/dev-sec/ansible-os-hardening/workflows/devsec.os_hardening/badge.svg) -## Looking for the old ansible-mysql-hardening role? - -This role is now part of the hardening-collection. You can find the old role in the branch `legacy`. - ## Description This role provides security configurations for MySQL and its derivates. It is intended to set up production-ready MySQL instances that are configured with minimal surface for attackers. Furthermore it is intended to be compliant with the [DevSec MySQL Baseline](https://github.com/dev-sec/mysql-baseline). From 05da4330e2146b47ec40b1ca7d43749126ce90c2 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Wed, 28 Oct 2020 21:08:59 +0100 Subject: [PATCH 114/115] fix badge Signed-off-by: Sebastian Gumprich --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2daaa9fb..5b2eeaa3 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # devsec.mysql_hardening -![devsec.os_hardening](https://github.com/dev-sec/ansible-os-hardening/workflows/devsec.os_hardening/badge.svg) +![devsec.mysql_hardening](https://github.com/dev-sec/ansible-os-hardening/workflows/devsec.mysql_hardening/badge.svg) ## Description From a10e4d7c1a517ba4a323de911733573b95216362 Mon Sep 17 00:00:00 2001 
From: Sebastian Gumprich Date: Sat, 7 Nov 2020 21:48:10 +0100 Subject: [PATCH 115/115] merge mysql-hardening role into collection --- CHANGELOG.md => roles/mysql_hardening/CHANGELOG.md | 0 README.md => roles/mysql_hardening/README.md | 0 {defaults => roles/mysql_hardening/defaults}/main.yml | 0 {handlers => roles/mysql_hardening/handlers}/main.yml | 0 {meta => roles/mysql_hardening/meta}/main.yml | 0 {tasks => roles/mysql_hardening/tasks}/configure.yml | 0 {tasks => roles/mysql_hardening/tasks}/main.yml | 0 .../mysql_hardening/tasks}/mysql_secure_installation.yml | 0 {templates => roles/mysql_hardening/templates}/hardening.cnf.j2 | 0 {templates => roles/mysql_hardening/templates}/my.cnf.j2 | 0 {vars => roles/mysql_hardening/vars}/Debian.yml | 0 {vars => roles/mysql_hardening/vars}/Fedora.yml | 0 {vars => roles/mysql_hardening/vars}/Oracle Linux.yml | 0 {vars => roles/mysql_hardening/vars}/RedHat_7.yml | 0 {vars => roles/mysql_hardening/vars}/RedHat_8.yml | 0 {vars => roles/mysql_hardening/vars}/Ubuntu_16.yml | 0 {vars => roles/mysql_hardening/vars}/Ubuntu_18.yml | 0 {vars => roles/mysql_hardening/vars}/Ubuntu_20.yml | 0 {vars => roles/mysql_hardening/vars}/main.yml | 0 19 files changed, 0 insertions(+), 0 deletions(-) rename CHANGELOG.md => roles/mysql_hardening/CHANGELOG.md (100%) rename README.md => roles/mysql_hardening/README.md (100%) rename {defaults => roles/mysql_hardening/defaults}/main.yml (100%) rename {handlers => roles/mysql_hardening/handlers}/main.yml (100%) rename {meta => roles/mysql_hardening/meta}/main.yml (100%) rename {tasks => roles/mysql_hardening/tasks}/configure.yml (100%) rename {tasks => roles/mysql_hardening/tasks}/main.yml (100%) rename {tasks => roles/mysql_hardening/tasks}/mysql_secure_installation.yml (100%) rename {templates => roles/mysql_hardening/templates}/hardening.cnf.j2 (100%) rename {templates => roles/mysql_hardening/templates}/my.cnf.j2 (100%) rename {vars => roles/mysql_hardening/vars}/Debian.yml (100%) rename {vars => 
roles/mysql_hardening/vars}/Fedora.yml (100%) rename {vars => roles/mysql_hardening/vars}/Oracle Linux.yml (100%) rename {vars => roles/mysql_hardening/vars}/RedHat_7.yml (100%) rename {vars => roles/mysql_hardening/vars}/RedHat_8.yml (100%) rename {vars => roles/mysql_hardening/vars}/Ubuntu_16.yml (100%) rename {vars => roles/mysql_hardening/vars}/Ubuntu_18.yml (100%) rename {vars => roles/mysql_hardening/vars}/Ubuntu_20.yml (100%) rename {vars => roles/mysql_hardening/vars}/main.yml (100%) diff --git a/CHANGELOG.md b/roles/mysql_hardening/CHANGELOG.md similarity index 100% rename from CHANGELOG.md rename to roles/mysql_hardening/CHANGELOG.md diff --git a/README.md b/roles/mysql_hardening/README.md similarity index 100% rename from README.md rename to roles/mysql_hardening/README.md diff --git a/defaults/main.yml b/roles/mysql_hardening/defaults/main.yml similarity index 100% rename from defaults/main.yml rename to roles/mysql_hardening/defaults/main.yml diff --git a/handlers/main.yml b/roles/mysql_hardening/handlers/main.yml similarity index 100% rename from handlers/main.yml rename to roles/mysql_hardening/handlers/main.yml diff --git a/meta/main.yml b/roles/mysql_hardening/meta/main.yml similarity index 100% rename from meta/main.yml rename to roles/mysql_hardening/meta/main.yml diff --git a/tasks/configure.yml b/roles/mysql_hardening/tasks/configure.yml similarity index 100% rename from tasks/configure.yml rename to roles/mysql_hardening/tasks/configure.yml diff --git a/tasks/main.yml b/roles/mysql_hardening/tasks/main.yml similarity index 100% rename from tasks/main.yml rename to roles/mysql_hardening/tasks/main.yml diff --git a/tasks/mysql_secure_installation.yml b/roles/mysql_hardening/tasks/mysql_secure_installation.yml similarity index 100% rename from tasks/mysql_secure_installation.yml rename to roles/mysql_hardening/tasks/mysql_secure_installation.yml 
diff --git a/templates/hardening.cnf.j2 b/roles/mysql_hardening/templates/hardening.cnf.j2 similarity index 100% rename from templates/hardening.cnf.j2 rename to roles/mysql_hardening/templates/hardening.cnf.j2 diff --git a/templates/my.cnf.j2 b/roles/mysql_hardening/templates/my.cnf.j2 similarity index 100% rename from templates/my.cnf.j2 rename to roles/mysql_hardening/templates/my.cnf.j2 diff --git a/vars/Debian.yml b/roles/mysql_hardening/vars/Debian.yml similarity index 100% rename from vars/Debian.yml rename to roles/mysql_hardening/vars/Debian.yml diff --git a/vars/Fedora.yml b/roles/mysql_hardening/vars/Fedora.yml similarity index 100% rename from vars/Fedora.yml rename to roles/mysql_hardening/vars/Fedora.yml diff --git a/vars/Oracle Linux.yml b/roles/mysql_hardening/vars/Oracle Linux.yml similarity index 100% rename from vars/Oracle Linux.yml rename to roles/mysql_hardening/vars/Oracle Linux.yml diff --git a/vars/RedHat_7.yml b/roles/mysql_hardening/vars/RedHat_7.yml similarity index 100% rename from vars/RedHat_7.yml rename to roles/mysql_hardening/vars/RedHat_7.yml diff --git a/vars/RedHat_8.yml b/roles/mysql_hardening/vars/RedHat_8.yml similarity index 100% rename from vars/RedHat_8.yml rename to roles/mysql_hardening/vars/RedHat_8.yml diff --git a/vars/Ubuntu_16.yml b/roles/mysql_hardening/vars/Ubuntu_16.yml similarity index 100% rename from vars/Ubuntu_16.yml rename to roles/mysql_hardening/vars/Ubuntu_16.yml diff --git a/vars/Ubuntu_18.yml b/roles/mysql_hardening/vars/Ubuntu_18.yml similarity index 100% rename from vars/Ubuntu_18.yml rename to roles/mysql_hardening/vars/Ubuntu_18.yml diff --git a/vars/Ubuntu_20.yml b/roles/mysql_hardening/vars/Ubuntu_20.yml similarity index 100% rename from vars/Ubuntu_20.yml rename to roles/mysql_hardening/vars/Ubuntu_20.yml diff --git a/vars/main.yml b/roles/mysql_hardening/vars/main.yml similarity index 100% rename from vars/main.yml rename to roles/mysql_hardening/vars/main.yml