mirror of
https://github.com/dev-sec/ansible-collection-hardening
synced 2024-09-20 05:11:53 +00:00
move mysql install to prepare step to create a password-less user
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
parent
73cdd973d7
commit
e1f0efb220
3 changed files with 30 additions and 39 deletions
|
@ -22,9 +22,6 @@
|
|||
- mysql_python_package_debian is not defined
|
||||
- ansible_distribution != "Ubuntu"
|
||||
- ansible_distribution_major_version|int < 20
|
||||
- include_role:
|
||||
name: dev-sec.mysql
|
||||
|
||||
- include_role:
|
||||
name: mysql_hardening
|
||||
vars:
|
||||
|
|
|
@ -25,3 +25,33 @@
|
|||
file:
|
||||
path: "/etc/mysql/conf.d"
|
||||
state: directory
|
||||
|
||||
- name: Determine required MySQL Python libraries (Ubuntu Focal Fossa ++)
|
||||
set_fact:
|
||||
mysql_python_package_debian: "python3-pymysql"
|
||||
when:
|
||||
- mysql_python_package_debian is not defined
|
||||
- ansible_distribution == "Ubuntu"
|
||||
- ansible_distribution_major_version|int > 19
|
||||
|
||||
- name: Determine required MySQL Python libraries.
|
||||
set_fact:
|
||||
mysql_python_package_debian: "{% if 'python3' in ansible_python_interpreter|default('') %}python3-mysqldb{% else %}python-mysqldb{% endif %}"
|
||||
when:
|
||||
- mysql_python_package_debian is not defined
|
||||
- ansible_distribution != "Ubuntu"
|
||||
- ansible_distribution_major_version|int < 20
|
||||
- include_role:
|
||||
name: dev-sec.mysql
|
||||
|
||||
- name: create a user with an empty password
|
||||
community.mysql.mysql_query:
|
||||
query:
|
||||
- "CREATE USER foo@bar;"
|
||||
login_unix_socket: "{{ login_unix_socket | default(omit) }}"
|
||||
vars:
|
||||
overwrite_global_mycnf: false
|
||||
mysql_root_password: iloverandompasswordsbutthiswilldo
|
||||
mysql_user_password: iloverandompasswordsbutthiswilldo
|
||||
mysql_config_file: /etc/mysql/mariadb.cnf
|
||||
mysql_root_password_update: true
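Review bot: The `create a user with an empty password` task leaves a passwordless `foo@bar` account in place as a fixture, but nothing visible in this commit checks afterwards that the hardening role removed or locked it, because the third file, which held the empty-password queries and asserts, is deleted in full. A verify step should re-run the `mysql.user` query with `register:` and assert on that registered result, for example `that: mysql_users_wo_passwords.rowcount[0] == 0`; the removed asserts tested `users_wo_password`, a name no visible task registers. Separately, the `vars:` block carrying `mysql_root_password` follows the `mysql_query` task rather than `include_role: dev-sec.mysql`. Indentation is lost in this rendering, so confirm those variables are attached to the role include, since otherwise the role presumably runs with its defaults. The two passwords are fixed strings, which is fine only for a throwaway test instance, and a comment such as `# test-only credentials, never reuse` would make that explicit.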
|
||||
|
|
|
@ -1,36 +0,0 @@
|
|||
---
|
||||
- name: check which mysql version is used
|
||||
community.mysql.mysql_info:
|
||||
filter: version
|
||||
login_unix_socket: "{{ login_unix_socket | default(omit) }}"
|
||||
register: mysql_version
|
||||
|
||||
- name: get all users that have no password or authentication_string on MySQL version >= 5.7.6
|
||||
community.mysql.mysql_query:
|
||||
query:
|
||||
- select user,host,password from mysql.user where (length(password)=0 or password="") and (length(authentication_string)=0 or authentication_string="") and user NOT IN ('mysql.sys', 'mysqlxsys', 'mariadb.sys');
|
||||
login_unix_socket: "{{ login_unix_socket | default(omit) }}"
|
||||
register: mysql_users_wo_passwords_or_auth_string
|
||||
when:
|
||||
- mysql_version.version.full is version('5.7.6', '>=')
|
||||
|
||||
- name: assert that there are no users that have no password or authentication_string on MySQL version >= 5.7.6
|
||||
assert:
|
||||
that:
|
||||
- users_wo_password_or_auth_string == ""
|
||||
|
||||
- name: get all users that have no password on MySQL version < 5.7.6
|
||||
community.mysql.mysql_query:
|
||||
query:
|
||||
- select user,host,password from mysql.user where (length(password)=0 or password="") and user NOT IN ('mysql.sys', 'mysqlxsys', 'mariadb.sys');
|
||||
login_unix_socket: "{{ login_unix_socket | default(omit) }}"
|
||||
register: mysql_users_wo_passwords
|
||||
when:
|
||||
- mysql_version.version.full is version('5.7.6', '<')
|
||||
|
||||
- name: assert that there are no users that have no password on MySQL version < 5.7.6
|
||||
assert:
|
||||
that:
|
||||
- users_wo_password == ""
|
||||
when:
|
||||
- mysql_version.version.full is version('5.7.6', '<')
|