The `os_unused_filesystems` was lacking sorting, making the task not
idempotent. This was especially apparent and random in Molecule tests
when this collection was added as a dependency.
Signed-off-by: Aki Kanellis <hello@akikanellis.com>
This is a breaking change, since the default variable is now a string instead of a bool
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@telekom.de>
* add testing and support for current versions of Fedora and FreeBSD
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* add waivers for FreeBSD
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* use original fedora images
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* also harden /home mount
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* also harden /tmp mount
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* test mock efi directory
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* remove mock
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* umount efi
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* add /tmp to special mountpoints
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* set options for /tmp mount
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* create /tmp mount
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* create /tmp mount and mount it ...
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* make fewer changes to default test run
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* use correct Ansible var
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
---------
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
There's a new feature in mariadb 10.1 (https://mariadb.org/grant-to-public-in-mariadb/) and mysql 8 (need to verify).
MariaDB has quite a complex privilege system. Most of it is based on the SQL Standard spec; however we do have some specific MariaDB extensions. GRANT ... TO PUBLIC (MDEV-5215) is a standard feature that is now available as a preview in MariaDB 10.11.0. It is related to ROLES and DEFAULT ROLE, but it covers a different use case.
ROLES are effectively “privilege packages” that you can enable and disable as a user. One can also set which “privilege package” will be enabled at connect time by setting a DEFAULT ROLE per user. This is all quite useful, however it is missing one key feature. For a DBA, it would be quite useful to state only once that all users need to have a certain set of privileges. This is where GRANT ... TO PUBLIC comes in.
Some more information here: https://mariadb.org/wp-content/uploads/2018/07/MariaDB-Roles-Tampere-Unconference-2018.pdf
This role is shown as a user, it has however a new is_role-flag.
MariaDB [(none)]> select user, host, is_role from mysql.user;
+-----------------------+-----------+---------+
| User | Host | is_role |
+-----------------------+-----------+---------+
| mariadb.sys | localhost | N |
| root | localhost | N |
| mysql | localhost | N |
| PUBLIC | | Y |
| monitoring | % | N |
| monitoring | localhost | N |
| galera_mariadb_backup | % | N |
+-----------------------+-----------+---------+
Since this "user" does not have a password or authentication_string, the ansible-role tries to delete it but fails.
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* Gather facts when os_hardening role is executed with tags
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* better when condition
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
---------
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* update links to new Ansible Galaxy
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* remove dead link
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
---------
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
