There's a new feature in mariadb 10.1 (https://mariadb.org/grant-to-public-in-mariadb/) and mysql 8 (need to verify).
MariaDB has quite a complex privilege system. Most of it is based on the SQL Standard spec; however we do have some specific MariaDB extensions. GRANT ... TO PUBLIC (MDEV-5215) is a standard feature that is now available as a preview in MariaDB 10.11.0. It is related to ROLES and DEFAULT ROLE, but it covers a different use case.
ROLES are effectively “privilege packages” that you can enable and disable as a user. One can also set which “privilege package” will be enabled at connect time by setting a DEFAULT ROLE per user. This is all quite useful, however it is missing one key feature. For a DBA, it would be quite useful to state only once that all users need to have a certain set of privileges. This is where GRANT ... TO PUBLIC comes in.
Some more information here: https://mariadb.org/wp-content/uploads/2018/07/MariaDB-Roles-Tampere-Unconference-2018.pdf
This role is shown as a user, it has however a new is_role-flag.
MariaDB [(none)]> select user, host, is_role from mysql.user;
+-----------------------+-----------+---------+
| User | Host | is_role |
+-----------------------+-----------+---------+
| mariadb.sys | localhost | N |
| root | localhost | N |
| mysql | localhost | N |
| PUBLIC | | Y |
| monitoring | % | N |
| monitoring | localhost | N |
| galera_mariadb_backup | % | N |
+-----------------------+-----------+---------+
Since this "user" does not have a password or authentication_string, the ansible-role tries to delete it but fails.
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* Gather facts when os_hardening role is executed with tags
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* better when condition
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
---------
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* update links to new Ansible Galaxy
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* remove dead link
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
---------
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* add role argument spec for os, ssh, mysql
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add role argument spec for os, ssh, mysql
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* remove variable in variable as it cannot be used in argument spec
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* fix wrong syntax
* fix spelling errors
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* cannot use vars before arg-spec validation
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* yamllint the arg-spec
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add back variable
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* remove redundant setting in tests
* fix descriptions in mysql hardening to betterreflect what they do
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* remove duplicate empty line
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* set correct defaults on to ssl options
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* remove left-over hidepid argument spec
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* remove license and author infos, this lives in the collection readme
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* fix styling
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* update some descriptions and sort them in the readme
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* some more linting
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
---------
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* make template overrideable
by referencing the auditd.conf.j2 template, a custom template can be provided to the role.
Signed-off-by: Dennis Lerch <dennis.lerch@mercedes-benz.com>
* extend auditd config
make freq and log_file configurable
implement write_logs with it's default value in order to be able to disable log writing
Signed-off-by: Dennis Lerch <dennis.lerch@mercedes-benz.com>
* Extend README.md documentation by new variables
reorder `os_auditd_log_format` to keep sequence from defaults
Signed-off-by: Dennis Lerch <dennis.lerch@mercedes-benz.com>
---------
Signed-off-by: Dennis Lerch <dennis.lerch@mercedes-benz.com>
* Replace ssh_keys group in Fedora with root
In Fedora 38, the `ssh_keys` group was removed. root is used now, in accordance to upstream.
See: https://www.spinics.net/lists/fedora-devel/msg307707.html
See: https://src.fedoraproject.org/rpms/openssh/pull-request/37#
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* change host key mode and owner in fedora and rhel9
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add missing host mode for rhel7
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* harden all ssh host keys
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* skip linting rule
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* correct grp for bsd is wheel
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
---------
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add testing for OpenBSD and FreeBSD
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* make python work
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* remove jinja template ...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* make verify work
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* correct verify
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* correct verify
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* correct verify
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* correct verify
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use right vm name for connect
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add a bit of documentation
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* remove sudo
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add weird OpenSBD workaround
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* make verify playbook more consistent
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* rename nonlinux to BSD
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use openbsd7 for testing
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* correct use openbsd7 everywhere
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add waivers
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* update waiver descriptions
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use docker for inspec
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* keep looking right ;)
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* correct path to waivers
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use ephemeral directory in docker
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use bsd inspec profile
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* remove openbsd workaround
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* re-add openbsd workaround
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* commit suggestions
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add supportet OS to metadata
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use current python
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
---------
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add check mode to molecule tests
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* bail on undefined variables
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* bail on undefined variables
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* execute tasks in check mode
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix error in check mode on SuSE
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use when condition on task
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
---------
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use rowcount to determine mysql results
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use correct list level
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* remove json_query
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* remove intermediate vars
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add check for count
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* drop condition, since one result must exist
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* move rowcount in condition
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* do loop in ansible to report each deleted user
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add idempotency check
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* additional tests to verify user deletion
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* actually iterate the whole user list when deleting
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* fix tests for SuSE
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* adopt suggestions
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
---------
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* add remaining platforms to test
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* remove unneccessary tasks for test
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* use current opensuse version
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* disable sysctl for missing yama in opensuse
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
---------
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* rewrite user home dir hardening
* delete duplicate var that was missed in a merge conflict
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* linting
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add tests for home rewrites
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* Apply suggestions from code review
Co-authored-by: schurzi <github@drachen-server.de>
---------
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: donestefan <donestefan@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: schurzi <github@drachen-server.de>