* Update Ubuntu compatability
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* reload systemd when disabling ssh socket
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* manage systemd files
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* Create privsep directory for Debian
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* Use working Ubuntu 24.04 image for vm tests
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* Remove deprecated Debian 10
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
---------
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* do not force type of gatewayports-var
this way it can be a bool or a string. we also now test for it
Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
* replace yum with dnf
Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
---------
Signed-off-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
This is a breaking change, since the default variable is now a string instead of a bool
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@telekom.de>
* add testing and support for current versions of Fedora and FreeBSD
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* add waivers for FreeBSD
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* use original fedora images
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* also harden /home mount
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* also harden /tmp mount
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* test mock efi directory
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* remove mock
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* umount efi
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* add /tmp to special mountpoints
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* set options for /tmp mount
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* create /tmp mount
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* create /tmp mount and mount it ...
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* make fewer changes to default test run
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
* use correct Ansible var
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
---------
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
There's a new feature in mariadb 10.1 (https://mariadb.org/grant-to-public-in-mariadb/) and mysql 8 (need to verify).
MariaDB has quite a complex privilege system. Most of it is based on the SQL Standard spec; however we do have some specific MariaDB extensions. GRANT ... TO PUBLIC (MDEV-5215) is a standard feature that is now available as a preview in MariaDB 10.11.0. It is related to ROLES and DEFAULT ROLE, but it covers a different use case.
ROLES are effectively “privilege packages” that you can enable and disable as a user. One can also set which “privilege package” will be enabled at connect time by setting a DEFAULT ROLE per user. This is all quite useful, however it is missing one key feature. For a DBA, it would be quite useful to state only once that all users need to have a certain set of privileges. This is where GRANT ... TO PUBLIC comes in.
Some more information here: https://mariadb.org/wp-content/uploads/2018/07/MariaDB-Roles-Tampere-Unconference-2018.pdf
This role is shown as a user, it has however a new is_role-flag.
MariaDB [(none)]> select user, host, is_role from mysql.user;
+-----------------------+-----------+---------+
| User | Host | is_role |
+-----------------------+-----------+---------+
| mariadb.sys | localhost | N |
| root | localhost | N |
| mysql | localhost | N |
| PUBLIC | | Y |
| monitoring | % | N |
| monitoring | localhost | N |
| galera_mariadb_backup | % | N |
+-----------------------+-----------+---------+
Since this "user" does not have a password or authentication_string, the ansible-role tries to delete it but fails.
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add role argument spec for os, ssh, mysql
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add role argument spec for os, ssh, mysql
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* remove variable in variable as it cannot be used in argument spec
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* fix wrong syntax
* fix spelling errors
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* cannot use vars before arg-spec validation
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* yamllint the arg-spec
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add back variable
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* remove redundant setting in tests
* fix descriptions in mysql hardening to betterreflect what they do
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* remove duplicate empty line
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* set correct defaults on to ssl options
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* remove left-over hidepid argument spec
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* remove license and author infos, this lives in the collection readme
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* fix styling
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* update some descriptions and sort them in the readme
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* some more linting
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
---------
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add debian 12 support
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* temp disable pam-checks
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* remove debian12 from vagrant tests as there's no box yet
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* use new pam-tester from pip
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* use new pam-tester from pip
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add setuptoolks to pam-tester install
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add setuptoolks to pam-tester install
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add setuptoolks to pam-tester install
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add setuptoolks to pam-tester install
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* install pam-tester with python3 and use full path to it
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* install python3-setupttools in verify-tests
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* fix path for pam-tester in all tests
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* set python interpreter to 3 for verify-tests
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* Revert "set python interpreter to 3 for verify-tests"
This reverts commit 00b6556e33.
* add back accidentally deleted tasks
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
---------
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>