0bf528d83b
There's a new feature in mariadb 10.1 (https://mariadb.org/grant-to-public-in-mariadb/) and mysql 8 (need to verify). MariaDB has quite a complex privilege system. Most of it is based on the SQL Standard spec; however we do have some specific MariaDB extensions. GRANT ... TO PUBLIC (MDEV-5215) is a standard feature that is now available as a preview in MariaDB 10.11.0. It is related to ROLES and DEFAULT ROLE, but it covers a different use case. ROLES are effectively “privilege packages” that you can enable and disable as a user. One can also set which “privilege package” will be enabled at connect time by setting a DEFAULT ROLE per user. This is all quite useful, however it is missing one key feature. For a DBA, it would be quite useful to state only once that all users need to have a certain set of privileges. This is where GRANT ... TO PUBLIC comes in. Some more information here: https://mariadb.org/wp-content/uploads/2018/07/MariaDB-Roles-Tampere-Unconference-2018.pdf This role is shown as a user, it has however a new is_role-flag. MariaDB [(none)]> select user, host, is_role from mysql.user; +-----------------------+-----------+---------+ | User | Host | is_role | +-----------------------+-----------+---------+ | mariadb.sys | localhost | N | | root | localhost | N | | mysql | localhost | N | | PUBLIC | | Y | | monitoring | % | N | | monitoring | localhost | N | | galera_mariadb_backup | % | N | +-----------------------+-----------+---------+ Since this "user" does not have a password or authentication_string, the ansible-role tries to delete it but fails. Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com> |
||
---|---|---|
.config | ||
.github | ||
meta | ||
molecule | ||
roles | ||
.aar_doc.yml | ||
.gitattributes | ||
.gitignore | ||
.gitmodules | ||
.prettierignore | ||
CHANGELOG.md | ||
CONTRIBUTING.md | ||
galaxy.yml | ||
LICENSE | ||
OS_HARDENING_CHANGELOG.md | ||
README.md | ||
renovate.json | ||
requirements.txt |
Ansible Collection - devsec.hardening
Description
This collection provides battle tested hardening for:
- Linux operating systems:
- CentOS 7/8/9
- Rocky Linux 8/9
- Debian 10/11/12
- Ubuntu 18.04/20.04/22.04
- Amazon Linux (some roles supported)
- Arch Linux (some roles supported)
- Fedora 37/38 (some roles supported)
- Suse Tumbleweed (some roles supported)
- MySQL
- MariaDB >= 5.5.65, >= 10.1.45, >= 10.3.17
- MySQL >= 5.7.31, >= 8.0.3
- Nginx 1.0.16 or later
- OpenSSH 5.3 and later
The hardening is intended to be compliant with the Inspec DevSec Baselines:
- https://github.com/dev-sec/linux-baseline
- https://github.com/dev-sec/mysql-baseline
- https://github.com/dev-sec/nginx-baseline
- https://github.com/dev-sec/ssh-baseline
Looking for the old roles?
The roles are now part of the hardening-collection.
We have kept the old releases of the os-hardening
role in this repository, so you can find the them by exploring older tags.
The last release of the standalone role was 6.2.0.
The other roles are in separate archives repositories:
Minimum required Ansible-version
- Ansible >= 2.9.10
Included content
In progress, not working:
Installation
Install the collection via ansible-galaxy:
ansible-galaxy collection install devsec.hardening
Using this collection
Please refer to the examples in the readmes of the role.
See Ansible Using collections for more details.
Contributing to this collection
See the contributor guideline.
Release notes
See the changelog.
Roadmap
Todos:
- Work on apache_hardening and windows_hardening
- Add support for more operating systems
More information
General information:
- Ansible Collection overview
- Ansible User guide
- Ansible Developer guide
- Ansible Collections Checklist
- Ansible Community code of conduct
- The Bullhorn (the Ansible Contributor newsletter)
- Changes impacting Contributors
Licensing
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.