Mirrors/ansible-collection-hardening
2
0
Fork 0
mirror of https://github.com/dev-sec/ansible-collection-hardening synced 2024-09-20 05:11:53 +00:00
Code Issues Projects Releases Packages Wiki Activity
No description
2035 commits 12 branches 56 tags 3.7 MiB
Jinja 100%
Find a file
Sebastian Gumprich 0bf528d83b do not try to drop roles in mysql hardening 
There's a new feature in mariadb 10.1 (https://mariadb.org/grant-to-public-in-mariadb/) and mysql 8 (need to verify).

    MariaDB has quite a complex privilege system. Most of it is based on the SQL Standard spec; however we do have some specific MariaDB extensions. GRANT ... TO PUBLIC (MDEV-5215) is a standard feature that is now available as a preview in MariaDB 10.11.0. It is related to ROLES and DEFAULT ROLE, but it covers a different use case.

    ROLES are effectively “privilege packages” that you can enable and disable as a user. One can also set which “privilege package” will be enabled at connect time by setting a DEFAULT ROLE per user. This is all quite useful, however it is missing one key feature. For a DBA, it would be quite useful to state only once that all users need to have a certain set of privileges. This is where GRANT ... TO PUBLIC comes in.

Some more information here: https://mariadb.org/wp-content/uploads/2018/07/MariaDB-Roles-Tampere-Unconference-2018.pdf

This role is shown as a user, it has however a new is_role-flag.

MariaDB [(none)]> select user, host, is_role from mysql.user;
+-----------------------+-----------+---------+
| User                  | Host      | is_role |
+-----------------------+-----------+---------+
| mariadb.sys           | localhost | N       |
| root                  | localhost | N       |
| mysql                 | localhost | N       |
| PUBLIC                |           | Y       |
| monitoring            | %         | N       |
| monitoring            | localhost | N       |
| galera_mariadb_backup | %         | N       |
+-----------------------+-----------+---------+

Since this "user" does not have a password or authentication_string, the ansible-role tries to delete it but fails.

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-11-11 15:34:33 +01:00
.config Replace ssh_keys group in Fedora with root (#677) 2023-06-10 08:04:04 +02:00
.github fix: roles-readme action default value (#706) 2023-10-26 10:43:10 +02:00
meta linting (#603) 2023-01-24 12:40:27 +01:00
molecule do not try to drop roles in mysql hardening 2023-11-11 15:34:33 +01:00
roles do not try to drop roles in mysql hardening 2023-11-11 15:34:33 +01:00
.aar_doc.yml feat: workflow for roles readme (#705) 2023-10-25 15:10:02 +02:00
.gitattributes update changelog 2017-06-28 16:00:41 +02:00
.gitignore Add full support for Debian 11 (#538) 2022-08-16 15:02:27 +02:00
.gitmodules remove os submodule 2020-11-07 21:49:25 +01:00
.prettierignore add restart handler variable for mysql role (#399) 2021-02-10 15:54:57 +01:00
CHANGELOG.md update changelog 2023-11-01 14:57:36 +00:00
CONTRIBUTING.md add notice to sign-off work to contributor guideline 2022-11-17 13:47:11 +01:00
galaxy.yml update galaxy.yml with new version 2023-08-04 11:32:54 +00:00
LICENSE Create LICENSE 2021-08-06 13:08:55 +02:00
OS_HARDENING_CHANGELOG.md fix spelling errors 2023-04-14 23:51:53 +02:00
README.md add debian 12 support (#684) 2023-08-04 12:59:40 +02:00
renovate.json add custom renovate config 2023-03-30 18:05:39 +02:00
requirements.txt use new molecule-plugins 2023-04-28 13:48:45 +02:00

README.md

Ansible Collection - devsec.hardening

devsec.os_hardening devsec.os_hardening VM devsec.ssh_hardening devsec.nginx_hardening devsec.mysql_hardening

Description

This collection provides battle tested hardening for:

  • Linux operating systems:
    • CentOS 7/8/9
    • Rocky Linux 8/9
    • Debian 10/11/12
    • Ubuntu 18.04/20.04/22.04
    • Amazon Linux (some roles supported)
    • Arch Linux (some roles supported)
    • Fedora 37/38 (some roles supported)
    • Suse Tumbleweed (some roles supported)
  • MySQL
    • MariaDB >= 5.5.65, >= 10.1.45, >= 10.3.17
    • MySQL >= 5.7.31, >= 8.0.3
  • Nginx 1.0.16 or later
  • OpenSSH 5.3 and later

The hardening is intended to be compliant with the Inspec DevSec Baselines:

Looking for the old roles?

The roles are now part of the hardening-collection. We have kept the old releases of the os-hardening role in this repository, so you can find the them by exploring older tags. The last release of the standalone role was 6.2.0.

The other roles are in separate archives repositories:

Minimum required Ansible-version

  • Ansible >= 2.9.10

Included content

In progress, not working:

Installation

Install the collection via ansible-galaxy:

ansible-galaxy collection install devsec.hardening

Using this collection

Please refer to the examples in the readmes of the role.

See Ansible Using collections for more details.

Contributing to this collection

See the contributor guideline.

Release notes

See the changelog.

Roadmap

Todos:

More information

General information:

Licensing

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.