No description
Find a file
2020-10-11 15:54:51 +00:00
.github fix linting errors 2020-08-23 13:21:46 +02:00
defaults simplify vars-handling 2020-08-23 13:56:44 +02:00
handlers New role layout. Fix #6 2016-01-08 17:00:57 +01:00
meta remove eol'd OS and add new 2019-04-29 17:15:39 +02:00
tasks Use mysql_query module instead of temporary files, update Gems, fix test playbook, update README 2020-10-11 16:07:00 +02:00
templates replace iteritems with items for python3 support 2018-10-30 20:44:41 +01:00
tests Use mysql_query module instead of temporary files, update Gems, fix test playbook, update README 2020-10-11 16:07:00 +02:00
vars simplify vars-handling 2020-08-23 13:56:44 +02:00
.gitignore update gitignore, gemfile 2017-04-25 08:52:22 +02:00
.kitchen.vagrant.yml Use mysql_query module instead of temporary files, update Gems, fix test playbook, update README 2020-10-11 16:07:00 +02:00
.kitchen.yml Use mysql_query module instead of temporary files, update Gems, fix test playbook, update README 2020-10-11 16:07:00 +02:00
.travis.yml update testing 2020-08-07 19:30:58 +02:00
ansible.cfg Use mysql_query module instead of temporary files, update Gems, fix test playbook, update README 2020-10-11 16:07:00 +02:00
CHANGELOG.md update changelog 2020-10-11 15:54:51 +00:00
CONTRIBUTING.md INITIAL 2015-07-02 18:32:22 +00:00
Gemfile Use mysql_query module instead of temporary files, update Gems, fix test playbook, update README 2020-10-11 16:07:00 +02:00
Rakefile add changelog generator 2015-12-06 16:59:05 +01:00
README.md Use mysql_query module instead of temporary files, update Gems, fix test playbook, update README 2020-10-11 16:07:00 +02:00
requirements.yml Use mysql_query module instead of temporary files, update Gems, fix test playbook, update README 2020-10-11 16:07:00 +02:00

mysql-hardening (Ansible role)

Build Status Ansible Galaxy

Description

Provides security configurations for MySQL. It is intended to set up production-ready mysql instances that are configured with minimal surface for attackers. Furthermore it is intended to be compliant with the DevSec MySQL Baseline.

This role focuses on security configuration of MySQL. Therefore you can add this hardening role alongside your existing MySQL configuration in Ansible.

Requirements

  • Ansible
  • Set up mysql_root_password variable

Installation

Install the role with ansible-galaxy:

ansible-galaxy install dev-sec.mysql-hardening

Example Playbook

- hosts: localhost
  roles:
    - dev-sec.mysql-hardening

This hardening role installs the hardening but expects an existing installation of MySQL, MariaDB or Percona. Please ensure that the following variables are set accordingly:

  • mysql_hardening_enabled: yes role is enabled by default and can be disabled without removing it from a playbook. You can use conditional variable, for example: mysql_hardening_enabled: "{{ true if mysql_enabled else false }}"
  • mysql_hardening_user: 'mysql' The user that mysql runs as.
  • mysql_datadir: '/var/lib/mysql' The MySQL data directory
  • mysql_hardening_mysql_hardening_conf_file: '/etc/mysql/conf.d/hardening.cnf' The path to the configuration file where the hardening will be performed

Role Variables

  • mysql_hardening_chroot
    • Default: ""
    • Description: chroot
  • mysql_hardening_options.safe-user-create
  • mysql_hardening_options.secure-auth
  • mysql_hardening_options.skip-symbolic-links
  • mysql_hardening_skip_grant_tables:
  • mysql_hardening_skip_show_database
  • mysql_hardening_options.local-infile
  • mysql_hardening_options.allow-suspicious-udfs
  • mysql_hardening_chroot.automatic-sp-privileges
  • mysql_hardening_options.secure-file-priv
  • mysql_allow_remote_root
    • Default: false
    • Description: delete remote root users
  • mysql_remove_anonymous_users
    • Default: true
    • Description: remove users without authentication
  • mysql_remove_test_database
    • Default: true
    • Description: remove test database

Further information is available at Deutsche Telekom (German) and Symantec

Local Testing

The preferred way of locally testing the role is to use Docker. You will have to install Docker on your system. See Get started for a Docker package suitable to for your system.

You can also use vagrant and Virtualbox or VMWare to run tests locally. You will have to install Virtualbox and Vagrant on your system. See Vagrant Downloads for a vagrant package suitable for your system. For all our tests we use test-kitchen. If you are not familiar with test-kitchen please have a look at their guide.

Next install test-kitchen:

# Install dependencies
gem install bundler
bundle install

Testing with Docker

# list all available machines
bundle exec kitchen list

# fast test on one machine
bundle exec kitchen test mysql-centos7-ansible-latest

# test on all machines
bundle exec kitchen test

# for development
bundle exec kitchen create mysql-centos7-ansible-latest
bundle exec kitchen converge mysql-centos7-ansible-latest

Testing with Virtualbox

# fast test on one machine
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test default-ubuntu-1404

# test on all machines
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen test

# for development
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen create default-ubuntu-1404
KITCHEN_YAML=".kitchen.vagrant.yml" bundle exec kitchen converge default-ubuntu-1404

For more information see test-kitchen

License and Author

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.