ansible-collection-hardening/roles/mysql_hardening
Sebastian Gumprich bb588bd777
linting (#603)
2023-01-24 12:40:27 +01:00

devsec.mysql_hardening

Description

This role provides security configurations for MySQL and its derivatives (MariaDB, Percona Server). It is intended to set up production-ready MySQL instances with a minimal attack surface, and to be compliant with the DevSec MySQL Baseline.

It configures:

  • Permissions and ownership of the various configuration files and folders
  • Removal of anonymous users, of users without a password or authentication_string, and of the test database
  • Various hardening options inside the MySQL server configuration

Requirements

  • Ansible 2.9.0
  • An existing MySQL installation
  • python-jmespath on the Ansible controller (needed by the json_query filter the role uses)

Example playbook

- hosts: localhost
  collections:
    - devsec.hardening
  roles:
    - mysql_hardening

This role expects an existing installation of MySQL or MariaDB. If you change log_error or datadir through mysql_hardening_options, the role does not check the permissions of the new locations. Set log_error or datadir in the installation role of MySQL before running this role, or run this role twice.
Please ensure that the following variables are set accordingly:

  • mysql_hardening_enabled: yes The role is enabled by default and can be disabled without removing it from a playbook. You can use a conditional expression, for example mysql_hardening_enabled: "{{ true if mysql_enabled else false }}" (equivalent to "{{ mysql_enabled }}" when mysql_enabled is a boolean).
  • mysql_hardening_user: 'mysql' The system user that mysqld runs as.
  • mysql_hardening_mysql_hardening_conf_file: '/etc/mysql/conf.d/hardening.cnf' The path of the configuration file the hardening options are written to (note the repeated prefix; this is the variable's actual name).
  • deprecated: mysql_datadir: '/var/lib/mysql' The MySQL data directory
    • mysql_datadir is no longer necessary, because the data directory is read from mysql_info. It can still be defined and will then also be checked for correct permissions.
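A fuller playbook than the one above, added here as an example and not taken from the devsec.hardening collection. It runs an installation role first so that datadir is already in place before hardening, enables the hardening conditionally, and overrides the role variables described in this README. The group name dbservers, the role name your_mysql_install_role, the variable mysql_enabled, the data directory /srv/mysql and the directory /var/lib/mysql-files are assumptions.

```yaml
# Added example playbook (not part of the devsec.hardening collection).
# Assumptions: an inventory group "dbservers", an installation role
# "your_mysql_install_role" that honours mysql_datadir, and a boolean
# "mysql_enabled" that says whether MySQL belongs on this host at all.
- hosts: dbservers
  become: true
  collections:
    - devsec.hardening
  vars:
    mysql_enabled: true
    # Run the hardening only where MySQL is meant to be present.
    mysql_hardening_enabled: "{{ mysql_enabled }}"
    mysql_hardening_user: mysql
    # Dedicated drop-in file; the distribution's main my.cnf stays untouched.
    mysql_hardening_mysql_hardening_conf_file: /etc/mysql/conf.d/hardening.cnf
    # Set the data directory once, at play level: the installation role
    # creates it there, and mysql_hardening (which still honours the
    # deprecated mysql_datadir) checks its permissions afterwards.
    mysql_datadir: /srv/mysql
    # Overriding mysql_hardening_options replaces the role's dict entirely
    # (Ansible does not merge dicts by default), so every option you still
    # want must be listed here.
    mysql_hardening_options:
      safe-user-create: 1
      skip-symbolic-links: 1
      local-infile: 0
      allow-suspicious-udfs: 0
      automatic-sp-privileges: 0
      # secure-auth is intentionally omitted: the option was removed in
      # MySQL 8.0 and a server that does not know it refuses to start.
      # Restrict file import/export to one directory owned by the mysql user.
      secure-file-priv: /var/lib/mysql-files
    mysql_allow_remote_root: false
    mysql_remove_anonymous_users: true
    mysql_remove_test_database: true
    mysql_hardening_restart_mysql: true
  roles:
    - role: your_mysql_install_role
    - role: mysql_hardening
```

Because the installation role runs first in the same play, datadir is final before mysql_hardening looks at it, so the role does not need a second run. If you instead let mysql_hardening_options carry datadir or log_error, run the play twice as the note above describes.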

Role Variables

  • mysql_hardening_chroot
    • Default: ""
    • Description: directory to chroot the mysqld process into (the server's chroot option); an empty value disables it
  • mysql_hardening_options.safe-user-create
    • Description: when enabled, GRANT can only create a new account if the grantor also holds the INSERT privilege on mysql.user
  • mysql_hardening_options.secure-auth
    • Description: rejects clients that authenticate with pre-4.1 password hashes. The option was removed in MySQL 8.0 and a server that does not know it fails to start, so drop it from mysql_hardening_options on 8.0 and later
  • mysql_hardening_options.skip-symbolic-links
    • Description: disables symbolic links for tables, so a table cannot be pointed outside the data directory
  • mysql_hardening_skip_grant_tables
    • Description: controls the skip-grant-tables server option, which switches off privilege checking entirely; keep it disabled
  • mysql_hardening_skip_show_database
    • Description: controls the skip-show-database option, so SHOW DATABASES only works for accounts holding the SHOW DATABASES privilege
  • mysql_hardening_options.local-infile
    • Description: controls LOAD DATA LOCAL INFILE, which reads files from the client host and is a common file-read primitive in SQL injection; disabling it is the secure choice
  • mysql_hardening_options.allow-suspicious-udfs
    • Description: when disabled, the server only loads user-defined functions whose shared library also exports the auxiliary symbols (xxx_init or xxx_deinit), which blocks loading arbitrary shared objects as UDFs
  • mysql_hardening_options.automatic-sp-privileges
    • Description: when disabled, the creator of a stored routine is not automatically granted EXECUTE and ALTER ROUTINE on it
  • mysql_hardening_options.secure-file-priv
    • Description: restricts LOAD DATA, SELECT ... INTO OUTFILE and LOAD_FILE() to the given directory; an empty value allows any directory the server can read, NULL disables these operations entirely
  • mysql_allow_remote_root
    • Default: false
    • Description: when false, root accounts whose host is anything other than the local machine are deleted
  • mysql_remove_anonymous_users
    • Default: true
    • Description: remove anonymous accounts and accounts without a password or authentication_string
  • mysql_remove_test_database
    • Default: true
    • Description: remove the test database
  • mysql_hardening_restart_mysql
    • Default: true
    • Description: restart MySQL after the role has changed the configuration
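A verification playbook to run after the role, added here as an example and not part of the role itself: it queries the account tables and schema list for the leftovers the variables above are supposed to remove (anonymous users, credential-less users, remote root, the test database) and fails if any remain. It assumes the community.mysql collection is installed, that Ansible can reach the server as the OS root user over the Unix socket (auth_socket on MySQL, unix_socket on MariaDB), that the socket lives at /var/run/mysqld/mysqld.sock, and that password hashes are stored in authentication_string (MySQL 5.7+, MariaDB 10.4+; older MariaDB keeps them in the password column, so adjust the second query there).

```yaml
# Added verification playbook (not part of the devsec.hardening collection).
# Assumptions: community.mysql is installed, the play runs as root on the
# database host, and root authenticates over the Unix socket.
- hosts: dbservers
  become: true
  vars:
    mysql_socket: /var/run/mysqld/mysqld.sock   # assumed socket path
  tasks:
    - name: Look for leftovers the hardening role is expected to remove
      community.mysql.mysql_query:
        login_unix_socket: "{{ mysql_socket }}"
        query:
          # 1. anonymous accounts (empty user name)
          - SELECT user, host FROM mysql.user WHERE user = ''
          # 2. accounts with no credential at all; socket-authenticated
          #    accounts legitimately have an empty authentication_string,
          #    so they are excluded rather than flagged
          - >-
            SELECT user, host FROM mysql.user
            WHERE authentication_string = ''
              AND plugin NOT IN ('auth_socket', 'unix_socket')
          # 3. root reachable from anywhere but the local machine
          - >-
            SELECT user, host FROM mysql.user
            WHERE user = 'root'
              AND host NOT IN ('localhost', '127.0.0.1', '::1')
          # 4. the test database
          - >-
            SELECT schema_name FROM information_schema.schemata
            WHERE schema_name = 'test'
      register: leftovers
      changed_when: false

    # query_result holds one list of rows per query, in the order above.
    - name: Fail if anything the baseline forbids is still present
      ansible.builtin.assert:
        that:
          - leftovers.query_result[0] | length == 0
          - leftovers.query_result[1] | length == 0
          - leftovers.query_result[2] | length == 0
          - leftovers.query_result[3] | length == 0
        fail_msg: "Hardening incomplete, remaining rows: {{ leftovers.query_result }}"
        success_msg: "No anonymous, credential-less or remote root accounts and no test database"
```

Keep this play separate from the hardening play: the role may restart mysqld (mysql_hardening_restart_mysql), and the checks are only meaningful against the server that came back up with the new configuration.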

Further information is available at Deutsche Telekom (German) and Symantec