ansible-collection-hardening/roles/mysql_hardening
Sebastian Gumprich be0d501bc8 update minimum ansible version for roles
fixes #407

Signed-off-by: rndmh3ro <github@gumpri.ch>
2021-10-20 20:42:05 +02:00

devsec.mysql_hardening

Description

This role provides security configuration for MySQL and its derivatives (such as MariaDB). It is intended to set up production-ready MySQL instances with a minimal attack surface, and to be compliant with the DevSec MySQL Baseline.

It configures:

  • Permissions on the various configuration files and directories
  • Removal of anonymous users, users without a password or authentication_string, and the test database
  • Various hardening options inside MySQL

Requirements

  • Ansible 2.9.0 or later
  • An existing MySQL installation

Example playbook

- hosts: localhost
  collections:
    - devsec.hardening
  roles:
    - mysql_hardening

This role expects an existing installation of MySQL or MariaDB. If you change the options log_error or datadir in mysql_hardening_options, the role will not check the new locations for correct permissions in the same run. Set log_error and datadir with the role that installs MySQL before running this role, or run this role twice.
Please ensure that the following variables are set accordingly:

  • mysql_hardening_enabled: yes. The role is enabled by default and can be disabled without removing it from a playbook. You can use a conditional expression, for example: mysql_hardening_enabled: "{{ true if mysql_enabled else false }}"
  • mysql_hardening_user: 'mysql' The user that mysqld runs as.
  • mysql_hardening_mysql_hardening_conf_file: '/etc/mysql/conf.d/hardening.cnf' The path to the configuration file into which the hardening options are written.
  • deprecated: mysql_datadir: '/var/lib/mysql' The MySQL data directory.
    • mysql_datadir is no longer necessary, as the MySQL data directory is automatically taken from mysql_info. It can still be defined, in which case the given directory will also be checked for correct permissions.
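The following playbook is an added example and is not part of the role's README or of the collection's own code. It wires the variables above together: a hypothetical `mysql_install` role (a stand-in for whatever installs MySQL on your hosts) sets `datadir` and `log_error` first, so that `mysql_hardening` can check their permissions in a single run; `mysql_hardening` is then enabled conditionally, given an explicit hardening.cnf path and the options from the variable list below, and the play ends with a check that the removals the role promises actually happened. The `mysql_install` role, the `db_servers` group, the `mysql_enabled` variable, the option values, and the assumption that the `mysql` client can authenticate as root over the local socket are all this example's choices, not something the role documents.

```yaml
# Added example playbook (not from the role's README). Assumptions:
# - a hypothetical `mysql_install` role sets datadir and log_error, so the
#   hardening role can check their permissions in one run;
# - the `mysql` client can authenticate as root over the local socket.
- hosts: db_servers
  become: true
  collections:
    - devsec.hardening
  vars:
    mysql_enabled: true
    # Data directory and error log chosen for this example. Set them in the
    # install role, not in mysql_hardening_options, or the hardening role
    # will not check their permissions in the same run.
    mysql_datadir: /var/lib/mysql
    mysql_log_error: /var/log/mysql/error.log

  roles:
    - role: mysql_install          # hypothetical install role
      vars:
        datadir: "{{ mysql_datadir }}"
        log_error: "{{ mysql_log_error }}"

    - role: mysql_hardening
      vars:
        # Enable the role conditionally without removing it from the play.
        mysql_hardening_enabled: "{{ true if mysql_enabled else false }}"
        mysql_hardening_user: mysql
        mysql_hardening_mysql_hardening_conf_file: /etc/mysql/conf.d/hardening.cnf
        mysql_hardening_restart_mysql: true
        mysql_allow_remote_root: false
        mysql_remove_anonymous_users: true
        mysql_remove_test_database: true
        # Keys are the option names from the variable list; the values are
        # this example's hardened choices, not the role's documented defaults.
        mysql_hardening_options:
          safe-user-create: 1            # GRANT needs INSERT on mysql.user
          secure-auth: 1                 # refuse pre-4.1 password hashes
          skip-symbolic-links: 1         # no symlinked table files
          local-infile: 0                # no LOAD DATA LOCAL from clients
          allow-suspicious-udfs: 0       # only UDFs with xxx_init/xxx_deinit
          automatic-sp-privileges: 0     # no implicit EXECUTE for SP creators
          secure-file-priv: /var/lib/mysql-files  # confine INTO OUTFILE / LOAD DATA INFILE

  post_tasks:
    # Verify what the role claims to do; each check fails the play on a
    # non-empty result. Runs as the OS root user via the local socket.
    - name: Check that no anonymous users remain
      ansible.builtin.command: >
        mysql -N -B -e "SELECT CONCAT(User, '@', Host) FROM mysql.user WHERE User = '';"
      register: anon_users
      changed_when: false
      failed_when: anon_users.stdout_lines | length > 0

    - name: Check that root cannot log in from remote hosts
      ansible.builtin.command: >
        mysql -N -B -e "SELECT CONCAT(User, '@', Host) FROM mysql.user
        WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');"
      register: remote_root
      changed_when: false
      failed_when: remote_root.stdout_lines | length > 0

    - name: Check that the test database is gone
      ansible.builtin.command: >
        mysql -N -B -e "SHOW DATABASES LIKE 'test%';"
      register: test_dbs
      changed_when: false
      failed_when: test_dbs.stdout_lines | length > 0
```

If you cannot set datadir and log_error in the install role, the alternative the README offers is to list `mysql_hardening` twice in `roles:`; the second run picks up the locations written by the first. The post-task checks deliberately stop at anonymous users, remote root and the test database: a portable query for "users without a password or authentication_string" depends on the server version and authentication plugin (socket-authenticated users, for example, legitimately carry an empty or non-hash authentication_string), so adapt that check to your user-table layout rather than copying one blindly.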

Role Variables

  • mysql_hardening_chroot
    • Default: ""
    • Description: chroot directory for mysqld (empty: no chroot)
  • mysql_hardening_options.safe-user-create
  • mysql_hardening_options.secure-auth
  • mysql_hardening_options.skip-symbolic-links
  • mysql_hardening_skip_grant_tables
  • mysql_hardening_skip_show_database
  • mysql_hardening_options.local-infile
  • mysql_hardening_options.allow-suspicious-udfs
  • mysql_hardening_options.automatic-sp-privileges
  • mysql_hardening_options.secure-file-priv
  • mysql_allow_remote_root
    • Default: false
    • Description: allow root logins from remote hosts; when false, remote root users are deleted
  • mysql_remove_anonymous_users
    • Default: true
    • Description: remove anonymous users (users without authentication)
  • mysql_remove_test_database
    • Default: true
    • Description: remove test database
  • mysql_hardening_restart_mysql
    • Default: true
    • Description: Restart mysql after running this role

Further information is available from Deutsche Telekom (German) and Symantec.