ansible-collection-hardening/roles/mysql_hardening
schurzi 69ab9e47ad
Update Debian compatibility (#784)
* Update Ubuntu compatibility

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* reload systemd when disabling ssh socket

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* manage systemd files

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* Create privsep directory for Debian

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* Use working Ubuntu 24.04 image for vm tests

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

* Remove deprecated Debian 10

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>

---------

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2024-08-06 13:11:32 +02:00
defaults add role argument spec for os, ssh, mysql (#687) 2023-08-07 14:30:59 +02:00
handlers linting (#603) 2023-01-24 12:40:27 +01:00
meta Update Debian compatibility (#784) 2024-08-06 13:11:32 +02:00
tasks one last time ... 2023-11-11 15:37:26 +01:00
templates add "role" to comment 2021-01-20 11:23:40 +01:00
vars linting (#603) 2023-01-24 12:40:27 +01:00
CHANGELOG.md fix spelling errors 2023-04-14 23:51:53 +02:00
README.md Prettified Code! 2024-07-28 11:45:51 +00:00

devsec.mysql_hardening

Description

This role provides security configurations for MySQL and its derivatives. It is intended to set up production-ready MySQL instances that expose a minimal surface to attackers. Furthermore, it is intended to be compliant with the DevSec MySQL Baseline.

It configures:

  • Permissions for the various configuration files and folders
  • Removal of anonymous users, users without a password or authentication_string, and the test databases
  • Various hardening options inside MySQL

If you change log_error or datadir through mysql_hardening_options, the permissions of the new locations will not be checked by this role. Set log_error or datadir with the MySQL installation role before running this role, or run this role twice.

Further information is available at Deutsche Telekom (German) and Symantec.

Requirements

  • An existing installation of MySQL or MariaDB.
  • python-jmespath on the Ansible host (where the playbook runs)

Supported Operating Systems

  • EL
    • 8, 9
  • Ubuntu
    • bionic, focal, jammy
  • Debian
    • bullseye, buster
  • Amazon
  • opensuse

Role Variables

  • mysql_daemon_enabled
    • Default: true
    • Description: Whether to enable the MySQL-service so it starts on boot
    • Type: bool
    • Required: no
  • mysql_hardening_chroot
    • Default: "" (empty string)
    • Description: chroot directory for mysqld
    • Type: str
    • Required: no
  • mysql_hardening_chroot.automatic-sp-privileges
  • mysql_hardening_enabled
    • Default: true
    • Description: Whether to run the hardening
    • Type: bool
    • Required: no
  • mysql_hardening_options.allow-suspicious-udfs
  • mysql_hardening_options.local-infile
    • Default: 0
    • Description: Value of the local-infile mysqld option (0 disables LOAD DATA LOCAL)
    • Type: int
    • Required: no
  • mysql_hardening_options.safe-user-create
  • mysql_hardening_options.secure-auth
    • Default: 1
    • Description: Value of the secure-auth mysqld option (1 rejects clients that still use pre-4.1 password hashes)
    • Type: int
    • Required: no
  • mysql_hardening_options.secure-file-priv
  • mysql_hardening_options.skip-symbolic-links
  • mysql_hardening_restart_mysql
    • Default: true
    • Description: Restart MySQL after running this role
    • Type: bool
    • Required: no
  • mysql_hardening_skip_grant_tables
  • mysql_hardening_skip_show_database
  • mysql_remove_anonymous_users
    • Default: true
    • Description: Set to false to keep users without authentication
    • Type: bool
    • Required: no
  • mysql_remove_remote_root
    • Default: true
    • Description: If true, root can only connect from localhost. Set to false to not remove remote root users.
    • Type: bool
    • Required: no
  • mysql_remove_test_database
    • Default: true
    • Description: Set to false to keep the test database
    • Type: bool
    • Required: no
  • mysql_root_password
    • Default: -----====>SetR00tPa$$wordH3r3!!!<====-----
    • Description: The MySQL root password. Change or override this default.
    • Type: str
    • Required: no
  • mysql_user_home
    • Default: {{ ansible_env.HOME }}
    • Description: The path where the .my.cnf will be stored
    • Type: str
    • Required: no
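The options listed above end up in the [mysqld] section of the MySQL options file. The following audit script, added here as an example and not part of the role, parses such a file and reports which hardening options are missing or weak. Only local-infile=0 and secure-auth=1 are the documented defaults; the other expected values, the helper names and the sample file are assumptions.

```python
import configparser

# Expected [mysqld] settings. local-infile=0 and secure-auth=1 are the
# defaults documented above; the other expected values are assumptions.
# None = bare flag must be present; "<non-empty>" = any non-empty value.
EXPECTED = {
    "local-infile": "0", "secure-auth": "1",
    "allow-suspicious-udfs": "0", "safe-user-create": "1",   # assumed
    "skip-symbolic-links": None, "skip-show-database": None,  # assumed
    "secure-file-priv": "<non-empty>",                        # assumed
}

def parse_mysqld_section(text):
    """Return [mysqld] options; MySQL treats '-' and '_' in option names as equivalent."""
    parser = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    parser.optionxform = lambda name: name.strip().lower().replace("_", "-")
    # !include/!includedir directives are not INI syntax; drop them here
    # (a real audit would also have to read the included files).
    parser.read_string("\n".join(line for line in text.splitlines()
                                 if not line.lstrip().startswith("!")))
    if not parser.has_section("mysqld"):
        return {}
    return {k: (v.strip() if v is not None else None)
            for k, v in parser.items("mysqld")}

def audit_mysqld_options(text):
    """Map each hardening option to 'ok', 'missing' or 'got <value>'."""
    opts = parse_mysqld_section(text)
    findings = {}
    for name, want in EXPECTED.items():
        if name not in opts:
            findings[name] = "missing"
        elif want is None or opts[name] == want:
            findings[name] = "ok"
        elif want == "<non-empty>":
            findings[name] = "ok" if opts[name] else "got empty value"
        else:
            findings[name] = "got " + opts[name]
    return findings

# Constructed sample options file: local_infile still enabled, empty
# secure-file-priv, several hardening options missing.
SAMPLE_MY_CNF = """\
!includedir /etc/mysql/conf.d/
[mysqld]
local_infile = 1
secure-auth = 1
skip-symbolic-links
secure-file-priv =
"""
```

Running `audit_mysqld_options(SAMPLE_MY_CNF)` on the sample flags local-infile as "got 1", secure-file-priv as "got empty value" and the absent options as "missing".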

Dependencies

None.

Example Playbook

- hosts: all
  roles:
    - name: devsec.hardening.mysql_hardening