mirror of
https://github.com/dev-sec/ansible-collection-hardening
synced 2024-11-10 09:14:18 +00:00
69ab9e47ad
* Update Ubuntu compatability Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * reload systemd when disabling ssh socket Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * manage systemd files Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * Create privsep directory for Debian Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * Use working Ubuntu 24.04 image for vm tests Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> * Remove deprecated Debian 10 Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> --------- Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de> |
||
---|---|---|
.. | ||
defaults | ||
handlers | ||
meta | ||
tasks | ||
templates | ||
vars | ||
CHANGELOG.md | ||
README.md |
devsec.mysql_hardening
Description
This role provides security configurations for MySQL and its derivates. It is intended to set up production-ready MySQL instances that are configured with minimal surface for attackers. Furthermore it is intended to be compliant with the DevSec MySQL Baseline.
It configures:
- Permissions for the various configuration files and folders
- Removes anonymous users, users without a password or authentication_string and test databases
- various hardening options inside MySQL
Changes of options log_error
or datadir
in mysql_hardening_options
will not be checked for correct permissions. Please change/set log_error
or datadir
with the installation role of MySQL before running this role, or you can run this role twice.
Further information is available at Deutsche Telekom (German) and Symantec
Requirements
- An existing installation of MySQL or MariaDB.
- python-jmespath on the ansible host
Supported Operating Systems
- EL
- 8, 9
- Ubuntu
- bionic, focal, jammy
- Debian
- bullseye, buster
- Amazon
- opensuse
Role Variables
mysql_daemon_enabled
- Default:
true
- Description: Whether to enable the MySQL-service so it starts on boot
- Type: bool
- Required: no
- Default:
mysql_hardening_chroot
- Default: ``
- Description: chroot
- Type: str
- Required: no
mysql_hardening_chroot.automatic-sp-privileges
- Default:
0
- Description: automatic_sp_privileges
- Type: int
- Required: no
- Default:
mysql_hardening_enabled
- Default:
true
- Description: Whether to run the hardening
- Type: bool
- Required: no
- Default:
mysql_hardening_options.allow-suspicious-udfs
- Default:
0
- Description: allow-suspicious-udfs
- Type: int
- Required: no
- Default:
mysql_hardening_options.local-infile
- Default:
0
- Description: local-infile
- Type: int
- Required: no
- Default:
mysql_hardening_options.safe-user-create
- Default:
1
- Description: safe-user-create
- Type: int
- Required: no
- Default:
mysql_hardening_options.secure-auth
- Default:
1
- Description: secure-auth
- Type: int
- Required: no
- Default:
mysql_hardening_options.secure-file-priv
- Default:
/tmp
- Description: secure-file-priv
- Type: str
- Required: no
- Default:
mysql_hardening_options.skip-symbolic-links
- Default:
1
- Description: skip-symbolic-links
- Type: int
- Required: no
- Default:
mysql_hardening_restart_mysql
- Default:
true
- Description: Restart mysql after running this role
- Type: bool
- Required: no
- Default:
mysql_hardening_skip_grant_tables:
- Default:
false
- Description: skip-grant-tables
- Type: bool
- Required: no
- Default:
mysql_hardening_skip_show_database
- Default:
1
- Description: skip-show-database
- Type: int
- Required: no
- Default:
mysql_remove_anonymous_users
- Default:
true
- Description: Set to
false
to keep users without authentication - Type: bool
- Required: no
- Default:
mysql_remove_remote_root
- Default:
true
- Description: If
true
, root can only connect from localhost. Set tofalse
to not remove remote root users. - Type: bool
- Required: no
- Default:
mysql_remove_test_database
- Default:
true
- Description: Set to
false
to keep the test database - Type: bool
- Required: no
- Default:
mysql_root_password
- Default:
-----====>SetR00tPa$$wordH3r3!!!<====-----
- Description: The default password. Please change or overwrite it
- Type: str
- Required: no
- Default:
mysql_user_home
- Default:
{{ ansible_env.HOME }}
- Description: The path where the
.my.cnf
will be stored - Type: str
- Required: no
- Default:
Dependencies
None.
Example Playbook
- hosts: all
roles:
- name: devsec.hardening.mysql_hardening