mirror of
https://github.com/dev-sec/ansible-collection-hardening
synced 2024-11-10 09:14:18 +00:00
f295397611
* add role argument spec for os, ssh, mysql
  Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add role argument spec for os, ssh, mysql
  Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* remove variable in variable as it cannot be used in argument spec
  Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* fix wrong syntax
* fix spelling errors
  Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* cannot use vars before arg-spec validation
  Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* yamllint the arg-spec
  Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* add back variable
  Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* remove redundant setting in tests
* fix descriptions in mysql hardening to better reflect what they do
  Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* remove duplicate empty line
  Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* set correct defaults on to ssl options
  Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* remove left-over hidepid argument spec
  Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* remove license and author infos, this lives in the collection readme
  Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* fix styling
  Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* update some descriptions and sort them in the readme
  Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
* some more linting
  Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

---------

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
5 KiB
devsec.mysql_hardening
Description
This role provides security configurations for MySQL and its derivatives. It is intended to set up production-ready MySQL instances that are configured with a minimal attack surface. Furthermore, it is intended to be compliant with the DevSec MySQL Baseline.
It configures:
- Permissions for the various configuration files and folders
- Removal of anonymous users, users without a password or `authentication_string`, and test databases
- Various hardening options inside MySQL
Changes to the options `log_error` or `datadir` in `mysql_hardening_options` will not be checked for correct permissions. Please change/set `log_error` or `datadir` with the installation role of MySQL before running this role, or run this role twice.
Further information is available at Deutsche Telekom (German) and Symantec.
Requirements
- An existing installation of MySQL or MariaDB.
- python-jmespath on the Ansible host
Supported Operating Systems
| Platform | Versions |
|---|---|
| EL | 7, 8, 9 |
| Ubuntu | bionic, focal, jammy |
| Debian | bullseye, buster |
| Amazon | |
| opensuse | |
Role Variables
mysql_daemon_enabled
- Default: `true`
- Description: Whether to enable the MySQL service so it starts on boot
- Type: bool
- Required: no

mysql_hardening_chroot
- Default: `` (empty)
- Description: MySQL option `chroot`
- Type: str
- Required: no

mysql_hardening_chroot.automatic-sp-privileges
- Default: `0`
- Description: MySQL option `automatic_sp_privileges`
- Type: int
- Required: no

mysql_hardening_enabled
- Default: `true`
- Description: Whether to run the hardening
- Type: bool
- Required: no

mysql_hardening_options.allow-suspicious-udfs
- Default: `0`
- Description: MySQL option `allow-suspicious-udfs`
- Type: int
- Required: no

mysql_hardening_options.local-infile
- Default: `0`
- Description: MySQL option `local-infile`
- Type: int
- Required: no

mysql_hardening_options.safe-user-create
- Default: `1`
- Description: MySQL option `safe-user-create`
- Type: int
- Required: no

mysql_hardening_options.secure-auth
- Default: `1`
- Description: MySQL option `secure-auth`
- Type: int
- Required: no

mysql_hardening_options.secure-file-priv
- Default: `/tmp`
- Description: MySQL option `secure-file-priv`
- Type: str
- Required: no

mysql_hardening_options.skip-symbolic-links
- Default: `1`
- Description: MySQL option `skip-symbolic-links`
- Type: int
- Required: no

mysql_hardening_restart_mysql
- Default: `true`
- Description: Restart MySQL after running this role
- Type: bool
- Required: no

mysql_hardening_skip_grant_tables
- Default: `false`
- Description: MySQL option `skip-grant-tables`
- Type: bool
- Required: no

mysql_hardening_skip_show_database
- Default: `1`
- Description: MySQL option `skip-show-database`
- Type: int
- Required: no

mysql_remove_anonymous_users
- Default: `true`
- Description: Set to `false` to keep users without authentication
- Type: bool
- Required: no

mysql_remove_remote_root
- Default: `true`
- Description: If `true`, root can only connect from localhost. Set to `false` to not remove remote root users.
- Type: bool
- Required: no

mysql_remove_test_database
- Default: `true`
- Description: Set to `false` to keep the test database
- Type: bool
- Required: no

mysql_root_password
- Default: `-----====>SetR00tPa$$wordH3r3!!!<====-----`
- Description: The default password. Please change or overwrite it.
- Type: str
- Required: no

mysql_user_home
- Default: `{{ ansible_env.HOME }}`
- Description: The path where the `.my.cnf` will be stored
- Type: str
- Required: no
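As an added example (not part of this README or of the role itself), the script below audits the `[mysqld]` section of an existing `my.cnf` against the option defaults listed above, so a reviewer can see which settings still deviate before or after the role has run. It assumes `automatic-sp-privileges` is checked as a plain `[mysqld]` option and that a bare `skip-grant-tables` line must be absent, matching the `false` default of `mysql_hardening_skip_grant_tables`; the sample config is constructed.

```python
import configparser

# Hardened values the role applies by default, taken from the Role Variables
# section above (option name -> expected value in the [mysqld] section).
EXPECTED = {
    "allow-suspicious-udfs": "0", "automatic-sp-privileges": "0",
    "local-infile": "0", "safe-user-create": "1", "secure-auth": "1",
    "secure-file-priv": "/tmp", "skip-symbolic-links": "1", "skip-show-database": "1",
}
_BOOL = {"on": "1", "true": "1", "yes": "1", "off": "0", "false": "0", "no": "0"}


def _canon(name, value):
    # MySQL treats "local_infile" and "local-infile" as the same option; a bare
    # flag line such as "skip-symbolic-links" (no "=") means the option is enabled.
    name = name.strip().lower().replace("_", "-")
    if value is None:
        return name, "1"
    value = value.strip().strip('"').strip("'")
    return name, _BOOL.get(value.lower(), value)


def parse_mysqld_section(text):
    """Return {option: value} for the [mysqld] section of a my.cnf string."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.optionxform = str  # keep keys as written; _canon does the normalisation
    cp.read_string(text)
    if not cp.has_section("mysqld"):
        return {}
    return dict(_canon(k, v) for k, v in cp.items("mysqld"))


def audit(text):
    """List deviations from the role defaults as 'option: found -> expected'."""
    found = parse_mysqld_section(text)
    findings = []
    for opt, want in EXPECTED.items():
        got = found.get(opt, "<unset>") or "<empty>"
        if got != want:
            findings.append(f"{opt}: {got} -> {want}")
    # mysql_hardening_skip_grant_tables defaults to false: the flag must be absent.
    if "skip-grant-tables" in found:
        findings.append("skip-grant-tables: present -> must be removed")
    return findings


# Constructed sample (not from the page): a stock-looking my.cnf with weak settings.
SAMPLE_WEAK = """\
[mysqld]
datadir = /var/lib/mysql
local_infile = ON
secure-file-priv = ""
skip-grant-tables
safe-user-create = 1
"""
```

Running `audit(SAMPLE_WEAK)` reports every option that is unset, enabled where the role disables it, or empty where the role sets a path; a config written by the role with its defaults yields an empty list.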
Dependencies
None.
Example Playbook
```yaml
- hosts: all
  roles:
    - name: devsec.hardening.mysql_hardening
```