add role argument spec for os, ssh, mysql (#687)
* add role argument spec for os, ssh, mysql

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* add role argument spec for os, ssh, mysql

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* remove variable in variable as it cannot be used in argument spec

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* fix wrong syntax

* fix spelling errors

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* cannot use vars before arg-spec validation

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* yamllint the arg-spec

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* add back variable

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* remove redundant setting in tests

* fix descriptions in mysql hardening to better reflect what they do

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* remove duplicate empty line

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* set correct defaults on to ssl options

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* remove left-over hidepid argument spec

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* remove license and author infos, this lives in the collection readme

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* fix styling

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* update some descriptions and sort them in the readme

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* some more linting

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

---------

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
rndmh3ro and Sebastian Gumprich authored Aug 7, 2023
1 parent 96ba9d1 commit f295397
Showing 14 changed files with 2,942 additions and 926 deletions.
5 changes: 0 additions & 5 deletions molecule/ssh_hardening_custom_tests/converge.yml
@@ -20,11 +20,6 @@
- path: "/etc/ssh/auth_principals/root"
principals:
- "root"
owner: "{{ ssh_owner }}"
group: "{{ ssh_group }}"
directoryowner: "{{ ssh_owner }}"
directorygroup: "{{ ssh_group }}"
directorymode: "0700"
network_ipv6_enable: true
ssh_allow_tcp_forwarding: 'yes'
ssh_gateway_ports: true
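Review bot: dropping `owner`, `group`, `directoryowner`, `directorygroup` and `directorymode` from the `/etc/ssh/auth_principals/root` entry means this scenario no longer exercises the per-entry ownership overrides at all; the removed values referenced `{{ ssh_owner }}` and `{{ ssh_group }}`, which the commit message says cannot be used before argument-spec validation, so the test now silently relies on the role defaults for those fields. If the removal was only to satisfy the spec, keep one entry with literal values (for example `owner: root`, `directorymode: "0700"`) so the override path stays covered by the custom-tests scenario.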
178 changes: 116 additions & 62 deletions roles/mysql_hardening/README.md
@@ -1,6 +1,6 @@
# devsec.mysql_hardening

![devsec.mysql_hardening](https://github.com/dev-sec/ansible-os-hardening/workflows/devsec.mysql_hardening/badge.svg)
![devsec.mysql_hardening](https://github.com/dev-sec/ansible-collection-hardening/workflows/devsec.mysql_hardening/badge.svg)

## Description

@@ -12,74 +12,128 @@ It configures:
- Removes anonymous users, users without a password or authentication_string and test databases
- various hardening options inside MySQL

Changes of options `log_error` or `datadir` in `mysql_hardening_options` will not be checked for correct permissions. Please change/set `log_error` or `datadir` with the installation role of MySQL before running this role, or you can run this role twice.

Further information is available at [Deutsche Telekom (German)](http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si) and [Symantec](http://www.symantec.com/connect/articles/securing-mysql-step-step)

## Requirements

- Ansible 2.9.0
- An existing MySQL installation
- An existing installation of MySQL or MariaDB.
- python-jmespath on the ansible host

### Example playbook
<!-- BEGIN_ANSIBLE_DOCS -->
## Supported Operating Systems
| Platform | Versions |
| -------- | -------- |
| EL | 7, 8, 9 |
| Ubuntu | bionic, focal, jammy |
| Debian | bullseye, buster |
| Amazon | |
| opensuse | |

```yml
- hosts: localhost
collections:
- devsec.hardening
roles:
- mysql_hardening
```
## Role Variables

This role expects an existing installation of MySQL or MariaDB. Changes of options `log_error` or `datadir` in `mysql_hardening_options` will not be checked for correct permissions. Please change/set `log_error` or `datadir` with the installation role of MySQL before running this role, or you can run this role twice.
Please ensure that the following variables are set accordingly:
* `mysql_daemon_enabled`
* Default: `true`
* Description: Whether to enable the MySQL-service so it starts on boot
* Type: bool
* Required: no
* `mysql_hardening_chroot`
* Default: ``
* Description: [chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot)
* Type: str
* Required: no
* `mysql_hardening_chroot.automatic-sp-privileges`
* Default: `0`
* Description: [automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges)
* Type: int
* Required: no
* `mysql_hardening_enabled`
* Default: `true`
* Description: Whether to run the hardening
* Type: bool
* Required: no
* `mysql_hardening_options.allow-suspicious-udfs`
* Default: `0`
* Description: [allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs)
* Type: int
* Required: no
* `mysql_hardening_options.local-infile`
* Default: `0`
* Description: [local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile)
* Type: int
* Required: no
* `mysql_hardening_options.safe-user-create`
* Default: `1`
* Description: [safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create)
* Type: int
* Required: no
* `mysql_hardening_options.secure-auth`
* Default: `1`
* Description: [secure-auth](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth)
* Type: int
* Required: no
* `mysql_hardening_options.secure-file-priv`
* Default: `/tmp`
* Description: [secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv)
* Type: str
* Required: no
* `mysql_hardening_options.skip-symbolic-links`
* Default: `1`
* Description: [skip-symbolic-links](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links)
* Type: int
* Required: no
* `mysql_hardening_restart_mysql`
* Default: `true`
* Description: Restart mysql after running this role
* Type: bool
* Required: no
* `mysql_hardening_skip_grant_tables:`
* Default: `false`
* Description: [skip-grant-tables](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables)
* Type: bool
* Required: no
* `mysql_hardening_skip_show_database`
* Default: `1`
* Description: [skip-show-database](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database)
* Type: int
* Required: no
* `mysql_remove_anonymous_users`
* Default: `true`
* Description: Set to `false` to keep users without authentication
* Type: bool
* Required: no
* `mysql_remove_remote_root`
* Default: `true`
* Description: If `true`, root can only connect from localhost. Set to `false` to not remove remote root users.
* Type: bool
* Required: no
* `mysql_remove_test_database`
* Default: `true`
* Description: Set to `false` to keep the test database
* Type: bool
* Required: no
* `mysql_root_password`
* Default: `-----====>SetR00tPa$$wordH3r3!!!<====-----`
* Description: The default password. Please change or overwrite it
* Type: str
* Required: no
* `mysql_user_home`
* Default: `{{ ansible_env.HOME }}`
* Description: The path where the `.my.cnf` will be stored
* Type: str
* Required: no

- `mysql_hardening_enabled: yes` role is enabled by default and can be disabled without removing it from a playbook. You can use conditional variable, for example: `mysql_hardening_enabled: "{{ true if mysql_enabled else false }}"`
- `mysql_hardening_user: 'mysql'` The user that mysql runs as.
- `mysql_hardening_mysql_hardening_conf_file: '/etc/mysql/conf.d/hardening.cnf'` The path to the configuration file where the hardening will be performed
- _deprecated: `mysql_datadir: '/var/lib/mysql'` The MySQL data directory_
- `mysql_datadir` is no longer necessary, as MySQL data directory is automatically taken from `mysql_info`. But it can still be defined and will also be checked for correct permissions.
## Dependencies

## Role Variables
None.

- `mysql_hardening_chroot`
- Default: ""
- Description: [chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot)
- `mysql_hardening_options.safe-user-create`
- Default: 1
- Description: [safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create)
- `mysql_hardening_options.secure-auth`
- Default: 1
- Description: [secure-auth](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth)
- `mysql_hardening_options.skip-symbolic-links`
- Default: 1
- Description: [skip-symbolic-links](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links)
- `mysql_hardening_skip_grant_tables:`
- Default: false
- Description: [skip-grant-tables](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables)
- `mysql_hardening_skip_show_database`
- Default: 1
- Description: [skip-show-database](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database)
- `mysql_hardening_options.local-infile`
- Default: 0
- Description: [local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile)
- `mysql_hardening_options.allow-suspicious-udfs`
- Default: 0
- Description: [allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs)
- `mysql_hardening_chroot.automatic-sp-privileges`
- Default: 0
- Description: [automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges)
- `mysql_hardening_options.secure-file-priv`
- Default: /tmp
- Description: [secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv)
- `mysql_allow_remote_root`
- Default: false
- Description: delete remote root users
- `mysql_remove_anonymous_users`
- Default: true
- Description: remove users without authentication
- `mysql_remove_test_database`
- Default: true
- Description: remove test database
- `mysql_hardening_restart_mysql`
- Default: true
- Description: Restart mysql after running this role
## Example Playbook

```
- hosts: all
roles:
- name: devsec.hardening.mysql_hardening
```
<!-- END_ANSIBLE_DOCS -->

Further information is available at [Deutsche Telekom (German)](http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si) and [Symantec](http://www.symantec.com/connect/articles/securing-mysql-step-step)
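Review bot: the Requirements list at the top of this hunk still says `Ansible 2.9.0`, but the role now ships `meta/argument_specs.yml` (marked `version_added: 8.8.0` in this commit), and role argument-spec validation is only performed by ansible-core 2.11 and later; bump the stated requirement so users on 2.9 do not assume their variables are being validated. Two documentation regressions also need attention: `mysql_hardening_user`, `mysql_hardening_mysql_hardening_conf_file` and the deprecated `mysql_datadir` were described in the removed block and are absent from the new list, and the old `mysql_allow_remote_root` entry is replaced by `mysql_remove_remote_root` without saying whether the variable was renamed or whether both are honoured. The new list appears to be generated from the spec (the `BEGIN_ANSIBLE_DOCS` markers), so the entry `mysql_hardening_skip_grant_tables:` with a stray trailing colon inside the backticks and the entry `mysql_hardening_chroot.automatic-sp-privileges`, which files a mysqld option under the `chroot` string variable instead of `mysql_hardening_options`, should be fixed in the spec rather than edited here. Minor: the `Amazon` and `opensuse` rows of the Supported Operating Systems table have empty version cells, and the example playbook fence has no `yaml` language tag while the rest of the README uses `yml`.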
2 changes: 0 additions & 2 deletions roles/mysql_hardening/defaults/main.yml
@@ -6,8 +6,6 @@ mysql_daemon_enabled: true

mysql_hardening_restart_mysql: true

# general configuration
mysql_hardening_mysql_hardening_conf_file: "{{ mysql_hardening_mysql_confd_dir }}/hardening.cnf"
# You have to change this to your own strong enough mysql root password
mysql_root_password: "-----====>SetR00tPa$$wordH3r3!!!<====-----"
# There .my.cnf with mysql root credentials will be installed
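Review bot: removing `mysql_hardening_mysql_hardening_conf_file` from defaults is a breaking change for anyone who overrode the location of `hardening.cnf`: the variable is no longer read anywhere, so an existing override is silently ignored and the hardening file is written to `{{ mysql_hardening_mysql_confd_dir }}/hardening.cnf` instead. The commit message gives the reason (a variable that references another variable cannot be used in the argument spec), so consider keeping the old variable for one release with a deprecation warning, or at least add a changelog fragment and a README note naming the replacement. The comment `# There .my.cnf with mysql root credentials will be installed` two lines below also reads oddly; `# Where the .my.cnf with the mysql root credentials will be installed` is what it means.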
79 changes: 79 additions & 0 deletions roles/mysql_hardening/meta/argument_specs.yml
@@ -0,0 +1,79 @@
---
argument_specs:
main:
short_description: The main entry point for the mysql hardening role.
version_added: 8.8.0
options:
mysql_hardening_chroot:
default: ''
type: str
description: '[chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot)'
mysql_hardening_options.safe-user-create:
default: 1
type: int
description: '[safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create)'
mysql_hardening_options.secure-auth:
default: 1
type: int
description: '[secure-auth](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth)'
mysql_hardening_options.skip-symbolic-links:
default: 1
type: int
description: '[skip-symbolic-links](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links)'
'mysql_hardening_skip_grant_tables:':
default: false
type: bool
description: '[skip-grant-tables](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables)'
mysql_hardening_skip_show_database:
default: 1
type: int
description: '[skip-show-database](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database)'
mysql_hardening_options.local-infile:
default: 0
type: int
description: '[local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile)'
mysql_hardening_options.allow-suspicious-udfs:
default: 0
type: int
description: '[allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs)'
mysql_hardening_chroot.automatic-sp-privileges:
default: 0
type: int
description: '[automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges)'
mysql_hardening_options.secure-file-priv:
default: /tmp
type: str
description: '[secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv)'
mysql_remove_anonymous_users:
default: true
type: bool
description: Set to `false` to keep users without authentication
mysql_remove_test_database:
default: true
type: bool
description: Set to `false` to keep the test database
mysql_hardening_restart_mysql:
default: true
type: bool
description: Restart mysql after running this role
mysql_hardening_enabled:
default: true
type: bool
description: Whether to run the hardening
mysql_daemon_enabled:
default: true
type: bool
description: Whether to enable the MySQL-service so it starts on boot
mysql_root_password:
default: '-----====>SetR00tPa$$wordH3r3!!!<====-----'
type: str
description: The default password. Please change or overwrite it
mysql_user_home:
default: '{{ ansible_env.HOME }}'
type: str
description: The path where the `.my.cnf` will be stored
mysql_remove_remote_root:
default: true
type: bool
description: If `true`, root can only connect from localhost. Set to `false`
to not remove remote root users.
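Review bot: the dotted option names (`mysql_hardening_options.safe-user-create`, `mysql_hardening_options.local-infile`, and so on) are taken by the argument spec as literal top-level variable names, so none of them validate the keys of the `mysql_hardening_options` dictionary that the role actually reads; to validate nested keys the spec needs a `mysql_hardening_options:` entry with `type: dict` and an `options:` sub-spec listing `safe-user-create`, `secure-auth`, `skip-symbolic-links`, `local-infile`, `allow-suspicious-udfs` and `secure-file-priv` with their types and defaults. Related problems in the same hunk: the key `'mysql_hardening_skip_grant_tables:'` is quoted with a trailing colon, so the real variable `mysql_hardening_skip_grant_tables` is never matched; `mysql_hardening_chroot.automatic-sp-privileges` hangs a mysqld option off `mysql_hardening_chroot`, which is declared `type: str` a few lines above, and belongs under `mysql_hardening_options`; and `mysql_root_password` keeps the well-known placeholder `-----====>SetR00tPa$$wordH3r3!!!<====-----` as its default, so the spec cannot catch the most common deployment mistake of leaving it unchanged. Consider dropping that default from the spec and asserting in the role that the value has been overridden.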
2 changes: 1 addition & 1 deletion roles/mysql_hardening/tasks/configure.yml
@@ -56,7 +56,7 @@
- name: Apply hardening configuration
ansible.builtin.template:
src: hardening.cnf.j2
dest: "{{ mysql_hardening_mysql_hardening_conf_file }}"
dest: "{{ mysql_hardening_mysql_confd_dir + '/hardening.cnf' }}"
owner: "{{ mysql_cnf_owner }}"
group: "{{ mysql_cnf_group }}"
mode: "0640"
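Review bot: `dest: "{{ mysql_hardening_mysql_confd_dir + '/hardening.cnf' }}"` hardcodes the file name that `mysql_hardening_mysql_hardening_conf_file` used to make configurable, and the Jinja string concatenation is harder to read than the plain template form `dest: "{{ mysql_hardening_mysql_confd_dir }}/hardening.cnf"`. If the fixed name is intentional, use the simpler form here and document the removed override in the changelog so that deployments which relied on it notice the move.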