From 0cd5205c23ebc69c01d68d7d9e015f7276559708 Mon Sep 17 00:00:00 2001
From: Andrej Golis
Date: Fri, 14 Oct 2016 17:07:46 +0200
Subject: [PATCH 1/3] - renamed 'mysql_hardening_mysql_conf' var to 'mysql_hardening_mysql_conf_file' - introduced 'mysql_hardening_mysql_conf_dir' variable - set default value of 'mysql_hardening_mysql_conf_dir' variable for RedHat, OracleLinux, Debian - changed default hardcoded full path in 'mysql_hardening_hardening_conf' var to be based on 'mysql_hardening_mysql_conf_dir' var
---
 defaults/main.yml | 2 +-
 tasks/configure.yml | 6 +++---
 vars/Debian.yml | 3 ++-
 vars/Oracle Linux.yml | 3 ++-
 vars/RedHat.yml | 3 ++-
 5 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 32b0ea0..3f545b8 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -5,7 +5,7 @@ mysql_hardening_enabled: yes
 mysql_hardening_user: 'mysql'
 mysql_hardening_group: 'root'
 mysql_datadir: '/var/lib/mysql'
-mysql_hardening_hardening_conf: '/etc/mysql/conf.d/hardening.cnf'
+mysql_hardening_hardening_conf: '{{mysql_hardening_mysql_conf_dir}}/hardening.cnf'
 # You have to change this to your own strong enough mysql root password
 mysql_root_password: '-----====>SetR00tPa$$wordH3r3!!!<====-----'
 # There .my.cnf with mysql root credentials will be installed
diff --git a/tasks/configure.yml b/tasks/configure.yml
index 699fbee..fa755bc 100644
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
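Review bot: The new default `mysql_hardening_hardening_conf: '{{mysql_hardening_mysql_conf_dir}}/hardening.cnf'` depends on a variable that this series sets only in vars/Debian.yml, vars/Oracle Linux.yml and vars/RedHat.yml, so on any other OS family the default no longer renders and the first task that uses it fails on an undefined variable, where the old literal path at least evaluated. A fallback next to it in defaults/main.yml, `mysql_hardening_mysql_conf_dir: '/etc/mysql/conf.d'`, keeps the previous behaviour for such hosts because the vars/ files take precedence over defaults. The same gap remains after the rename to `mysql_hardening_mysql_confd_dir` in patch 3 of this series.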
@@ -1,16 +1,16 @@
 ---
 - name: protect my.cnf
- file: path='{{mysql_hardening_mysql_conf}}' mode=0600 owner=root group=root follow=yes
+ file: path='{{mysql_hardening_mysql_conf_file}}' mode=0600 owner=root group=root follow=yes
 - name: ensure permissions on mysql-datadir are correct
 file: path='{{mysql_datadir}}' state=directory owner='{{mysql_hardening_user}}' group='{{mysql_hardening_user}}'
 - name: check mysql configuration-directory exists and has right permissions
- file: path='/etc/mysql/conf.d' state=directory owner='{{mysql_hardening_user}}' group='{{mysql_hardening_group}}' mode=0470
+ file: path='{{mysql_hardening_mysql_conf_dir}}' state=directory owner='{{mysql_hardening_user}}' group='{{mysql_hardening_group}}' mode=0470
 - name: check include-dir directive is present in my.cnf
- lineinfile: dest='{{mysql_hardening_mysql_conf}}' line='!includedir /etc/mysql/conf.d/' insertafter='EOF' state=present backup=yes
+ lineinfile: dest='{{mysql_hardening_mysql_conf_file}}' line='!includedir {{mysql_hardening_mysql_conf_dir}}' insertafter='EOF' state=present backup=yes
 notify: restart mysql
 - name: apply hardening configuration
diff --git a/vars/Debian.yml b/vars/Debian.yml
index 3f8056b..6513df3 100644
--- a/vars/Debian.yml
+++ b/vars/Debian.yml
@@ -1,2 +1,3 @@
 mysql_daemon: mysql
-mysql_hardening_mysql_conf: '/etc/mysql/my.cnf'
+mysql_hardening_mysql_conf_file: '/etc/mysql/my.cnf'
+mysql_hardening_mysql_conf_dir: '/etc/mysql/conf.d'
diff --git a/vars/Oracle Linux.yml b/vars/Oracle Linux.yml
index 230225b..f091e6c 100644
--- a/vars/Oracle Linux.yml
+++ b/vars/Oracle Linux.yml
@@ -1,2 +1,3 @@
 mysql_daemon: mysqld
-mysql_hardening_mysql_conf: '/etc/my.cnf'
+mysql_hardening_mysql_conf_file: '/etc/my.cnf'
+mysql_hardening_mysql_conf_dir: '/etc/my.cnf.d'
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
index 230225b..f091e6c 100644
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
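Review bot: The include directive written by the `check include-dir directive is present in my.cnf` task changes from `!includedir /etc/mysql/conf.d/` to `!includedir {{mysql_hardening_mysql_conf_dir}}` (no trailing slash), and because the task has no `regexp`, `state=present` only matches that exact new text; a host hardened by the previous role version keeps its old directive and gets a second `!includedir` appended on the next run. Anchoring the task on the directive instead of the literal line, e.g. `regexp='^!includedir {{mysql_hardening_mysql_conf_dir}}/?$'` alongside the existing `line=`, lets it converge on both old and new hosts. The unescaped dots in `/etc/my.cnf.d` match loosely in that pattern, which is acceptable for this use. Where the packaged my.cnf already includes the same directory, the directory is presumably read twice by the server; a comment on the task stating that this is expected would save the next reader a check.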
@@ -1,2 +1,3 @@
 mysql_daemon: mysqld
-mysql_hardening_mysql_conf: '/etc/my.cnf'
+mysql_hardening_mysql_conf_file: '/etc/my.cnf'
+mysql_hardening_mysql_conf_dir: '/etc/my.cnf.d'
From 6a9ff3492c1d0be36e2be289e05da1645408d3c0 Mon Sep 17 00:00:00 2001
From: Andrej Golis
Date: Sat, 15 Oct 2016 16:32:22 +0200
Subject: [PATCH 2/3] - added owner executable bit on my.cnf.d dir to allow mysql process to list files and apply custom configuration, otherwise it doesn't apply it
---
 tasks/configure.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/configure.yml b/tasks/configure.yml
index fa755bc..59b1ba5 100644
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@@ -7,7 +7,7 @@
 file: path='{{mysql_datadir}}' state=directory owner='{{mysql_hardening_user}}' group='{{mysql_hardening_user}}'
 - name: check mysql configuration-directory exists and has right permissions
- file: path='{{mysql_hardening_mysql_conf_dir}}' state=directory owner='{{mysql_hardening_user}}' group='{{mysql_hardening_group}}' mode=0470
+ file: path='{{mysql_hardening_mysql_conf_dir}}' state=directory owner='{{mysql_hardening_user}}' group='{{mysql_hardening_group}}' mode=0570
 - name: check include-dir directive is present in my.cnf
 lineinfile: dest='{{mysql_hardening_mysql_conf_file}}' line='!includedir {{mysql_hardening_mysql_conf_dir}}' insertafter='EOF' state=present backup=yes
From 6fa57844e92834900293419ec3c205f01a631dcd Mon Sep 17 00:00:00 2001
From: Andrej Golis
Date: Fri, 21 Oct 2016 13:36:58 +0200
Subject: [PATCH 3/3] aligned more var names to be consistent, changed hardcoded owner/group values to use vars instead
---
 README.md | 2 +-
 defaults/main.yml | 2 +-
 tasks/configure.yml | 8 ++++----
 vars/Debian.yml | 2 +-
 vars/Oracle Linux.yml | 2 +-
 vars/RedHat.yml | 2 +-
 6 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index fac45d1..ec27898 100644
--- a/README.md
+++ b/README.md
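Review bot: Adding the owner execute bit in `mode=0570` does let the server traverse the directory, but the owner on that line is `{{mysql_hardening_user}}`, the account the server runs as, and the owner of a directory can change its permission bits regardless of the mode the role sets. The restrictive mode therefore does not stop a process running as that account from making the configuration directory writable to itself and adding option files, which is the scenario a hardening role should close. Keeping the directory owned by root and giving the service account read and traverse through the group, e.g. `owner=root group='{{mysql_hardening_user}}' mode=0750`, preserves the intent; the `mysql_hardening_group` default of `root` would need to be revisited to fit that. The same ownership question applies to patch 3 of this series, where the `protect my.cnf` task moves my.cnf from `owner=root group=root` to the service account.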
@@ -26,7 +26,7 @@ This hardening role installs the hardening but expects an existing installation
 - `mysql_hardening_enabled: yes` role is enabled by default and can be disabled without removing it from a playbook. You can use conditional variable, for example: `mysql_hardening_enabled: "{{ true if mysql_enabled else false }}"`
 - `mysql_hardening_user: 'mysql'` The user that mysql runs as.
 - `mysql_datadir: '/var/lib/mysql'` The MySQL data directory
-- `mysql_hardening_hardening_conf: '/etc/mysql/conf.d/hardening.cnf'` The path to the configuration file where the hardening will be performed
+- `mysql_hardening_mysql_hardening_conf_file: '/etc/mysql/conf.d/hardening.cnf'` The path to the configuration file where the hardening will be performed
 ## Security Options
diff --git a/defaults/main.yml b/defaults/main.yml
index 3f545b8..a2a87f4 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -5,7 +5,7 @@ mysql_hardening_enabled: yes
 mysql_hardening_user: 'mysql'
 mysql_hardening_group: 'root'
 mysql_datadir: '/var/lib/mysql'
-mysql_hardening_hardening_conf: '{{mysql_hardening_mysql_conf_dir}}/hardening.cnf'
+mysql_hardening_mysql_hardening_conf_file: '{{mysql_hardening_mysql_confd_dir}}/hardening.cnf'
 # You have to change this to your own strong enough mysql root password
 mysql_root_password: '-----====>SetR00tPa$$wordH3r3!!!<====-----'
 # There .my.cnf with mysql root credentials will be installed
diff --git a/tasks/configure.yml b/tasks/configure.yml
index 59b1ba5..e0b8edb 100644
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
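Review bot: README.md in this same patch documents `mysql_hardening_mysql_hardening_conf_file` as the literal `'/etc/mysql/conf.d/hardening.cnf'`, while the default set here is `'{{mysql_hardening_mysql_confd_dir}}/hardening.cnf'`, so on RedHat and Oracle Linux the documented path does not match what the role writes. The README entry should show the templated default and state that `mysql_hardening_mysql_confd_dir` is supplied by the OS-specific vars files in this series (`/etc/mysql/conf.d` on Debian, `/etc/my.cnf.d` on RedHat and Oracle Linux), so overriding the directory is a documented option rather than something inferred from defaults/main.yml.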
@@ -1,18 +1,18 @@
 ---
 - name: protect my.cnf
- file: path='{{mysql_hardening_mysql_conf_file}}' mode=0600 owner=root group=root follow=yes
+ file: path='{{mysql_hardening_mysql_conf_file}}' mode=0400 owner='{{mysql_hardening_user}}' group='{{mysql_hardening_group}}' follow=yes
 - name: ensure permissions on mysql-datadir are correct
 file: path='{{mysql_datadir}}' state=directory owner='{{mysql_hardening_user}}' group='{{mysql_hardening_user}}'
 - name: check mysql configuration-directory exists and has right permissions
- file: path='{{mysql_hardening_mysql_conf_dir}}' state=directory owner='{{mysql_hardening_user}}' group='{{mysql_hardening_group}}' mode=0570
+ file: path='{{mysql_hardening_mysql_confd_dir}}' state=directory owner='{{mysql_hardening_user}}' group='{{mysql_hardening_group}}' mode=0570
 - name: check include-dir directive is present in my.cnf
- lineinfile: dest='{{mysql_hardening_mysql_conf_file}}' line='!includedir {{mysql_hardening_mysql_conf_dir}}' insertafter='EOF' state=present backup=yes
+ lineinfile: dest='{{mysql_hardening_mysql_conf_file}}' line='!includedir {{mysql_hardening_mysql_confd_dir}}' insertafter='EOF' state=present backup=yes
 notify: restart mysql
 - name: apply hardening configuration
- template: src='hardening.cnf.j2' dest='{{mysql_hardening_hardening_conf}}' owner='{{mysql_hardening_user}}' group='{{mysql_hardening_group}}' mode=0460
+ template: src='hardening.cnf.j2' dest='{{mysql_hardening_mysql_hardening_conf_file}}' owner='{{mysql_hardening_user}}' group='{{mysql_hardening_group}}' mode=0460
 notify: restart mysql
diff --git a/vars/Debian.yml b/vars/Debian.yml
index 6513df3..e96ea36 100644
--- a/vars/Debian.yml
+++ b/vars/Debian.yml
@@ -1,3 +1,3 @@
 mysql_daemon: mysql
 mysql_hardening_mysql_conf_file: '/etc/mysql/my.cnf'
-mysql_hardening_mysql_conf_dir: '/etc/mysql/conf.d'
+mysql_hardening_mysql_confd_dir: '/etc/mysql/conf.d'
diff --git a/vars/Oracle Linux.yml b/vars/Oracle Linux.yml
index f091e6c..8165061 100644
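Review bot: The `apply hardening configuration` task still writes hardening.cnf with `mode=0460`, which grants write access to `{{mysql_hardening_group}}` while the owner gets read only; since the group is a variable that callers may set to something other than root, members of that group can then edit an option file the server loads. Aligning it with the `mode=0400` this patch introduces on my.cnf, i.e. `mode=0440` or `mode=0400`, keeps both option files read-only for every account that is not root. A short comment on the task explaining the chosen bits would also help, because the current combination (group writable, owner not) reads like a typo rather than a decision.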
--- a/vars/Oracle Linux.yml
+++ b/vars/Oracle Linux.yml
@@ -1,3 +1,3 @@
 mysql_daemon: mysqld
 mysql_hardening_mysql_conf_file: '/etc/my.cnf'
-mysql_hardening_mysql_conf_dir: '/etc/my.cnf.d'
+mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d'
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
index f091e6c..8165061 100644
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@@ -1,3 +1,3 @@
 mysql_daemon: mysqld
 mysql_hardening_mysql_conf_file: '/etc/my.cnf'
-mysql_hardening_mysql_conf_dir: '/etc/my.cnf.d'
+mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d'