alt version initial commit

[fitz123]

No description provided.

[fitz123]

I'm not sure about it, but don't know more secure way to pass values like that

[rndmh3ro]

We could use a separate variables-file that only contains the password and encrypt this file with vault. Or something along these lines.

[fitz123]

Checks are failed because of "python-mysqldb" package installation and probably because of requirement of env variable

[fitz123]

everything here is copy-paste from old main.yml excluding last part with sql importing

[rndmh3ro]

Thanks for these improvements. I'll test them locally this weekend and see if anything fails.

[fitz123]

I've tested it on one on my mariadb instances and at first view - it looks fine. Gonna test on galera cluster soon and fix if something will fail. So basically "mysql_secure_installation.yml" I've been used quite a long time already and never had issues with it, but "mysql_hardening_options" dict includes a lot of variables I've never used and not sure how it can affect servers, so gonna test them as well, but slowly

[fitz123]

And it'd be great if you can find a way to fix travis checks)

[rndmh3ro]

And it'd be great if you can find a way to fix travis checks)

The problem is that the package-module is only supported from ansible 2.0 on. So we're going to have to stick to yum and apt tasks for now. See here: https://github.com/dev-sec/ansible-os-hardening/blob/master/tasks/pam.yml#L9-L15 on how to do it.

[rndmh3ro]

I think disabling the role by default is counter-intuitive.
If I would use this role, I'd expect that it would work out-of-the-box (like os and ssh hardening), not that I should still have to activate it. Because that's already what I'm doing when I'm including this role into one of my playbooks.

[fitz123]

Up to you, but usually roles are deactivated by default to not accidentally fail builds. For os and ssh that's different, probably because you can successfully execute it on almost build, but mysql have to be executed on mysql-enabled instances only. My use case: I'm using 1 playbook for almost everything, and having group-specific variables that control which roles are enabled (except roles like os/ssh-hardening which can be safelly enabled for all (at least my) instances, so they're enabled by default, though it's an exclusion). We can do the opposite, if you still want. though I think it's better not to leave it disabled and force user to manually activate it

[rndmh3ro]

I don't understand the distinction between configure.yml and mysql_secure_installation.yml. Why are these both separated?

And why does mysql_secure_installation.yml only runs, when mysql_root_password != ''?
The secure installation should run even if the root-password is set. For example when some admin set a root-password but did not delete the test-database. Or when he forgot to remove the test users?

[rndmh3ro]

for rhel that's MySQL-python.

[rndmh3ro]

I tested the role successfully on a fresh centos 6.5 system and it works great!
I'm going to test it on ubuntu, debian and oracle systems next week.
If this is sucsessful and we can work on the remaining comments, this could be done by next week.

[rndmh3ro]

I'll update the travis file, too, because right now there isn't much testing going on at all.

[fitz123]

Could you also test on ubuntu, as far as I know for apt module to work "python-apt" package is required. I have it installed in all templates since I start using ansible, so not super easy to test)

[fitz123]

I don't understand the distinction between configure.yml and mysql_secure_installation.yml. Why are these both separated?

I separated them mostly logically/functionally, configure.yml responses for configuration hardening, and mysql_secure_installation.yml almost copies mysql-secure-installation script's functionality (https://dev.mysql.com/doc/refman/5.7/en/mysql-secure-installation.html)

And why does mysql_secure_installation.yml only runs, when mysql_root_password != ''?
The secure installation should run even if the root-password is set. For example when some admin set a root-password but did not delete the test-database. Or when he forgot to remove the test users?

It does (at least I guess it's) opposite, it doesn't run if you didn't pass root password as a parameter, because mysql_db module have to have credentials for "import" to work, ether passed as parameters or in .my.cnf.
But you have a point, if one doesn't want to set root password at all. So we need to have such an option into defaults, and check somehow if real root password is '', and user don't want to set it, just run the rest of tasks. Currently I'm assuming that setting root password is mandatory

[rndmh3ro]

We should set this to "yes", because my expectation is that a role just works when I include it into my playbook. Also I've never seen another role you have to "enable" with an additional variable.

[fitz123]

done

[rndmh3ro]

Currently I'm assuming that setting root password is mandatory

Yes and we should force this, because if no password is set, than you have a huge gaping security hole, no matter if the installation is secured otherwise.

What I'd like to see:

• make the role just work without having to set another variable
• make the root password mandatory
• please rebase against master
• make a variable for mysql-user home, so the .my.cnf is in the correct location.

[fitz123]

@rndmh3ro,
Sorry, but I not completely get the idea of 1st 2 points. It sounds controversial for me.
Currently I set default mysql root password and show notification during execution about it

I can change behaviour to ether:

• do not set root password (comment variable out), make variable 'mandatory' and fail if variable is not defined. It means role will fail by default. Doesn't sound good
• do not set root password and do not fail. Show notification about it, try run the rest of tasks without root password (probably user already has .my.cnf, or want to keep empty password). This is better way to go than previous approach, but I'd prefer to stick to current approach (setting default password) if there're no arguments against

[fitz123]

any other comments?

[rndmh3ro]

Everything's fine now!
I'm in the process of testing the role right now, could take some time though.

[rndmh3ro]

So I tested the role:

• Ubuntu 12.04
• Ubuntu 14.04
• Ubuntu 16.04
• Oracle 6
• Centos 6
• Centos 7
• Debian 7
• Debian 8

There is a minor issue with RedHat that I will fix after merging this.
Also Oracle is a pain in the ass to test.