Skip to content

mysql_hardening

Directory actions

More options

Directory actions

More options

Latest commit

 

History

History
 
 

mysql_hardening

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
defaults
defaults
 
 
handlers
handlers
 
 
meta
meta
 
 
tasks
tasks
 
 
templates
templates
 
 
vars
vars
 
 
CHANGELOG.md
CHANGELOG.md
 
 
README.md
README.md
 
 

README.md

devsec.mysql_hardening

devsec.mysql_hardening

Description

This role provides security configurations for MySQL and its derivates. It is intended to set up production-ready MySQL instances that are configured with minimal surface for attackers. Furthermore it is intended to be compliant with the DevSec MySQL Baseline.

It configures:

  • Permissions for the various configuration files and folders
  • Removes anonymous users, users without a password or authentication_string and test databases
  • various hardening options inside MySQL

Requirements

  • Ansible 2.9.0
  • An existing MySQL installation

Example playbook

- hosts: localhost
  collections:
    - devsec.hardening
  roles:
    - mysql_hardening

This role expects an existing installation of MySQL or MariaDB. Changes of options log_error or datadir in mysql_hardening_options will not be checked for correct permissions. Please change/set log_error or datadir with the installation role of MySQL before running this role, or you can run this role twice.
Please ensure that the following variables are set accordingly:

  • mysql_hardening_enabled: yes role is enabled by default and can be disabled without removing it from a playbook. You can use conditional variable, for example: mysql_hardening_enabled: "{{ true if mysql_enabled else false }}"
  • mysql_hardening_user: 'mysql' The user that mysql runs as.
  • mysql_hardening_mysql_hardening_conf_file: '/etc/mysql/conf.d/hardening.cnf' The path to the configuration file where the hardening will be performed
  • deprecated: mysql_datadir: '/var/lib/mysql' The MySQL data directory
    • mysql_datadir is no longer necessary, as MySQL data directory is automatically taken from mysql_info. But it can still be defined and will also be checked for correct permissions.

Role Variables

  • mysql_hardening_chroot
    • Default: ""
    • Description: chroot
  • mysql_hardening_options.safe-user-create
  • mysql_hardening_options.secure-auth
  • mysql_hardening_options.skip-symbolic-links
  • mysql_hardening_skip_grant_tables:
  • mysql_hardening_skip_show_database
  • mysql_hardening_options.local-infile
  • mysql_hardening_options.allow-suspicious-udfs
  • mysql_hardening_chroot.automatic-sp-privileges
  • mysql_hardening_options.secure-file-priv
  • mysql_allow_remote_root
    • Default: false
    • Description: delete remote root users
  • mysql_remove_anonymous_users
    • Default: true
    • Description: remove users without authentication
  • mysql_remove_test_database
    • Default: true
    • Description: remove test database
  • mysql_hardening_restart_mysql
    • Default: true
    • Description: Restart mysql after running this role

Further information is available at Deutsche Telekom (German) and Symantec