dynamically define mysql datadir and log_error (#54)

* dynamically define mysql datadir and log_error

Signed-off-by: Sebastian Gumprich <[email protected]>

* simplify sql command checks

Signed-off-by: Sebastian Gumprich <[email protected]>

* fix linting issues

Signed-off-by: Sebastian Gumprich <[email protected]>

* check for param before assigning it

Signed-off-by: Sebastian Gumprich <[email protected]>

Author: rndmh3ro

controls/mysql_conf.rb

@@ -18,24 +18,33 @@
 
 mysql_hardening_file = '/etc/mysql/conf.d/hardening.cnf'
 
+user = attribute('User', description: 'MySQL database user', value: 'root', required: true)
+pass = attribute('Password', description: 'MySQL database password', value: 'iloverandompasswordsbutthiswilldo', required: true)
+
+# get datadir and logfile-path from settings in the configuration if it is defined or from mysql itself
+
+mysql_data_path = if mysql_conf.params.mysqld && mysql_conf.params.mysqld.datadir
+                    mysql_conf.params.mysqld.datadir
+                  else
+                    command("mysql -u#{user} -p#{pass} -sN -e \"select @@GLOBAL.datadir\";").stdout.strip
+                  end
+
+mysql_log_file = if mysql_conf.params.mysqld && mysql_conf.params.mysqld.log_error
+                   mysql_conf.params.mysqld.log_error
+                 else
+                   command("mysql -u#{user} -p#{pass} -sN -e \"select @@GLOBAL.log_error\";").stdout.strip
+                 end
+
 # set OS-dependent filenames and paths
 case os[:family]
 when 'ubuntu', 'debian'
   mysql_config_path = '/etc/mysql/'
   mysql_config_file = mysql_config_path + 'my.cnf'
-  mysql_data_path = '/var/lib/mysql/'
-  mysql_log_path = '/var/log/'
-  mysql_log_file = 'mysql.log'
   mysql_log_group = 'adm'
   service_name = 'mysql'
 when 'redhat', 'fedora'
   mysql_config_path = '/etc/'
   mysql_config_file = mysql_config_path + 'my.cnf'
-  mysql_data_path = '/var/lib/mysql/'
-  mysql_log_path = '/var/log/'
-  mysql_log_path = '/var/log/mariadb/' if os[:release] >= '7'
-  mysql_log_file = 'mysqld.log'
-  mysql_log_file = 'mariadb.log' if os[:release] >= '7'
   mysql_log_group = 'mysql'
   service_name = 'mysqld'
   service_name = 'mariadb' if os[:release] >= '7'
@@ -103,7 +112,7 @@
 control 'mysql-conf-06' do
   impact 0.5
   title 'ensure log file is owned by mysql user'
-  describe file("#{mysql_log_path}/#{mysql_log_file}") do
+  describe file(mysql_log_file) do
     it { should be_owned_by 'mysql' }
     it { should be_grouped_into mysql_log_group }
     it { should_not be_readable.by('others') }

controls/mysql_db.rb

@@ -22,63 +22,63 @@
 control 'mysql-db-01' do
   impact 0.3
   title 'use supported mysql version in production'
-  describe command("mysql -u#{user} -p#{pass} mysql -s -e 'select version();' | tail -1") do
+  describe command("mysql -u#{user} -p#{pass} -sN -e 'select version();'") do
     its(:stdout) { should_not match(/Community/) }
   end
 end
 
 control 'mysql-db-02' do
   impact 0.5
   title 'use mysql version 5 or higher'
-  describe command("mysql -u#{user} -p#{pass} mysql -s -e 'select substring_index(version(),\".\",1);'") do
+  describe command("mysql -u#{user} -p#{pass} -sN -e 'select substring_index(version(),\".\",1);'") do
     its(:stdout) { should cmp >= 5 }
   end
 end
 
 control 'mysql-db-03' do
   impact 1.0
   title 'test database must be deleted'
-  describe command("mysql -u#{user} -p#{pass} -s -e 'show databases like \"test\";'") do
+  describe command("mysql -u#{user} -p#{pass} -sN -e 'show databases like \"test\";'") do
     its(:stdout) { should_not match(/test/) }
   end
 end
 
 control 'mysql-db-04' do
   impact 1.0
   title 'deactivate annonymous user names'
-  describe command("mysql -u#{user} -p#{pass} mysql -s -e 'select count(*) from mysql.user where user=\"\";' | tail -1") do
+  describe command("mysql -u#{user} -p#{pass} -sN -e 'select count(*) from mysql.user where user=\"\";'") do
     its(:stdout) { should match(/^0/) }
   end
 end
 
 control 'mysql-db-05' do
   impact 1.0
   title 'default passwords must be changed'
-  describe command("mysql -u#{user} -p#{pass} mysql -s -e 'select count(*) from mysql.user where length(password)=0 or password=\"\";' | tail -1") do
+  describe command("mysql -u#{user} -p#{pass} -sN -e 'select count(*) from mysql.user where length(password)=0 or password=\"\";'") do
     its(:stdout) { should match(/^0/) }
   end
 end
 
 control 'mysql-db-06' do
   impact 0.5
   title 'the grant option must not be used'
-  describe command("mysql -u#{user} -p#{pass} mysql -s -e 'select count(*) from mysql.user where grant_priv=\"y\" and User!=\"root\" and User!=\"debian-sys-maint\";' | tail -1") do
+  describe command("mysql -u#{user} -p#{pass} -sN -e 'select count(*) from mysql.user where grant_priv=\"y\" and User!=\"root\" and User!=\"debian-sys-maint\";'") do
     its(:stdout) { should match(/^0/) }
   end
 end
 
 control 'mysql-db-07' do
   impact 0.5
   title 'ensure no wildcards are used for hostnames'
-  describe command("mysql -u#{user} -p#{pass} mysql -s -e 'select count(*) from mysql.user where host=\"%\"' | tail -1") do
+  describe command("mysql -u#{user} -p#{pass} -sN -e 'select count(*) from mysql.user where host=\"%\"'") do
     its(:stdout) { should match(/^0/) }
   end
 end
 
 control 'mysql-db-08' do
   impact 0.5
   title 'it must be ensured that superuser can login via localhost only'
-  describe command("mysql -u#{user} -p#{pass} mysql -s -e 'select count(*) from mysql.user where user=\"root\" and host not in (\"localhost\",\"127.0.0.1\",\"::1\")' | tail -1") do
+  describe command("mysql -u#{user} -p#{pass} -sN -e 'select count(*) from mysql.user where user=\"root\" and host not in (\"localhost\",\"127.0.0.1\",\"::1\")'") do
     its(:stdout) { should match(/^0/) }
   end
 end