Merge branch 'dev-sec:master' into extended_net_hardening

.github/workflows/mysql_hardening.yml

@@ -37,7 +37,7 @@ jobs:
           - debian11
           # - amazon  # geerlingguy.mysql does not support fedora
           # - arch  # needs to be fixed
-          # - opensuse_tumbleweed  # needs to be fixed
+          - opensuse_tumbleweed  # needs to be fixed
           # - fedora  # geerlingguy.mysql does not support fedora
     steps:
       - name: Checkout repo

CHANGELOG.md

@@ -1,11 +1,12 @@
 # Changelog
 
-## [8.3.1](https://github.com/dev-sec/ansible-collection-hardening/tree/8.3.1) (2022-11-24)
+## [8.4.0](https://github.com/dev-sec/ansible-collection-hardening/tree/8.4.0) (2022-11-29)
 
-[Full Changelog](https://github.com/dev-sec/ansible-collection-hardening/compare/8.3.0...8.3.1)
+[Full Changelog](https://github.com/dev-sec/ansible-collection-hardening/compare/8.3.0...8.4.0)
 
 **Implemented enhancements:**
 
+- Add OpenSUSE support  [\#605](https://github.com/dev-sec/ansible-collection-hardening/pull/605) [[mysql_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/mysql_hardening)] ([rndmh3ro](https://github.com/rndmh3ro))
 - Allow ssh\_allow\_tcp\_forwarding to be a boolean [\#600](https://github.com/dev-sec/ansible-collection-hardening/pull/600) [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] ([crisbal](https://github.com/crisbal))
 - OpenBSD does not support GSSAPI Authentication [\#598](https://github.com/dev-sec/ansible-collection-hardening/pull/598) [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] ([dennisse](https://github.com/dennisse))
 - add Ansible specific templates for issues [\#596](https://github.com/dev-sec/ansible-collection-hardening/pull/596) ([schurzi](https://github.com/schurzi))

molecule/mysql_hardening/converge.yml

@@ -24,6 +24,13 @@
         - mysql_python_package_debian is not defined
         - ansible_distribution != "Ubuntu"
         - ansible_distribution_major_version|int < 20
+
+    - name: Use Python 3 on Suse
+      set_fact:
+        ansible_python_interpreter: /usr/bin/python3
+      when:
+        - ansible_os_family == 'Suse'
+
     - include_role:
         name: mysql_hardening
   vars:

molecule/mysql_hardening/prepare.yml

@@ -15,6 +15,12 @@
         - ansible_distribution == 'Debian'
         - ansible_distribution_major_version|int >= 11
 
+    - name: Use Python 3 on Suse
+      set_fact:
+        ansible_python_interpreter: /usr/bin/python3
+      when:
+        - ansible_os_family == 'Suse'
+
     - name: Use Python 2 on Debian 10
       set_fact:
         ansible_python_interpreter: /usr/bin/python
@@ -29,11 +35,9 @@
         update_cache: true
       when: ansible_os_family == 'Debian'
 
-    - name: install required tools on SuSE
-      community.general.zypper:
-        name: "python-xml"
-        state: present
-      when: ansible_facts.os_family == 'Suse'
+    - name: Install required python packages on Suse
+      ansible.builtin.shell: zypper -n install python-xml python3-rpm python3-PyMySQL
+      when: ansible_os_family == 'Suse'
 
     - name: create missing directory
       file:
@@ -56,7 +60,6 @@
         - ansible_distribution != "Ubuntu"
         - ansible_distribution_major_version|int < 20
 
-
     - include_role:
         name: dev-sec.mysql
 

roles/mysql_hardening/README.md

@@ -16,6 +16,7 @@ It configures:
 
 - Ansible 2.9.0
 - An existing MySQL installation
+- python-jmespath on the ansible host
 
 ### Example playbook
 

roles/mysql_hardening/vars/Suse.yml

@@ -0,0 +1,10 @@
+---
+mysql_daemon: mariadb
+mysql_hardening_mysql_conf_file: '/etc/my.cnf'
+mysql_hardening_mysql_confd_dir: '/etc/my.cnf.d'
+
+mysql_cnf_owner: 'root'  # owner of /etc/my.cnf.d/*.cnf files
+mysql_cnf_group: 'mysql'  # owner of /etc/my.cnf.d/*.cnf files
+
+mysql_hardening_group: 'mysql'
+login_unix_socket: '/run/mysql/mysql.sock'