add role argument spec for os, ssh, mysql (#687)

* add role argument spec for os, ssh, mysql Signed-off-by: Sebastian Gumprich <[email protected]> * add role argument spec for os, ssh, mysql Signed-off-by: Sebastian Gumprich <[email protected]> * remove variable in variable as it cannot be used in argument spec Signed-off-by: Sebastian Gumprich <[email protected]> * fix wrong syntax * fix spelling errors Signed-off-by: Sebastian Gumprich <[email protected]> * cannot use vars before arg-spec validation Signed-off-by: Sebastian Gumprich <[email protected]> * yamllint the arg-spec Signed-off-by: Sebastian Gumprich <[email protected]> * add back variable Signed-off-by: Sebastian Gumprich <[email protected]> * remove redundant setting in tests * fix descriptions in mysql hardening to betterreflect what they do Signed-off-by: Sebastian Gumprich <[email protected]> * remove duplicate empty line Signed-off-by: Sebastian Gumprich <[email protected]> * set correct defaults on to ssl options Signed-off-by: Sebastian Gumprich <[email protected]> * remove left-over hidepid argument spec Signed-off-by: Sebastian Gumprich <[email protected]> * remove license and author infos, this lives in the collection readme Signed-off-by: Sebastian Gumprich <[email protected]> * fix styling Signed-off-by: Sebastian Gumprich <[email protected]> * update some descriptions and sort them in the readme Signed-off-by: Sebastian Gumprich <[email protected]> * some more linting Signed-off-by: Sebastian Gumprich <[email protected]> --------- Signed-off-by: Sebastian Gumprich <[email protected]> Co-authored-by: Sebastian Gumprich <[email protected]>
dev-sec · Aug 7, 2023 · f295397 · f295397
1 parent 96ba9d1
commit f295397
Show file tree

Hide file tree

Showing 14 changed files with 2,942 additions and 926 deletions.
diff --git a/molecule/ssh_hardening_custom_tests/converge.yml b/molecule/ssh_hardening_custom_tests/converge.yml
@@ -20,11 +20,6 @@
       - path: "/etc/ssh/auth_principals/root"
         principals:
           - "root"
-        owner: "{{ ssh_owner }}"
-        group: "{{ ssh_group }}"
-        directoryowner: "{{ ssh_owner }}"
-        directorygroup: "{{ ssh_group }}"
-        directorymode: "0700"
     network_ipv6_enable: true
     ssh_allow_tcp_forwarding: 'yes'
     ssh_gateway_ports: true

diff --git a/roles/mysql_hardening/README.md b/roles/mysql_hardening/README.md
@@ -1,6 +1,6 @@
 # devsec.mysql_hardening
 
-![devsec.mysql_hardening](https://github.com/dev-sec/ansible-os-hardening/workflows/devsec.mysql_hardening/badge.svg)
+![devsec.mysql_hardening](https://github.com/dev-sec/ansible-collection-hardening/workflows/devsec.mysql_hardening/badge.svg)
 
 ## Description
 
@@ -12,74 +12,128 @@ It configures:
 - Removes anonymous users, users without a password or authentication_string and test databases
 - various hardening options inside MySQL
 
+Changes of options `log_error` or `datadir` in `mysql_hardening_options` will not be checked for correct permissions. Please change/set `log_error` or `datadir` with the installation role of MySQL before running this role, or you can run this role twice.
+
+Further information is available at [Deutsche Telekom (German)](http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si) and [Symantec](http://www.symantec.com/connect/articles/securing-mysql-step-step)
+
 ## Requirements
 
-- Ansible 2.9.0
-- An existing MySQL installation
+- An existing installation of MySQL or MariaDB.
 - python-jmespath on the ansible host
 
-### Example playbook
+<!-- BEGIN_ANSIBLE_DOCS -->
+## Supported Operating Systems
+| Platform | Versions |
+| -------- | -------- |
+| EL | 7, 8, 9 |
+| Ubuntu | bionic, focal, jammy |
+| Debian | bullseye, buster |
+| Amazon |  |
+| opensuse |  |
 
-```yml
-- hosts: localhost
-  collections:
-    - devsec.hardening
-  roles:
-    - mysql_hardening
-```
+## Role Variables
 
-This role expects an existing installation of MySQL or MariaDB. Changes of options `log_error` or `datadir` in `mysql_hardening_options` will not be checked for correct permissions. Please change/set `log_error` or `datadir` with the installation role of MySQL before running this role, or you can run this role twice.  
-Please ensure that the following variables are set accordingly:
+* `mysql_daemon_enabled`
+  * Default: `true`
+  * Description: Whether to enable the MySQL-service so it starts on boot
+  * Type: bool
+  * Required: no
+* `mysql_hardening_chroot`
+  * Default: ``
+  * Description: [chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot)
+  * Type: str
+  * Required: no
+* `mysql_hardening_chroot.automatic-sp-privileges`
+  * Default: `0`
+  * Description: [automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges)
+  * Type: int
+  * Required: no
+* `mysql_hardening_enabled`
+  * Default: `true`
+  * Description: Whether to run the hardening
+  * Type: bool
+  * Required: no
+* `mysql_hardening_options.allow-suspicious-udfs`
+  * Default: `0`
+  * Description: [allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs)
+  * Type: int
+  * Required: no
+* `mysql_hardening_options.local-infile`
+  * Default: `0`
+  * Description: [local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile)
+  * Type: int
+  * Required: no
+* `mysql_hardening_options.safe-user-create`
+  * Default: `1`
+  * Description: [safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create)
+  * Type: int
+  * Required: no
+* `mysql_hardening_options.secure-auth`
+  * Default: `1`
+  * Description: [secure-auth](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth)
+  * Type: int
+  * Required: no
+* `mysql_hardening_options.secure-file-priv`
+  * Default: `/tmp`
+  * Description: [secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv)
+  * Type: str
+  * Required: no
+* `mysql_hardening_options.skip-symbolic-links`
+  * Default: `1`
+  * Description: [skip-symbolic-links](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links)
+  * Type: int
+  * Required: no
+* `mysql_hardening_restart_mysql`
+  * Default: `true`
+  * Description: Restart mysql after running this role
+  * Type: bool
+  * Required: no
+* `mysql_hardening_skip_grant_tables:`
+  * Default: `false`
+  * Description: [skip-grant-tables](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables)
+  * Type: bool
+  * Required: no
+* `mysql_hardening_skip_show_database`
+  * Default: `1`
+  * Description: [skip-show-database](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database)
+  * Type: int
+  * Required: no
+* `mysql_remove_anonymous_users`
+  * Default: `true`
+  * Description: Set to `false` to keep users without authentication
+  * Type: bool
+  * Required: no
+* `mysql_remove_remote_root`
+  * Default: `true`
+  * Description: If `true`, root can only connect from localhost. Set to `false` to not remove remote root users.
+  * Type: bool
+  * Required: no
+* `mysql_remove_test_database`
+  * Default: `true`
+  * Description: Set to `false` to keep the test database
+  * Type: bool
+  * Required: no
+* `mysql_root_password`
+  * Default: `-----====>SetR00tPa$$wordH3r3!!!<====-----`
+  * Description: The default password. Please change or overwrite it
+  * Type: str
+  * Required: no
+* `mysql_user_home`
+  * Default: `{{ ansible_env.HOME }}`
+  * Description: The path where the `.my.cnf` will be stored
+  * Type: str
+  * Required: no
 
-- `mysql_hardening_enabled: yes` role is enabled by default and can be disabled without removing it from a playbook. You can use conditional variable, for example: `mysql_hardening_enabled: "{{ true if mysql_enabled else false }}"`
-- `mysql_hardening_user: 'mysql'` The user that mysql runs as.
-- `mysql_hardening_mysql_hardening_conf_file: '/etc/mysql/conf.d/hardening.cnf'` The path to the configuration file where the hardening will be performed
-- _deprecated: `mysql_datadir: '/var/lib/mysql'` The MySQL data directory_
-  - `mysql_datadir` is no longer necessary, as MySQL data directory is automatically taken from `mysql_info`. But it can still be defined and will also be checked for correct permissions.
+## Dependencies
 
-## Role Variables
+None.
 
-- `mysql_hardening_chroot`
-  - Default: ""
-  - Description: [chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot)
-- `mysql_hardening_options.safe-user-create`
-  - Default: 1
-  - Description: [safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create)
-- `mysql_hardening_options.secure-auth`
-  - Default: 1
-  - Description: [secure-auth](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth)
-- `mysql_hardening_options.skip-symbolic-links`
-  - Default: 1
-  - Description: [skip-symbolic-links](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links)
-- `mysql_hardening_skip_grant_tables:`
-  - Default: false
-  - Description: [skip-grant-tables](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables)
-- `mysql_hardening_skip_show_database`
-  - Default: 1
-  - Description: [skip-show-database](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database)
-- `mysql_hardening_options.local-infile`
-  - Default: 0
-  - Description: [local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile)
-- `mysql_hardening_options.allow-suspicious-udfs`
-  - Default: 0
-  - Description: [allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs)
-- `mysql_hardening_chroot.automatic-sp-privileges`
-  - Default: 0
-  - Description: [automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges)
-- `mysql_hardening_options.secure-file-priv`
-  - Default: /tmp
-  - Description: [secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv)
-- `mysql_allow_remote_root`
-  - Default: false
-  - Description: delete remote root users
-- `mysql_remove_anonymous_users`
-  - Default: true
-  - Description: remove users without authentication
-- `mysql_remove_test_database`
-  - Default: true
-  - Description: remove test database
-- `mysql_hardening_restart_mysql`
-  - Default: true
-  - Description: Restart mysql after running this role
+## Example Playbook
+
+```
+- hosts: all
+  roles:
+    - name: devsec.hardening.mysql_hardening
+```
+<!-- END_ANSIBLE_DOCS -->
 
-Further information is available at [Deutsche Telekom (German)](http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si) and [Symantec](http://www.symantec.com/connect/articles/securing-mysql-step-step)
diff --git a/roles/mysql_hardening/defaults/main.yml b/roles/mysql_hardening/defaults/main.yml
@@ -6,8 +6,6 @@ mysql_daemon_enabled: true
 
 mysql_hardening_restart_mysql: true
 
-# general configuration
-mysql_hardening_mysql_hardening_conf_file: "{{ mysql_hardening_mysql_confd_dir }}/hardening.cnf"
 # You have to change this to your own strong enough mysql root password
 mysql_root_password: "-----====>SetR00tPa$$wordH3r3!!!<====-----"
 # There .my.cnf with mysql root credentials will be installed

diff --git a/roles/mysql_hardening/meta/argument_specs.yml b/roles/mysql_hardening/meta/argument_specs.yml
@@ -0,0 +1,79 @@
+---
+argument_specs:
+  main:
+    short_description: The main entry point for the mysql hardening role.
+    version_added: 8.8.0
+    options:
+      mysql_hardening_chroot:
+        default: ''
+        type: str
+        description: '[chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot)'
+      mysql_hardening_options.safe-user-create:
+        default: 1
+        type: int
+        description: '[safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create)'
+      mysql_hardening_options.secure-auth:
+        default: 1
+        type: int
+        description: '[secure-auth](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth)'
+      mysql_hardening_options.skip-symbolic-links:
+        default: 1
+        type: int
+        description: '[skip-symbolic-links](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links)'
+      'mysql_hardening_skip_grant_tables:':
+        default: false
+        type: bool
+        description: '[skip-grant-tables](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables)'
+      mysql_hardening_skip_show_database:
+        default: 1
+        type: int
+        description: '[skip-show-database](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database)'
+      mysql_hardening_options.local-infile:
+        default: 0
+        type: int
+        description: '[local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile)'
+      mysql_hardening_options.allow-suspicious-udfs:
+        default: 0
+        type: int
+        description: '[allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs)'
+      mysql_hardening_chroot.automatic-sp-privileges:
+        default: 0
+        type: int
+        description: '[automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges)'
+      mysql_hardening_options.secure-file-priv:
+        default: /tmp
+        type: str
+        description: '[secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv)'
+      mysql_remove_anonymous_users:
+        default: true
+        type: bool
+        description: Set to `false` to keep users without authentication
+      mysql_remove_test_database:
+        default: true
+        type: bool
+        description: Set to `false` to keep the test database
+      mysql_hardening_restart_mysql:
+        default: true
+        type: bool
+        description: Restart mysql after running this role
+      mysql_hardening_enabled:
+        default: true
+        type: bool
+        description: Whether to run the hardening
+      mysql_daemon_enabled:
+        default: true
+        type: bool
+        description: Whether to enable the MySQL-service so it starts on boot
+      mysql_root_password:
+        default: '-----====>SetR00tPa$$wordH3r3!!!<====-----'
+        type: str
+        description: The default password. Please change or overwrite it
+      mysql_user_home:
+        default: '{{ ansible_env.HOME }}'
+        type: str
+        description: The path where the `.my.cnf` will be stored
+      mysql_remove_remote_root:
+        default: true
+        type: bool
+        description: If `true`, root can only connect from localhost. Set to `false`
+          to not remove remote root users.
diff --git a/roles/mysql_hardening/tasks/configure.yml b/roles/mysql_hardening/tasks/configure.yml
@@ -56,7 +56,7 @@
 - name: Apply hardening configuration
   ansible.builtin.template:
     src: hardening.cnf.j2
-    dest: "{{ mysql_hardening_mysql_hardening_conf_file }}"
+    dest: "{{ mysql_hardening_mysql_confd_dir + '/hardening.cnf' }}"
     owner: "{{ mysql_cnf_owner }}"
     group: "{{ mysql_cnf_group }}"
     mode: "0640"