{"id":13753433,"url":"https://github.com/dev-sec/ansible-mysql-hardening","last_synced_at":"2025-05-09T21:34:43.889Z","repository":{"id":34502996,"uuid":"38443903","full_name":"dev-sec/ansible-mysql-hardening","owner":"dev-sec","description":"This Ansible role provides security configuration for MySQL.","archived":true,"fork":false,"pushed_at":"2020-11-16T19:54:29.000Z","size":111,"stargazers_count":140,"open_issues_count":0,"forks_count":29,"subscribers_count":28,"default_branch":"master","last_synced_at":"2024-11-16T06:30:20.735Z","etag":null,"topics":["ansible","database","hardening","mysql","mysql-hardening","playbook","protection","role","security"],"latest_commit_sha":null,"homepage":"http://dev-sec.io/","language":"Ruby","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dev-sec.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-07-02T16:28:08.000Z","updated_at":"2024-09-30T15:28:05.000Z","dependencies_parsed_at":"2022-09-01T08:20:38.255Z","dependency_job_id":null,"html_url":"https://github.com/dev-sec/ansible-mysql-hardening","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dev-sec%2Fansible-mysql-hardening","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dev-sec%2Fansible-mysql-hardening/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dev-sec%2Fansible-mysql-hardening/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dev-sec%2Fansible-mysql-hardening/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dev-sec","download_url":"https://codeload.github.com/dev-sec/ansible-mysql-hardening/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253328849,"owners_count":21891538,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","database","hardening","mysql","mysql-hardening","playbook","protection","role","security"],"created_at":"2024-08-03T09:01:22.076Z","updated_at":"2025-05-09T21:34:43.549Z","avatar_url":"https://github.com/dev-sec.png","language":"Ruby","funding_links":[],"categories":["Ruby","security"],"sub_categories":[],"readme":"# mysql-hardening (Ansible role)\n\n\n**Attention:** This role has been migrated to our hardening-collection:\n* https://github.com/dev-sec/ansible-os-hardening/\n* https://galaxy.ansible.com/devsec/hardening\n\n\n## Requirements\n\n* Ansible\n* Set up `mysql_root_password` variable\n\n## Installation\n\nInstall the role with ansible-galaxy:\n\n```sh\nansible-galaxy install dev-sec.mysql-hardening\n```\n\n### Example Playbook\n\n```yml\n- hosts: localhost\n  roles:\n    - dev-sec.mysql-hardening\n```\n\nThis hardening role installs the hardening but expects an existing installation of MySQL, MariaDB or Percona. Please ensure that the following variables are set accordingly:\n\n* `mysql_hardening_enabled: yes` role is enabled by default and can be disabled without removing it from a playbook. You can use conditional variable, for example: `mysql_hardening_enabled: \"{{ true if mysql_enabled else false }}\"`\n* `mysql_hardening_user: 'mysql'` The user that mysql runs as.\n* `mysql_datadir: '/var/lib/mysql'` The MySQL data directory\n* `mysql_hardening_mysql_hardening_conf_file: '/etc/mysql/conf.d/hardening.cnf'` The path to the configuration file where the hardening will be performed\n\n## Role Variables\n\n* `mysql_hardening_chroot`\n  * Default: \"\"\n  * Description: [chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot)\n* `mysql_hardening_options.safe-user-create`\n  * Default: 1\n  * Description: [safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create)\n* `mysql_hardening_options.secure-auth`\n  * Default: 1\n  * Description: [secure-auth](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth)\n* `mysql_hardening_options.skip-symbolic-links`\n  * Default: 1\n  * Description: [skip-symbolic-links](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links)\n* `mysql_hardening_skip_grant_tables:`\n  * Default: false\n  * Description: [skip-grant-tables](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables)\n* `mysql_hardening_skip_show_database`\n  * Default: 1\n  * Description: [skip-show-database](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database)\n* `mysql_hardening_options.local-infile`\n  * Default: 0\n  * Description: [local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile)\n* `mysql_hardening_options.allow-suspicious-udfs`\n  * Default: 0\n  * Description: [allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs)\n* `mysql_hardening_chroot.automatic-sp-privileges`\n  * Default: 0\n  * Description: [automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges)\n* `mysql_hardening_options.secure-file-priv`\n  * Default: /tmp\n  * Description: [secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv)\n* `mysql_allow_remote_root`\n  * Default: false\n  * Description: delete remote root users\n* `mysql_remove_anonymous_users`\n  * Default: true\n  * Description: remove users without authentication\n* `mysql_remove_test_database`\n  * Default: true\n  * Description: remove test database\n\nFurther information is available at [Deutsche Telekom (German)](http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si) and [Symantec](http://www.symantec.com/connect/articles/securing-mysql-step-step)\n\n## Local Testing\n\nThe preferred way of locally testing the role is to use Docker. You will have to install Docker on your system. See [Get started](https://docs.docker.com/) for a Docker package suitable to for your system.\n\nYou can also use vagrant and Virtualbox or VMWare to run tests locally. You will have to install Virtualbox and Vagrant on your system. See [Vagrant Downloads](http://downloads.vagrantup.com/) for a vagrant package suitable for your system. For all our tests we use `test-kitchen`. If you are not familiar with `test-kitchen` please have a look at [their guide](http://kitchen.ci/docs/getting-started).\n\nNext install test-kitchen:\n\n```sh\n# Install dependencies\ngem install bundler\nbundle install\n```\n\n### Testing with Docker\n\n```sh\n# list all available machines\nbundle exec kitchen list\n\n# fast test on one machine\nbundle exec kitchen test mysql-centos7-ansible-latest\n\n# test on all machines\nbundle exec kitchen test\n\n# for development\nbundle exec kitchen create mysql-centos7-ansible-latest\nbundle exec kitchen converge mysql-centos7-ansible-latest\n```\n\n### Testing with Virtualbox\n\n```sh\n# fast test on one machine\nKITCHEN_YAML=\".kitchen.vagrant.yml\" bundle exec kitchen test default-ubuntu-1404\n\n# test on all machines\nKITCHEN_YAML=\".kitchen.vagrant.yml\" bundle exec kitchen test\n\n# for development\nKITCHEN_YAML=\".kitchen.vagrant.yml\" bundle exec kitchen create default-ubuntu-1404\nKITCHEN_YAML=\".kitchen.vagrant.yml\" bundle exec kitchen converge default-ubuntu-1404\n```\n\nFor more information see [test-kitchen](http://kitchen.ci/docs/getting-started)\n\n## License and Author\n\n* Author:: Sebastian Gumprich\n* Author:: Anton Lugovoi \u003canton.lugovoi@outlook.com\u003e\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n\n[1]: http://travis-ci.org/dev-sec/ansible-mysql-hardening\n[2]: https://gitter.im/dev-sec/general\n[3]: https://galaxy.ansible.com/dev-sec/mysql-hardening/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdev-sec%2Fansible-mysql-hardening","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdev-sec%2Fansible-mysql-hardening","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdev-sec%2Fansible-mysql-hardening/lists"}