{"id":28481414,"url":"https://github.com/dev-sec/chef-mysql-hardening","last_synced_at":"2025-07-09T14:02:48.956Z","repository":{"id":16023825,"uuid":"18767493","full_name":"dev-sec/chef-mysql-hardening","owner":"dev-sec","description":"This chef cookbook provides security configuration for mysql.","archived":false,"fork":false,"pushed_at":"2025-06-20T16:03:43.000Z","size":101,"stargazers_count":27,"open_issues_count":4,"forks_count":9,"subscribers_count":17,"default_branch":"master","last_synced_at":"2025-06-20T17:23:21.073Z","etag":null,"topics":["chef","chef-cookbook","devops","hardening","mysql","security"],"latest_commit_sha":null,"homepage":"http://dev-sec.io/","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"javers/javers","license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dev-sec.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2014-04-14T16:16:26.000Z","updated_at":"2025-06-20T16:03:45.000Z","dependencies_parsed_at":"2024-07-10T14:15:31.401Z","dependency_job_id":"f9fa41d1-9383-457a-9d12-1b6d519d9b89","html_url":"https://github.com/dev-sec/chef-mysql-hardening","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/dev-sec/chef-mysql-hardening","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dev-sec%2Fchef-mysql-hardening","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dev-sec%2Fchef-mysql-hardening/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dev-sec%2Fchef-mysql-hardening/releases"
,"manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dev-sec%2Fchef-mysql-hardening/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dev-sec","download_url":"https://codeload.github.com/dev-sec/chef-mysql-hardening/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dev-sec%2Fchef-mysql-hardening/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":263606300,"owners_count":23487603,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["chef","chef-cookbook","devops","hardening","mysql","security"],"created_at":"2025-06-07T20:07:20.076Z","updated_at":"2025-07-04T19:30:21.728Z","avatar_url":"https://github.com/dev-sec.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"# mysql-hardening (Chef cookbook)\n\n[![Supermarket](http://img.shields.io/cookbook/v/mysql-hardening.svg)][1]\n[![Build Status](http://img.shields.io/travis/hardening-io/chef-mysql-hardening.svg)][2]\n[![Code Coverage](http://img.shields.io/coveralls/hardening-io/chef-mysql-hardening.svg)][3]\n[![Dependencies](http://img.shields.io/gemnasium/hardening-io/chef-mysql-hardening.svg)][4]\n[![Gitter Chat](https://badges.gitter.im/Join%20Chat.svg)][5]\n\n## Description\n\nProvides security configurations for mysql. 
It is intended to set up production-ready mysql instances that are configured with minimal surface for attackers.\n\nThis cookbook focuses on the security configuration of mysql and reuses the [mysql cookbook](https://github.com/opscode-cookbooks/mysql) for the installation. Therefore you can add this hardening layer on top of your existing mysql configuration in Chef.\n\nWe optimized this cookbook to work with [os-hardening](https://github.com/TelekomLabs/chef-os-hardening) and [ssh-hardening](https://github.com/TelekomLabs/chef-ssh-hardening) without a hassle. It will play well without them, but you need to ensure all preconditions like `apt-get update` or `yum update` are met.\n\n## Requirements\n\n* Opscode chef\n\n## Usage\n\nA sample role may look like:\n\n```json\n{\n    \"name\": \"mysql\",\n    \"override_attributes\": { },\n    \"json_class\": \"Chef::Role\",\n    \"description\": \"MySql Hardened Server Test Role\",\n    \"chef_type\": \"role\",\n    \"default_attributes\" : {\n      \"mysql\": {\n        \"server_root_password\": \"iloverandompasswordsbutthiswilldo\",\n        \"server_debian_password\": \"iloverandompasswordsbutthiswilldo\"\n      }\n    },\n    \"run_list\": [\n        \"recipe[chef-solo-search]\",\n        \"recipe[apt]\",\n        \"recipe[mysql::server]\",\n        \"recipe[mysql-hardening]\"\n    ]\n}\n```\n\n## Recipes\n\n### mysql-hardening::hardening (default)\n\nThis recipe is an overlay recipe for the [mysql cookbook](https://github.com/opscode-cookbooks/mysql) and applies `mysql-hardening::hardening`.\n\nAdd the following to your runlist and customize the security option attributes:\n\n```bash\n  \"recipe[mysql::server]\",\n  \"recipe[mysql-hardening]\"\n```\n\nThis hardening recipe installs the hardening but expects an existing installation of MySQL, MariaDB or Percona. 
If you are not using the mysql cookbook, you may need to adapt the attributes:\n\n- `node['mysql']['service_name']` = 'default'\n- `node['mysql']['data_dir']` = '/var/lib/mysql'\n- `node['mysql-hardening']['conf-file'] = '/etc/mysql/conf.d/hardening.cnf'` \n- `node['mysql-hardening']['user'] = 'mysql'`\n\n## Security Options\n\nFurther information is already available at [Deutsche Telekom (German)](https://web.archive.org/web/20140809063527/http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si) and [Symantec](http://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=e424fa89-758d-42ec-a272-a0c285d887ac\u0026CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68) \n\n * default['mysql']['security']['chroot'] - [chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot)\n * default['mysql']['security']['safe_user_create'] - [safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create)\n * default['mysql']['security']['secure_auth'] - [secure-auth](http://dev.mysql.com/doc/refman/5.7/en/connection-options.html#option_general_secure-auth)\n * default['mysql']['security']['skip_symbolic_links'] - [skip-symbolic-links](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links)\n * default['mysql']['security']['skip_show_database'] - [skip-show-database](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-showh-database)\n * default['mysql']['security']['local_infile'] - [local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile)\n * default['mysql']['security']['allow-suspicious-udfs'] - [allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs)\n * default['mysql']['security']['automatic_sp_privileges'] - 
[automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges)\n * default['mysql']['security']['secure-file-priv'] - [secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_secure_file_priv)\n\n## Security Configuration\n\nThis setup sets the following parameters by default:\n\n    user = mysql\n    port = 3306\n    bind-address = X.Y.Z.W\n\n    # via ['mysql']['security']['local_infile']\n    local-infile = 0\n\n    # via ['mysql']['security']['safe_user_create']\n    safe-user-create = 1\n\n    # via ['mysql']['security']['secure_auth']\n    secure-auth = 1\n\n    # via ['mysql']['security']['skip_show_database']\n    skip-show-database\n\n    # via ['mysql']['security']['skip_symbolic_links']\n    skip-symbolic-links\n\n    # via ['mysql']['security']['automatic_sp_privileges']\n    automatic_sp_privileges = 0\n\n    # via ['mysql']['security']['secure-file-priv']\n    secure-file-priv = /tmp\n\n\nAdditionally, it ensures that the following parameters are not set:\n\n * deactivate old-passwords via `['mysql']['security']['secure_auth']`\n * deactivate allow-suspicious-udfs via `node['mysql']['security']['allow-suspicious-udfs']`\n * skip-grant-tables\n * chroot (instead we prefer AppArmor for Ubuntu)\n\nFurthermore, the permissions of `/var/lib/mysql` are limited to the `mysql` user.\n\n## Tests\n\n```bash\n# Install dependencies\ngem install bundler\nbundle install\n\n# Do lint checks\nbundle exec rake lint\n\n# Fetch tests\ngit clone https://github.com/dev-sec/tests-mysql-hardening test/integration\n\n# fast test on one machine\nbundle exec kitchen test default-ubuntu-1204\n\n# test on all machines\nbundle exec kitchen test\n\n# for development\nbundle exec kitchen create default-ubuntu-1204\nbundle exec kitchen converge default-ubuntu-1204\n```\n\nThis cookbook comes with a [guard](https://github.com/guard/guard) file for easy development. 
During development, guard watches the folders and runs foodcritic and rubocop.\n\n```\n# list all plugins\nbundle exec guard list\n\n# run guard with foodcritic and rubocop\nbundle exec guard -P Foodcritic Rubocop\n```\n\n## Tested Operating Systems\n\n* Ubuntu 12.04\n* Ubuntu 14.04\n* CentOS 6.4\n* CentOS 6.5\n* Oracle 6.4\n* Oracle 6.5\n* Debian 7\n\n## Contributors + Kudos\n\n* Dominik Richter\n* Christoph Hartmann\n* Patrick Meier\n* Edmund Haselwanter\n\n## License and Author\n\n* Author:: Deutsche Telekom AG\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n\n[1]: https://supermarket.getchef.com/cookbooks/mysql-hardening\n[2]: http://travis-ci.org/hardening-io/chef-mysql-hardening\n[3]: https://coveralls.io/r/hardening-io/chef-mysql-hardening\n[4]: https://gemnasium.com/hardening-io/chef-mysql-hardening\n[5]: https://gitter.im/hardening-io/general\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdev-sec%2Fchef-mysql-hardening","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdev-sec%2Fchef-mysql-hardening","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdev-sec%2Fchef-mysql-hardening/lists"}