cookbook 'mysql-hardening', '~> 1.2.1'
mysql-hardening (3) Versions 1.2.1 Follow9
Installs and configures a secure mysql server
cookbook 'mysql-hardening', '~> 1.2.1', :supermarket
knife supermarket install mysql-hardening
knife supermarket download mysql-hardening
mysql-hardening (Chef cookbook)
Description
Provides security configurations for mysql. It is intended to set up production-ready mysql instances that are configured with minimal surface for attackers.
This cookbook focus security configuration of mysql and reuses the mysql cookbook for the installation. Therefore you can add this hardening layer on top of your existing mysql configuration in Chef.
We optimized this cookbook to work with os-hardening and ssh-hardening without a hassle. It will play well without, but you need to ensure all preconditions like apt-get update
or yum update
are met.
Requirements
- Opscode chef
Usage
A sample role may look like:
{ "name": "mysql", "default_attributes": { }, "override_attributes": { }, "json_class": "Chef::Role", "description": "MySql Hardened Server Test Role", "chef_type": "role", "default_attributes" : { "mysql": { "server_root_password": "iloverandompasswordsbutthiswilldo", "server_debian_password": "iloverandompasswordsbutthiswilldo" } }, "run_list": [ "recipe[chef-solo-search]", "recipe[apt]", "recipe[mysql::server]", "recipe[mysql-hardening]" ] }
Recipes
mysql-hardening::hardening (default)
This recipe is an overley recipe for the mysql cookbook) and applies mysql-hardening::hardening
Add the following to your runlist and customize security option attributes
"recipe[mysql::server]", "recipe[mysql-hardening]"
This hardening recipe installs the hardening but expects an existing installation of Mysql, MariaDB or Percona. If you are not using the mysql cookbook, you may need to adapt the attributes:
-
node['mysql']['service_name']
= 'default' -
node['mysql']['data_dir']
= '/var/lib/mysql' -
node['mysql-hardening']['conf-file'] = '/etc/mysql/conf.d/hardening.cnf'
node['mysql-hardening']['user'] = 'mysql'
Security Options
Further information is already available at Deutsche Telekom (German) and Symantec
- default['mysql']['security']['chroot'] - chroot
- default['mysql']['security']['safe_user_create'] - safe-user-create
- default['mysql']['security']['secure_auth'] - secure-auth
- default['mysql']['security']['skip_symbolic_links'] - skip-symbolic-links
- default['mysql']['security']['skip_show_database'] - skip-show-database
- default['mysql']['security']['local_infile'] - local-infile
- default['mysql']['security']['allow-suspicious-udfs'] - allow-suspicious-udfs
- default['mysql']['security']['automatic_sp_privileges'] - automatic_sp_privileges
- default['mysql']['security']['secure-file-priv'] - secure-file-priv
Security Configuration
This setup sets the following parameters by default
user = mysql
port = 3306
bind-address = X.Y.Z.W
# via ['mysql']['security']['local_infile']
local-infile = 0
# via ['mysql']['security']['safe_user_create']
safe-user-create = 1
# via ['mysql']['security']['secure_auth']
secure-auth = 1
# via ['mysql']['security']['skip_show_database']
skip-show-database
# via ['mysql']['security']['skip_symbolic_links']
skip-symbolic-links
# via ['mysql']['security']['automatic_sp_privileges']
automatic_sp_privileges = 0
# via ['mysql']['security']['secure-file-priv']
secure-file-priv = /tmp
Additionally it ensures that the following parameters are not set
- deactivate old-passwords via
['mysql']['security']['secure_auth']
- deactivate allow-suspicious-udfs via
node['mysql']['security']['allow-suspicious-udfs']
- skip-grant-tables
- chroot (instead we prefer AppArmor for Ubuntu)
Furthermore the permission of /var/lib/mysql
is limited to mysql
user.
Tests
# Install dependencies gem install bundler bundle install # Do lint checks bundle exec rake lint # Fetch tests git clone https://github.com/dev-sec/tests-mysql-hardening test/integration # fast test on one machine bundle exec kitchen test default-ubuntu-1204 # test on all machines bundle exec kitchen test # for development bundle exec kitchen create default-ubuntu-1204 bundle exec kitchen converge default-ubuntu-1204
This cookbook comes with a guard file for easy development. During development guard watches the folders and runs footcritic and robocop.
# list all plugins
bundle exec guard list
# run guard with foodcritic and robocop
bundle exec guard -P Foodcritic Rubocop
Tested Operating Systems
- Ubuntu 12.04
- Ubuntu 14.04
- CentOS 6.4
- CentOS 6.5
- Oracle 6.4
- Oracle 6.5
- Debian 7
Contributors + Kudos
- Dominik Richter
- Christoph Hartmann
- Patrick Meier
- Edmund Haselwanter
License and Author
- Author:: Deutsche Telekom AG
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Dependent cookbooks
mysql ~>5.0 |
Contingent cookbooks
There are no cookbooks that are contingent upon this one.
Change Log
v1.2.1 (2017-01-03)
Implemented enhancements:
- migrate to new inspec test suite #33 (chris-rock)
v1.2.0 (2016-08-18)
Merged pull requests:
- update berkshelf and change role to recipe in kitchen.yml #31 (chris-rock)
- update common kitchen.yml platforms #30 (chris-rock)
- update common Gemfile for chef11+12 #29 (arlimus)
- common files: centos7 + rubocop #28 (arlimus)
- update travis tests for chef 11 and chef 12 #27 (chris-rock)
- update common kitchen.yml platforms #26 (arlimus)
- update common readme badges #25 (arlimus)
- Typo Debain=>Debian #24 (sgrossberndt)
- support version > 5.2 and < 6 #23 (chris-rock)
- updating common files #21 (arlimus)
- add badges to readme #20 (chris-rock)
- add chefspec and rubocop #19 (ehaselwanter)
- use the file resource, not file type #18 (ehaselwanter)
- update project to new project defaults, tested against the updated serverspec2 test files #17 (ehaselwanter)
- updating common files #16 (arlimus)
- improvement: switch to site location in berkshelf #15 (chris-rock)
v1.1.0 (2014-09-02)
Merged pull requests:
- Overlay #14 (chris-rock)
- Seperate server installation from hardening configuration #13 (chris-rock)
v1.0.0 (2014-07-29)
Closed issues:
- more tests #1
Merged pull requests:
- add more documentation #12 (chris-rock)
- fixes to meet our hardening tests #11 (ehaselwanter)
- update rubocop, add default task, add it to travis, add spec for default task #10 (ehaselwanter)
- update with common run_all_linters task #9 (ehaselwanter)
- add openstack group #8 (chris-rock)
- add utf8 header #7 (chris-rock)
- add Gemfile.lock to ignore list and remove it from tree #6 (ehaselwanter)
- streamline .rubocop.yml #5 (ehaselwanter)
- fix rubocop warnings #4 (ehaselwanter)
- add linting tooling #3 (ehaselwanter)
- add shared test repo tooling, update .gitignore, add gemfile* #2 (ehaselwanter)
* This Change Log was automatically generated by github_changelog_generator
Collaborator Number Metric
1.2.1 passed this metric
Contributing File Metric
1.2.1 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
Foodcritic Metric
1.2.1 passed this metric
No Binaries Metric
1.2.1 passed this metric
Testing File Metric
1.2.1 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
1.2.1 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number
1.2.1 passed this metric
1.2.1 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
Foodcritic Metric
1.2.1 passed this metric
No Binaries Metric
1.2.1 passed this metric
Testing File Metric
1.2.1 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
1.2.1 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number
1.2.1 passed this metric
1.2.1 passed this metric
Testing File Metric
1.2.1 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
1.2.1 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number
1.2.1 failed this metric
1.2.1 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number