Merge branch 'master' into fix_pam

Author: rndmh3ro

CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## [8.9.0](https://github.com/dev-sec/ansible-collection-hardening/tree/8.9.0) (2023-08-07)
+
+[Full Changelog](https://github.com/dev-sec/ansible-collection-hardening/compare/8.8.0...8.9.0)
+
+**Breaking changes:**
+
+- add role argument spec for os, ssh, mysql [\#687](https://github.com/dev-sec/ansible-collection-hardening/pull/687) [[mysql_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/mysql_hardening)] [[os_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/os_hardening)] [[ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/ssh_hardening)] [[nginx_hardening](https://github.com/dev-sec/ansible-collection-hardening/labels/nginx_hardening)] ([rndmh3ro](https://github.com/rndmh3ro))
+
 ## [8.8.0](https://github.com/dev-sec/ansible-collection-hardening/tree/8.8.0) (2023-08-04)
 
 [Full Changelog](https://github.com/dev-sec/ansible-collection-hardening/compare/8.7.0...8.8.0)

galaxy.yml

@@ -1,6 +1,6 @@
 namespace: devsec
 name: hardening
-version: 8.7.0
+version: 8.8.0
 readme: README.md
 authors:
   - dev-sec <hello@dev-sec.io>

molecule/os_hardening_vm/verify.yml

@@ -8,9 +8,10 @@
     no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
   tasks:
 
-    - name: include PAM tests
-      include_tasks: verify_tasks/pam.yml
-      when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat'
+# temp. disabled - https://github.com/dev-sec/ansible-collection-hardening/issues/690
+#    - name: include PAM tests
+#      include_tasks: verify_tasks/pam.yml
+#      when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat'
 
     - name: include YUM tests
       include_tasks: verify_tasks/yum.yml

molecule/ssh_hardening_custom_tests/converge.yml

@@ -20,11 +20,6 @@
       - path: "/etc/ssh/auth_principals/root"
         principals:
           - "root"
-        owner: "{{ ssh_owner }}"
-        group: "{{ ssh_group }}"
-        directoryowner: "{{ ssh_owner }}"
-        directorygroup: "{{ ssh_group }}"
-        directorymode: "0700"
     network_ipv6_enable: true
     ssh_allow_tcp_forwarding: 'yes'
     ssh_gateway_ports: true

roles/mysql_hardening/README.md

@@ -1,6 +1,6 @@
 # devsec.mysql_hardening
 
-![devsec.mysql_hardening](https://github.com/dev-sec/ansible-os-hardening/workflows/devsec.mysql_hardening/badge.svg)
+![devsec.mysql_hardening](https://github.com/dev-sec/ansible-collection-hardening/workflows/devsec.mysql_hardening/badge.svg)
 
 ## Description
 
@@ -12,74 +12,130 @@ It configures:
 - Removes anonymous users, users without a password or authentication_string and test databases
 - various hardening options inside MySQL
 
+Changes of options `log_error` or `datadir` in `mysql_hardening_options` will not be checked for correct permissions. Please change/set `log_error` or `datadir` with the installation role of MySQL before running this role, or you can run this role twice.
+
+Further information is available at [Deutsche Telekom (German)](http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si) and [Symantec](http://www.symantec.com/connect/articles/securing-mysql-step-step)
+
 ## Requirements
 
-- Ansible 2.9.0
-- An existing MySQL installation
+- An existing installation of MySQL or MariaDB.
 - python-jmespath on the ansible host
 
-### Example playbook
+<!-- BEGIN_ANSIBLE_DOCS -->
 
-```yml
-- hosts: localhost
-  collections:
-    - devsec.hardening
-  roles:
-    - mysql_hardening
-```
+## Supported Operating Systems
 
-This role expects an existing installation of MySQL or MariaDB. Changes of options `log_error` or `datadir` in `mysql_hardening_options` will not be checked for correct permissions. Please change/set `log_error` or `datadir` with the installation role of MySQL before running this role, or you can run this role twice.  
-Please ensure that the following variables are set accordingly:
-
-- `mysql_hardening_enabled: yes` role is enabled by default and can be disabled without removing it from a playbook. You can use conditional variable, for example: `mysql_hardening_enabled: "{{ true if mysql_enabled else false }}"`
-- `mysql_hardening_user: 'mysql'` The user that mysql runs as.
-- `mysql_hardening_mysql_hardening_conf_file: '/etc/mysql/conf.d/hardening.cnf'` The path to the configuration file where the hardening will be performed
-- _deprecated: `mysql_datadir: '/var/lib/mysql'` The MySQL data directory_
-  - `mysql_datadir` is no longer necessary, as MySQL data directory is automatically taken from `mysql_info`. But it can still be defined and will also be checked for correct permissions.
+| Platform | Versions             |
+| -------- | -------------------- |
+| EL       | 7, 8, 9              |
+| Ubuntu   | bionic, focal, jammy |
+| Debian   | bullseye, buster     |
+| Amazon   |                      |
+| opensuse |                      |
 
 ## Role Variables
 
+- `mysql_daemon_enabled`
+  - Default: `true`
+  - Description: Whether to enable the MySQL-service so it starts on boot
+  - Type: bool
+  - Required: no
 - `mysql_hardening_chroot`
-  - Default: ""
+  - Default: ``
   - Description: [chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot)
+  - Type: str
+  - Required: no
+- `mysql_hardening_chroot.automatic-sp-privileges`
+  - Default: `0`
+  - Description: [automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges)
+  - Type: int
+  - Required: no
+- `mysql_hardening_enabled`
+  - Default: `true`
+  - Description: Whether to run the hardening
+  - Type: bool
+  - Required: no
+- `mysql_hardening_options.allow-suspicious-udfs`
+  - Default: `0`
+  - Description: [allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs)
+  - Type: int
+  - Required: no
+- `mysql_hardening_options.local-infile`
+  - Default: `0`
+  - Description: [local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile)
+  - Type: int
+  - Required: no
 - `mysql_hardening_options.safe-user-create`
-  - Default: 1
+  - Default: `1`
   - Description: [safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create)
+  - Type: int
+  - Required: no
 - `mysql_hardening_options.secure-auth`
-  - Default: 1
+  - Default: `1`
   - Description: [secure-auth](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth)
+  - Type: int
+  - Required: no
+- `mysql_hardening_options.secure-file-priv`
+  - Default: `/tmp`
+  - Description: [secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv)
+  - Type: str
+  - Required: no
 - `mysql_hardening_options.skip-symbolic-links`
-  - Default: 1
+  - Default: `1`
   - Description: [skip-symbolic-links](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links)
+  - Type: int
+  - Required: no
+- `mysql_hardening_restart_mysql`
+  - Default: `true`
+  - Description: Restart mysql after running this role
+  - Type: bool
+  - Required: no
 - `mysql_hardening_skip_grant_tables:`
-  - Default: false
+  - Default: `false`
   - Description: [skip-grant-tables](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables)
+  - Type: bool
+  - Required: no
 - `mysql_hardening_skip_show_database`
-  - Default: 1
+  - Default: `1`
   - Description: [skip-show-database](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database)
-- `mysql_hardening_options.local-infile`
-  - Default: 0
-  - Description: [local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile)
-- `mysql_hardening_options.allow-suspicious-udfs`
-  - Default: 0
-  - Description: [allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs)
-- `mysql_hardening_chroot.automatic-sp-privileges`
-  - Default: 0
-  - Description: [automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges)
-- `mysql_hardening_options.secure-file-priv`
-  - Default: /tmp
-  - Description: [secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv)
-- `mysql_allow_remote_root`
-  - Default: false
-  - Description: delete remote root users
+  - Type: int
+  - Required: no
 - `mysql_remove_anonymous_users`
-  - Default: true
-  - Description: remove users without authentication
+  - Default: `true`
+  - Description: Set to `false` to keep users without authentication
+  - Type: bool
+  - Required: no
+- `mysql_remove_remote_root`
+  - Default: `true`
+  - Description: If `true`, root can only connect from localhost. Set to `false` to not remove remote root users.
+  - Type: bool
+  - Required: no
 - `mysql_remove_test_database`
-  - Default: true
-  - Description: remove test database
-- `mysql_hardening_restart_mysql`
-  - Default: true
-  - Description: Restart mysql after running this role
+  - Default: `true`
+  - Description: Set to `false` to keep the test database
+  - Type: bool
+  - Required: no
+- `mysql_root_password`
+  - Default: `-----====>SetR00tPa$$wordH3r3!!!<====-----`
+  - Description: The default password. Please change or overwrite it
+  - Type: str
+  - Required: no
+- `mysql_user_home`
+  - Default: `{{ ansible_env.HOME }}`
+  - Description: The path where the `.my.cnf` will be stored
+  - Type: str
+  - Required: no
 
-Further information is available at [Deutsche Telekom (German)](http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si) and [Symantec](http://www.symantec.com/connect/articles/securing-mysql-step-step)
+## Dependencies
+
+None.
+
+## Example Playbook
+
+```
+- hosts: all
+  roles:
+    - name: devsec.hardening.mysql_hardening
+```
+
+<!-- END_ANSIBLE_DOCS -->

roles/mysql_hardening/defaults/main.yml

@@ -6,8 +6,6 @@ mysql_daemon_enabled: true
 
 mysql_hardening_restart_mysql: true
 
-# general configuration
-mysql_hardening_mysql_hardening_conf_file: "{{ mysql_hardening_mysql_confd_dir }}/hardening.cnf"
 # You have to change this to your own strong enough mysql root password
 mysql_root_password: "-----====>SetR00tPa$$wordH3r3!!!<====-----"
 # There .my.cnf with mysql root credentials will be installed

roles/mysql_hardening/meta/argument_specs.yml

@@ -0,0 +1,79 @@
+---
+argument_specs:
+  main:
+    short_description: The main entry point for the mysql hardening role.
+    version_added: 8.8.0
+    options:
+      mysql_hardening_chroot:
+        default: ''
+        type: str
+        description: '[chroot](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_chroot)'
+      mysql_hardening_options.safe-user-create:
+        default: 1
+        type: int
+        description: '[safe-user-create](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create)'
+      mysql_hardening_options.secure-auth:
+        default: 1
+        type: int
+        description: '[secure-auth](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth)'
+      mysql_hardening_options.skip-symbolic-links:
+        default: 1
+        type: int
+        description: '[skip-symbolic-links](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links)'
+      'mysql_hardening_skip_grant_tables:':
+        default: false
+        type: bool
+        description: '[skip-grant-tables](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-grant-tables)'
+      mysql_hardening_skip_show_database:
+        default: 1
+        type: int
+        description: '[skip-show-database](http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database)'
+      mysql_hardening_options.local-infile:
+        default: 0
+        type: int
+        description: '[local-infile](http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile)'
+      mysql_hardening_options.allow-suspicious-udfs:
+        default: 0
+        type: int
+        description: '[allow-suspicious-udfs](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs)'
+      mysql_hardening_chroot.automatic-sp-privileges:
+        default: 0
+        type: int
+        description: '[automatic_sp_privileges](https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges)'
+      mysql_hardening_options.secure-file-priv:
+        default: /tmp
+        type: str
+        description: '[secure-file-priv](https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv)'
+      mysql_remove_anonymous_users:
+        default: true
+        type: bool
+        description: Set to `false` to keep users without authentication
+      mysql_remove_test_database:
+        default: true
+        type: bool
+        description: Set to `false` to keep the test database
+      mysql_hardening_restart_mysql:
+        default: true
+        type: bool
+        description: Restart mysql after running this role
+      mysql_hardening_enabled:
+        default: true
+        type: bool
+        description: Whether to run the hardening
+      mysql_daemon_enabled:
+        default: true
+        type: bool
+        description: Whether to enable the MySQL-service so it starts on boot
+      mysql_root_password:
+        default: '-----====>SetR00tPa$$wordH3r3!!!<====-----'
+        type: str
+        description: The default password. Please change or overwrite it
+      mysql_user_home:
+        default: '{{ ansible_env.HOME }}'
+        type: str
+        description: The path where the `.my.cnf` will be stored
+      mysql_remove_remote_root:
+        default: true
+        type: bool
+        description: If `true`, root can only connect from localhost. Set to `false`
+          to not remove remote root users.

roles/mysql_hardening/tasks/configure.yml

@@ -56,7 +56,7 @@
 - name: Apply hardening configuration
   ansible.builtin.template:
     src: hardening.cnf.j2
-    dest: "{{ mysql_hardening_mysql_hardening_conf_file }}"
+    dest: "{{ mysql_hardening_mysql_confd_dir + '/hardening.cnf' }}"
     owner: "{{ mysql_cnf_owner }}"
     group: "{{ mysql_cnf_group }}"
     mode: "0640"