From 43b5e1ec947f51fcf622ff674224d97d1980f8bf Mon Sep 17 00:00:00 2001 From: fitz123 Date: Sat, 21 May 2016 17:48:18 +0700 Subject: [PATCH 01/17] alt version initial commit
---
defaults/main.yml | 3 ++ tasks/configure.yml | 18 ++++++++++++ tasks/main.yml | 32 +++++++------------- tasks/mysql_secure_installation.yml | 45 +++++++++++++++++++++++++++++ templates/my.cnf.j2 | 4 +++ 5 files changed, 80 insertions(+), 22 deletions(-) create mode 100644 tasks/configure.yml create mode 100644 tasks/mysql_secure_installation.yml create mode 100644 templates/my.cnf.j2
diff --git a/defaults/main.yml b/defaults/main.yml
index 297a736..61a5ac0 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,7 +1,10 @@
+mysql_hardening_enabled: yes
 # general configuration
 mysql_hardening_user: 'mysql'
+mysql_hardening_group: 'mysql'
 mysql_datadir: '/var/lib/mysql'
 mysql_hardening_hardening_conf: '/etc/mysql/conf.d/hardening.cnf'
+mysql_root_password: "{{ lookup('env','mysql_root_password') }}"
 # ensure the following parameters are set properly
 mysql_allow_remote_root: false
diff --git a/tasks/configure.yml b/tasks/configure.yml
new file mode 100644
index 0000000..6c3ec94
--- /dev/null
+++ b/tasks/configure.yml
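Review bot: `mysql_hardening_enabled: yes` on the first added line is a YAML 1.1 truthy spelling, and the same spelling recurs in the defaults hunks of patches 04 and 07 (`no`, `yes`); write it as `mysql_hardening_enabled: true` so yamllint and YAML 1.2 parsers see the same boolean Ansible does. The new `mysql_root_password` default deserves a comment, because `lookup('env', ...)` runs on the control node and resolves to an empty string when the variable is unset, which is exactly the value the include guard in tasks/main.yml tests for: `# resolved on the controller; empty when the env var is unset`.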
@@ -0,0 +1,18 @@
+---
+
+- name: protect my.cnf
+ file: path='{{mysql_hardening_mysql_conf}}' mode=0600 owner=root group=root
+
+- name: ensure permissions on mysql-datadir are correct
+ file: path='{{mysql_datadir}}' state=directory owner='{{mysql_hardening_user}}' group='{{mysql_hardening_user}}'
+
+- name: check mysql configuration-directory exists and has right permissions
+ file: path='/etc/mysql/conf.d' state=directory owner='{{mysql_hardening_user}}' group='{{mysql_hardening_group}}' mode=0470
+
+- name: check include-dir directive is present in my.cnf
+ lineinfile: dest='{{mysql_hardening_mysql_conf}}' line='!includedir /etc/mysql/conf.d/' insertafter='EOF' state=present backup=yes
+ notify: restart mysql
+
+- name: apply hardening configuration
+ template: src='hardening.cnf.j2' dest='{{mysql_hardening_hardening_conf}}' owner='{{mysql_hardening_user}}' group='{{mysql_hardening_group}}' mode=0460
+ notify: restart mysql
diff --git a/tasks/main.yml b/tasks/main.yml
index fb69230..995202d 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
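Review bot: The third and fifth tasks make the service account (`mysql_hardening_user`) the owner of `/etc/mysql/conf.d` and of `hardening.cnf`, so the mode bits cannot constrain it — an owner can chmod its own files — and `mode=0470` / `mode=0460` additionally leave that owner without execute on the directory while giving the group more rights than the owner. If mysqld parses its option files as the mysql user (for example a unit with `User=mysql`), the `!includedir` contents are not traversable and the hardening configuration is silently skipped; I have not verified which user reads the config on the targeted distributions. A root-owned layout with the service account as group reader keeps the files hardened and readable: `file: path='/etc/mysql/conf.d' state=directory owner=root group='{{mysql_hardening_user}}' mode=0750` and `template: ... owner=root group='{{mysql_hardening_user}}' mode=0640`.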
@@ -4,25 +4,13 @@
 include_vars: "{{ ansible_os_family }}.yml"
 tags: always
-- name: protect my.cnf
- file: path='{{mysql_hardening_mysql_conf}}' mode=0600 owner=root group=root
-
-- name: ensure permissions on mysql-datadir are correct
- file: path='{{mysql_datadir}}' state=directory owner='{{mysql_hardening_user}}' group='{{mysql_hardening_user}}'
-
-- name: create mysql configuration-directory
- file: path='/etc/mysql/conf.d' state=directory owner='{{mysql_hardening_user}}' mode=0600
-
-- name: add include-dir directive to my.cnf
- lineinfile: dest='{{mysql_hardening_mysql_conf}}' line='!includedir /etc/mysql/conf.d/' insertafter='^\[mysql\]' state=present backup=yes
-
-- name: apply hardening configuration
- template: src='hardening.cnf.j2' dest='{{mysql_hardening_hardening_conf}}' owner='{{mysql_hardening_user}}' mode=0750
- notify: restart mysql
-
-# Copy database dump file to remote host and restore it to database 'my_db'
-- name: copy the sql-script to the remote host
- copy: src='mysql_grants.sql' dest='/tmp/'
-
-- name: run the mysql_grants.sql script
- mysql_db: name='mysql' state=import target='/tmp/mysql_grants.sql'
+- include: configure.yml
+ when: mysql_hardening_enabled
+ tags:
+ - mysql_hardening
+
+- include: mysql_secure_installation.yml
+ when: mysql_hardening_enabled and mysql_root_password != ''
+ tags:
+ - mysql_hardening
+ - mysql_secure_installation
diff --git a/tasks/mysql_secure_installation.yml b/tasks/mysql_secure_installation.yml
new file mode 100644
index 0000000..8491da0
--- /dev/null
+++ b/tasks/mysql_secure_installation.yml
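Review bot: The guard `when: mysql_hardening_enabled and mysql_root_password != ''` on the second include skips the whole secure-installation step silently when the environment variable behind the default is unset, so a run reports success while the root password, anonymous users and remote root are left untouched. A missing credential should stop the play rather than degrade it: `- fail: msg="mysql_root_password is empty; export it or set it in the playbook"` with `when: mysql_hardening_enabled and mysql_root_password == ''` placed before the include, and the include's own condition reduced to `when: mysql_hardening_enabled`.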
@@ -0,0 +1,45 @@
+---
+
+- name: Install python-mysqldb for Ansible
+ package: pkg=python-mysqldb state=present
+
+- name: root password is present
+ mysql_user: name=root host={{ item }} password={{ mysql_root_password }} state=present
+ with_items:
+ - '::1'
+ - '127.0.0.1'
+ - 'localhost'
+
+- name: root has .my.cnf
+ template: src=my.cnf.j2 dest=/root/.my.cnf
+ owner=root group=root mode=0600
+ tags: my_cnf
+
+# Can use only if ansible ver => 2.1
+#- name: anonymous users are absent
+# mysql_user: name='' state=absent host_all=yes
+# when: mysql_remove_anonymous_users
+- name: anonymous users are absent
+ command: 'mysql -ne "{{ item }}"'
+ with_items:
+ - DELETE FROM mysql.user WHERE User=''
+ when: mysql_remove_anonymous_users
+ changed_when: false
+
+- name: remote root login is restricted
+ command: 'mysql -ne "{{ item }}"'
+ with_items:
+ - DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')
+ when: not mysql_allow_remote_root
+ changed_when: false
+
+- name: test database is absent
+ mysql_db: name=test state=absent
+ when: mysql_remove_test_database
+
+- name: access to test database is absent
+ command: 'mysql -ne "{{ item }}"'
+ with_items:
+ - DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%'
+ when: mysql_remove_test_database
+ changed_when: false
diff --git a/templates/my.cnf.j2 b/templates/my.cnf.j2
new file mode 100644
index 0000000..3996fff
--- /dev/null
+++ b/templates/my.cnf.j2
@@ -0,0 +1,4 @@
+[client]
+user=root
+password='{{ mysql_root_password }}'
+#ssl
From 8986cd94504696c4d930c5930487f274228a53d0 Mon Sep 17 00:00:00 2001 From: fitz123 Date: Sat, 21 May 2016 18:11:03 +0700 Subject: [PATCH 02/17] remove .sql file
---
files/mysql_grants.sql | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 files/mysql_grants.sql
diff --git a/files/mysql_grants.sql b/files/mysql_grants.sql
deleted file mode 100644
index 5312c5a..0000000
--- a/files/mysql_grants.sql
+++ /dev/null
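Review bot: The `anonymous users are absent`, `remote root login is restricted` and `access to test database is absent` tasks edit the grant tables with plain `DELETE` statements and never issue `FLUSH PRIVILEGES`, so the running server keeps its in-memory grant tables and the removed accounts can still log in until a restart; add `- FLUSH PRIVILEGES` as the last `with_items` entry of each of the three `command` tasks (the same omission carries into files/mysql_remove_anonymous_users.sql and files/mysql_remove_remote_root.sql in patch 03). The `root password is present` task and the `.my.cnf` template task also echo the password into task output and logs under `-v`; add `no_log: true` to both. `changed_when: false` on tasks that delete rows is inaccurate as well, since they do change the server.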
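Review bot: `password='{{ mysql_root_password }}'` writes the secret into the option file unescaped; MySQL interprets backslash escapes in option values and a literal `'` ends a quoted value, so a password containing either character yields a file that cannot log in, and the `mysql -ne` tasks in tasks/mysql_secure_installation.yml, which presumably rely on this file, then fail. Document the constraint in the template itself, e.g. `# managed by ansible: the password must not contain ' or \`, or escape the value in the template. The trailing `#ssl` line reads as a leftover and should become a real `ssl` option or be removed.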
@@ -1,4 +0,0 @@
-DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
-DELETE FROM mysql.user WHERE User='';
-DROP DATABASE IF EXISTS test;
-DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%';
From 2a8f03d0cc8726dcab3da34cf5cb8a464150f702 Mon Sep 17 00:00:00 2001 From: fitz123 Date: Sat, 21 May 2016 21:03:36 +0700 Subject: [PATCH 03/17] replace all mysql-client related tasks by ansible mysql modules tasks
---
defaults/main.yml | 2 +- files/mysql_remove_anonymous_users.sql | 1 + files/mysql_remove_remote_root.sql | 1 + tasks/mysql_secure_installation.yml | 48 ++++++++++++++++++-------- 4 files changed, 36 insertions(+), 16 deletions(-) create mode 100644 files/mysql_remove_anonymous_users.sql create mode 100644 files/mysql_remove_remote_root.sql
diff --git a/defaults/main.yml b/defaults/main.yml
index 61a5ac0..e0ebd84 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -7,7 +7,7 @@ mysql_hardening_hardening_conf: '/etc/mysql/conf.d/hardening.cnf'
 mysql_root_password: "{{ lookup('env','mysql_root_password') }}"
 # ensure the following parameters are set properly
-mysql_allow_remote_root: false
+mysql_remove_remote_root: true
 mysql_remove_anonymous_users: true
 mysql_remove_test_database: true
diff --git a/files/mysql_remove_anonymous_users.sql b/files/mysql_remove_anonymous_users.sql
new file mode 100644
index 0000000..916d83e
--- /dev/null
+++ b/files/mysql_remove_anonymous_users.sql
@@ -0,0 +1 @@
+DELETE FROM mysql.user WHERE User='';
diff --git a/files/mysql_remove_remote_root.sql b/files/mysql_remove_remote_root.sql
new file mode 100644
index 0000000..a95b990
--- /dev/null
+++ b/files/mysql_remove_remote_root.sql
@@ -0,0 +1 @@
+DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
diff --git a/tasks/mysql_secure_installation.yml b/tasks/mysql_secure_installation.yml
index 8491da0..f7e2293 100644
--- a/tasks/mysql_secure_installation.yml
+++ b/tasks/mysql_secure_installation.yml
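Review bot: Renaming `mysql_allow_remote_root: false` to `mysql_remove_remote_root: true` in the defaults hunk flips the variable's sense, and Ansible does not complain about a variable the role no longer reads, so a playbook that still sets `mysql_allow_remote_root: true` now has remote root removed with no signal that its setting was ignored. Either keep the old name as an input, e.g. `mysql_remove_remote_root: "{{ not (mysql_allow_remote_root | default(false)) }}"`, or add a comment above the new key naming the retired one so readers of the defaults know why it disappeared.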
@@ -1,7 +1,17 @@
 ---
+# supported for ansible ver => 2.0
+#- name: Install python-mysqldb for Ansible
+# package: pkg=python-mysqldb state=present
+
+
+- name: Install python-mysqldb for Ansible
+ apt: name=python-mysqldb state=present
+ when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+
 - name: Install python-mysqldb for Ansible
- package: pkg=python-mysqldb state=present
+ yum: name=python-mysqldb state=present
+ when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
 - name: root password is present
 mysql_user: name=root host={{ item }} password={{ mysql_root_password }} state=present
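Review bot: The two driver-install tasks gate on different facts — `ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'` for apt but `ansible_os_family` for yum — so a Debian-family derivative reporting another distribution name installs nothing and the later `mysql_user` task fails on the missing MySQLdb module. As far as I recall Oracle Linux reports `ansible_os_family` as `RedHat`, which would make the `'Oracle Linux'` clause dead; please confirm against the facts of a real host. `when: ansible_os_family == 'Debian'` and `when: ansible_os_family == 'RedHat'` cover both branches consistently, and the two tasks should carry distinct names so play output tells them apart.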
@@ -15,31 +25,39 @@
 owner=root group=root mode=0600
 tags: my_cnf
+- name: test database is absent
+ mysql_db: name=test state=absent
+ when: mysql_remove_test_database
+
 # Can use only if ansible ver => 2.1
 #- name: anonymous users are absent
 # mysql_user: name='' state=absent host_all=yes
 # when: mysql_remove_anonymous_users
-- name: anonymous users are absent
- command: 'mysql -ne "{{ item }}"'
+
+- name: copy mysql_remove_anonymous_users
+ copy: src='{{ item }}.sql' dest='/tmp/{{ item }}.sql'
 with_items:
- - DELETE FROM mysql.user WHERE User=''
+ - mysql_remove_anonymous_users
 when: mysql_remove_anonymous_users
 changed_when: false
-- name: remote root login is restricted
- command: 'mysql -ne "{{ item }}"'
+- name: apply mysql_remove_anonymous_users
+ mysql_db: name='mysql' state=import target='/tmp/{{ item }}.sql'
 with_items:
- - DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')
- when: not mysql_allow_remote_root
+ - mysql_remove_anonymous_users
+ when: mysql_remove_anonymous_users
 changed_when: false
-- name: test database is absent
- mysql_db: name=test state=absent
- when: mysql_remove_test_database
+- name: copy mysql_remove_remote_root
+ copy: src='{{ item }}.sql' dest='/tmp/{{ item }}.sql'
+ with_items:
+ - mysql_remove_remote_root
+ when: mysql_remove_remote_root
+ changed_when: false
-- name: access to test database is absent
- command: 'mysql -ne "{{ item }}"'
+- name: apply mysql_remove_remote_root
+ mysql_db: name='mysql' state=import target='/tmp/{{ item }}.sql'
 with_items:
- - DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%'
- when: mysql_remove_test_database
+ - mysql_remove_remote_root
+ when: mysql_remove_remote_root
 changed_when: false
From 67a3b14051158000bb1be87da4fda96d8538de46 Mon Sep 17 00:00:00 2001 From: fitz123 Date: Sat, 21 May 2016 23:10:36 +0700 Subject: [PATCH 04/17] disable role by default
---
defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
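Review bot: The `copy mysql_remove_*` tasks stage SQL in `/tmp/{{ item }}.sql` and the following `mysql_db ... state=import` executes that file with MySQL root privileges; `/tmp` is world-writable, so on a shared host the content that runs is whatever sits at that predictable path when the import starts, and the files are left behind afterwards. Stage them under a directory only root can write, pass `mode=0600` on the `copy`, and add a `file: ... state=absent` cleanup after each import — or run the statements through the `mysql_user` module, as the commented block above already anticipates. `changed_when: false` on both `apply` tasks also hides a real change to the grant tables.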
diff --git a/defaults/main.yml b/defaults/main.yml
index e0ebd84..59b1d74 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,4 +1,4 @@
-mysql_hardening_enabled: yes
+mysql_hardening_enabled: no
 # general configuration
 mysql_hardening_user: 'mysql'
 mysql_hardening_group: 'mysql'
From 57937c0170d9549526646c92f145d9a98399335d Mon Sep 17 00:00:00 2001 From: fitz123 Date: Mon, 23 May 2016 01:04:17 +0700 Subject: [PATCH 05/17] change default admin group mysql->root
---
defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 59b1d74..e137d44 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,7 +1,7 @@
 mysql_hardening_enabled: no
 # general configuration
 mysql_hardening_user: 'mysql'
-mysql_hardening_group: 'mysql'
+mysql_hardening_group: 'root'
 mysql_datadir: '/var/lib/mysql'
 mysql_hardening_hardening_conf: '/etc/mysql/conf.d/hardening.cnf'
 mysql_root_password: "{{ lookup('env','mysql_root_password') }}"
From 888247733806440eb55c8c3ef6d382ddfb980b89 Mon Sep 17 00:00:00 2001 From: fitz123 Date: Mon, 23 May 2016 01:08:33 +0700 Subject: [PATCH 06/17] fixed package name for RHEL: python-mysqldb->MySQL-python
---
tasks/mysql_secure_installation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/mysql_secure_installation.yml b/tasks/mysql_secure_installation.yml
index f7e2293..b929a7c 100644
--- a/tasks/mysql_secure_installation.yml
+++ b/tasks/mysql_secure_installation.yml
@@ -10,7 +10,7 @@
 when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
 - name: Install python-mysqldb for Ansible
- yum: name=python-mysqldb state=present
+ yum: name=MySQL-python state=present
 when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
 - name: root password is present
From dfc4c813c83439663a47596f2bf18e3f9ce56e16 Mon Sep 17 00:00:00 2001
From: fitz123 Date: Wed, 1 Jun 2016 01:38:56 +0700 Subject: [PATCH 07/17] add 'mysql_user_home' variable and turn on role by default
---
defaults/main.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index e137d44..490802e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,10 +1,13 @@
-mysql_hardening_enabled: no
+# switcher to enable/disable role
+mysql_hardening_enabled: yes
+
 # general configuration
 mysql_hardening_user: 'mysql'
 mysql_hardening_group: 'root'
 mysql_datadir: '/var/lib/mysql'
 mysql_hardening_hardening_conf: '/etc/mysql/conf.d/hardening.cnf'
-mysql_root_password: "{{ lookup('env','mysql_root_password') }}"
+mysql_user_home: "{{ ansible_env.HOME}}"
+mysql_root_password: '-----====>SetR00tPa$$wordH3r3!!!<====-----'
 # ensure the following parameters are set properly
 mysql_remove_remote_root: true
From 780c4affdef76919492e8557419bf62364de2832 Mon Sep 17 00:00:00 2001 From: fitz123 Date: Wed, 1 Jun 2016 01:39:35 +0700 Subject: [PATCH 08/17] install .my.cnf into 'mysql_user_home' location instead of hardcoded /root
---
tasks/mysql_secure_installation.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tasks/mysql_secure_installation.yml b/tasks/mysql_secure_installation.yml
index b929a7c..8b9c636 100644
--- a/tasks/mysql_secure_installation.yml
+++ b/tasks/mysql_secure_installation.yml
@@ -20,8 +20,8 @@
 - '127.0.0.1'
 - 'localhost'
-- name: root has .my.cnf
- template: src=my.cnf.j2 dest=/root/.my.cnf
+- name: install .my.cnf with credentials
+ template: src=my.cnf.j2 dest={{mysql_user_home}}/.my.cnf
 owner=root group=root mode=0600
 tags: my_cnf
From 9289dc81a730abafc4f2ffea68f9a176f2588ebb Mon Sep 17 00:00:00 2001 From: fitz123 Date: Wed, 1 Jun 2016 02:09:07 +0700 Subject: [PATCH 09/17] make mysql_root_password as mandatory variable
---
templates/my.cnf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
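Review bot: `mysql_root_password: '-----====>SetR00tPa$$wordH3r3!!!<====-----'` ships a literal root password in defaults/main.yml, and the `root password is present` task in tasks/mysql_secure_installation.yml sets exactly this value on every server whose playbook forgets to override it — a credential that is public in the repository. A default here also neutralises any downstream "is it set" check, since the variable is now always defined. Drop the line and leave the variable undefined, documenting it with `# mysql_root_password: no default on purpose - must be supplied by the playbook or inventory`, so a missing value aborts the run instead of configuring a known password.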
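Review bot: `dest={{mysql_user_home}}/.my.cnf` with `mysql_user_home` defaulting to `{{ ansible_env.HOME}}` writes the root credential file into the home directory of whichever account the facts were gathered as, which depends on whether facts were gathered under `become`; with the unchanged `owner=root group=root mode=0600` that can leave a root-owned secret inside an ordinary user's home. The intent seems to be the home of the account that later runs the `mysql` client, so state that assumption on the task: `# .my.cnf must land in the HOME of the user the mysql client runs as (root when become is used)`. Also quote the Jinja expression in the `dest=` argument, since a space in the path would split the key=value line.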
diff --git a/templates/my.cnf.j2 b/templates/my.cnf.j2
index 3996fff..ce66b13 100644
--- a/templates/my.cnf.j2
+++ b/templates/my.cnf.j2
@@ -1,4 +1,4 @@
 [client]
 user=root
-password='{{ mysql_root_password }}'
+password='{{ mysql_root_password | mandatory }}'
 #ssl
From 01bd7bcedee322506a667c8e5f9155f6e9ed082a Mon Sep 17 00:00:00 2001 From: fitz123 Date: Wed, 1 Jun 2016 02:10:42 +0700 Subject: [PATCH 10/17] make mysql_root_password mandatory variable and change owner/group permissions for users .my.cnf
---
tasks/mysql_secure_installation.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tasks/mysql_secure_installation.yml b/tasks/mysql_secure_installation.yml
index 8b9c636..866038e 100644
--- a/tasks/mysql_secure_installation.yml
+++ b/tasks/mysql_secure_installation.yml
@@ -14,7 +14,7 @@
 when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
 - name: root password is present
- mysql_user: name=root host={{ item }} password={{ mysql_root_password }} state=present
+ mysql_user: name=root host={{ item }} password={{ mysql_root_password | mandatory }} state=present
 with_items:
 - '::1'
 - '127.0.0.1'
@@ -22,7 +22,7 @@
 - name: install .my.cnf with credentials
 template: src=my.cnf.j2 dest={{mysql_user_home}}/.my.cnf
- owner=root group=root mode=0600
+ mode=0400
 tags: my_cnf
 - name: test database is absent
From 6542799382d02fed35ee980da0550d5d27e00bf7 Mon Sep 17 00:00:00 2001 From: fitz123 Date: Wed, 1 Jun 2016 02:16:18 +0700 Subject: [PATCH 11/17] add warning about using default mysql_root_password
---
tasks/mysql_secure_installation.yml | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/tasks/mysql_secure_installation.yml b/tasks/mysql_secure_installation.yml
index 866038e..53a6fd3 100644
--- a/tasks/mysql_secure_installation.yml
+++ b/tasks/mysql_secure_installation.yml
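Review bot: `{{ mysql_root_password | mandatory }}` only raises when the variable is undefined, and defaults/main.yml defines it (with the placeholder string since patch 07), so the filter never fires in this template — nor on the `mysql_user` line of patch 10, which applies the same filter — and an empty string passes it as well. An explicit precondition in tasks/mysql_secure_installation.yml does what the commit title promises: `- assert:` / `    that: "mysql_root_password != '' and mysql_root_password != '-----====>SetR00tPa$$wordH3r3!!!<====-----'"`. The template's `mandatory` can stay as a secondary check.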
@@ -13,6 +13,9 @@
 yum: name=MySQL-python state=present
 when: ansible_os_family == 'RedHat' or ansible_os_family == 'Oracle Linux'
+- debug: msg="WARNING - you have to change default mysql_root_password"
+ when: mysql_root_password == '-----====>SetR00tPa$$wordH3r3!!!<====-----'
+
 - name: root password is present
 mysql_user: name=root host={{ item }} password={{ mysql_root_password | mandatory }} state=present
 with_items:
From f4e84e5fed2e1783fafd5cdc21d3d58868de206c Mon Sep 17 00:00:00 2001 From: fitz123 Date: Wed, 1 Jun 2016 02:20:52 +0700 Subject: [PATCH 12/17] add comments into defaults
---
defaults/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 490802e..32b0ea0 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -6,8 +6,10 @@ mysql_hardening_user: 'mysql'
 mysql_hardening_group: 'root'
 mysql_datadir: '/var/lib/mysql'
 mysql_hardening_hardening_conf: '/etc/mysql/conf.d/hardening.cnf'
-mysql_user_home: "{{ ansible_env.HOME}}"
+# You have to change this to your own strong enough mysql root password
 mysql_root_password: '-----====>SetR00tPa$$wordH3r3!!!<====-----'
+# There .my.cnf with mysql root credentials will be installed
+mysql_user_home: "{{ ansible_env.HOME}}"
 # ensure the following parameters are set properly
 mysql_remove_remote_root: true
From 8f1d970bd27c21d7c5a2cae25caeff7f63183305 Mon Sep 17 00:00:00 2001 From: fitz123 Date: Wed, 1 Jun 2016 02:39:46 +0700 Subject: [PATCH 13/17] run mysql_secure_installation always
---
tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index 995202d..83659fb 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -10,7 +10,7 @@
 - mysql_hardening
 - include: mysql_secure_installation.yml
- when: mysql_hardening_enabled and mysql_root_password != ''
+ when: mysql_hardening_enabled
 tags:
 - mysql_hardening
 - mysql_secure_installation
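Review bot: The new `debug` task only prints a warning; the play continues and the very next task, `root password is present`, sets the server's root password to the placeholder from defaults/main.yml. A default that must be changed has to abort, so replace `debug` with `fail` under the same condition: `- fail: msg="default mysql_root_password must be changed"` / `  when: mysql_root_password == '-----====>SetR00tPa$$wordH3r3!!!<====-----'`. Patch 13 in this series drops the `mysql_root_password != ''` guard on the include in tasks/main.yml, which makes this task the only gate before the password is applied.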
From 4e4b931cc5bdd198c0f85fdc2415479324d25872 Mon Sep 17 00:00:00 2001 From: fitz123 Date: Wed, 1 Jun 2016 02:41:38 +0700 Subject: [PATCH 14/17] fix task name
---
tasks/mysql_secure_installation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/mysql_secure_installation.yml b/tasks/mysql_secure_installation.yml
index 53a6fd3..3f7ed21 100644
--- a/tasks/mysql_secure_installation.yml
+++ b/tasks/mysql_secure_installation.yml
@@ -5,7 +5,7 @@
 # package: pkg=python-mysqldb state=present
-- name: Install python-mysqldb for Ansible
+- name: Install MySQL-python for Ansible
 apt: name=python-mysqldb state=present
 when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
From 56fe7393f2bd17092b826aac054280ca9bcc47f4 Mon Sep 17 00:00:00 2001 From: fitz123 Date: Wed, 1 Jun 2016 02:46:41 +0700 Subject: [PATCH 15/17] README updated
---
README.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/README.md b/README.md
index 20244c1..ba14868 100644
--- a/README.md
+++ b/README.md
@@ -11,11 +11,7 @@ This role focuses on security configuration of MySQL. Therefore you can add this
 ## Requirements
 * Ansible
-* Python MySQL-DB Package
-
-## Usage
-
-Before you use this role make sure to have a valid login-configuration in `~/.my.cnf` so Ansible is able to login into your database.
+* Set up `mysql_root_password` variable
 ### Example Playbook
From ef77bf7c1120bffe361114d02a49f16a301ea581 Mon Sep 17 00:00:00 2001 From: fitz123 Date: Wed, 1 Jun 2016 02:57:04 +0700 Subject: [PATCH 16/17] delete spaces in variables ({{ item }} -> {{item}})
---
tasks/mysql_secure_installation.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/tasks/mysql_secure_installation.yml b/tasks/mysql_secure_installation.yml
index 3f7ed21..d5f8834 100644
--- a/tasks/mysql_secure_installation.yml
+++ b/tasks/mysql_secure_installation.yml
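Review bot: The rename attaches `Install MySQL-python for Ansible` to the apt task that installs `python-mysqldb`, while the yum task that actually installs `MySQL-python` (patch 06) keeps the name `Install python-mysqldb for Ansible`, so the two names are now crossed relative to their packages. Name both after their purpose, e.g. `- name: Install the MySQLdb python module required by the mysql_* modules`, which also stops the names from going stale whenever a distribution renames the package.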
@@ -17,7 +17,7 @@ when: mysql_root_password == '-----====>SetR00tPa$$wordH3r3!!!<====-----' - name: root password is present - mysql_user: name=root host={{ item }} password={{ mysql_root_password | mandatory }} state=present + mysql_user: name=root host={{item}} password={{mysql_root_password | mandatory}} state=present with_items: - '::1' - '127.0.0.1' @@ -38,28 +38,28 @@ # when: mysql_remove_anonymous_users - name: copy mysql_remove_anonymous_users - copy: src='{{ item }}.sql' dest='/tmp/{{ item }}.sql' + copy: src='{{item}}.sql' dest='/tmp/{{item}}.sql' with_items: - mysql_remove_anonymous_users when: mysql_remove_anonymous_users changed_when: false - name: apply mysql_remove_anonymous_users - mysql_db: name='mysql' state=import target='/tmp/{{ item }}.sql' + mysql_db: name='mysql' state=import target='/tmp/{{item}}.sql' with_items: - mysql_remove_anonymous_users when: mysql_remove_anonymous_users changed_when: false - name: copy mysql_remove_remote_root - copy: src='{{ item }}.sql' dest='/tmp/{{ item }}.sql' + copy: src='{{item}}.sql' dest='/tmp/{{item}}.sql' with_items: - mysql_remove_remote_root when: mysql_remove_remote_root changed_when: false - name: apply mysql_remove_remote_root - mysql_db: name='mysql' state=import target='/tmp/{{ item }}.sql' + mysql_db: name='mysql' state=import target='/tmp/{{item}}.sql' with_items: - mysql_remove_remote_root when: mysql_remove_remote_root From ec90b8d3ebd3531799a2a1312073ded800713906 Mon Sep 17 00:00:00 2001 From: fitz123 Date: Sun, 5 Jun 2016 14:08:10 +0700 Subject: [PATCH 17/17] Update README with explaining of conditional enabling/disabling role --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index ba14868..470a0c9 100644 --- a/README.md +++ b/README.md 
@@ -21,6 +21,7 @@ This role focuses on security configuration of MySQL. Therefore you can add this This hardening role installs the hardening but expects an existing installation of MySQL, MariaDB or Percona. Please ensure that the following variables are set accordingly: +- `mysql_hardening_enabled: yes` role is enabled by default and can be disabled without removing it from a playbook. You can use conditional variable, for example: `mysql_hardening_enabled: "{{ true if mysql_enabled else false }}"` - `mysql_hardening_user: 'mysql'` The user that mysql runs as. - `mysql_datadir: '/var/lib/mysql'` The MySQL data directory - `mysql_hardening_hardening_conf: '/etc/mysql/conf.d/hardening.cnf'` The path to the configuration file where the hardening will be performed