GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → dev-sec → chef-mysql-hardening

dev-sec / chef-mysql-hardening

Licence: Apache-2.0 license
This chef cookbook provides security configuration for mysql.

Programming Languages

ruby
36898 projects - #4 most used programming language
HTML
75241 projects

Labels

mysqlsecuritydevopschef-cookbookchefhardening

Projects that are alternatives of or similar to chef-mysql-hardening

chef-apache-hardening
dev-sec.io/
Stars: ✭ 24 (+4.35%)
Mutual labels:  chef-cookbook, chef, hardening
Chef Os Hardening
This chef cookbook provides numerous security-related configurations, providing all-round base protection.
Stars: ✭ 386 (+1578.26%)
Mutual labels:  chef-cookbook, chef, hardening
chef-nginx-hardening
This chef cookbook provides secure nginx configurations.
Stars: ✭ 50 (+117.39%)
Mutual labels:  chef-cookbook, chef, hardening
Chef Windows Hardening
This chef cookbook provides windows hardening configurations for the DevSec Windows baseline profile.
Stars: ✭ 80 (+247.83%)
Mutual labels:  chef-cookbook, chef, hardening
chef-jenkins-hardening
⛔ DEPRECATED: A secure jenkins installation
Stars: ✭ 18 (-21.74%)
Mutual labels:  chef-cookbook, chef, hardening
Chef Ssh Hardening
This chef cookbook provides secure ssh-client and ssh-server configurations.
Stars: ✭ 144 (+526.09%)
Mutual labels:  chef-cookbook, chef, hardening
sssd ldap
Development repository for the sssd_ldap cookbook
Stars: ✭ 17 (-26.09%)
Mutual labels:  chef-cookbook, chef
ossec
Development repository for the ossec cookbook
Stars: ✭ 42 (+82.61%)
Mutual labels:  chef-cookbook, chef
COVID19-FeedbackApplication
A simple application is developed to get feedback from a user and analyzing the text to predict the sentiment.
Stars: ✭ 13 (-43.48%)
Mutual labels:  chef-cookbook, chef
firewall
Development repository for the firewall cookbook
Stars: ✭ 97 (+321.74%)
Mutual labels:  chef-cookbook, chef
yum-epel
Development repository for the yum-epel cookbook
Stars: ✭ 23 (+0%)
Mutual labels:  chef-cookbook, chef
drbd
Development repository for the drbd cookbook
Stars: ✭ 19 (-17.39%)
Mutual labels:  chef-cookbook, chef
cookbook-redmine
Chef's Cookbook for installing Redmine
Stars: ✭ 25 (+8.7%)
Mutual labels:  chef-cookbook, chef
freebsd
Development repository for the freebsd cookbook
Stars: ✭ 27 (+17.39%)
Mutual labels:  chef-cookbook, chef
github
Development repository for the github cookbook
Stars: ✭ 22 (-4.35%)
Mutual labels:  chef-cookbook, chef
kafka
Development repository for the kafka cookbook
Stars: ✭ 87 (+278.26%)
Mutual labels:  chef-cookbook, chef
mac os x
This cookbook has been deprecated
Stars: ✭ 75 (+226.09%)
Mutual labels:  chef-cookbook, chef
line
Development repository for the line cookbook
Stars: ✭ 96 (+317.39%)
Mutual labels:  chef-cookbook, chef
memcached
Development repository for the memcached cookbook
Stars: ✭ 50 (+117.39%)
Mutual labels:  chef-cookbook, chef
chef-postgres-hardening
This chef cookbook provides security configuration for PostgreSQL.
Stars: ✭ 26 (+13.04%)
Mutual labels:  chef, hardening
View All Similar Projects ➔

mysql-hardening (Chef cookbook)

Supermarket Build Status Code Coverage Dependencies Gitter Chat

Description

Provides security configurations for mysql. It is intended to set up production-ready mysql instances that are configured with minimal surface for attackers.

This cookbook focus security configuration of mysql and reuses the mysql cookbook for the installation. Therefore you can add this hardening layer on top of your existing mysql configuration in Chef.

We optimized this cookbook to work with os-hardening and ssh-hardening without a hassle. It will play well without, but you need to ensure all preconditions like apt-get update or yum update are met.

Requirements

  • Opscode chef

Usage

A sample role may look like:

{
    "name": "mysql",
    "default_attributes": { },
    "override_attributes": { },
    "json_class": "Chef::Role",
    "description": "MySql Hardened Server Test Role",
    "chef_type": "role",
    "default_attributes" : {
      "mysql": {
        "server_root_password": "iloverandompasswordsbutthiswilldo",
        "server_debian_password": "iloverandompasswordsbutthiswilldo"
      }
    },
    "run_list": [
        "recipe[chef-solo-search]",
        "recipe[apt]",
        "recipe[mysql::server]",
        "recipe[mysql-hardening]"
    ]
}

Recipes

mysql-hardening::hardening (default)

This recipe is an overley recipe for the mysql cookbook) and applies mysql-hardening::hardening

Add the following to your runlist and customize security option attributes

  "recipe[mysql::server]",
  "recipe[mysql-hardening]"

This hardening recipe installs the hardening but expects an existing installation of Mysql, MariaDB or Percona. If you are not using the mysql cookbook, you may need to adapt the attributes:

  • node['mysql']['service_name'] = 'default'
  • node['mysql']['data_dir'] = '/var/lib/mysql'
  • node['mysql-hardening']['conf-file'] = '/etc/mysql/conf.d/hardening.cnf'
  • node['mysql-hardening']['user'] = 'mysql'

Security Options

Further information is already available at Deutsche Telekom (German) and Symantec

Security Configuration

This setup sets the following parameters by default

user = mysql
port = 3306
bind-address = X.Y.Z.W

# via ['mysql']['security']['local_infile']
local-infile = 0

# via ['mysql']['security']['safe_user_create']
safe-user-create = 1

# via ['mysql']['security']['secure_auth']
secure-auth = 1

# via ['mysql']['security']['skip_show_database']
skip-show-database

# via ['mysql']['security']['skip_symbolic_links']
skip-symbolic-links

# via ['mysql']['security']['automatic_sp_privileges']
automatic_sp_privileges = 0

# via ['mysql']['security']['secure-file-priv']
secure-file-priv = /tmp

Additionally it ensures that the following parameters are not set

  • deactivate old-passwords via ['mysql']['security']['secure_auth']
  • deactivate allow-suspicious-udfs via node['mysql']['security']['allow-suspicious-udfs']
  • skip-grant-tables
  • chroot (instead we prefer AppArmor for Ubuntu)

Furthermore the permission of /var/lib/mysql is limited to mysql user.

Tests

# Install dependencies
gem install bundler
bundle install

# Do lint checks
bundle exec rake lint

# Fetch tests
git clone https://github.com/dev-sec/tests-mysql-hardening test/integration

# fast test on one machine
bundle exec kitchen test default-ubuntu-1204

# test on all machines
bundle exec kitchen test

# for development
bundle exec kitchen create default-ubuntu-1204
bundle exec kitchen converge default-ubuntu-1204

This cookbook comes with a guard file for easy development. During development guard watches the folders and runs footcritic and robocop.

# list all plugins
bundle exec guard list

# run guard with foodcritic and robocop
bundle exec guard -P Foodcritic Rubocop

Tested Operating Systems

  • Ubuntu 12.04
  • Ubuntu 14.04
  • CentOS 6.4
  • CentOS 6.5
  • Oracle 6.4
  • Oracle 6.5
  • Debian 7

Contributors + Kudos

  • Dominik Richter
  • Christoph Hartmann
  • Patrick Meier
  • Edmund Haselwanter

License and Author

  • Author:: Deutsche Telekom AG

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].