├── .github └── workflows │ └── codespell.yml ├── .gitignore ├── .kitchen.yml ├── .puppet-lint.rc ├── .rubocop.yml ├── .travis.yml ├── CHANGELOG.md ├── Gemfile ├── Guardfile ├── Modulefile ├── Puppetfile ├── README.md ├── Rakefile ├── Thorfile ├── files └── .keep ├── manifests ├── init.pp ├── puppetlabs.pp └── puppetlabs_override.pp ├── metadata.json └── renovate.json /.github/workflows/codespell.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Codespell - Spellcheck 3 | 4 | on: # yamllint disable-line rule:truthy 5 | push: 6 | branches: [master] 7 | pull_request: 8 | branches: [master] 9 | 10 | jobs: 11 | codespell: 12 | uses: "dev-sec/.github/.github/workflows/codespell.yml@main" 13 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | exp.* 2 | .kitchen 3 | Berksfile.lock 4 | Puppetfile.lock 5 | .kitchen.local.yml 6 | shared_test_repo/ 7 | .librarian/ 8 | .tmp/ 9 | test/integration 10 | Gemfile.lock 11 | -------------------------------------------------------------------------------- /.kitchen.yml: -------------------------------------------------------------------------------- 1 | --- 2 | driver: 3 | name: vagrant 4 | provisioner: 5 | name: puppet_apply 6 | test_repo_uri: https://github.com/TelekomLabs/tests-mysql-hardening.git 7 | platforms: 8 | - name: ubuntu-12.04 9 | driver_config: 10 | box: opscode-ubuntu-12.04 11 | box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-12.04_chef-provisionerless.box 12 | - name: ubuntu-14.04 13 | driver_config: 14 | box: opscode-ubuntu-14.04 15 | box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-14.04_chef-provisionerless.box 16 | - name: centos-6.4 17 | driver_config: 18 | box: opscode-centos-6.4 19 | box_url: 
https://opscode-vm.s3.amazonaws.com/vagrant/opscode_centos-6.4_provisionerless.box 20 | - name: centos-6.5 21 | driver_config: 22 | box: opscode-centos-6.5 23 | box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.5_chef-provisionerless.box 24 | - name: centos-7.1 25 | driver_config: 26 | box: opscode-centos-7.1 27 | box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-7.1_chef-provisionerless.box 28 | - name: oracle-6.4 29 | driver_config: 30 | box: oracle-6.4 31 | box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel64-64.box 32 | - name: oracle-6.5 33 | driver_config: 34 | box: oracle-6.5 35 | box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box 36 | - name: debian-6 37 | driver_config: 38 | box: debian-6 39 | box_url: https://s3.eu-central-1.amazonaws.com/ffuenf-vagrantboxes/debian/debian-6.0.10-amd64_virtualbox.box 40 | - name: debian-7 41 | driver_config: 42 | box: debian-7 43 | box_url: https://s3.eu-central-1.amazonaws.com/ffuenf-vagrantboxes/debian/debian-7.7.0-amd64_virtualbox.box 44 | - name: debian-8 45 | driver_config: 46 | box: debian-8 47 | box_url: https://s3.eu-central-1.amazonaws.com/ffuenf-vagrantboxes/debian/debian-8.0.0-amd64_virtualbox.box 48 | suites: 49 | - name: default 50 | manifest: site.pp 51 | -------------------------------------------------------------------------------- /.puppet-lint.rc: -------------------------------------------------------------------------------- 1 | --no-autoloader_layout-check 2 | --no-80chars-check 3 | --no-inherits_across_namespaces-check -------------------------------------------------------------------------------- /.rubocop.yml: -------------------------------------------------------------------------------- 1 | --- 2 | AllCops: 3 | Exclude: 4 | - vendor/**/* 5 | - test/**/* 6 | - spec/fixtures/**/* 7 | - Puppetfile 8 | Documentation: 9 | Enabled: false 10 | AlignParameters: 11 | 
Enabled: true 12 | Encoding: 13 | Enabled: true 14 | HashSyntax: 15 | Enabled: false 16 | LineLength: 17 | Enabled: false 18 | EmptyLinesAroundBlockBody: 19 | Enabled: false 20 | MethodLength: 21 | Max: 40 22 | NumericLiterals: 23 | MinDigits: 10 24 | Metrics/CyclomaticComplexity: 25 | Max: 10 26 | Metrics/PerceivedComplexity: 27 | Max: 10 28 | Metrics/AbcSize: 29 | Max: 29 30 | Style/DotPosition: 31 | EnforcedStyle: trailing 32 | Enabled: true 33 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | rvm: 2 | - 1.8.7 3 | - 1.9.3 4 | - 2.0.0 5 | - 2.1.0 6 | language: ruby 7 | bundler_args: --without development integration openstack 8 | env: 9 | - PUPPET_VERSION="~> 4.0.0" 10 | - PUPPET_VERSION="~> 3.7.5" 11 | - PUPPET_VERSION="~> 3.6.2" 12 | - PUPPET_VERSION="~> 2.7.0" 13 | matrix: 14 | fast_finish: true 15 | exclude: 16 | - rvm: 1.9.3 17 | env: PUPPET_VERSION="~> 2.7.0" 18 | - rvm: 2.0.0 19 | env: PUPPET_VERSION="~> 2.7.0" 20 | - rvm: 2.1.0 21 | env: PUPPET_VERSION="~> 2.7.0" 22 | - rvm: 1.8.7 23 | env: PUPPET_VERSION="~> 4.0.0" 24 | - rvm: 1.9.3 25 | env: PUPPET_VERSION="~> 4.0.0" 26 | - rvm: 2.0.0 27 | env: PUPPET_VERSION="~> 4.0.0" 28 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | 3 | ## 1.0.2 4 | 5 | * improvement: move to new test kitchen 6 | 7 | ## 1.0.1 8 | 9 | * improvement: dont overwrite ownership of `my.cnf` 10 | * bugfix: align my.cnf declaration with upstream 11 | 12 | ## 1.0.0 13 | 14 | * feature: update to 1.0.0 release of tests-mysql-hardening 15 | * improvement: streamline rubocop 16 | * improvement: add guard and linting 17 | * bugfix: push module dependency to correct version 18 | 19 | ## 0.1.0 20 | 21 | * initial release 22 | 
-------------------------------------------------------------------------------- /Gemfile: --------------------------------------------------------------------------------
# encoding: utf-8

# Gem dependencies for linting, spec and integration testing of this module.
# Groups other than :test are skipped in CI (.travis.yml passes
# `--without development integration openstack`).
source 'https://rubygems.org'

# CI pins Puppet per matrix entry through PUPPET_VERSION (.travis.yml); with
# the variable unset, no version constraint is applied to the puppet gem.
puppetversion = ENV['PUPPET_VERSION']
if puppetversion
  gem 'puppet', puppetversion, :require => false
else
  gem 'puppet', :require => false
end

group :test do
  gem 'rake'
  gem 'rspec', '~> 3.13.0'
  gem 'rspec-puppet'
  # avoid NoMethodError: private method `clone' called for #
  # NOTE(review): this git source carries no :ref/:tag, and Gemfile.lock is
  # listed in .gitignore, so every `bundle install` fetches whatever the fork's
  # default branch currently holds. Pin it (`:ref => '<commit sha>'`) so the
  # test dependency is reproducible and cannot change underneath CI.
  gem 'puppetlabs_spec_helper', :git => 'https://github.com/ehaselwanter/puppetlabs_spec_helper'
  gem 'puppet-lint'
  gem 'rubocop'
end

group :development do
  gem 'guard-rake'
end

group :integration do
  gem 'test-kitchen'
  gem 'kitchen-vagrant'
  gem 'kitchen-puppet'
  gem 'librarian-puppet'
  gem 'kitchen-sharedtests', '~> 0.2.0'
end

group :openstack do
  gem 'kitchen-openstack'
end
-------------------------------------------------------------------------------- /Guardfile: --------------------------------------------------------------------------------
# encoding: utf-8

# Guardfile

# Re-run `rake lint` whenever a manifest or template changes.
guard 'rake', :task => 'lint' do
  watch(%r{^manifests/.*$})
  watch(%r{^templates/.*$})
end

# Re-run `rake spec` on spec, helper, lib, manifest or template changes.
guard 'rake', :task => 'spec' do
  watch(%r{^spec/(classes|defines)/.+_spec\.rb$})
  watch('spec/spec_helper.rb')
  watch(%r{^lib/.*$})
  watch(%r{^manifests/.*$})
  watch(%r{^templates/.*$})
end
-------------------------------------------------------------------------------- /Modulefile: -------------------------------------------------------------------------------- 1 | name 'hardening-mysql_hardening' 2 | version '1.0.2' 3 | source 'https://github.com/TelekomLabs/puppet-mysql-hardening' 4 | author 'Dominik Richter' 5 | license 'Apache License, Version 2.0' 6 | summary 'Configures MySQL for 
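security hardening' 7 | description 'Configures MySQL for security hardening' 8 | project_page 'https://github.com/TelekomLabs/puppet-mysql-hardening' 9 | 10 | dependency 'hardening/hardening_stdlib', '>=0.0.0 <1.0.0' 11 | -------------------------------------------------------------------------------- /Puppetfile: --------------------------------------------------------------------------------
#!/usr/bin/env ruby
#^syntax detection

# Puppetfile for librarian-puppet (see the :integration group in the Gemfile).
# The forge is addressed over HTTPS so that module downloads are protected
# against tampering in transit; the former plain-http URL gave no such
# guarantee and nothing else in this setup verifies what is fetched.
forge "https://forge.puppetlabs.com"

# use dependencies defined in Modulefile
modulefile
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Puppet MySQL hardening 2 | 3 | [![Puppet Forge](https://img.shields.io/puppetforge/dt/hardening/mysql_hardening.svg)][1] 4 | [![Build Status](http://img.shields.io/travis/hardening-io/puppet-mysql-hardening.svg)][2] 5 | [![Gitter Chat](https://badges.gitter.im/Join%20Chat.svg)][3] 6 | 7 | ## Description 8 | 9 | This Puppet module provides hardening configuration for MySQL. 10 | 11 | ## Requirements 12 | 13 | * Puppet 14 | * Supported module: `puppetlabs/mysql` (v2.x.x) 15 | 16 | 17 | ## Parameters 18 | 19 | none 20 | 21 | ## Usage 22 | 23 | If you use `puppetlabs/mysql`: 24 | 25 | # Configure MySQL Server as you normally would: 26 | class { 'mysql::server': 27 | # ... 28 | } 29 | 30 | # now include hardening: 31 | class { 'mysql_hardening': provider => 'puppetlabs/mysql'} 32 | 33 | ## Local Testing 34 | 35 | For local testing you can use vagrant and VirtualBox or VMware to run tests locally. You will have to install VirtualBox and Vagrant on your system. See [Vagrant Downloads](http://downloads.vagrantup.com/) for a vagrant package suitable for your system. For all our tests we use `test-kitchen`. If you are not familiar with `test-kitchen` please have a look at [their guide](http://kitchen.ci/docs/getting-started). 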
36 | 37 | Next install test-kitchen: 38 | 39 | ```bash 40 | # Install dependencies 41 | gem install bundler 42 | bundle install 43 | 44 | # Fetch tests 45 | bundle exec thor kitchen:fetch-remote-tests 46 | 47 | # Do lint checks 48 | bundle exec rake lint 49 | 50 | # Do spec checks 51 | bundle exec rake spec 52 | 53 | # fast test on one machine 54 | bundle exec kitchen test default-ubuntu-1204 55 | 56 | # test on Debian-based machines 57 | bundle exec kitchen test 58 | 59 | # for development 60 | bundle exec kitchen create default-ubuntu-1204 61 | bundle exec kitchen converge default-ubuntu-1204 62 | ``` 63 | 64 | For more information see [test-kitchen](http://kitchen.ci/docs/getting-started) 65 | 66 | ## Contributors + Kudos 67 | 68 | * Edmund Haselwanter [ehaselwanter](https://github.com/ehaselwanter) 69 | * Christoph Hartmann [chris-rock](https://github.com/chris-rock) 70 | * Matthew Haughton [3flex](https://github.com/3flex) 71 | * Patrick Meier [atomic111](https://github.com/atomic111) 72 | 73 | ## License and Author 74 | 75 | * Author:: Dominik Richter 76 | * Author:: Deutsche Telekom AG 77 | 78 | Licensed under the Apache License, Version 2.0 (the "License"); 79 | you may not use this file except in compliance with the License. 80 | You may obtain a copy of the License at 81 | 82 | http://www.apache.org/licenses/LICENSE-2.0 83 | 84 | Unless required by applicable law or agreed to in writing, software 85 | distributed under the License is distributed on an "AS IS" BASIS, 86 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 87 | See the License for the specific language governing permissions and 88 | limitations under the License. 
89 | 90 | [1]: https://forge.puppetlabs.com/hardening/mysql_hardening 91 | [2]: http://travis-ci.org/hardening-io/puppet-mysql-hardening 92 | [3]: https://gitter.im/hardening-io/general 93 | -------------------------------------------------------------------------------- /Rakefile: --------------------------------------------------------------------------------
# encoding: UTF-8

# Rake entry points for this module: puppet-lint, the spec tasks shipped by
# puppetlabs_spec_helper and, where the Ruby is new enough, rubocop.
require 'puppet-lint/tasks/puppet-lint'
require 'puppetlabs_spec_helper/rake_tasks'

# The three disabled checks mirror .puppet-lint.rc, so `rake lint` and a bare
# `puppet-lint` run agree; inherits_across_namespaces has to stay off because
# mysql_hardening::puppetlabs_override inherits ::mysql::server::config.
PuppetLint.configuration.send('disable_autoloader_layout')
PuppetLint.configuration.send('disable_80chars')
PuppetLint.configuration.send('disable_inherits_across_namespaces')
# Warnings fail the task, so lint findings cannot accumulate unnoticed.
PuppetLint.configuration.fail_on_warnings = true
PuppetLint.configuration.ignore_paths = ['vendor/**/*.pp']

# NOTE(review): plain string comparison, not a version comparison. It gives
# the intended answer for every Ruby in the .travis.yml matrix (only 1.8.7
# sorts below '1.9.2') but would misorder a hypothetical 1.10.x.
if RUBY_VERSION > '1.9.2'
  require 'rubocop'
  require 'rubocop/rake_task'

  desc 'Run all linters: rubocop and puppet-lint'
  task :run_all_linters => [:rubocop, :lint]

  # Rubocop
  # NOTE(review): RuboCop::RakeTask.new itself defines a task named :rubocop;
  # calling it from inside the running :rubocop task is unusual — confirm the
  # cops actually execute rather than the task merely being (re)defined.
  desc 'Run Rubocop lint checks'
  task :rubocop do
    RuboCop::RakeTask.new
  end

  task :default => [:run_all_linters, :spec]

else
  # Older Rubies (1.8.7 is in the CI matrix) skip rubocop and lint only.
  desc 'Run all linters: rubocop and puppet-lint'
  task :run_all_linters => [:lint]

  task :default => [:lint, :spec]
end
-------------------------------------------------------------------------------- /Thorfile: --------------------------------------------------------------------------------
# encoding: utf-8

# Registers the Thor tasks from kitchen-sharedtests; the README's
# `thor kitchen:fetch-remote-tests` presumably pulls the test_repo_uri named
# in .kitchen.yml — confirm against the gem.
require 'bundler'
require 'bundler/setup'
require 'kitchen_sharedtests'
require 'kitchen/sharedtests_thor_tasks'

Kitchen::SharedtestsThorTasks.new
-------------------------------------------------------------------------------- /files/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dev-sec/puppet-mysql-hardening/ddff9028908408e4b918b29e9bfdcfa42635883d/files/.keep 
-------------------------------------------------------------------------------- /manifests/init.pp: --------------------------------------------------------------------------------
# === Copyright
#
# Copyright 2014, Deutsche Telekom AG
# Licensed under the Apache License, Version 2.0 (the "License");
# http://www.apache.org/licenses/LICENSE-2.0
#

# == Class: mysql_hardening
#
# Entry point of the module: dispatches to the overlay class matching the
# MySQL provider in use, or aborts catalog compilation when none is given.
#
# === Parameters
#
# [*provider*]
#   The name of the provider you use to install MySQL.
#   Supported: `puppetlabs/mysql`
#   Default: 'none', which fails the run on purpose (see below).
#
class mysql_hardening(
  $provider = 'none',
) {
  case $provider {
    'puppetlabs/mysql': {
      class{'mysql_hardening::puppetlabs': }
    }
    'none': {
      # Declaring the class without a provider is a configuration error:
      # fail loudly instead of silently applying no hardening at all.
      fail('You haven\'t configured a MySQL provider for hardening.')
    }
    default: {
      fail('Unrecognized/Unsupported MySQL provider for hardening.')
    }
  }
}
-------------------------------------------------------------------------------- /manifests/puppetlabs.pp: --------------------------------------------------------------------------------
# === Copyright
#
# Copyright 2014, Deutsche Telekom AG
# Licensed under the Apache License, Version 2.0 (the "License");
# http://www.apache.org/licenses/LICENSE-2.0
#

# == Class: mysql_hardening::puppetlabs
#
# Overlay provider for puppetlabs/mysql: takes the override_options the user
# passed to mysql::server, lays the hardening settings below on top, and hands
# the merged result to mysql_hardening::puppetlabs_override, which rewrites
# the config file.
#
# === Parameters
#
# none
#
class mysql_hardening::puppetlabs(
) {
  # hardening options
  $hardening_oo = {

    mysqld => {
      # Do not auto-grant EXECUTE/ALTER ROUTINE to the creator of a stored routine.
      automatic_sp_privileges => '0',
      # CREATE USER additionally requires INSERT on the mysql.user table.
      safe-user-create => '1',
      # Ignore symlinks that point table files outside the data directory.
      skip-symbolic-links => '1',
      # Reject accounts that still use pre-4.1 password hashes.
      # NOTE(review): this option was removed in MySQL 8.0 — confirm against
      # the server versions the module targets.
      secure-auth => '1',
      # Disable LOAD DATA LOCAL INFILE (client-side file reads).
      local-infile => '0',
      # SHOW DATABASES requires the privilege of the same name.
      # Passed as a boolean rather than '1' like the rest — presumably so the
      # my.cnf.erb template renders it as a bare flag; confirm.
      skip-show-database => true,
      # Confine LOAD DATA INFILE / SELECT ... INTO OUTFILE to one directory.
      # NOTE(review): /tmp is world-writable, so this bounds *where* the server
      # reads and writes files, not *who* can stage files there; a directory
      # owned by the mysql user would be the stricter choice.
      secure-file-priv => '/tmp',
      # Refuse UDF libraries that provide only the main symbol and none of the
      # auxiliary (init/deinit) ones.
      allow-suspicious-udfs => '0'
    }
  }

  # get the override options the user specifies
  # Read back from the already-declared Class['::mysql::server'] (the README
  # usage declares mysql::server first, then this module).
  $org_oo = getparam(Class['::mysql::server'], 'override_options')

  # now lay hardening on top
  # merge_hardening comes from hardening/hardening_stdlib, the module's only
  # declared dependency; presumably hardening values win on conflict — confirm.
  $new_options = merge_hardening( $org_oo, $hardening_oo )

  # Upstream account clean-up class, ordered after the server setup has ended.
  # NOTE(review): presumably removes anonymous accounts and the test database —
  # confirm against the puppetlabs/mysql version in use.
  class { '::mysql::server::account_security':
    require => Anchor['mysql::server::end'],
  }

  # finally we need to make sure our options are written to the config file
  class{'mysql_hardening::puppetlabs_override': }

}
-------------------------------------------------------------------------------- /manifests/puppetlabs_override.pp: --------------------------------------------------------------------------------
# === Copyright
#
# Copyright 2014, Deutsche Telekom AG
# Licensed under the Apache License, Version 2.0 (the "License");
# http://www.apache.org/licenses/LICENSE-2.0
#

# == Class: mysql_hardening::puppetlabs_override
#
# Overlay provider for puppetlabs/mysql: re-renders the my.cnf managed by
# ::mysql::server::config with the hardened option set and tightens its mode.
#
# Inherits across module namespaces on purpose (the matching puppet-lint check
# is disabled in .puppet-lint.rc and the Rakefile) so that the upstream File
# resource can be overridden from here.
#
# === Parameters
#
# none
#
class mysql_hardening::puppetlabs_override inherits ::mysql::server::config {
  # merges the final set of options
  # new_options is computed in mysql_hardening::puppetlabs; mysql_deepmerge is
  # presumably the deep-merge function shipped by puppetlabs/mysql — confirm.
  $options = mysql_deepmerge( $::mysql::server::options, $::mysql_hardening::puppetlabs::new_options )
  # write the new template
  # Presumably different puppetlabs/mysql releases title the config File
  # resource either 'mysql-config-file' or by its path — confirm.
  if defined(File['mysql-config-file']) {
    $mysql_config_filename = 'mysql-config-file'
  } else {
    $mysql_config_filename = $mysql::server::config_file
  }

  # Override the inherited resource. The template presumably reads $options,
  # which this class redefines above — confirm against mysql/my.cnf.erb.
  # Mode 0640 keeps the config readable only by its owner and group; owner and
  # group are deliberately left as upstream set them (CHANGELOG 1.0.1:
  # "dont overwrite ownership of my.cnf").
  File[$mysql_config_filename]{
    content => template('mysql/my.cnf.erb'),
    mode    => '0640',
  }
}
-------------------------------------------------------------------------------- /metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "hardening-mysql_hardening", 3 | "version": "1.0.2", 4 | "author": "Dominik Richter", 5 | "summary": "Configures MySQL for security hardening", 6 | "license": "Apache License, Version 2.0", 7 | "source": "https://github.com/TelekomLabs/puppet-mysql-hardening", 8 | 
"project_page": "https://github.com/TelekomLabs/puppet-mysql-hardening", 9 | "issues_url": "https://github.com/TelekomLabs/puppet-mysql-hardening/issues", 10 | "description": "Configures MySQL for security hardening", 11 | "types": [ 12 | 13 | ], 14 | "dependencies": [ 15 | { 16 | "name": "hardening/hardening_stdlib", 17 | "version_requirement": ">=0.0.0 <1.0.0" 18 | } 19 | ] 20 | } 21 | -------------------------------------------------------------------------------- /renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "extends": [ 4 | "config:base", 5 | ":gitSignOff" 6 | ], 7 | "dependencyDashboard": true, 8 | "dependencyDashboardAutoclose": true, 9 | "packageRules": [ 10 | { 11 | "matchUpdateTypes": ["patch", "minor"], 12 | "automerge": true 13 | } 14 | ] 15 | } 16 | --------------------------------------------------------------------------------