This role provides security configurations for MySQL and its derivatives. It is intended to set up production-ready MySQL instances that are configured with a minimal attack surface. Furthermore, it is intended to be compliant with the DevSec MySQL Baseline.

It configures:

- Permissions for the various configuration files and folders
- Removal of anonymous users, users without a password or `authentication_string`, and test databases
- Various hardening options inside MySQL

Changes to the options `log_error` or `datadir` in `mysql_hardening_options` will not be checked for correct permissions. Please change or set `log_error` or `datadir` with the installation role of MySQL before running this role, or run this role twice.

Further information is available at Deutsche Telekom (German) and Symantec.
- An existing installation of MySQL or MariaDB.
- `python-jmespath` on the Ansible host
- EL
  - 8, 9
- Ubuntu
  - focal, jammy, noble
- Debian
  - bullseye, bookworm
- Amazon
- opensuse
`mysql_daemon_enabled`
- Default: `True`
- Description: Whether to enable the MySQL service so it starts on boot
- Type: bool
- Required: no

`mysql_hardening_chroot`
- Default: ``
- Description: chroot
- Type: str
- Required: no

`mysql_hardening_chroot.automatic-sp-privileges`
- Default: `0`
- Description: automatic_sp_privileges
- Type: int
- Required: no

`mysql_hardening_enabled`
- Default: `True`
- Description: Whether to run the hardening
- Type: bool
- Required: no

`mysql_hardening_options.allow-suspicious-udfs`
- Default: `0`
- Description: allow-suspicious-udfs
- Type: int
- Required: no

`mysql_hardening_options.local-infile`
- Default: `0`
- Description: local-infile
- Type: int
- Required: no

`mysql_hardening_options.safe-user-create`
- Default: `1`
- Description: safe-user-create
- Type: int
- Required: no

`mysql_hardening_options.secure-auth`
- Default: `1`
- Description: secure-auth
- Type: int
- Required: no

`mysql_hardening_options.secure-file-priv`
- Default: `/tmp`
- Description: secure-file-priv
- Type: str
- Required: no

`mysql_hardening_options.skip-symbolic-links`
- Default: `1`
- Description: skip-symbolic-links
- Type: int
- Required: no

`mysql_hardening_restart_mysql`
- Default: `True`
- Description: Restart MySQL after running this role
- Type: bool
- Required: no

`mysql_hardening_skip_grant_tables`
- Default: `False`
- Description: skip-grant-tables
- Type: bool
- Required: no

`mysql_hardening_skip_show_database`
- Default: `1`
- Description: skip-show-database
- Type: int
- Required: no

`mysql_remove_anonymous_users`
- Default: `True`
- Description: Set to `false` to keep users without authentication
- Type: bool
- Required: no

`mysql_remove_remote_root`
- Default: `True`
- Description: If `true`, root can only connect from localhost. Set to `false` to not remove remote root users.
- Type: bool
- Required: no

`mysql_remove_test_database`
- Default: `True`
- Description: Set to `false` to keep the test database
- Type: bool
- Required: no

`mysql_root_password`
- Default: `-----====>SetR00tPa$$wordH3r3!!!<====-----`
- Description: The default password. Please change or overwrite it.
- Type: str
- Required: no

`mysql_user_home`
- Default: `{{ ansible_env.HOME }}`
- Description: The path where the `.my.cnf` will be stored
- Type: str
- Required: no

None.
```yaml
- hosts: all
  become: true
  roles:
    - name: devsec.hardening.mysql_hardening
```
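After the playbook above has run, the rendered option file can be checked against the hardening options listed in this README. The following script is an added example, not part of the role; it assumes the role writes the options into the `[mysqld]` section of a my.cnf-style file, and it audits a constructed sample file rather than a real host's.

```python
# Expected [mysqld] values, taken from the role defaults listed above.
# secure-file-priv is checked separately: it only needs to be non-empty.
EXPECTED = {
    "allow_suspicious_udfs": "0", "automatic_sp_privileges": "0",
    "local_infile": "0", "safe_user_create": "1", "secure_auth": "1",
    "skip_symbolic_links": "1", "skip_show_database": "1",
}

def parse_mysqld_section(text):
    """[mysqld] options as {name: value}; '-' and '_' are equivalent in MySQL
    option names, so names are normalised to '_'; a bare line means 'on'."""
    options, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif line and section == "mysqld":  # [client] etc. do not affect the server
            key, sep, value = line.partition("=")
            options[key.strip().replace("-", "_").lower()] = (
                value.strip().strip("\"'") if sep else "1")
    return options

def audit(text):
    """Return sorted findings; an empty list means the file matches the role defaults."""
    opts = parse_mysqld_section(text)
    synonyms = {"on": "1", "true": "1", "off": "0", "false": "0"}
    findings = []
    for name, want in EXPECTED.items():
        got = opts.get(name)
        if got is None:
            findings.append(f"{name} is not set (expected {want})")
        elif synonyms.get(got.lower(), got) != want:
            findings.append(f"{name} is {got} (expected {want})")
    if not opts.get("secure_file_priv"):
        findings.append("secure_file_priv is empty or unset (file import/export unrestricted)")
    return sorted(findings)

# Constructed sample option file, not taken from any real host.
SAMPLE_CNF = """[client]
local-infile = 1
[mysqld]
local_infile = 0
secure-file-priv = "/tmp"
skip-symbolic-links
safe-user-create = 1
secure-auth = 1
allow-suspicious-udfs = 0
automatic-sp-privileges = 1   # deviates from the role default
skip-show-database = 1
"""
```

Running `audit(SAMPLE_CNF)` reports only the `automatic_sp_privileges` deviation; the `local-infile` under `[client]` is ignored because it configures the client, not the server.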