mysql-hardening (Chef cookbook)

Description

Provides security configurations for mysql. It is intended to set up production-ready mysql instances that are configured with minimal surface for attackers.

This cookbook focus security configuration of mysql and reuses the mysql cookbook for the installation. Therefore you can add this hardening layer on top of your existing mysql configuration in Chef.

We optimized this cookbook to work with os-hardening and ssh-hardening without a hassle. It will play well without, but you need to ensure all preconditions like apt-get update or yum update are met.

Requirements

• Opscode chef

Usage

A sample role may look like:

{
    "name": "mysql",
    "default_attributes": { },
    "override_attributes": { },
    "json_class": "Chef::Role",
    "description": "MySql Hardened Server Test Role",
    "chef_type": "role",
    "default_attributes" : {
      "mysql": {
        "server_root_password": "iloverandompasswordsbutthiswilldo",
        "server_debian_password": "iloverandompasswordsbutthiswilldo"
      }
    },
    "run_list": [
        "recipe[chef-solo-search]",
        "recipe[apt]",
        "recipe[mysql-hardening::server]"
    ]
}

Security Options

Further information is already available at Deutsche Telekom (German) and Symantec

• default['mysql']['security']['chroot'] - chroot
• default['mysql']['security']['safe_user_create'] - safe-user-create
• default['mysql']['security']['secure_auth'] - secure-auth
• default['mysql']['security']['skip_symbolic_links'] - skip-symbolic-links
• default['mysql']['security']['skip_show_database'] - skip-show-database
• default['mysql']['security']['local_infile'] - local-infile
• default['mysql']['security']['allow-suspicious-udfs'] - allow-suspicious-udfs
• default['mysql']['security']['automatic_sp_privileges'] - automatic_sp_privileges
• default['mysql']['security']['secure-file-priv'] - secure-file-priv

Security Configuration

This setup sets the following parameters by default

user = mysql
port = 3306
bind-address = X.Y.Z.W

# via ['mysql']['security']['local_infile']
local-infile = 0

# via ['mysql']['security']['safe_user_create']
safe-user-create = 1

# via ['mysql']['security']['secure_auth']
secure-auth = 1

# via ['mysql']['security']['skip_show_database']
skip-show-database

# via ['mysql']['security']['skip_symbolic_links']
skip-symbolic-links

# via ['mysql']['security']['automatic_sp_privileges']
automatic_sp_privileges = 0

# via ['mysql']['security']['secure-file-priv']
secure-file-priv = /tmp

Additionally it ensures that the following parameters are not set

• deactivate old-passwords via ['mysql']['security']['secure_auth']
• deactivate allow-suspicious-udfs via node['mysql']['security']['allow-suspicious-udfs']
• skip-grant-tables
• chroot (instead we prefer AppArmor for Ubuntu)

Furthermore the permission of /var/lib/mysql is limited to mysql user.

Tests

# Install dependencies
gem install bundler
bundle install

# Do lint checks
bundle exec rake lint

# Fetch tests
bundle exec thor kitchen:fetch-remote-tests

# fast test on one machine
bundle exec kitchen test default-ubuntu-1204

# test on all machines
bundle exec kitchen test

# for development
bundle exec kitchen create default-ubuntu-1204
bundle exec kitchen converge default-ubuntu-1204

Tested Operating Systems

• Ubuntu 12.04
• Ubuntu 14.04
• CentOS 6.4
• CentOS 6.5
• Oracle 6.4
• Oracle 6.5
• Debain 7

Contributors + Kudos

• Dominik Richter
• Christoph Hartmann
• Patrick Meier
• Edmund Haselwanter

License and Author

• Author:: Deutsche Telekom AG

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.