mysql_hardening cannot work with mysql on freebsd #472

Closed
sdwilsh opened this issue Aug 13, 2021 · 4 comments · Fixed by #473

sdwilsh commented Aug 13, 2021

Describe the bug
Due to this line of code, on FreeBSD it is always assumed that the distribution is mariadb because the package name is mysql80-server, not mysql-server.

Expected behavior
Either the system detects the right package or it is allowed to be user-overridden.

Actual behavior

TASK [devsec.hardening.mysql_hardening : get all users that have no authentication_string on MySQL version >= 5.7.6 or Mariadb version >= 10.4.0] ***************************************************************
skipping: [mysql.hogs.tswn.us]

TASK [devsec.hardening.mysql_hardening : get all users that have no password or authentication_string on MySQL version < 5.7.6 or Mariadb version < 10.4.0] *****************************************************
fatal: [mysql.hogs.tswn.us]: FAILED! => {"changed": false, "msg": "Cannot execute SQL 'SELECT GROUP_CONCAT(QUOTE(USER), '@', QUOTE(HOST) SEPARATOR ', ') AS users FROM mysql.user WHERE (length(password)=0 OR password=\"\") AND (length(authentication_string)=0 OR authentication_string=\"\") AND USER NOT IN ('mysql.sys', 'mysqlxsys', 'mariadb.sys');' args [None]: (1054, \"Unknown column 'password' in 'where clause'\")"}

Notably, if I ask mysql what version it is running, it properly reports version 8.0.25.

Example Playbook

n/a - this is pretty obvious what is going on

OS / Environment

FreeBSD 12.2

Ansible Version

ansible 2.10.12
  config file = /home/sdwilsh/ansible-playbooks/ansible.cfg
  configured module search path = ['/home/sdwilsh/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.8.10 (default, Jun  2 2021, 10:49:15) [GCC 9.4.0]

Role Version

7.9.0

Additional context

Everything else about this playbook works, although I do have to set a number of variables in order to get this far.

sdwilsh added a commit to sdwilsh/ansible-playbooks that referenced this issue Aug 13, 2021

sdwilsh commented Aug 13, 2021

Everything else about this playbook works, although I do have to set a number of variables in order to get this far.

Just to elaborate on this, since this failing piece of code is pretty early, I know other stuff works because I was running with --check --diff and seeing what the changes would be before I actually ran it and got this error.

@rndmh3ro rndmh3ro added the bug label Aug 13, 2021
@rndmh3ro (Member)

Making the variable user-overridable seems like the best idea. Something like this:

# Jinja applies the "is defined" test first and then pipes the boolean
# into ternary(); the parentheses make that precedence explicit.
- name: Check if MySQL or MariaDB is used
  set_fact:
    mysql_distribution: "{{ (ansible_facts.packages['mysql-server'] is defined) | ternary('mysql', 'mariadb') }}"
  # Only auto-detect when the user has not set mysql_distribution
  # (it needs an empty default, e.g. in defaults/main.yml, for this test to work).
  when: not mysql_distribution

Do you want to create a PR for this?


sdwilsh commented Aug 13, 2021

I can do that, but I wanted to make sure this was something y'all would take. I can also do a second PR for getting some of the platform variables for FreeBSD defined, if you'd like.

@rndmh3ro (Member)

I'd like both PRs! :)

sdwilsh added a commit to sdwilsh/ansible-collection-hardening that referenced this issue Aug 13, 2021
On some operating systems, the package for MySQL is not `mysql-server`,
and so the default check for this will not yield the correct result.
This change adds an escape hatch by letting the user set
`mysql_distribution`.  Additionally, it verifies that it is set to a
legal value if the user has set it.

Closes dev-sec#472
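A variant of the override-plus-validation approach described in the suggestion above and in this commit message, as an added example that is not the role's own tasks. The task names, the use of package_facts and the package-name regex are assumptions; it goes beyond the single mysql-server key by also matching versioned names such as mysql80-server, and it fails early on an illegal override instead of silently running the wrong SQL:

```yaml
# Added example (not from the dev-sec role): detect MySQL vs MariaDB from
# package facts unless the operator overrides mysql_distribution, then
# validate the value before any version-gated SQL runs.
# Regex and task names are assumptions based on the issue discussion.
- name: Gather installed package facts
  ansible.builtin.package_facts:
    manager: auto

- name: Detect the distribution from package names when not overridden
  ansible.builtin.set_fact:
    # 'mysql-server' (Debian/RHEL) and 'mysql80-server' (FreeBSD) both
    # match; anything else (e.g. mariadb-server) is treated as MariaDB.
    mysql_distribution: >-
      {{ 'mysql'
         if (ansible_facts.packages.keys()
             | select('match', '^mysql[0-9]*-server$')
             | list | length > 0)
         else 'mariadb' }}
  when: mysql_distribution is not defined or not mysql_distribution

- name: Refuse to continue with an unsupported mysql_distribution value
  ansible.builtin.assert:
    that:
      - mysql_distribution in ['mysql', 'mariadb']
    fail_msg: >-
      mysql_distribution must be 'mysql' or 'mariadb',
      got '{{ mysql_distribution }}'
```

Setting `mysql_distribution: mysql` in inventory or `-e` on FreeBSD then bypasses the package-name heuristic, so the MySQL 8 query path (no `password` column) is selected instead of the MariaDB one.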
sdwilsh added a commit to sdwilsh/ansible-collection-hardening that referenced this issue Aug 13, 2021
rndmh3ro added a commit that referenced this issue Aug 15, 2021
* [mysql_hardening] Allow setting the mysql_distribution

On some operating systems, the package for MySQL is not `mysql-server`,
and so the default check for this will not yield the correct result.
This change adds an escape hatch by letting the user set
`mysql_distribution`.  Additionally, it verifies that it is set to a
legal value if the user has set it.

Closes #472

Signed-off-by: Shawn Wilsher <656602+sdwilsh@users.noreply.github.com>

* Update roles/mysql_hardening/tasks/main.yml

Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
divialth pushed a commit to divialth/ansible-collection-hardening that referenced this issue Aug 3, 2022