Merge pull request #423 from dev-sec/drop_users_wo_passwords

add new tasks to delete mysql users without passwords

Author: schurzi

molecule/mysql_hardening/converge.yml

@@ -22,9 +22,6 @@
         - mysql_python_package_debian is not defined
         - ansible_distribution != "Ubuntu"
         - ansible_distribution_major_version|int < 20
-    - include_role:
-        name: dev-sec.mysql
-
     - include_role:
         name: mysql_hardening
   vars:

molecule/mysql_hardening/prepare.yml

@@ -25,3 +25,34 @@
       file:
         path: "/etc/mysql/conf.d"
         state: directory
+
+    - name: Determine required MySQL Python libraries (Ubuntu Focal Fossa ++)
+      set_fact:
+        mysql_python_package_debian: "python3-pymysql"
+      when:
+        - mysql_python_package_debian is not defined
+        - ansible_distribution == "Ubuntu"
+        - ansible_distribution_major_version|int > 19
+
+    - name: Determine required MySQL Python libraries.
+      set_fact:
+        mysql_python_package_debian: "{% if 'python3' in ansible_python_interpreter|default('') %}python3-mysqldb{% else %}python-mysqldb{% endif %}"
+      when:
+        - mysql_python_package_debian is not defined
+        - ansible_distribution != "Ubuntu"
+        - ansible_distribution_major_version|int < 20
+
+    - include_role:
+        name: dev-sec.mysql
+
+    - name: create a user with an empty password
+      community.mysql.mysql_query:
+        query:
+          - "CREATE USER foo@bar;"
+        login_unix_socket: "{{ login_unix_socket | default(omit) }}"
+  vars:
+    overwrite_global_mycnf: false
+    mysql_root_password: iloverandompasswordsbutthiswilldo
+    mysql_user_password: iloverandompasswordsbutthiswilldo
+    mysql_config_file: /etc/mysql/mariadb.cnf
+    mysql_root_password_update: true

requirements.txt

@@ -4,3 +4,4 @@ ansible
 ansible-lint
 docker
 flake8
+jmespath

roles/mysql_hardening/README.md

@@ -9,7 +9,7 @@ This role provides security configurations for MySQL and its derivates. It is in
 It configures:
 
 - Permissions for the various configuration files and folders
-- Removes anonymous users, root-users without a password and test databases
+- Removes anonymous users, users without a password or authentication_string and test databases
 - various hardening options inside MySQL
 
 ## Requirements

roles/mysql_hardening/tasks/mysql_secure_installation.yml

@@ -4,8 +4,8 @@
     msg: 'ERROR - you have to change default mysql_root_password'
   when: mysql_root_password == '-----====>SetR00tPa$$wordH3r3!!!<====-----'
 
-- name: Root password is present
-  mysql_user:
+- name: ensure that the root password is present
+  community.mysql.mysql_user:
     name: 'root'
     host_all: true
     password: '{{ mysql_root_password | mandatory }}'
@@ -19,24 +19,84 @@
     mode: '0400'
   tags: my_cnf
 
-- name: Test database is absent
-  mysql_db:
+- name: ensure that the test database is absent
+  community.mysql.mysql_db:
     name: test
     state: absent
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
   when: mysql_remove_test_database
 
-- name: Anonymous users are absent
-  mysql_user:
+- name: ensure that anonymous users are absent
+  community.mysql.mysql_user:
     name: ''
     state: absent
     host_all: true
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
   when: mysql_remove_anonymous_users
 
-- name: Remove remote root
+- name: ensure that root can only login from localhost
   community.mysql.mysql_query:
     query:
-      - DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')
+      - DELETE
+        FROM mysql.user
+        WHERE USER='root'
+          AND HOST NOT IN ('localhost',
+                          '127.0.0.1',
+                          '::1')
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
   when: mysql_remove_remote_root
+
+- name: get all users that have no password or authentication_string on MySQL version >= 5.7.6
+  community.mysql.mysql_query:
+    query:
+      - SELECT GROUP_CONCAT(USER, '@', HOST SEPARATOR ', ') AS users
+        FROM mysql.user
+        WHERE (length(authentication_string)=0
+              OR authentication_string="")
+          AND USER NOT IN ('mysql.sys',
+                          'mysqlxsys',
+                          'mariadb.sys');
+    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
+  register: mysql_users_wo_passwords_or_auth_string
+  when:
+    - mysql_version.version.full is version('5.7.6', '>=')
+
+- name: get all users that have no password on MySQL version < 5.7.6
+  community.mysql.mysql_query:
+    query:
+      - SELECT GROUP_CONCAT(USER, '@', HOST SEPARATOR ', ') AS users
+        FROM mysql.user
+        WHERE (length(password)=0
+              OR password="")
+          AND (length(authentication_string)=0
+              OR authentication_string="")
+          AND USER NOT IN ('mysql.sys',
+                          'mysqlxsys',
+                          'mariadb.sys');
+    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
+  register: mysql_users_wo_passwords
+  when:
+    - mysql_version.version.full is version('5.7.6', '<')
+
+- name: create a fact for users without password or authentication_string
+  set_fact:
+    users_wo_auth: "{{ mysql_users_wo_passwords_or_auth_string.query_result.0.0 | community.general.json_query('users') }}"
+  when:
+    - mysql_users_wo_passwords_or_auth_string.query_result is defined
+    - mysql_users_wo_passwords_or_auth_string.query_result != ""  # noqa empty-string-compare
+
+- name: create a fact for users without password
+  set_fact:
+    users_wo_auth: "{{ mysql_users_wo_passwords.query_result.0.0 | community.general.json_query('users') }}"
+  when:
+    - mysql_users_wo_passwords.query_result is defined
+    - mysql_users_wo_passwords.query_result != ""  # noqa empty-string-compare
+
+- name: ensure that there are no users without password or authentication_string
+  community.mysql.mysql_query:
+    query:
+      - "DROP USER {{ users_wo_auth }}"
+    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
+  when:
+    - users_wo_auth is defined
+    - users_wo_auth != ""  # noqa empty-string-compare