Fix local kitchen runs and travis-ci, replace geerlingguy-mysql with …

…forked dev-sec-mysql

Signed-off-by: szEvEz <szivos.john@gmail.com>

.kitchen.vagrant.yml

@@ -26,15 +26,9 @@ platforms:
   - name: ubuntu-18.04
     driver_config:
       box: bento/ubuntu-18.04
-  - name: centos-6
-    driver_config:
-      box: bento/centos-6
   - name: centos-7
     driver_config:
       box: bento/centos-7
-  - name: oracle-6
-    driver_config:
-      box: bento/oracle-6
   - name: oracle-7
     driver_config:
       box: bento/oracle-7

.kitchen.yml

@@ -17,23 +17,16 @@ provisioner:
   require_ruby_for_busser: false
   ansible_verbose: true
   ansible_diff: true
-
   roles_path: ../ansible-mysql-hardening/
   http_proxy: <%= ENV['http_proxy'] || nil %>
   https_proxy: <%= ENV['https_proxy'] || nil %>
   requirements_path: requirements.yml
   requirements_collection_path: requirements.yml
-#  ansible_cfg_path: ansible.cfg
-#  ansible_cfg_overwrite: true
   sudo_command: 'sudo -E -H'
   playbook: tests/test.yml
   galaxy_ignore_certs: true
 
 platforms:
-  - name: centos6-ansible-latest
-    driver:
-      image: rndmh3ro/docker-centos6-ansible:latest
-      platform: centos
   - name: centos7-ansible-latest
     driver:
       image: rndmh3ro/docker-centos7-ansible:latest
@@ -42,20 +35,19 @@ platforms:
       provision_command:
         - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
         - systemctl enable sshd.service
-  - name: oracle6-ansible-latest
-    driver:
-      image: rndmh3ro/docker-oracle6-ansible:latest
-      platform: centos
   - name: oracle7-ansible-latest
     driver:
       image: rndmh3ro/docker-oracle7-ansible:latest
       run_command: /sbin/init
       platform: centos
       provision_command:
-        - systemctl enable ssh.service
+        - yum -y install initscripts
+        - sed -i '/nologin/d' /etc/pam.d/sshd
+        - systemctl enable sshd.service
   - name: ubuntu1804-ansible-latest
     driver:
       image: rndmh3ro/docker-ubuntu1804-ansible:latest
+      run_command: /sbin/init
       platform: ubuntu
       provision_command:
         - systemctl enable ssh.service

.travis.yml

@@ -2,20 +2,13 @@
 services: docker
 
 env:
-  - distro: centos6
-    version: latest
-    init: /sbin/init
-
   - distro: centos7
     init: /lib/systemd/systemd
     run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
     version: latest
 
-  - distro: oracle6
-    version: latest
-    init: /sbin/init
-
   - distro: oracle7
+    version: latest
     init: /lib/systemd/systemd
     run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
 
@@ -54,21 +47,22 @@ before_install:
   - 'docker pull rndmh3ro/docker-${distro}-ansible:${version}'
 
 script:
-  - pip install --user ansible-lint
-  - ansible-lint ./
+  - gem install bundler
+  - bundle install
 
   - container_id=$(mktemp)
   # Run container in detached state.
   - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-mysql-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
 
   # Install ansible galaxy requirements
   - 'docker exec "$(cat ${container_id})" ansible-galaxy install -c -r /etc/ansible/roles/ansible-mysql-hardening/requirements.yml -p /etc/ansible/roles/'
+  - 'docker exec "$(cat ${container_id})" ansible-galaxy collection install -c community.mysql'
 
   # Test role.
   - 'travis_wait docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-mysql-hardening/tests/test.yml'
 
   # Verify role
-  - 'inspec exec https://github.com/dev-sec/mysql-baseline/ -t docker://$(cat ${container_id}) --no-distinct-exit'
+  - 'inspec exec https://github.com/dev-sec/mysql-baseline/ -t docker://$(cat ${container_id}) --no-distinct-exit --chef-license=accept'
 
 after_failure:
   # Check MySQL settings.

Gemfile

@@ -10,6 +10,6 @@ group :integration do
   gem 'kitchen-sharedtests'
   gem 'kitchen-sync'
   gem 'kitchen-docker'
-  gem 'inspec'
+  gem 'inspec-bin'
   gem 'aws-sdk'
 end

requirements.yml

@@ -3,4 +3,5 @@ collections:
   - community.mysql
 
 roles:
-  - src: geerlingguy.mysql
+  - src: dev-sec.mysql
+    version: master

tasks/configure.yml

@@ -1,11 +1,10 @@
 ---
-
 - name: protect my.cnf
   file:
     path: '{{ mysql_hardening_mysql_conf_file }}'
     mode: '0640'
     owner: '{{ mysql_cnf_owner }}'
-    group: '{{ mysql_cnf_owner }}'
+    group: '{{ mysql_cnf_group }}'
     follow: true
     state: file
 

tasks/mysql_secure_installation.yml

@@ -14,6 +14,7 @@
     host_all: true
     password: '{{ mysql_root_password | mandatory }}'
     state: present
+    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
 
 - name: install .my.cnf with credentials
   template:
@@ -26,17 +27,20 @@
   mysql_db:
     name: test
     state: absent
+    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
   when: mysql_remove_test_database
 
 - name: anonymous users are absent
   mysql_user:
     name: ''
     state: absent
     host_all: true
+    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
   when: mysql_remove_anonymous_users
 
 - name: remove remote root
   community.mysql.mysql_query:
     query:
       - DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1')
+    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
   when: mysql_remove_remote_root

tests/test.yml

@@ -43,8 +43,9 @@
     mysql_user_password: iloverandompasswordsbutthiswilldo
     mysql_config_file: /etc/mysql/mariadb.cnf
     mysql_root_password_update: true
+    login_unix_socket: "{{ '/var/run/mysqld/mysqld.sock' if ansible_distribution == 'Debian' else '' | default(omit) }}"
   roles:
-    - geerlingguy.mysql
+    - dev-sec.mysql
     - ansible-mysql-hardening
   collections:
     - community.mysql

vars/Debian.yml

@@ -8,7 +8,7 @@ mysql_hardening_log_file: '/var/log/mysql/error.log'
 
 mysql_hardening_group: 'adm'
 
-mysql_cnf_owner: 'mysql'  # owner of /etc/mysql/*.cnf files
+mysql_cnf_owner: 'root'  # owner of /etc/mysql/*.cnf files
 mysql_cnf_group: 'mysql'  # owner of /etc/mysql/*.cnf files
 
 mysql_python_package: "python3-pymysql"

vars/RedHat_7.yml

@@ -7,7 +7,7 @@ mysql_hardening_log_file: '/var/log/mariadb/mariadb.log'
 
 mysql_python_package: 'MySQL-python'
 
-mysql_cnf_owner: 'mysql'  # owner of /etc/mysql/*.cnf files
+mysql_cnf_owner: 'root'  # owner of /etc/mysql/*.cnf files
 mysql_cnf_group: 'mysql'  # owner of /etc/mysql/*.cnf files
 
 mysql_hardening_group: 'mysql'

vars/RedHat_8.yml

@@ -6,7 +6,7 @@ mysql_hardening_log_file: '/var/log/mariadb/mariadb.log'
 
 mysql_python_package: 'python3-mysqlclient'
 
-mysql_cnf_owner: 'mysql'  # owner of /etc/mysql/*.cnf files
+mysql_cnf_owner: 'root'  # owner of /etc/mysql/*.cnf files
 mysql_cnf_group: 'mysql'  # owner of /etc/mysql/*.cnf files
 
 mysql_hardening_group: 'mysql'

vars/Ubuntu_16.yml

@@ -6,6 +6,9 @@ mysql_hardening_mysql_confd_dir: '/etc/mysql/conf.d'
 
 mysql_hardening_log_file: '/var/log/mysql/error.log'
 
+mysql_cnf_owner: 'root'  # owner of /etc/mysql/*.cnf files
+mysql_cnf_group: 'mysql'  # owner of /etc/mysql/*.cnf files
+
 mysql_hardening_group: 'adm'
 
 mysql_cnf_owner: 'mysql'  # owner of /etc/mysql/*.cnf files

vars/Ubuntu_18.yml

@@ -6,6 +6,9 @@ mysql_hardening_mysql_confd_dir: '/etc/mysql/conf.d'
 
 mysql_hardening_log_file: '/var/log/mysql/error.log'
 
+mysql_cnf_owner: 'root'  # owner of /etc/mysql/*.cnf files
+mysql_cnf_group: 'mysql'  # owner of /etc/mysql/*.cnf files
+
 mysql_hardening_group: 'adm'
 
 mysql_cnf_owner: 'mysql'  # owner of /etc/mysql/*.cnf files

vars/Ubuntu_20.yml

@@ -6,9 +6,9 @@ mysql_hardening_mysql_confd_dir: '/etc/mysql/conf.d'
 
 mysql_hardening_log_file: '/var/log/mysql/error.log'
 
-mysql_hardening_group: 'adm'
-
-mysql_cnf_owner: 'mysql'  # owner of /etc/mysql/*.cnf files
+mysql_cnf_owner: 'root'  # owner of /etc/mysql/*.cnf files
 mysql_cnf_group: 'mysql'  # owner of /etc/mysql/*.cnf files
 
+mysql_hardening_group: 'adm'
+
 mysql_python_package: "python3-mysqldb"