dev-sec · arlimus · Jul 18, 2014 · Jul 18, 2014 · Jul 18, 2014 · Jul 18, 2014
diff --git a/.kitchen.yml b/.kitchen.yml
@@ -13,11 +13,16 @@ platforms:
     box: opscode-ubuntu-12.04
     box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-12.04_chef-provisionerless.box
 
+- name: ubuntu-14.04
+  driver_config:
+    box: opscode-ubuntu-14.04
+    box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-14.04_chef-provisionerless.box
+
 - name: centos-6.4
   driver_config:
     box: opscode-centos-6.4
     box_url: https://opscode-vm.s3.amazonaws.com/vagrant/opscode_centos-6.4_provisionerless.box
-    
+
 - name: centos-6.5
   driver_config:
      box: opscode-centos-6.5
@@ -26,17 +31,26 @@ platforms:
 - name: oracle-6.4
   driver_config:
     box: oracle-6.4
-    box_url: https://dl.dropbox.com/sh/yim9oyqajopoiqs/G-XIEmQJMb/oracle64-64.box
+    box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel64-64.box
 
-- name: debian-squezze-6
+- name: oracle-6.5
   driver_config:
-    box: debian-squezze-6
-    box_url: http://public.sphax3d.org/vagrant/squeeze64.box
-
-- name: debian-wheezy-7
+    box: oracle-6.5
+    box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box
+
+# excluded, see possible fix https://github.com/opscode-cookbooks/mysql/issues/210
+# 
+# - name: debian-6
+#   driver_config:
+#     box: debian-6
+#     # source: https://github.com/ffuenf/vagrant-boxes
+#     box_url: https://googledrive.com/host/0B83ZToJ3fGtDeE9KWm1sWndZdGs/debian-6.0.9-amd64_virtualbox.box
+
+- name: debian-7
   driver_config:
-    box: debian-wheezy-7
-    box_url: https://dl.dropboxusercontent.com/u/86066173/debian-wheezy.box
+    box: debian-7
+    # source: https://github.com/ffuenf/vagrant-boxes
+    box_url: https://googledrive.com/host/0B83ZToJ3fGtDVC1DeVVzc3lkc0U/debian-7.5.0-amd64_virtualbox.box
 
 suites:
 - name: default

diff --git a/attributes/hardening.rb b/attributes/hardening.rb
@@ -26,28 +26,25 @@
 default['mysql']['security']['chroot']                  = nil
 
 # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_safe-user-create
-default['mysql']['security']['safe_user_create']        = 1
+default['mysql']['security']['safe-user-create']        = 1
 
 # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-auth
-default['mysql']['security']['secure_auth']             = 1
+default['mysql']['security']['secure-auth']             = 1
 
 # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_symbolic-links
-default['mysql']['security']['skip_symbolic_links']     = 1
-
-# @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv
-default['mysql']['security']['secure_file_priv']        = nil
+default['mysql']['security']['skip-symbolic-links']     = 1
 
 # @see http://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_skip-show-database
-default['mysql']['security']['skip_show_database']      = 1
+default['mysql']['security']['skip-show-database']      = true
 
 # @see http://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile
-default['mysql']['security']['local_infile']            = 0
+default['mysql']['security']['local-infile']            = 0
 
 # @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_allow-suspicious-udfs
 default['mysql']['security']['allow-suspicious-udfs']   = 0
 
 # @see https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_automatic_sp_privileges
-default['mysql']['security']['automatic_sp_privileges']   = 0
+default['mysql']['security']['automatic-sp-privileges']   = 0
 
 # @see https://dev.mysql.com/doc/refman/5.7/en/server-options.html#option_mysqld_secure-file-priv
 default['mysql']['security']['secure-file-priv']        = '/tmp'
diff --git a/recipes/server.rb b/recipes/server.rb
@@ -24,7 +24,7 @@
 # apply hardening configuration
 template '/etc/mysql/conf.d/hardening.cnf' do
   owner 'mysql'
-  owner 'mysql'
+  mode '750'
   source 'hardening.cnf.erb'
   notifies :restart, "mysql_service[#{node['mysql']['service_name']}]"
 end

diff --git a/templates/default/hardening.cnf.erb b/templates/default/hardening.cnf.erb
@@ -1,39 +1,9 @@
-<% if node['mysql']['security']['chroot'] -%>
-chroot = <%= node['mysql']['security']['chroot'] %>
-<% end %>
-
-<% if node['mysql']['security']['safe_user_create'] -%>
-safe-user-create = <%= node['mysql']['security']['safe_user_create'] %>
-<% end %>
-
-<% if node['mysql']['security']['secure_auth'] -%>
-secure-auth = <%= node['mysql']['security']['secure_auth'] %>
-<% end %>
-
-<% if node['mysql']['security']['skip_symbolic_links'] -%>
-skip-symbolic-links = <%= node['mysql']['security']['skip_symbolic_links'] %>
-<% end %>
-
-<% if node['mysql']['security']['secure_file_priv'] -%>
-secure-file-priv = <%= node['mysql']['security']['secure_file_priv'] %>
-<% end %>
-
-<% if node['mysql']['security']['local_infile'] -%>
-local-infile = <%= node['mysql']['security']['local_infile'] %>
-<% end %>
-
-<% if node['mysql']['security']['skip_show_database'] -%>
-skip-show-database
-<% end %>
-
-<% if node['mysql']['security']['allow-suspicious-udfs'] -%>
-allow-suspicious-udfs = <%= node['mysql']['security']['allow-suspicious-udfs'] %>
-<% end %>
+[mysqld]
 
-<% if node['mysql']['security']['automatic_sp_privileges'] -%>
-automatic_sp_privileges = <%= node['mysql']['security']['automatic_sp_privileges'] %>
+<% node['mysql']['security'].each do |sec_setting, value| -%>
+  <% if value && (!!value == value) # We do have a value and it is a boolean -%>
+<%= sec_setting if value %>
+  <% else -%>
+<%= "#{sec_setting} = #{value}" if value  %>
+  <% end %>
 <% end %>
-
-<% if node['mysql']['security']['secure-file-priv'] -%>
-secure-file-priv = <%= node['mysql']['security']['secure-file-priv'] %>
-<% end %>