Git Product home page Git Product logo

chef-percona-hardening's Introduction

percona-hardening (Chef cookbook)

[Supermarket][https://supermarket.getchef.com/cookbooks/percona-hardening] [Build Status][http://travis-ci.org/dev-sec/chef-percona-hardening] [Code Coverage][https://coveralls.io/r/dev-sec/chef-percona-hardening] [Dependencies][https://gemnasium.com/dev-sec/chef-percona-hardening] [Gitter Chat][https://gitter.im/dev-sec/general]

Description

Provides security configurations for Percona. It is intended to set up production-ready Percona instances that are configured with minimal surface for attackers.

This cookbook focus security configuration of Percona. It is optimized to be a companion for percona. Therefore you can add this hardening layer on top of your existing Percona configuration in Chef. This cookbook does not replace the existing Percona, but focus on the secure configuration.

We optimized this cookbook to work with os-hardening and ssh-hardening without a hassle. It will also play well without.

Requirements

  • Opscode chef

Usage

A sample role may look like:

{
    "name": "percona",
    "default_attributes": { },
    "override_attributes": { },
    "json_class": "Chef::Role",
    "description": "MySql Hardened Server Test Role",
    "chef_type": "role",
    "default_attributes" : {
      "percona" : {
        "server": {
          "jemalloc": true,
          "debian_password": "d3b1an",
          "root_password": "r00t"
        }
      }
    },
    "run_list": [
        "recipe[chef-solo-search]",
        "recipe[apt]",
        "recipe[percona::server]",
        "recipe[percona-hardening]"
    ]
}

Recipes

percona-hardening::hardening (default)

This recipe is an overlay recipe for the percona cookbook) and applies percona-hardening::hardening

Add the following to your run list and customize security option attributes

  "recipe[percona::server]",
  "recipe[percona-hardening]"

Security Options

Further information is already available at Deutsche Telekom (German) and Symantec

Security Configuration

This setup sets the following parameters by default

user = mysql
port = 3306
bind-address = X.Y.Z.W

# via ['mysql']['security']['local_infile']
local-infile = 0

# via ['mysql']['security']['safe_user_create']
safe-user-create = 1

# via ['mysql']['security']['secure_auth']
secure-auth = 1

# via ['mysql']['security']['skip_show_database']
skip-show-database

# via ['mysql']['security']['skip_symbolic_links']
skip-symbolic-links

# via ['mysql']['security']['automatic_sp_privileges']
automatic_sp_privileges = 0

# via ['mysql']['security']['secure-file-priv']
secure-file-priv = /tmp

Tests

# Install dependencies
gem install bundler
bundle install

# Do lint checks
bundle exec rake lint

# Fetch tests
bundle exec thor kitchen:fetch-remote-tests

# fast test on one machine
bundle exec kitchen test default-ubuntu-1204

# test on all machines
bundle exec kitchen test

# for development
bundle exec kitchen create default-ubuntu-1204
bundle exec kitchen converge default-ubuntu-1204

This cookbook comes with a guard file for easy development. During development guard watches the folders and runs footcritic and robocop.

# list all plugins
bundle exec guard list

# run guard with foodcritic and robocop
bundle exec guard -P Foodcritic Rubocop

Tested Operating Systems

  • Ubuntu 12.04
  • Ubuntu 14.04
  • CentOS 6.4
  • CentOS 6.5
  • Oracle 6.4
  • Oracle 6.5
  • Debain 7

Contributors + Kudos

  • Dominik Richter
  • Christoph Hartmann
  • Patrick Meier
  • Edmund Haselwanter

License and Author

  • Author:: Deutsche Telekom AG

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

chef-percona-hardening's People

Contributors

arlimus avatar atomic111 avatar chris-rock avatar ehaselwanter avatar shortdudey123 avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.