ansible_services_hardening/mysql/tasks/hardening.yml

---
- name: Dump all databases to hostname.sql including master data
  community.mysql.mysql_db:
    state: dump
    name: all
    target: /tmp/dump.sql
    master_data: 1

- name: protect my.cnf
  file:
    path: '{{ mysql_hardening_mysql_conf_file }}'
    mode: '0640'
    owner: '{{ mysql_cnf_owner }}'
    group: '{{ mysql_cnf_group }}'
    follow: true
    state: file

- name: ensure permissions on mysql-datadir are correct
  file:
    path: '{{ mysql_datadir }}'
    state: directory
    owner: '{{ mysql_hardening_user }}'
    group: '{{ mysql_hardening_user }}'
    mode: '0750'

- name: ensure permissions on mysql-logfile are correct
  file:
    path: '{{ mysql_hardening_log_file }}'
    state: file
    owner: '{{ mysql_hardening_user }}'
    group: '{{ mysql_hardening_group }}'
    mode: '0640'

- name: check mysql configuration-directory exists and has right permissions
  file:
    path: '{{ mysql_hardening_mysql_confd_dir }}'
    state: directory
    owner: '{{ mysql_hardening_user }}'
    group: '{{ mysql_hardening_group }}'
    mode: '0750'

- name: check include-dir directive is present in my.cnf
  lineinfile:
    dest: '{{ mysql_hardening_mysql_conf_file }}'
    line: '!includedir {{ mysql_hardening_mysql_confd_dir }}'
    insertafter: 'EOF'
    state: present
    backup: true
  notify: Restart MySQL

- name: Removes anonymous user account for localhost
  community.mysql.mysql_user:
    name: ''
    host: localhost
    state: absent
    login_unix_socket: /run/mysqld/mysqld.sock

- name: Removes all anonymous user accounts
  community.mysql.mysql_user:
    name: ''
    host_all: true
    state: absent

      #- name: Disable remote connections
      #  community.mysql.mysql_variables:
      #    variable: "bind_address"
      #    value: "127.0.0.1"
      #    mode: "persist"
      #  become: true
first commit 2023-04-09 16:45:51 +02:00			`---`
			`- name: Dump all databases to hostname.sql including master data`
			`community.mysql.mysql_db:`
			`state: dump`
			`name: all`
			`target: /tmp/dump.sql`
			`master_data: 1`

			`- name: protect my.cnf`
			`file:`
			`path: '{{ mysql_hardening_mysql_conf_file }}'`
			`mode: '0640'`
			`owner: '{{ mysql_cnf_owner }}'`
			`group: '{{ mysql_cnf_group }}'`
			`follow: true`
			`state: file`

			`- name: ensure permissions on mysql-datadir are correct`
			`file:`
			`path: '{{ mysql_datadir }}'`
			`state: directory`
			`owner: '{{ mysql_hardening_user }}'`
			`group: '{{ mysql_hardening_user }}'`
			`mode: '0750'`

			`- name: ensure permissions on mysql-logfile are correct`
			`file:`
			`path: '{{ mysql_hardening_log_file }}'`
			`state: file`
			`owner: '{{ mysql_hardening_user }}'`
			`group: '{{ mysql_hardening_group }}'`
			`mode: '0640'`

			`- name: check mysql configuration-directory exists and has right permissions`
			`file:`
			`path: '{{ mysql_hardening_mysql_confd_dir }}'`
			`state: directory`
			`owner: '{{ mysql_hardening_user }}'`
			`group: '{{ mysql_hardening_group }}'`
			`mode: '0750'`

			`- name: check include-dir directive is present in my.cnf`
			`lineinfile:`
			`dest: '{{ mysql_hardening_mysql_conf_file }}'`
			`line: '!includedir {{ mysql_hardening_mysql_confd_dir }}'`
			`insertafter: 'EOF'`
			`state: present`
			`backup: true`
			`notify: Restart MySQL`

			`- name: Removes anonymous user account for localhost`
			`community.mysql.mysql_user:`
			`name: ''`
			`host: localhost`
			`state: absent`
			`login_unix_socket: /run/mysqld/mysqld.sock`

			`- name: Removes all anonymous user accounts`
			`community.mysql.mysql_user:`
			`name: ''`
			`host_all: true`
			`state: absent`

			`#- name: Disable remote connections`
			`# community.mysql.mysql_variables:`
			`# variable: "bind_address"`
			`# value: "127.0.0.1"`
			`# mode: "persist"`
			`# become: true`