ansible-collection-hardening
improve deletion of unsecured MySQL users to include the new auth mechanisms
Description
Currently we use a simple set of criteria to remove unsecured users. This set excludes some of the useful new features of newer MySQL versions. Also the current logic needs a bit more documentation to be easier to understand.
Solution
We should define which features of MySQL we want to advise using by making our queries for deleting unsecured users more explicit and more granular. Currently I would consider several types of authentication secure:
- auth with password
- auth with certificates
- auth with unix pipe
- auth with PAM
The current logic for queries should also be improved, maybe in the same way we use to set all the ssh parameters for mac/key/ciphers.
Alternatives
Leave as is, our current implementation is arguably secure but excludes some equally secure setups.
Additional information
For more information also consider #641 and related discussion (linked tickets).
All changes must also be reflected in our mysql-baseline.
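
An added illustration, not part of the issue or the collection's code: a per-mechanism check over constructed `mysql.user` rows, set beside a hypothetical coarse "no stored credential" criterion, to show which accounts a granular rule would keep. The plugin names and `ssl_type` values are assumptions based on stock MySQL and MariaDB, and the function names are hypothetical.

```python
# Assumed plugin names / ssl_type values (stock MySQL and MariaDB), not from the issue.
SOCKET_PLUGINS = {"auth_socket", "unix_socket"}   # peer-credential auth over the unix socket
PAM_PLUGINS = {"authentication_pam", "pam"}       # PAM-backed auth
CERT_SSL_TYPES = {"X509", "SPECIFIED"}            # REQUIRE X509 / SUBJECT / ISSUER; 'ANY' is TLS only


def naive_unsecured(row):
    """Hypothetical coarse criterion: every account without a stored credential."""
    return not row.get("authentication_string")


def auth_mechanism(row):
    """Name the mechanism from the issue's list that protects the account, or None."""
    plugin = (row.get("plugin") or "").lower()
    if plugin in SOCKET_PLUGINS:
        return "unix socket"
    if plugin in PAM_PLUGINS:
        return "pam"
    if (row.get("ssl_type") or "").upper() in CERT_SSL_TYPES:
        return "certificate"
    if row.get("authentication_string"):
        return "password"
    return None


def unsecured_users(rows):
    """Accounts that match none of the four mechanisms."""
    return [(r["user"], r["host"]) for r in rows if auth_mechanism(r) is None]


def row(user, host, plugin, auth="", ssl_type=""):
    return {"user": user, "host": host, "plugin": plugin,
            "authentication_string": auth, "ssl_type": ssl_type}


# Constructed sample rows, shaped like SELECT user, host, plugin,
# authentication_string, ssl_type FROM mysql.user
SAMPLE_ROWS = [
    row("root", "localhost", "auth_socket"),
    row("app", "10.0.0.%", "caching_sha2_password", auth="$A$005$constructed"),
    row("replica", "%", "mysql_native_password", ssl_type="X509"),
    row("ops", "localhost", "pam"),
    row("", "localhost", "mysql_native_password"),                    # anonymous account
    row("legacy", "%", "mysql_native_password", ssl_type="ANY"),      # TLS but no credential
]

if __name__ == "__main__":
    print("coarse rule flags:", [(r["user"], r["host"]) for r in SAMPLE_ROWS if naive_unsecured(r)])
    print("granular rule flags:", unsecured_users(SAMPLE_ROWS))
```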