I’ve been flipping through past posts and reading through some of the practices w/ the mysql module. I’m familiar with the option of using the /root/.my.cnf but this is unfortunately not an option for me. I’m dealing with a highly regulated industry and thus have some additional security constraints forced upon me and my setup. Having the root password in plaintext during an audit would cause me a lot of pain and grief. Has anyone figured out a way to use the mysql module without necessitating the root password be in plain text?
From a practical perspective and not from an “expert” auditor’s perspective, a /root/.my.cnf that is 0600 really isn’t a security risk as someone with access to that file can also reset the root password without knowing it*. But, I know that doesn’t work in the real world and from the tone of your email, it sounds like you know this already.
Is the issue just having it be in plaintext? Would having ciphertext and decryption keys nearby work? i.e. ansible knows how to decrypt the key at runtime
Peter
N.B. since you have to stop mysql and start it in safe mode, reset the pwd, and then restart, hopefully your monitoring would alert you to the downtime and your audit logs would show the breach. You would still be compromised, but the incident response time would be pretty good and hopefully you could secure it before they dump the whole database. But, then, you’ve already been pwned and someone has root, likely on quite a few of your boxes.
I am totally with you, unfortunately the auditors won’t be - and that’s the battle I’m fighting.
I don’t think ciphertext + decryption key would fly either. I agree with you that 0600 on the root .my.cnf should be sufficient, but often times the audits in these regulated environments defy rational arguments.
Sadly, I thought that might be your answer. Does this only apply to the
root password?
If you can share, what framework are you being audited under? You've got me
playing cat-and-mouse with the auditors in my head.
Have you solved this problem outside of Ansible anywhere as part of an
automation routine?
So this is a PCI compliant environment. I hit similar issues when I worked in health care though and we were trying to meet HIPAA compliance with our hardware. Auditors just didn’t want access credentials on the same box, so with that company we were able to have puppet handle them and because the puppet master was somewhere else the auditors didn’t care. It’s dumb reasoning, but it’s the way these industries work.
So I can have passwords in my ansible playbooks, that’s tolerable. I just can’t put the password on the box itself. That is most likely a pretty uniform requirement, with the exception of application configuration to connect to said database.
Aha. Okay, so there is a feature on the roadmap called “vault” that I think will be perfect for this use case. It is what I was hinting at in my first reply where the password is stored in ciphertext on the control host and easily decryptable by Ansible. It doesn’t deter a determined attacker, but prevents shoulder surfing.
Ah, PCI and HIPAA, how I don’t miss thee. Sadly, both of those are more sane than COBIT, FISMA, et al.
Ah interesting. Is there any ETA on when vault will be available in beta for testing?
I wonder too… do you think it’s possible to alter the paradigm and modify a pseudo my.cnf locally that would load the password? Such that it would get passed over ssh then, but it would reside on the deployment machine and ansible would be updating said file locally?
I don't know. You would have to ask Michael DeHaan.
Not sure I follow this. Copy over a .my.cnf and then delete it at the end
of the run?
I was thinking more or less start with a local file to store the mysql password, and then when supplied pass it in. The file would start empty then for setup, populate and thereafter be pulled in.
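The approach discussed above (the vault idea from Peter's reply and the "password lives only on the deployment machine" idea in the last two messages) amounts to the same pattern once vault exists: keep the root password in an ansible-vault encrypted vars file on the control host and hand it to the mysql modules as `login_password` at runtime, so nothing is ever written to /root/.my.cnf on the managed host. The playbook below is an added example, not code from the thread or from the Ansible project; the host group `dbservers`, the vars file path `vault/mysql.yml`, the variable name `vault_mysql_root_password` and the database name `appdb` are assumptions.

```yaml
# Constructed example playbook: mysql_root_from_vault.yml
#
# One-time setup on the control host (the vault file never leaves it):
#   ansible-vault create vault/mysql.yml
#   # contents of that file, encrypted at rest:
#   # vault_mysql_root_password: "<root password goes here>"
#
# Run with:
#   ansible-playbook -i inventory --ask-vault-pass mysql_root_from_vault.yml
#
# Assumes the mysql modules are available under their short names
# (community.mysql collection in current Ansible; core modules in old releases).
- hosts: dbservers          # assumed inventory group
  become: true
  vars_files:
    - vault/mysql.yml       # ansible-vault encrypted; decrypted in memory only on the control host

  tasks:
    - name: Create the application database using the root credential from the vault
      mysql_db:
        name: appdb         # assumed database name
        state: present
        login_user: root
        login_password: "{{ vault_mysql_root_password }}"
      no_log: true          # keep the credential out of playbook output and logs

    - name: Check whether a plaintext credential file exists on the managed host
      stat:
        path: /root/.my.cnf
      register: root_mycnf

    - name: Fail the run if /root/.my.cnf is present, since the audit requires no credentials on the box
      fail:
        msg: "/root/.my.cnf exists on {{ inventory_hostname }}; remove it so no credential rests on the host"
      when: root_mycnf.stat.exists
```

The caveat Peter already raised still applies: the password is sent to the managed host as a module argument for the duration of the task, so a root-level attacker on that host could capture it while the task runs. What the pattern buys you is that the credential is never stored on the database box, which is the specific requirement the auditors are enforcing, and the `stat`/`fail` pair gives you an in-playbook check that nobody has quietly dropped a .my.cnf back onto the host.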