Skip to content

Latest commit

 

History

History
104 lines (70 loc) · 5.18 KB

File metadata and controls

104 lines (70 loc) · 5.18 KB

sample-oracle-mysql-ee-5.7-cis-overlay

Overlay for the baseline InSpec profile at https://github.com/mitre/oracle-mysql-ee-5.7-cis-baseline with modifications based on provided requirements. The baseline InSpec profile is used validate the secure configuration of Oracle MySQL EE 5.7 against the CIS Oracle MySQL EE 5.7 Benchmark 1.0.0.

Getting Started

It is intended and recommended that InSpec and this profile overlay be run from a "runner" host (such as a DevOps orchestration server, an administrative management system, or a developer's workstation/laptop) against the target.

For the best security of the runner, always install on the runner the latest version of InSpec and supporting Ruby language components.

The simplest way to install InSpec is to use this command for *nix or Mac:

curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P chef-workstation

or this command for Windows (Powershell)

. { iwr -useb https://omnitruck.chef.io/install.ps1 } | iex; install -project chef-workstation

Latest versions and other installation options are available at the InSpec site.

Tailoring to Your Environment

For the MySQL resource to be properly accessed, you must ensure that the server's mysql.exe file is in the PATH environment variable. First you will need to find the mysql.exe file, which should be under C:\Program Files\MySQL\MySQL Server 5.1\bin. Otherwise, it should be in the bin directory of wherever MySQL is installed. Then, add the full path to the directory containing the executable as specfied here.

The following inputs must be configured in an inputs ".yml" file for the profile to run correctly for your specific environment. More information about InSpec inputs can be found in the InSpec Profile Documentation.

# Username MySQL DB Server (e.g., 'root')
user: ''

# Password MySQL DB Server (e.g., 'P@ssw0rd1')
password: ''

# Hostname MySQL DB Server (e.g., 'localhost')
host: ''

# Port MySQL DB Server
port: 3306

# List of MySQL database users (e.g., ['root'])
mysql_users: []   

# Set to true if the MySQL server has a slave configured
is_mysql_server_slave_configured: false

# List of MySQL administrative users (e.g., ['root'])
mysql_administrative_users: [] 

# List of MySQL users allows to modify or create data structures (e.g., ['root'])
mysql_users_allowed_modify_or_create: [] 

# Full path to MySQL configuration file (e.g. 'C:\Users\vagrant\MySQL\my.ini')
mysql_config_file: ''

Running This Overlay Directly from Github

# How to run
inspec exec https://github.com/mitre/sample-oracle-mysql-ee-5.7-cis-overlay/archive/main.tar.gz -t winrm://<hostip> --user '<admin-account>' --password=<password> --input-file=<path_to_your_inputs_file/name_of_your_inputs_file.yml> --reporter=cli json:<path_to_your_output_file/name_of_your_output_file.json>

Different Run Options

Full exec options

Running This Overlay from a local Archive copy

If your runner is not always expected to have direct access to GitHub, use the following steps to create an archive bundle of this overlay and all of its dependent tests:

(Git is required to clone the InSpec profile using the instructions below. Git can be downloaded from the Git site.)

When the "runner" host uses this profile overlay for the first time, follow these steps:

mkdir profiles
cd profiles
git clone https://github.com/mitre/sample-oracle-mysql-ee-5.7-cis-overlay.git
inspec archive sample-oracle-mysql-ee-5.7-cis-overlay
inspec exec <name of generated archive> -t winrm://<hostip> --user '<admin-account>' --password=<password> --input-file=<path_to_your_inputs_file/name_of_your_inputs_file.yml> --reporter=cli json:<path_to_your_output_file/name_of_your_output_file.json>

For every successive run, follow these steps to always have the latest version of this overlay and dependent profiles:

cd sample-oracle-mysql-ee-5.7-cis-overlay
git pull
cd ..
inspec archive sample-oracle-mysql-ee-5.7-cis-overlay --overwrite
inspec exec <name of generated archive> -t winrm://<hostip> --user '<admin-account>' --password=<password> --input-file=<path_to_your_inputs_file/name_of_your_inputs_file.yml> --reporter=cli json:<path_to_your_output_file/name_of_your_output_file.json>

Using Heimdall for Viewing the JSON Results

The JSON results output file can be loaded into heimdall-lite for a user-interactive, graphical view of the InSpec results.

The JSON InSpec results file may also be loaded into a full heimdall server, allowing for additional functionality such as to store and compare multiple profile runs.

Contributing and Getting Help

To report a bug or feature request, please open an issue.

NOTICE

CIS Benchmarks are published by the Center for Internet Security (CIS), see: https://www.cisecurity.org/.