From a practical perspective and not from an "expert" auditor's perspective, a /root/.my.cnf that is 0600 really isn't a security risk as someone with access to that file can also reset the root password without knowing it*. But, I know that doesn't work in the real world and from the tone of your email, it sounds like you know this already :-)

Is the issue just having it be in plaintext? Would having ciphertext and decryption keys nearby work? i.e. ansible knows how to decrypt the key at runtime

- Peter

* N.B. since you have to stop mysql and start it in safe mode, reset the pwd, and then restart, hopefully your monitoring would alert you to the downtime and your audit logs would show the breach. You would still be compromised, but the incident response time would be pretty good and hopefully you could secure it before they dump the whole database. But, then, you've already been pwned and someone has root, likely on quite a few of your boxes.

On Thu, Jan 9, 2014 at 6:02 PM, Stan Lemon <[email protected]> wrote:

> I've been flipping through past posts and reading through some of the
> practices w/ the mysql module. I'm familiar with the option of using the
> /root/.my.cnf but this is unfortunately not an option for me. I'm dealing
> with a highly regulated industry and thus have some additional security
> constraints forced upon me and my setup. Having the root password in
> plaintext during an audit would cause me a lot of pain and grief. Has
> anyone figured out a way to use the mysql module without necessitating the
> root password be in plain text?
>
> Thanks for your help,
> Stan
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.

--
Peter Gehres
Site Reliability Engineer | AppDynamics, Inc.
www.appdynamics.com | AS62897
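One way to act on Peter's suggestion (keep only ciphertext in the repository and let Ansible decrypt it at run time, so no plaintext /root/.my.cnf is needed on the managed host) is an Ansible Vault-encrypted variable passed to the mysql modules' login_password. This is an added example, not code from the thread; the file paths, the host group, the variable names mysql_root_password and mysql_app_password, and the placeholder ciphertext are all assumptions.

```yaml
# group_vars/db/vault.yml (assumed path), created with:
#   ansible-vault create group_vars/db/vault.yml
# On disk it holds only ciphertext, for example:
#   $ANSIBLE_VAULT;1.1;AES256
#   <placeholder: ansible-vault output, never the plaintext>
# Its decrypted content is just two assumed variables:
#   mysql_root_password: "<set when the vault file is created>"
#   mysql_app_password:  "<set when the vault file is created>"
#
# playbook.yml (assumed name), run with either
#   ansible-playbook --ask-vault-pass playbook.yml
# or a 0600 --vault-password-file kept on the control machine only,
# so the vault password is the single secret that needs guarding.
- hosts: db
  become: yes
  tasks:
    - name: Create the application database using the vaulted root password
      mysql_db:
        name: appdb
        state: present
        login_user: root
        login_password: "{{ mysql_root_password }}"
      no_log: true   # keep the decrypted password out of task output and logs

    - name: Create a least-privilege application user (also with vaulted secrets)
      mysql_user:
        name: appuser
        password: "{{ mysql_app_password }}"
        priv: "appdb.*:SELECT,INSERT,UPDATE,DELETE"
        host: localhost
        state: present
        login_user: root
        login_password: "{{ mysql_root_password }}"
      no_log: true
```

The root password is decrypted only in memory on the control machine for the duration of the play, which gives an auditor a vault file and an access-controlled vault password to review instead of a plaintext credential on every database host.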
