I am totally with you, unfortunately the auditors won’t be - and that’s the 
battle I’m fighting.

I don’t think ciphertext + decryption key would fly either. I agree with you 
that 0600 on the root file should be sufficient, but oftentimes the 
audits in these regulated environments defy rational arguments.

-- 
Stan Lemon


On January 10, 2014 at 4:14:32 AM, Peter Gehres ([email protected]) 
wrote:

> From a practical perspective and not from an "expert" auditor's perspective, a 
> /root/.my.cnf that is 0600 really isn't a security risk as someone with access 
> to that file can also reset the root password without knowing it*. But, I know 
> that doesn't work in the real world and from the tone of your email, it sounds 
> like you know this already :-)

Is the issue just having it be in plaintext? Would having ciphertext and 
decryption keys nearby work? i.e. ansible knows how to decrypt the key at 
runtime

- Peter

* N.B. since you have to stop mysql and start it in safe mode, reset the pwd, 
and then restart, hopefully your monitoring would alert you to the downtime and 
your audit logs would show the breach. You would still be compromised, but the 
incident response time would be pretty good and hopefully you could secure it 
before they dump the whole database. But, then, you've already been pwned and 
someone has root, likely on quite a few of your boxes.


On Thu, Jan 9, 2014 at 6:02 PM, Stan Lemon <[email protected]> wrote:
I've been flipping through past posts and reading through some of the practices 
w/ the mysql module. I'm familiar with the option of using the /root/.my.cnf 
but this is unfortunately not an option for me.  I'm dealing with a highly 
regulated industry and thus have some additional security constraints forced 
upon me and my setup.  Having the root password in plaintext during an audit 
would cause me a lot of pain and grief.  Has anyone figured out a way to use 
the mysql module without necessitating the root password be in plain text?

Thanks for your help,
Stan

--
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.



--
Peter Gehres
Site Reliability Engineer | AppDynamics, Inc.
www.appdynamics.com | AS62897
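One way to answer Stan's original question (using the mysql module with no plaintext root password on the host) is to keep the secret in an ansible-vault encrypted vars file and pass it to the module at run time, which is the "decrypt at runtime" idea Peter raises. This is an added example, not code from any poster in the thread; the variable names mysql_root_password and app_db_password, the group name dbservers and the file paths are assumptions.

```yaml
# Added example (not from the thread). Assumes Ansible with the mysql_user
# module and ansible-vault. The root password never lands in /root/.my.cnf;
# it lives encrypted at rest and is decrypted only in Ansible's memory.
#
# 1. Create the encrypted vars file (prompts for a vault password):
#      ansible-vault create group_vars/dbservers/vault.yml
#    with contents such as (placeholders, not real secrets):
#      mysql_root_password: "REPLACE-WITH-REAL-PASSWORD"
#      app_db_password: "REPLACE-WITH-REAL-PASSWORD"
#
# 2. site.yml:
- hosts: dbservers
  become: yes
  tasks:
    - name: Set the MySQL root password (idempotent; no /root/.my.cnf needed)
      mysql_user:
        name: root
        host: localhost
        password: "{{ mysql_root_password }}"
        login_user: root
        login_password: "{{ mysql_root_password }}"
        # On a fresh install root has no password yet; allow that one-time fallback.
        check_implicit_admin: yes
      no_log: yes   # keep the secret out of stdout and the Ansible log

    - name: Create an application account with least privilege
      mysql_user:
        name: appuser
        host: localhost
        password: "{{ app_db_password }}"
        priv: "appdb.*:SELECT,INSERT,UPDATE,DELETE"
        login_user: root
        login_password: "{{ mysql_root_password }}"
      no_log: yes
#
# 3. Run, supplying the vault password interactively so it is never on disk:
#      ansible-playbook site.yml --ask-vault-pass
```

What an auditor then finds on the database host is an encrypted blob on the control machine and nothing password-bearing on the server itself, though anyone who can run the playbook still needs the vault password.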
