Fixing several suggestions
Signed-off-by: Radovan Sroka <[email protected]>
radosroka committed May 16, 2024
1 parent 1ee2bf0 commit be624d4
Showing 12 changed files with 454 additions and 390 deletions.
270 changes: 133 additions & 137 deletions README.md
Expand Up @@ -12,13 +12,13 @@ None.

## Role Variables

The defaults defined for this role are based on a default RHEL7.6 `/etc/sudoers` configuration. Please check the defaults in [`defaults/main.yml`](defaults/main.yml) prior to running for OS compatibility.
The defaults defined for this role are based on a default RHEL8.4 `/etc/sudoers` configuration. Please check the defaults in [`defaults/main.yml`](defaults/main.yml) prior to running for OS compatibility.

| Variable Name | Description | Default Value | Variable Type |
| --- | --- | :---: | :---: |
| sudo_rewrite_default_sudoers_file | Use role default or user defined `sudoers_files` definition, replacing your distribution supplied `/etc/sudoers` file. Useful when attempting to deploy new configuration files to the `include_directories` and you do not wish to modify the `/etc/sudoers` file. | True | boolean |
| sudo_remove_unauthorized_included_files | ***Very Dangerous!*** Each existing sudoer file found in the `include_directories` dictionary which have not been defined in `sudoers_files` will be removed. This allows for enforcing a desired state. | False | boolean |
| sudo_visudo_path | Fully-qualified path to the `visudo` binary required for validation of sudoers configuration changes. Added for Operating System compatibility. | "/usr/sbin/visudo" | string |
| sudo_visudo_path | Fully-qualified path to the `visudo` binary required for validation of sudoers configuration changes. Added for Operating System compatibility. | /usr/sbin/visudo | string |
| sudo_sudoers_files | Definition of all your sudoers configurations | see [defaults/main.yml](defaults/main.yml)| list of dictionaries |

## sudo_sudoers_files Dictionary Fields
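Review bot: The `sudo_rewrite_default_sudoers_file` row still tells readers to supply a `sudoers_files` definition, while the variable this same table documents is `sudo_sudoers_files` (last row); since the hunk is already editing this table, that description should read `sudo_sudoers_files` so the `sudo_` prefix is applied consistently. Dropping the quotes around the `sudo_visudo_path` default (`/usr/sbin/visudo`) is fine, but the `sudo_sudoers_files` row is missing a space before its closing `|` after `(defaults/main.yml)`, which some Markdown renderers turn into a malformed cell.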
Expand Down Expand Up @@ -93,214 +93,210 @@ This dictionary can be used to assign either user specifications or default over
| --- | --- | :---: |
| defaults | List of defaults to override from the main configuration | list |
| type | Type of default to override, this affects the operator in the configuration ( host -> `@`, user -> `:`, command -> `!`, and runas -> `>`). The type field can be one of the following values: `command`, `host`, `runas`, or `user`. | string |
| commands | Use when `type: "command"`. List of `cmnd_alias` names as well as commands to override specific default values.| list |
| hosts | Use when `type: "host"`. List of `host_alias` names as well as individual host names to override specific default values. | list |
| operators | Use when `type: "runas"`. List of `runas_alias` names as well as individual user names to override specific default values. | list |
| users | Use when `type: "user"`. List of `user_alias` names as well as individual user names to override specific default values. | list |
| commands | Use when `type: command`. List of `cmnd_alias` names as well as commands to override specific default values.| list |
| hosts | Use when `type: host`. List of `host_alias` names as well as individual host names to override specific default values. | list |
| operators | Use when `type: runas`. List of `runas_alias` names as well as individual user names to override specific default values. | list |
| users | Use when `type: user`. List of `user_alias` names as well as individual user names to override specific default values. | list |

## Example Playbook

```yaml
# SPDX-License-Identifier: MIT
---
- name: "Apply a RHEL Default /etc/sudoers configuration"
hosts: "all"
- name: Apply a RHEL Default /etc/sudoers configuration
hosts: all
roles:
- role: "linux-system-roles.sudo"
- role: linux-system-roles.sudo
```
```yaml
# SPDX-License-Identifier: MIT
---
- name: "Apply custom /etc/sudoers configuration"
hosts: "all"
- name: Apply custom /etc/sudoers configuration
hosts: all
vars:
sudoers_files:
- path: "/etc/sudoers"
- path: /etc/sudoers
user_specifications:
- users:
- "root"
- root
hosts:
- "x"
- x
commands:
- "/usr/bin/ls"
- /usr/bin/ls
roles:
- role: "linux-system-roles.sudo"
- role: linux-system-roles.sudo
```
```yaml
# SPDX-License-Identifier: MIT
---
- name: "Apply a RHEL Default /etc/sudoers configuration"
hosts: "all"
- name: Apply a RHEL Default /etc/sudoers configuration
hosts: all
vars:
sudoers_files:
- path: "/etc/sudoers"
- path: /etc/sudoers
defaults:
- "!visiblepw"
- "always_set_home"
- "match_group_by_gid"
- "always_query_group_plugin"
- "env_reset"
- !visiblepw
- always_set_home
- match_group_by_gid
- always_query_group_plugin
- env_reset
- secure_path:
- "/sbin"
- "/bin"
- "/usr/sbin"
- "/usr/bin"
- /sbin
- /bin
- /usr/sbin
- /usr/bin
- env_keep:
- "COLORS"
- "DISPLAY"
- "HOSTNAME"
- "HISTSIZE"
- "KDEDIR"
- "LS_COLORS"
- "MAIL"
- "PS1"
- "PS2"
- "QTDIR"
- "USERNAME"
- "LANG"
- "LC_ADDRESS"
- "LC_CTYPE"
- "LC_COLLATE"
- "LC_IDENTIFICATION"
- "LC_MEASUREMENT"
- "LC_MESSAGES"
- "LC_MONETARY"
- "LC_NAME"
- "LC_NUMERIC"
- "LC_PAPER"
- "LC_TELEPHONE"
- "LC_TIME"
- "LC_ALL"
- "LANGUAGE"
- "LINGUAS"
- "_XKB_CHARSET"
- "XAUTHORITY"
- COLORS
- DISPLAY
- HOSTNAME
- HISTSIZE
- KDEDIR
- LS_COLORS
- MAIL
- PS1
- PS2
- QTDIR
- USERNAME
- LANG
- LC_ADDRESS
- LC_CTYPE
- LC_COLLATE
- LC_IDENTIFICATION
- LC_MEASUREMENT
- LC_MESSAGES
- LC_MONETARY
- LC_NAME
- LC_NUMERIC
- LC_PAPER
- LC_TELEPHONE
- LC_TIME
- LC_ALL
- LANGUAGE
- LINGUAS
- _XKB_CHARSET
- XAUTHORITY
user_specifications:
- users:
- "root"
- root
hosts:
- "ALL"
- ALL
operators:
- "ALL"
- ALL
commands:
- "ALL"
- ALL
- users:
- "%wheel"
- %wheel
hosts:
- "ALL"
- ALL
operators:
- "ALL"
- ALL
commands:
- "ALL"
- ALL
include_directories:
- "/etc/sudoers.d"
- /etc/sudoers.d
roles:
- role: "linux-system-roles.sudo"
- role: linux-system-roles.sudo
```
```yaml
# SPDX-License-Identifier: MIT
---
- name: "Apply a multi-file sudoers configuration"
hosts: "all"
- name: Apply a multi-file sudoers configuration
hosts: all
tasks:
- name: "Configure /etc/sudoers and included files"
- name: Configure /etc/sudoers and included files
include_role:
name: "linux-system-roles.sudo"
name: linux-system-roles.sudo
vars:
sudoers_rewrite_default_sudoers_file: True
sudoers_remove_unauthorized_included_files: True
sudoers_backup: True
sudoers_backup_path: "sudoers-backups"
sudoers_backup_path: sudoers-backups
sudoers_files:
- path: "/etc/sudoers"
- path: /etc/sudoers
defaults:
- "!visiblepw"
- "always_set_home"
- "match_group_by_gid"
- "always_query_group_plugin"
- "env_reset"
- !visiblepw
- always_set_home
- match_group_by_gid
- always_query_group_plugin
- env_reset
- secure_path:
- "/sbin"
- "/bin"
- "/usr/sbin"
- "/usr/bin"
- /sbin
- /bin
- /usr/sbin
- /usr/bin
- env_keep:
- "COLORS"
- "DISPLAY"
- "HOSTNAME"
- "HISTSIZE"
- "KDEDIR"
- "LS_COLORS"
- "MAIL"
- "PS1"
- "PS2"
- "QTDIR"
- "USERNAME"
- "LANG"
- "LC_ADDRESS"
- "LC_CTYPE"
- "LC_COLLATE"
- "LC_IDENTIFICATION"
- "LC_MEASUREMENT"
- "LC_MESSAGES"
- "LC_MONETARY"
- "LC_NAME"
- "LC_NUMERIC"
- "LC_PAPER"
- "LC_TELEPHONE"
- "LC_TIME"
- "LC_ALL"
- "LANGUAGE"
- "LINGUAS"
- "_XKB_CHARSET"
- "XAUTHORITY"
- COLORS
- DISPLAY
- HOSTNAME
- HISTSIZE
- KDEDIR
- LS_COLORS
- MAIL
- PS1
- PS2
- QTDIR
- USERNAME
- LANG
- LC_ADDRESS
- LC_CTYPE
- LC_COLLATE
- LC_IDENTIFICATION
- LC_MEASUREMENT
- LC_MESSAGES
- LC_MONETARY
- LC_NAME
- LC_NUMERIC
- LC_PAPER
- LC_TELEPHONE
- LC_TIME
- LC_ALL
- LANGUAGE
- LINGUAS
- _XKB_CHARSET
- XAUTHORITY
user_specifications:
- users:
- "root"
- root
hosts:
- "ALL"
- ALL
operators:
- "ALL"
- ALL
commands:
- "ALL"
- ALL
- users:
- "%wheel"
- %wheel
hosts:
- "ALL"
- ALL
operators:
- "ALL"
- ALL
commands:
- "ALL"
- ALL
include_directories:
- "/etc/sudoers.d"
- /etc/sudoers.d
aliases:
cmnd_alias:
- name: "PING"
- name: PING
commands:
- "/bin/ping"
- /bin/ping
user_alias:
- name: "PINGERS"
- name: PINGERS
users:
- "ahuffman"
- path: "/etc/sudoers.d/pingers"
- ahuffman
- path: /etc/sudoers.d/pingers
user_specifications:
- type: "user"
- type: user
defaults:
- "!requiretty"
- !requiretty
users:
- "PINGERS"
- path: "/etc/sudoers.d/root"
- PINGERS
- path: /etc/sudoers.d/root
defaults:
- "syslog=auth"
- syslog=auth
user_specifications:
- type: "runas"
- type: runas
defaults:
- "!set_logname"
- !set_logname
operators:
- "root"
- root
```
## License
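Review bot: Removing the quotes around `!visiblepw`, `!requiretty`, `!set_logname` and `%wheel` breaks these example playbooks as YAML: a leading `!` introduces a YAML tag rather than a string (PyYAML refuses the unknown local tag `!visiblepw` when Ansible loads the play), and `%` cannot start a plain scalar, so `- %wheel` is a scanner error. Keep those values quoted (`- "!visiblepw"`, `- "%wheel"`); the rest of the quote removal is harmless. Separately, the multi-file example sets `sudoers_rewrite_default_sudoers_file`, `sudoers_remove_unauthorized_included_files` and `sudoers_files`, but the Role Variables table earlier in this README documents them as `sudo_rewrite_default_sudoers_file`, `sudo_remove_unauthorized_included_files` and `sudo_sudoers_files`, so the example does not match the documented variable names; `sudoers_backup` and `sudoers_backup_path` are used here but do not appear in that table at all.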