From be624d428b244644c7441cf0737eee95149a5111 Mon Sep 17 00:00:00 2001
From: Radovan Sroka
Date: Thu, 16 May 2024 16:21:43 +0200
Subject: [PATCH] Fixing several suggestions
Signed-off-by: Radovan Sroka
---
README.md | 270 +++++++++++++++++------------------
defaults/main.yml | 98 ++++++-------
examples/simple1.yml | 6 +-
examples/simple2.yml | 14 +-
examples/simple3.yml | 102 ++++++-------
examples/simple4.yml | 132 ++++++++---------
meta/main.yml | 2 +-
tasks/main.yml | 122 +++++++---------
templates/foo.conf.j2 | 9 --
templates/sudoers.j2 | 1 +
tests/tests_role_applied.ok | 25 ++++
tests/tests_role_applied.yml | 63 ++++++++
12 files changed, 454 insertions(+), 390 deletions(-)
delete mode 100644 templates/foo.conf.j2
create mode 100644 tests/tests_role_applied.ok
create mode 100644 tests/tests_role_applied.yml
diff --git a/README.md b/README.md
index df1ba5e..b8c2789 100644
--- a/README.md
+++ b/README.md
@@ -12,13 +12,13 @@ None. ## Role Variables -The defaults defined for this role are based on a default RHEL7.6 `/etc/sudoers` configuration. Please check the defaults in [`defaults/main.yml`](defaults/main.yml) prior to running for OS compatibility. +The defaults defined for this role are based on a default RHEL8.4 `/etc/sudoers` configuration. Please check the defaults in [`defaults/main.yml`](defaults/main.yml) prior to running for OS compatibility. | Variable Name | Description | Default Value | Variable Type | | --- | --- | :---: | :---: | | sudo_rewrite_default_sudoers_file | Use role default or user defined `sudoers_files` definition, replacing your distribution supplied `/etc/sudoers` file. Useful when attempting to deploy new configuration files to the `include_directories` and you do not wish to modify the `/etc/sudoers` file. | True | boolean | | sudo_remove_unauthorized_included_files | ***Very Dangerous!*** Each existing sudoer file found in the `include_directories` dictionary which have not been defined in `sudoers_files` will be removed. This allows for enforcing a desired state. | False | boolean | -| sudo_visudo_path | Fully-qualified path to the `visudo` binary required for validation of sudoers configuration changes. Added for Operating System compatibility. | "/usr/sbin/visudo" | string | +| sudo_visudo_path | Fully-qualified path to the `visudo` binary required for validation of sudoers configuration changes. Added for Operating System compatibility. | /usr/sbin/visudo | string | | sudo_sudoers_files | Definition of all your sudoers configurations | see [defaults/main.yml](defaults/main.yml)| list of dictionaries | ## sudo_sudoers_files Dictionary Fields 
@@ -93,214 +93,210 @@ This dictionary can be used to assign either user specifications or default over | --- | --- | :---: | | defaults | List of defaults to override from the main configuration | list | | type | Type of default to override, this affects the operator in the configuration ( host -> `@`, user -> `:`, command -> `!`, and runas -> `>`). The type field can be one of the following values: `command`, `host`, `runas`, or `user`. | string | -| commands | Use when `type: "command"`. List of `cmnd_alias` names as well as commands to override specific default values.| list | -| hosts | Use when `type: "host"`. List of `host_alias` names as well as individual host names to override specific default values. | list | -| operators | Use when `type: "runas"`. List of `runas_alias` names as well as individual user names to override specific default values. | list | -| users | Use when `type: "user"`. List of `user_alias` names as well as individual user names to override specific default values. | list | +| commands | Use when `type: command`. List of `cmnd_alias` names as well as commands to override specific default values.| list | +| hosts | Use when `type: host`. List of `host_alias` names as well as individual host names to override specific default values. | list | +| operators | Use when `type: runas`. List of `runas_alias` names as well as individual user names to override specific default values. | list | +| users | Use when `type: user`. List of `user_alias` names as well as individual user names to override specific default values. 
| list | ## Example Playbook ```yaml -# SPDX-License-Identifier: MIT --- -- name: "Apply a RHEL Default /etc/sudoers configuration" - hosts: "all" +- name: Apply a RHEL Default /etc/sudoers configuration + hosts: all roles: - - role: "linux-system-roles.sudo" + - role: linux-system-roles.sudo ``` ```yaml -# SPDX-License-Identifier: MIT --- -- name: "Apply custom /etc/sudoers configuration" - hosts: "all" +- name: Apply custom /etc/sudoers configuration + hosts: all vars: sudoers_files: - - path: "/etc/sudoers" + - path: /etc/sudoers user_specifications: - users: - - "root" + - root hosts: - - "x" + - x commands: - - "/usr/bin/ls" + - /usr/bin/ls roles: - - role: "linux-system-roles.sudo" + - role: linux-system-roles.sudo ``` ```yaml -# SPDX-License-Identifier: MIT --- -- name: "Apply a RHEL Default /etc/sudoers configuration" - hosts: "all" +- name: Apply a RHEL Default /etc/sudoers configuration + hosts: all vars: sudoers_files: - - path: "/etc/sudoers" + - path: /etc/sudoers defaults: - - "!visiblepw" - - "always_set_home" - - "match_group_by_gid" - - "always_query_group_plugin" - - "env_reset" + - !visiblepw + - always_set_home + - match_group_by_gid + - always_query_group_plugin + - env_reset - secure_path: - - "/sbin" - - "/bin" - - "/usr/sbin" - - "/usr/bin" + - /sbin + - /bin + - /usr/sbin + - /usr/bin - env_keep: - - "COLORS" - - "DISPLAY" - - "HOSTNAME" - - "HISTSIZE" - - "KDEDIR" - - "LS_COLORS" - - "MAIL" - - "PS1" - - "PS2" - - "QTDIR" - - "USERNAME" - - "LANG" - - "LC_ADDRESS" - - "LC_CTYPE" - - "LC_COLLATE" - - "LC_IDENTIFICATION" - - "LC_MEASUREMENT" - - "LC_MESSAGES" - - "LC_MONETARY" - - "LC_NAME" - - "LC_NUMERIC" - - "LC_PAPER" - - "LC_TELEPHONE" - - "LC_TIME" - - "LC_ALL" - - "LANGUAGE" - - "LINGUAS" - - "_XKB_CHARSET" - - "XAUTHORITY" + - COLORS + - DISPLAY + - HOSTNAME + - HISTSIZE + - KDEDIR + - LS_COLORS + - MAIL + - PS1 + - PS2 + - QTDIR + - USERNAME + - LANG + - LC_ADDRESS + - LC_CTYPE + - LC_COLLATE + - LC_IDENTIFICATION + - LC_MEASUREMENT 
+ - LC_MESSAGES + - LC_MONETARY + - LC_NAME + - LC_NUMERIC + - LC_PAPER + - LC_TELEPHONE + - LC_TIME + - LC_ALL + - LANGUAGE + - LINGUAS + - _XKB_CHARSET + - XAUTHORITY user_specifications: - users: - - "root" + - root hosts: - - "ALL" + - ALL operators: - - "ALL" + - ALL commands: - - "ALL" + - ALL - users: - - "%wheel" + - %wheel hosts: - - "ALL" + - ALL operators: - - "ALL" + - ALL commands: - - "ALL" + - ALL include_directories: - - "/etc/sudoers.d" + - /etc/sudoers.d roles: - - role: "linux-system-roles.sudo" + - role: linux-system-roles.sudo ``` ```yaml -# SPDX-License-Identifier: MIT --- -- name: "Apply a multi-file sudoers configuration" - hosts: "all" +- name: Apply a multi-file sudoers configuration + hosts: all tasks: - - name: "Configure /etc/sudoers and included files" + - name: Configure /etc/sudoers and included files include_role: - name: "linux-system-roles.sudo" + name: linux-system-roles.sudo vars: sudoers_rewrite_default_sudoers_file: True sudoers_remove_unauthorized_included_files: True sudoers_backup: True - sudoers_backup_path: "sudoers-backups" + sudoers_backup_path: sudoers-backups sudoers_files: - - path: "/etc/sudoers" + - path: /etc/sudoers defaults: - - "!visiblepw" - - "always_set_home" - - "match_group_by_gid" - - "always_query_group_plugin" - - "env_reset" + - !visiblepw + - always_set_home + - match_group_by_gid + - always_query_group_plugin + - env_reset - secure_path: - - "/sbin" - - "/bin" - - "/usr/sbin" - - "/usr/bin" + - /sbin + - /bin + - /usr/sbin + - /usr/bin - env_keep: - - "COLORS" - - "DISPLAY" - - "HOSTNAME" - - "HISTSIZE" - - "KDEDIR" - - "LS_COLORS" - - "MAIL" - - "PS1" - - "PS2" - - "QTDIR" - - "USERNAME" - - "LANG" - - "LC_ADDRESS" - - "LC_CTYPE" - - "LC_COLLATE" - - "LC_IDENTIFICATION" - - "LC_MEASUREMENT" - - "LC_MESSAGES" - - "LC_MONETARY" - - "LC_NAME" - - "LC_NUMERIC" - - "LC_PAPER" - - "LC_TELEPHONE" - - "LC_TIME" - - "LC_ALL" - - "LANGUAGE" - - "LINGUAS" - - "_XKB_CHARSET" - - "XAUTHORITY" + - COLORS + - 
DISPLAY + - HOSTNAME + - HISTSIZE + - KDEDIR + - LS_COLORS + - MAIL + - PS1 + - PS2 + - QTDIR + - USERNAME + - LANG + - LC_ADDRESS + - LC_CTYPE + - LC_COLLATE + - LC_IDENTIFICATION + - LC_MEASUREMENT + - LC_MESSAGES + - LC_MONETARY + - LC_NAME + - LC_NUMERIC + - LC_PAPER + - LC_TELEPHONE + - LC_TIME + - LC_ALL + - LANGUAGE + - LINGUAS + - _XKB_CHARSET + - XAUTHORITY user_specifications: - users: - - "root" + - root hosts: - - "ALL" + - ALL operators: - - "ALL" + - ALL commands: - - "ALL" + - ALL - users: - - "%wheel" + - %wheel hosts: - - "ALL" + - ALL operators: - - "ALL" + - ALL commands: - - "ALL" + - ALL include_directories: - - "/etc/sudoers.d" + - /etc/sudoers.d aliases: cmnd_alias: - - name: "PING" + - name: PING commands: - - "/bin/ping" + - /bin/ping user_alias: - - name: "PINGERS" + - name: PINGERS users: - - "ahuffman" - - path: "/etc/sudoers.d/pingers" + - ahuffman + - path: /etc/sudoers.d/pingers user_specifications: - - type: "user" + - type: user defaults: - - "!requiretty" + - !requiretty users: - - "PINGERS" - - path: "/etc/sudoers.d/root" + - PINGERS + - path: /etc/sudoers.d/root defaults: - - "syslog=auth" + - syslog=auth user_specifications: - - type: "runas" + - type: runas defaults: - - "!set_logname" + - !set_logname operators: - - "root" + - root ``` ## License diff --git a/defaults/main.yml b/defaults/main.yml index fd21e96..93b8b7a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -2,69 +2,69 @@ sudo_rewrite_default_sudoers_file: True sudo_remove_unauthorized_included_files: False -sudo_visudo_path: "/usr/sbin/visudo" +sudo_visudo_path: /usr/sbin/visudo sudo_sudoers_files: - - path: "/etc/sudoers" + - path: /etc/sudoers defaults: - - "!visiblepw" - - "always_set_home" - - "match_group_by_gid" - - "always_query_group_plugin" - - "env_reset" + - !visiblepw + - always_set_home + - match_group_by_gid + - always_query_group_plugin + - env_reset - secure_path: - - "/sbin" - - "/bin" - - "/usr/sbin" - - "/usr/bin" + - /sbin + - /bin + - /usr/sbin + - /usr/bin - env_keep: - - "COLORS" - - "DISPLAY" - - "HOSTNAME" - - "HISTSIZE" - - "KDEDIR" - - "LS_COLORS" - - "MAIL" - - "PS1" - - "PS2" - - "QTDIR" - - "USERNAME" - - "LANG" - - "LC_ADDRESS" - - "LC_CTYPE" - - "LC_COLLATE" - - "LC_IDENTIFICATION" - - "LC_MEASUREMENT" - - "LC_MESSAGES" - - "LC_MONETARY" - - "LC_NAME" - - "LC_NUMERIC" - - "LC_PAPER" - - "LC_TELEPHONE" - - "LC_TIME" - - "LC_ALL" - - "LANGUAGE" - - "LINGUAS" - - "_XKB_CHARSET" - - "XAUTHORITY" + - COLORS + - DISPLAY + - HOSTNAME + - HISTSIZE + - KDEDIR + - LS_COLORS + - MAIL + - PS1 + - PS2 + - QTDIR + - USERNAME + - LANG + - LC_ADDRESS + - LC_CTYPE + - LC_COLLATE + - LC_IDENTIFICATION + - LC_MEASUREMENT + - LC_MESSAGES + - LC_MONETARY + - LC_NAME + - LC_NUMERIC + - LC_PAPER + - LC_TELEPHONE + - LC_TIME + - LC_ALL + - LANGUAGE + - LINGUAS + - _XKB_CHARSET + - XAUTHORITY user_specifications: - users: - - "root" + - root hosts: - - "ALL" + - ALL operators: - - "ALL" + - ALL commands: - - "ALL" + - ALL - users: - - "%wheel" + - %wheel hosts: - - "ALL" + - ALL operators: - - "ALL" + - ALL commands: - - "ALL" + - ALL include_directories: - - "/etc/sudoers.d" + - /etc/sudoers.d # include_files: [] # aliases: [] diff --git a/examples/simple1.yml b/examples/simple1.yml index a3bd53c..6e1df0a 100644 --- a/examples/simple1.yml +++ b/examples/simple1.yml 
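Review bot: `- !visiblepw` is now a YAML local tag applied to an empty node rather than the string `!visiblepw`, and `- %wheel` begins with `%`, which cannot start a plain scalar, so defaults/main.yml no longer parses (PyYAML reports an unknown-tag constructor error and a scanner error respectively) and the role has no defaults to load; keep those two entries quoted, `- '!visiblepw'` and `- '%wheel'`. The same unquoted `!`/`%` values appear in examples/simple3.yml, examples/simple4.yml (also `!requiretty` and `!set_logname`) and the README code blocks. Quoting is what lets `%wheel` reach the template as a group specification and `!visiblepw` as a negated flag, which is the rendering tests/tests_role_applied.ok expects. The two toggles `True`/`False` would read more conventionally as `true`/`false`.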
@@ -1,6 +1,6 @@ # SPDX-License-Identifier: MIT --- -- name: "Apply a RHEL Default /etc/sudoers configuration" - hosts: "all" +- name: Apply a RHEL Default /etc/sudoers configuration + hosts: all roles: - - role: "linux-system-roles.sudo" + - role: linux-system-roles.sudo diff --git a/examples/simple2.yml b/examples/simple2.yml index 49db986..2d6a884 100644 --- a/examples/simple2.yml +++ b/examples/simple2.yml @@ -1,16 +1,16 @@ # SPDX-License-Identifier: MIT --- -- name: "Apply custom /etc/sudoers configuration" - hosts: "all" +- name: Apply custom /etc/sudoers configuration + hosts: all vars: sudoers_files: - - path: "/etc/sudoers" + - path: /etc/sudoers user_specifications: - users: - - "root" + - root hosts: - - "x" + - x commands: - - "/usr/bin/ls" + - /usr/bin/ls roles: - - role: "linux-system-roles.sudo" + - role: linux-system-roles.sudo diff --git a/examples/simple3.yml b/examples/simple3.yml index d99e778..daadcb5 100644 --- a/examples/simple3.yml +++ b/examples/simple3.yml 
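Review bot: examples/simple2.yml sets `sudoers_files`, but the role reads `sudo_sudoers_files` (defaults/main.yml and tasks/main.yml in this patch), so the specification restricting `root` to `/usr/bin/ls` on host `x` is silently ignored and the RHEL default policy (`root` and `%wheel` with `ALL=(ALL) ALL`) is applied instead; rename the key to `sudo_sudoers_files:`. examples/simple3.yml and examples/simple4.yml carry the same mismatch, and simple4 additionally sets `sudoers_rewrite_default_sudoers_file`, `sudoers_remove_unauthorized_included_files`, `sudoers_backup` and `sudoers_backup_path`, of which only the `sudo_`-prefixed forms of the first two exist anywhere in this patch. Because an unrecognised variable is simply unused, an example that appears to narrow sudo access actually grants the defaults.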
@@ -1,69 +1,69 @@ # SPDX-License-Identifier: MIT --- -- name: "Apply a RHEL Default /etc/sudoers configuration" - hosts: "all" +- name: Apply a RHEL Default /etc/sudoers configuration + hosts: all vars: sudoers_files: - - path: "/etc/sudoers" + - path: /etc/sudoers defaults: - - "!visiblepw" - - "always_set_home" - - "match_group_by_gid" - - "always_query_group_plugin" - - "env_reset" + - !visiblepw + - always_set_home + - match_group_by_gid + - always_query_group_plugin + - env_reset - secure_path: - - "/sbin" - - "/bin" - - "/usr/sbin" - - "/usr/bin" + - /sbin + - /bin + - /usr/sbin + - /usr/bin - env_keep: - - "COLORS" - - "DISPLAY" - - "HOSTNAME" - - "HISTSIZE" - - "KDEDIR" - - "LS_COLORS" - - "MAIL" - - "PS1" - - "PS2" - - "QTDIR" - - "USERNAME" - - "LANG" - - "LC_ADDRESS" - - "LC_CTYPE" - - "LC_COLLATE" - - "LC_IDENTIFICATION" - - "LC_MEASUREMENT" - - "LC_MESSAGES" - - "LC_MONETARY" - - "LC_NAME" - - "LC_NUMERIC" - - "LC_PAPER" - - "LC_TELEPHONE" - - "LC_TIME" - - "LC_ALL" - - "LANGUAGE" - - "LINGUAS" - - "_XKB_CHARSET" - - "XAUTHORITY" + - COLORS + - DISPLAY + - HOSTNAME + - HISTSIZE + - KDEDIR + - LS_COLORS + - MAIL + - PS1 + - PS2 + - QTDIR + - USERNAME + - LANG + - LC_ADDRESS + - LC_CTYPE + - LC_COLLATE + - LC_IDENTIFICATION + - LC_MEASUREMENT + - LC_MESSAGES + - LC_MONETARY + - LC_NAME + - LC_NUMERIC + - LC_PAPER + - LC_TELEPHONE + - LC_TIME + - LC_ALL + - LANGUAGE + - LINGUAS + - _XKB_CHARSET + - XAUTHORITY user_specifications: - users: - - "root" + - root hosts: - - "ALL" + - ALL operators: - - "ALL" + - ALL commands: - - "ALL" + - ALL - users: - - "%wheel" + - %wheel hosts: - - "ALL" + - ALL operators: - - "ALL" + - ALL commands: - - "ALL" + - ALL include_directories: - - "/etc/sudoers.d" + - /etc/sudoers.d roles: - - role: "linux-system-roles.sudo" + - role: linux-system-roles.sudo diff --git a/examples/simple4.yml b/examples/simple4.yml index 4d43dac..ac48bb4 100644 --- a/examples/simple4.yml +++ b/examples/simple4.yml 
@@ -1,100 +1,100 @@ # SPDX-License-Identifier: MIT --- -- name: "Apply a multi-file sudoers configuration" - hosts: "all" +- name: Apply a multi-file sudoers configuration + hosts: all tasks: - - name: "Configure /etc/sudoers and included files" + - name: Configure /etc/sudoers and included files include_role: - name: "linux-system-roles.sudo" + name: linux-system-roles.sudo vars: sudoers_rewrite_default_sudoers_file: True sudoers_remove_unauthorized_included_files: True sudoers_backup: True - sudoers_backup_path: "sudoers-backups" + sudoers_backup_path: sudoers-backups sudoers_files: - - path: "/etc/sudoers" + - path: /etc/sudoers defaults: - - "!visiblepw" - - "always_set_home" - - "match_group_by_gid" - - "always_query_group_plugin" - - "env_reset" + - !visiblepw + - always_set_home + - match_group_by_gid + - always_query_group_plugin + - env_reset - secure_path: - - "/sbin" - - "/bin" - - "/usr/sbin" - - "/usr/bin" + - /sbin + - /bin + - /usr/sbin + - /usr/bin - env_keep: - - "COLORS" - - "DISPLAY" - - "HOSTNAME" - - "HISTSIZE" - - "KDEDIR" - - "LS_COLORS" - - "MAIL" - - "PS1" - - "PS2" - - "QTDIR" - - "USERNAME" - - "LANG" - - "LC_ADDRESS" - - "LC_CTYPE" - - "LC_COLLATE" - - "LC_IDENTIFICATION" - - "LC_MEASUREMENT" - - "LC_MESSAGES" - - "LC_MONETARY" - - "LC_NAME" - - "LC_NUMERIC" - - "LC_PAPER" - - "LC_TELEPHONE" - - "LC_TIME" - - "LC_ALL" - - "LANGUAGE" - - "LINGUAS" - - "_XKB_CHARSET" - - "XAUTHORITY" + - COLORS + - DISPLAY + - HOSTNAME + - HISTSIZE + - KDEDIR + - LS_COLORS + - MAIL + - PS1 + - PS2 + - QTDIR + - USERNAME + - LANG + - LC_ADDRESS + - LC_CTYPE + - LC_COLLATE + - LC_IDENTIFICATION + - LC_MEASUREMENT + - LC_MESSAGES + - LC_MONETARY + - LC_NAME + - LC_NUMERIC + - LC_PAPER + - LC_TELEPHONE + - LC_TIME + - LC_ALL + - LANGUAGE + - LINGUAS + - _XKB_CHARSET + - XAUTHORITY user_specifications: - users: - - "root" + - root hosts: - - "ALL" + - ALL operators: - - "ALL" + - ALL commands: - - "ALL" + - ALL - users: - - "%wheel" + - %wheel hosts: - - "ALL" 
+ - ALL operators: - - "ALL" + - ALL commands: - - "ALL" + - ALL include_directories: - - "/etc/sudoers.d" + - /etc/sudoers.d aliases: cmnd_alias: - - name: "PING" + - name: PING commands: - - "/bin/ping" + - /bin/ping user_alias: - - name: "PINGERS" + - name: PINGERS users: - - "ahuffman" - - path: "/etc/sudoers.d/pingers" + - ahuffman + - path: /etc/sudoers.d/pingers user_specifications: - - type: "user" + - type: user defaults: - - "!requiretty" + - !requiretty users: - - "PINGERS" - - path: "/etc/sudoers.d/root" + - PINGERS + - path: /etc/sudoers.d/root defaults: - - "syslog=auth" + - syslog=auth user_specifications: - - type: "runas" + - type: runas defaults: - - "!set_logname" + - !set_logname operators: - - "root" + - root diff --git a/meta/main.yml b/meta/main.yml index ebcb0d1..25e4ebf 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -2,7 +2,7 @@ --- galaxy_info: author: Radovan Sroka - description: Fapolicyd system role + description: Sudo system role company: Red Hat Inc. license: MIT diff --git a/tasks/main.yml b/tasks/main.yml index cc317e2..49d46f7 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -1,100 +1,88 @@ --- -- name: "Ensure sudo is installed" +- name: Ensure sudo is installed package: - name: "sudo" - state: "present" - retries: 3 - register: "sudo_installed" - until: "sudo_installed is succeeded" + name: sudo + state: present + register: sudo_installed -- name: "Set include directories variable" +- name: Set include directories variable set_fact: - sudo_include_dirs: "{{ sudo_sudoers_files + sudo_include_dirs: {{ sudo_sudoers_files | selectattr('include_directories', 'defined') - | map(attribute='include_directories') | flatten }}" + | map(attribute='include_directories') | flatten }} -- name: "Set sudoer file paths variable" +- name: Set sudoer file paths variable set_fact: - sudo_file_paths: "{{ sudo_sudoers_files + sudo_file_paths: {{ sudo_sudoers_files | selectattr('path', 'defined') - | map(attribute='path') | flatten }}" + | map(attribute='path') | flatten }} -- name: "Display all sudoers include directories" - debug: - var: "sudo_include_dirs" - verbosity: "1" - -- name: "Display all sudoers file paths" - debug: - var: "sudo_file_paths" - verbosity: "1" - -- name: "Ensure include directories are created" +- name: Ensure include directories are created file: - path: "{{ item }}" - owner: "root" - group: "root" - mode: "0750" - state: "directory" - with_items: "{{ sudo_include_dirs }}" - when: "sudo_include_dirs | length > 0" + path: {{ item }} + owner: root + group: root + mode: 0750 + state: directory + with_items: {{ sudo_include_dirs }} + when: sudo_include_dirs | length > 0 -- name: "Ensure sudoers include files are configured" +- name: Ensure sudoers include files are configured template: - src: "sudoers.j2" - dest: "{{ item.path }}" - owner: "root" - group: "root" - mode: "0440" + src: sudoers.j2 + dest: {{ item.path }} + owner: root + group: root + mode: 0440 validate: '{{ sudo_visudo_path }} -cf %s' - with_items: "{{ sudo_sudoers_files }}" + with_items: {{ sudo_sudoers_files }} # become: True loop_control: - label: "{{ item.path 
}}" - when: "item.path != '/etc/sudoers'" + label: {{ item.path }} + when: item.path != '/etc/sudoers' -- name: "Ensure /etc/sudoers is configured" +- name: Ensure /etc/sudoers is configured template: - src: "sudoers.j2" - dest: "/etc/sudoers" - owner: "root" - group: "root" - mode: "0440" + src: sudoers.j2 + dest: /etc/sudoers + owner: root + group: root + mode: 0440 validate: '{{ sudo_visudo_path }} -cf %s' - with_items: "{{ sudo_sudoers_files }}" + with_items: {{ sudo_sudoers_files }} loop_control: - label: "{{ item.path }}" + label: {{ item.path }} when: - - "item.path == '/etc/sudoers'" - - "sudo_rewrite_default_sudoers_file | bool" + - item.path == '/etc/sudoers' + - sudo_rewrite_default_sudoers_file | bool -- name: "Remove unauthorized included sudoer files" +- name: Remove unauthorized included sudoer files when: - - "sudo_remove_unauthorized_included_files | bool" - - "sudo_include_dirs | length > 0" + - sudo_remove_unauthorized_included_files | bool + - sudo_include_dirs | length > 0 block: - - name: "Search for sudoer files in included directories" + - name: Search for sudoers files in included directories find: - paths: "{{ sudoers_include_dirs }}" + paths: {{ sudo_include_dirs }} recurse: True hidden: True - file_type: "any" - register: "sudo_existing_included_files" + file_type: any + register: sudo_existing_included_files - - name: "Set unauthorized included sudoers files variable" + - name: Set unauthorized included sudoers files variable set_fact: - sudo_unauthorized_files: "{{ sudo_existing_included_files['files'] + sudo_unauthorized_files: {{ sudo_existing_included_files['files'] | selectattr('path', 'defined') | map(attribute='path') - | flatten | difference(sudoers_file_paths) }}" + | flatten | difference(sudo_file_paths) }} - - name: "Display unauthorized sudoers include files to be removed" + - name: Display unauthorized sudoers include files to be removed debug: - var: "sudo_unauthorized_files" - verbosity: "1" + var: sudo_unauthorized_files 
+ verbosity: 1 - - name: "Remove unauthorized included sudoers files" + - name: Remove unauthorized included sudoers files file: - path: "{{ item }}" - state: "absent" - with_items: "{{ sudo_unauthorized_files }}" - when: "sudo_unauthorized_files | length > 0" + path: {{ item }} + state: absent + with_items: {{ sudo_unauthorized_files }} + when: sudo_unauthorized_files | length > 0 diff --git a/templates/foo.conf.j2 b/templates/foo.conf.j2 deleted file mode 100644 index 5fc204b..0000000 --- a/templates/foo.conf.j2 +++ /dev/null @@ -1,9 +0,0 @@ -# SPDX-License-Identifier: MIT -# -# Example of a template of configuration file -# -{{ ansible_managed | comment }} -{{ "system_role:template" | comment(prefix="", postfix="") }} -[foo] -foo = {{ template_foo }} -bar = {{ template_bar }} diff --git a/templates/sudoers.j2 b/templates/sudoers.j2 index 4fe1065..35b8e74 100644 --- a/templates/sudoers.j2 +++ b/templates/sudoers.j2 @@ -1,4 +1,5 @@ {{ ansible_managed | default('Ansible managed') | comment }} +{{ "system_role:sudo" | comment(prefix="", postfix="") }} {% if item.defaults is defined %} # Default specifications diff --git a/tests/tests_role_applied.ok b/tests/tests_role_applied.ok new file mode 100644 index 0000000..3e29e25 --- /dev/null +++ b/tests/tests_role_applied.ok 
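Review bot: Every value that now starts with an unquoted `{{` — `sudo_include_dirs:`, `sudo_file_paths:`, `path: {{ item }}`, `with_items:`, `dest:`, `label:`, `paths:` and `sudo_unauthorized_files:` — is read by YAML as a flow mapping before Jinja sees it, so tasks/main.yml no longer loads at all; keep the quotes on exactly these lines, e.g. `path: "{{ item }}"` and `with_items: "{{ sudo_include_dirs }}"`, while the plain strings such as `owner: root` are fine unquoted. `mode: 0750` and `mode: 0440` have become octal integers rather than the strings `"0750"`/`"0440"`; Ansible accepts the leading-zero form, but quoting keeps the permission a string under any loader and matches the `'{{ sudo_visudo_path }} -cf %s'` style kept on the `validate:` lines. Dropping `retries`/`until` from `Ensure sudo is installed` means a transient package-manager failure aborts the run on the first attempt; if that is intended it deserves a sentence in the commit message.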
@@ -0,0 +1,25 @@ +# +# Ansible managed +# + +# Default specifications +Defaults !visiblepw +Defaults always_set_home +Defaults match_group_by_gid +Defaults always_query_group_plugin +Defaults env_reset +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR" +Defaults env_keep += "LS_COLORS MAIL PS1 PS2 QTDIR" +Defaults env_keep += "USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE" +Defaults env_keep += "LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME" +Defaults env_keep += "LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL" +Defaults env_keep += "LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# User specifications +root ALL=(ALL) ALL +%wheel ALL=(ALL) ALL + +# Includes +## Include directories +#includedir /etc/sudoers.d diff --git a/tests/tests_role_applied.yml b/tests/tests_role_applied.yml new file mode 100644 index 0000000..40ce662 --- /dev/null +++ b/tests/tests_role_applied.yml 
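Review bot: The expected file has no `# system_role:sudo` line, yet templates/sudoers.j2 in this same patch now emits `{{ "system_role:sudo" | comment(prefix="", postfix="") }}` directly after the ansible_managed header, so the `diff -u /etc/sudoers ./tests_role_applied.ok` in tests/tests_role_applied.yml presumably fails on its first hunk; add `# system_role:sudo` after the `# Ansible managed` block, taking the exact blank-line placement from a rendered file since it depends on the `comment` filter output. The fixture also pins the literal `# Ansible managed` header, so it only matches when `ansible_managed` is unset or at its stock value.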
@@ -0,0 +1,63 @@ +--- +- name: Basic test for Sudo + hosts: all + tasks: + - name: Run tests + block: + - name: Run the role + include_role: + name: linux-system-roles.sudo + vars: + sudo_rewrite_default_sudoers_file: True + sudo_remove_unauthorized_included_files: True + + - name: Create temp test directory + tempfile: + path: /var/tmp + prefix: sudo_ + state: directory + register: __sudo_tmpdir + + - name: Backup sudoers + copy: + src: '/etc/sudoers' + dest: "{{ __sudo_tmpdir }}/sudoers" + owner: root + group: root + mode: "0644" + remote_src: true + + - name: Backup sudoers.d + copy: + src: '/etc/sudoers.d' + dest: "{{ __sudo_tmpdir }}/sudoers.d" + owner: root + group: root + mode: "0644" + remote_src: true + + - name: Check sudoers + command: >- + diff -u /etc/sudoers ./tests_role_applied.ok + - name: Restore sudoers + copy: + src: "{{ __sudo_tmpdir }}/sudoers" + dest: '/etc/sudoers' + owner: root + group: root + mode: "0644" + remote_src: true + + - name: Restore sudoers.d + copy: + src: "{{ __sudo_tmpdir }}/sudoers.d" + dest: '/etc/sudoers.d' + owner: root + group: root + mode: "0644" + remote_src: true + + - name: Clean up temp directory + file: + path: "{{ __sudo_tmpdir }}" + state: absent
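Review bot: The backup tasks run after `Run the role`, so they capture the already-rewritten `/etc/sudoers` and `/etc/sudoers.d`, and `Restore sudoers` later writes the role's output back instead of the host's original policy; the tempfile and backup tasks belong before `include_role`, which matters all the more because the test enables `sudo_remove_unauthorized_included_files`. `dest: "{{ __sudo_tmpdir }}/sudoers"` interpolates the whole registered result rather than `__sudo_tmpdir.path`, and the restore and clean-up tasks repeat that. Both restore tasks write `/etc/sudoers` with `mode: "0644"`, which sudo refuses to use (it requires 0440), and the backup copies under /var/tmp are created with the same world-readable mode; use `"0440"` for both. Restore and clean-up sit in the same `block` as `Check sudoers`, so a failing diff leaves the host running the test policy; move them to `always:`. `diff -u /etc/sudoers ./tests_role_applied.ok` executes on the managed node against a path relative to its working directory, so the fixture presumably needs to be copied there first — left as-is below.
```yaml
  tasks:
    - name: Create temp test directory
      tempfile:
        path: /var/tmp
        prefix: sudo_
        state: directory
      register: __sudo_tmpdir

    - name: Backup sudoers
      copy:
        src: /etc/sudoers
        dest: "{{ __sudo_tmpdir.path }}/sudoers"
        owner: root
        group: root
        mode: "0440"
        remote_src: true

    # … unchanged: Backup sudoers.d (dest uses __sudo_tmpdir.path) …

    - name: Run tests
      block:
        - name: Run the role
          include_role:
            name: linux-system-roles.sudo
          vars:
            sudo_rewrite_default_sudoers_file: True
            sudo_remove_unauthorized_included_files: True

        # … unchanged: Check sudoers …
      always:
        - name: Restore sudoers
          copy:
            src: "{{ __sudo_tmpdir.path }}/sudoers"
            dest: /etc/sudoers
            owner: root
            group: root
            mode: "0440"
            remote_src: true

        # … unchanged: Restore sudoers.d, Clean up temp directory (paths use __sudo_tmpdir.path) …
```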