diff --git a/README.md b/README.md index 7efe5af..b8f4665 100644 --- a/README.md +++ b/README.md 
@@ -16,290 +16,430 @@ The defaults defined for this role are based on a default RHEL8.4 `/etc/sudoers` ### sudo_rewrite_default_sudoers_file -Use role default or user defined `sudoers_files` definition, replacing your distribution supplied `/etc/sudoers` file. Useful when attempting to deploy new configuration files to the `include_directories` and you do not wish to modify the `/etc/sudoers` file. | True | boolean | +Use role default or user defined `sudoers_files` definition, replacing your distribution supplied `/etc/sudoers` file. Useful when attempting to deploy new configuration files to the `include_directories` and you do not wish to modify the `/etc/sudoers` file. + +Default: `true` +Type: `bool` ### sudo_remove_unauthorized_included_files -***Dangerous!*** Each existing sudoers file found in the `include_directories` dictionary which have not been defined in `sudoers_files` will be removed. This allows for enforcing a desired state. | False | boolean | +***Dangerous!*** Each existing sudoers file found in the `include_directories` dictionary which have not been defined in `sudoers_files` will be removed. This allows for enforcing a desired state. + +Default: `false` +Type: `bool` ### sudo_visudo_path -Fully-qualified path to the `visudo` binary required for validation of sudoers configuration changes. Added for Operating System compatibility. | /usr/sbin/visudo | string | +Fully-qualified path to the `visudo` binary required for validation of sudoers configuration changes. Added for Operating System compatibility. 
+ +Default: `/usr/bin/visudo` +Type: `string` ### sudo_sudoers_files -Definition of all your sudoers configurations | see [defaults/main.yml](defaults/main.yml)| list of dictionaries | +Definition of all your sudoers configurations | see [defaults/main.yml](defaults/main.yml) + +Default: ` + - path: /etc/sudoers + defaults: + - "!visiblepw" + - always_set_home + - match_group_by_gid + - always_query_group_plugin + - env_reset + - secure_path: + - /sbin + - /bin + - /usr/sbin + - /usr/bin + - env_keep: + - COLORS + - DISPLAY + - HOSTNAME + - HISTSIZE + - KDEDIR + - LS_COLORS + - MAIL + - PS1 + - PS2 + - QTDIR + - USERNAME + - LANG + - LC_ADDRESS + - LC_CTYPE + - LC_COLLATE + - LC_IDENTIFICATION + - LC_MEASUREMENT + - LC_MESSAGES + - LC_MONETARY + - LC_NAME + - LC_NUMERIC + - LC_PAPER + - LC_TELEPHONE + - LC_TIME + - LC_ALL + - LANGUAGE + - LINGUAS + - _XKB_CHARSET + - XAUTHORITY + user_specifications: + - users: + - root + hosts: + - ALL + operators: + - ALL + commands: + - ALL + - users: + - "%wheel" + hosts: + - ALL + operators: + - ALL + commands: + - ALL + include_directories: + - /etc/sudoers.d` +Type: `list` #### path -Where to deploy the configuration file to on the filesystem. | string | +Where to deploy the configuration file to on the filesystem. + +Type: `string` #### aliases -Optional definition of `cmnd_alias`, `host_alias`, `runas_alias`, or `user_alias` items. | dictionary | +Optional definition of `cmnd_alias`, `host_alias`, `runas_alias`, or `user_alias` items. + +Type: `dictionary` #### defaults -This allows you to define the defaults of your sudoers configuration. Default overrides can be perfomed via the [`user_specifications`](#default-override-user_specifications) key.| list | +This allows you to define the defaults of your sudoers configuration. Default overrides can be perfomed via the [`user_specifications`](#default-override-user_specifications) key. 
+ +Type: `list` #### include_files -Optional specific files that you would like your configuration to include. This is a list of fully-qualified paths to include via the `#include` option of a sudoers configuration. | list | +Optional specific files that you would like your configuration to include. This is a list of fully-qualified paths to include via the `#include` option of a sudoers configuration. + +Type: `list` #### include_directories -Optional specific directories that you would like your configurations to include. This is a list of fully-qualified paths to directories to include via the `#includedir` option of a sudoers configuration. | list | +Optional specific directories that you would like your configurations to include. This is a list of fully-qualified paths to directories to include via the `#includedir` option of a sudoers configuration. + +Type: `list` #### user_specifications -List of user specifications and default overrides to apply to a sudoers file configuration. | list | +List of user specifications and default overrides to apply to a sudoers file configuration. + +Type: `list` ### sudo_sudoers_files aliases This dictionary can be used to assign either user specifications or default overrides. +Type: `dictionary` + #### cmnd_alias -`name` Name of the command alias and commands. | string | -`commands` List of commands to apply to the alias | list | +`name` Name of the command alias and commands. +Type: `string` +`commands` List of commands to apply to the alias. +Type: `list` + #### host_alias -`name` Name of the host alias. | string | -`hosts` List of hosts to apply to the alias | list | +`name` Name of the host alias. +Type: `string` + +`hosts` List of hosts to apply to the alias. +Type: `list` #### runas_alias -`name` Name of the runas alias | string | -`users` List of users to apply to the alias | list | +`name` Name of the runas alias. +Type: `string` + +`users` List of users to apply to the alias. 
+Type: `list` #### user_alias -`name` Name of the user_alias | string | -`users` List of users to apply to the alias | list | +`name` Name of the user_alias. +Type: `string` + +`users` List of users to apply to the alias. +Type: `list` ### Other user_specifications #### Standard user_specifications -`users` List of users to apply the specification to. You can use a `user_alias` name as well as user names. | list | -`hosts` List of hosts to apply the specification to. You can use a defined `host_alias` name as well as host names. | list | -`operators` List of operators to apply the specification to. You can use a defined `runas_alias` name as well as user names. | list | -`selinux_role` Optional selinux role to apply to the specification | list | -`selinux_type` Optional selinux type to apply to the specification | list | -`solaris_privs` Optional Solaris privset to apply to the specification | list | -`solaris_limitprivs` Optional Solaris privset to apply to the specification | list | -`tags` Optional list of tags to apply to the specification. | list | -`commands` List of commands to apply the specification to. You can use a defined `cmnd_alias` name as well as commands. | list | +`users` List of users to apply the specification to. You can use a `user_alias` name as well as user names. + +Type: `list` + +`hosts` List of hosts to apply the specification to. You can use a defined `host_alias` name as well as host names. + +Type: `list` + +`operators` List of operators to apply the specification to. You can use a defined `runas_alias` name as well as user names. + +Type: `list` + +`selinux_role` Optional selinux role to apply to the specification. + +Type: `list` + +`selinux_type` Optional selinux type to apply to the specification. + +Type: `list` + +`solaris_privs` Optional Solaris privset to apply to the specification. + +Type: `list` + +`solaris_limitprivs` Optional Solaris privset to apply to the specification. 
+ +Type: `list` + +`tags` Optional list of tags to apply to the specification. + +Type: `list` + +`commands` List of commands to apply the specification to. You can use a defined `cmnd_alias` name as well as commands. + +Type: `list` #### Default Override user_specifications -`defaults` List of defaults to override from the main configuration | list | -`type` Type of default to override, this affects the operator in the configuration ( host -> `@`, user -> `:`, command -> `!`, and runas -> `>`). The type field can be one of the following values: `command`, `host`, `runas`, or `user`. | string | -`commands` Use when `type: command`. List of `cmnd_alias` names as well as commands to override specific default values.| list | -`hosts` Use when `type: host`. List of `host_alias` names as well as individual host names to override specific default values. | list | -`operators` Use when `type: runas`. List of `runas_alias` names as well as individual user names to override specific default values. | list | -`users` Use when `type: user`. List of `user_alias` names as well as individual user names to override specific default values. | list | +`defaults` List of defaults to override from the main configuration. + +Type: `list` + +`type` Type of default to override, this affects the operator in the configuration ( host -> `@`, user -> `:`, command -> `!`, and runas -> `>`). The type field can be one of the following values: `command`, `host`, `runas`, or `user`. + +Type: `string` + +`commands` Use when `type: command`. List of `cmnd_alias` names as well as commands to override specific default values. + +Type: `list` + +`hosts` Use when `type: host`. List of `host_alias` names as well as individual host names to override specific default values. + +Type: `list` + +`operators` Use when `type: runas`. List of `runas_alias` names as well as individual user names to override specific default values. + +Type: `list` + +`users` Use when `type: user`. 
List of `user_alias` names as well as individual user names to override specific default values. + +Type: `list` ## Example Playbook ```yaml --- - name: Apply a RHEL Default /etc/sudoers configuration - hosts: all - roles: - - role: linux-system-roles.sudo + hosts: all + roles: + - role: linux-system-roles.sudo ``` ```yaml --- - name: Apply custom /etc/sudoers configuration - hosts: all - vars: - sudoers_files: - - path: /etc/sudoers - user_specifications: - - users: - - root - hosts: - - x - commands: - - /usr/bin/ls - roles: - - role: linux-system-roles.sudo + hosts: all + vars: + sudoers_files: + - path: /etc/sudoers + user_specifications: + - users: + - root + hosts: + - x + commands: + - /usr/bin/ls + roles: + - role: linux-system-roles.sudo ``` ```yaml --- - name: Apply a RHEL Default /etc/sudoers configuration - hosts: all - vars: - sudoers_files: - - path: /etc/sudoers - defaults: - - "!visiblepw" - - always_set_home - - match_group_by_gid - - always_query_group_plugin - - env_reset - - secure_path: - - /sbin - - /bin - - /usr/sbin - - /usr/bin - - env_keep: - - COLORS - - DISPLAY - - HOSTNAME - - HISTSIZE - - KDEDIR - - LS_COLORS - - MAIL - - PS1 - - PS2 - - QTDIR - - USERNAME - - LANG - - LC_ADDRESS - - LC_CTYPE - - LC_COLLATE - - LC_IDENTIFICATION - - LC_MEASUREMENT - - LC_MESSAGES - - LC_MONETARY - - LC_NAME - - LC_NUMERIC - - LC_PAPER - - LC_TELEPHONE - - LC_TIME - - LC_ALL - - LANGUAGE - - LINGUAS - - _XKB_CHARSET - - XAUTHORITY - user_specifications: - - users: - - root - hosts: - - ALL - operators: - - ALL - commands: - - ALL - - users: - - "%wheel" - hosts: - - ALL - operators: - - ALL - commands: - - ALL - include_directories: - - /etc/sudoers.d - roles: - - role: linux-system-roles.sudo + hosts: all + vars: + sudoers_files: + - path: /etc/sudoers + defaults: + - "!visiblepw" + - always_set_home + - match_group_by_gid + - always_query_group_plugin + - env_reset + - secure_path: + - /sbin + - /bin + - /usr/sbin + - /usr/bin + - env_keep: + - COLORS 
+ - DISPLAY + - HOSTNAME + - HISTSIZE + - KDEDIR + - LS_COLORS + - MAIL + - PS1 + - PS2 + - QTDIR + - USERNAME + - LANG + - LC_ADDRESS + - LC_CTYPE + - LC_COLLATE + - LC_IDENTIFICATION + - LC_MEASUREMENT + - LC_MESSAGES + - LC_MONETARY + - LC_NAME + - LC_NUMERIC + - LC_PAPER + - LC_TELEPHONE + - LC_TIME + - LC_ALL + - LANGUAGE + - LINGUAS + - _XKB_CHARSET + - XAUTHORITY + user_specifications: + - users: + - root + hosts: + - ALL + operators: + - ALL + commands: + - ALL + - users: + - "%wheel" + hosts: + - ALL + operators: + - ALL + commands: + - ALL + include_directories: + - /etc/sudoers.d + roles: + - role: linux-system-roles.sudo ``` ```yaml --- - name: Apply a multi-file sudoers configuration - hosts: all - tasks: - - name: Configure /etc/sudoers and included files - include_role: - name: linux-system-roles.sudo - vars: - sudoers_rewrite_default_sudoers_file: True - sudoers_remove_unauthorized_included_files: True - sudoers_backup: True - sudoers_backup_path: sudoers-backups - sudoers_files: - - path: /etc/sudoers - defaults: - - "!visiblepw" - - always_set_home - - match_group_by_gid - - always_query_group_plugin - - env_reset - - secure_path: - - /sbin - - /bin - - /usr/sbin - - /usr/bin - - env_keep: - - COLORS - - DISPLAY - - HOSTNAME - - HISTSIZE - - KDEDIR - - LS_COLORS - - MAIL - - PS1 - - PS2 - - QTDIR - - USERNAME - - LANG - - LC_ADDRESS - - LC_CTYPE - - LC_COLLATE - - LC_IDENTIFICATION - - LC_MEASUREMENT - - LC_MESSAGES - - LC_MONETARY - - LC_NAME - - LC_NUMERIC - - LC_PAPER - - LC_TELEPHONE - - LC_TIME - - LC_ALL - - LANGUAGE - - LINGUAS - - _XKB_CHARSET - - XAUTHORITY - user_specifications: - - users: - - root - hosts: - - ALL - operators: - - ALL - commands: - - ALL - - users: - - "%wheel" - hosts: - - ALL - operators: - - ALL - commands: - - ALL - include_directories: - - /etc/sudoers.d - aliases: - cmnd_alias: - - name: PING - commands: - - /bin/ping - user_alias: - - name: PINGERS - users: - - ahuffman - - path: /etc/sudoers.d/pingers - 
user_specifications: - - type: user - defaults: - - "!requiretty" - users: - - PINGERS - - path: /etc/sudoers.d/root - defaults: - - syslog=auth - user_specifications: - - type: runas - defaults: - - "!set_logname" - operators: - - root + hosts: all + tasks: + - name: Configure /etc/sudoers and included files + include_role: + name: linux-system-roles.sudo + vars: + sudo_rewrite_default_sudoers_file: true + sudo_remove_unauthorized_included_files: true + sudo_sudoers_files: + - path: /etc/sudoers + defaults: + - "!visiblepw" + - always_set_home + - match_group_by_gid + - always_query_group_plugin + - env_reset + - secure_path: + - /sbin + - /bin + - /usr/sbin + - /usr/bin + - env_keep: + - COLORS + - DISPLAY + - HOSTNAME + - HISTSIZE + - KDEDIR + - LS_COLORS + - MAIL + - PS1 + - PS2 + - QTDIR + - USERNAME + - LANG + - LC_ADDRESS + - LC_CTYPE + - LC_COLLATE + - LC_IDENTIFICATION + - LC_MEASUREMENT + - LC_MESSAGES + - LC_MONETARY + - LC_NAME + - LC_NUMERIC + - LC_PAPER + - LC_TELEPHONE + - LC_TIME + - LC_ALL + - LANGUAGE + - LINGUAS + - _XKB_CHARSET + - XAUTHORITY + user_specifications: + - users: + - root + hosts: + - ALL + operators: + - ALL + commands: + - ALL + - users: + - "%wheel" + hosts: + - ALL + operators: + - ALL + commands: + - ALL + include_directories: + - /etc/sudoers.d + aliases: + cmnd_alias: + - name: PING + commands: + - /bin/ping + user_alias: + - name: PINGERS + users: + - username + - path: /etc/sudoers.d/pingers + user_specifications: + - type: user + defaults: + - "!requiretty" + users: + - PINGERS + - path: /etc/sudoers.d/root + defaults: + - syslog=auth + user_specifications: + - type: runas + defaults: + - "!set_logname" + operators: + - root ``` ## License diff --git a/defaults/main.yml b/defaults/main.yml index e8653d6..f2e7191 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,6 +1,6 @@ --- -sudo_rewrite_default_sudoers_file: True -sudo_remove_unauthorized_included_files: False +sudo_rewrite_default_sudoers_file: true +sudo_remove_unauthorized_included_files: false sudo_visudo_path: /usr/sbin/visudo diff --git a/examples/multiple_sudoers_configuration.yml b/examples/multiple_sudoers_configuration.yml index 97ddb40..4132a0b 100644 --- a/examples/multiple_sudoers_configuration.yml +++ b/examples/multiple_sudoers_configuration.yml @@ -7,8 +7,8 @@ include_role: name: linux-system-roles.sudo vars: - sudo_rewrite_default_sudoers_file: True - sudo_remove_unauthorized_included_files: True + sudo_rewrite_default_sudoers_file: true + sudo_remove_unauthorized_included_files: true sudo_sudoers_files: - path: /etc/sudoers defaults: diff --git a/tasks/main.yml b/tasks/main.yml index c20f106..95904aa 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -3,19 +3,18 @@ package: name: sudo state: present - register: sudo_installed - name: Set include directories variable set_fact: sudo_include_dirs: "{{ sudo_sudoers_files - | selectattr('include_directories', 'defined') - | map(attribute='include_directories') | flatten }}" + | selectattr('include_directories', 'defined') + | map(attribute='include_directories') | flatten }}" - name: Set sudoer file paths variable set_fact: sudo_file_paths: "{{ sudo_sudoers_files - | selectattr('path', 'defined') - | map(attribute='path') | flatten }}" + | selectattr('path', 'defined') + | map(attribute='path') | flatten }}" - name: Ensure include directories are created file: @@ -43,7 +42,7 @@ - name: Ensure /etc/sudoers is configured template: src: sudoers.j2 - dest: /etc/sudoers + dest: "{{ item.path }}" owner: root group: root mode: 0440 @@ -63,8 +62,8 @@ - name: Search for sudoers files in included directories find: paths: "{{ sudo_include_dirs }}" - recurse: True - hidden: True + recurse: true + hidden: true file_type: any register: sudo_existing_included_files 
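Review bot: The context line `sudo_visudo_path: /usr/sbin/visudo` in this hunk disagrees with the README hunk's new line `Default: `/usr/bin/visudo``, so the shipped default and the documented default now differ. Because `visudo` is what validates sudoers changes before they land, the documented path is the one users will copy when overriding it for another distribution, and it should match what the role actually uses. Either correct the README line to `Default: `/usr/sbin/visudo`` or change this default, whichever reflects the role's intent.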
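Review bot: With `dest: "{{ item.path }}"` the task still named `Ensure /etc/sudoers is configured` now writes every entry of `sudo_sudoers_files`, including files under the include directories, so the name is misleading; rename it to `- name: Ensure sudoers files are configured`. The loop that defines `item` lies outside the hunk, as does any `validate:` option this `template:` task may carry; if it does not already pass `validate: "{{ sudo_visudo_path }} -cf %s"`, it should, since a single syntax error in any rendered file can disable sudo on the host and the role already requires `visudo` via `sudo_visudo_path` for validation. This matters more after this change because the template now reaches every configured path rather than only `/etc/sudoers`.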
diff --git a/tests/tests_multiple_sudoers.yml b/tests/tests_multiple_sudoers.yml index 1a2f7c9..33bea1e 100644 --- a/tests/tests_multiple_sudoers.yml +++ b/tests/tests_multiple_sudoers.yml @@ -8,8 +8,8 @@ include_role: name: linux-system-roles.sudo vars: - sudo_rewrite_default_sudoers_file: True - sudo_remove_unauthorized_included_files: True + sudo_rewrite_default_sudoers_file: true + sudo_remove_unauthorized_included_files: true sudo_sudoers_files: - path: /etc/sudoers defaults: @@ -123,20 +123,41 @@ mode: 0644 remote_src: true + - name: Get stat of tests/files/test_multiple_sudoers_sudoers.ok + delegate_to: localhost + stat: + path: files/test_multiple_sudoers_sudoers.ok + checksum_algorithm: sha256 + register: sudoers_ok + # sha256sum ./files/test_multiple_sudoers_sudoers.ok - name: Check sudoers command: >- - echo "5be0fd4d601eaa7ae037045f7333d935520117b6b81f4605f1079cd29f472d0c /etc/sudoers" | sha256sum --check + echo "{{ sudoers.ok.stat.checksum }} /etc/sudoers" | sha256sum --check + + - name: Get stat of tests/files/test_multiple_sudoers_pingers.ok + delegate_to: localhost + stat: + path: files/test_multiple_sudoers_pingers.ok + checksum_algorithm: sha256 + register: pingers_ok # sha256sum ./files/test_multiple_sudoers_pingers.ok - name: Check pingers command: >- - echo "381c8fec4c1aa100be800f6640a12010319ec44b8da72fa39d2558ecc381d41d /etc/sudoers.d/pingers" | sha256sum --check + echo "{{ pingers.ok.stat.checksum }} /etc/sudoers.d/pingers" | sha256sum --check + + - name: Get stat of tests/files/test_multiple_sudoers_root.ok + delegate_to: localhost + stat: + path: files/test_multiple_sudoers_root.ok + checksum_algorithm: sha256 + register: root_ok # sha256sum ./files/test_multiple_sudoers_root.ok - name: Check root command: >- - echo "6a4a84012548edf0ee995c126e7329fe1fea62bbc746ec4efc2d664f387b92ba /etc/sudoers.d/root" | sha256sum --check + echo "{{ sudoers.ok.stat.checksum }} /etc/sudoers.d/root" | sha256sum --check - name: Restore sudoers copy: 
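Review bot: The three new `echo` lines reference variables that were never registered: `sudoers.ok`, `pingers.ok` and again `sudoers.ok` for the root file, while the new `stat` tasks register `sudoers_ok`, `pingers_ok` and `root_ok`, so Jinja will resolve an undefined `sudoers`/`pingers` and the tasks fail before checking anything. Change them to `echo "{{ sudoers_ok.stat.checksum }} /etc/sudoers"`, `echo "{{ pingers_ok.stat.checksum }} /etc/sudoers.d/pingers"` and `echo "{{ root_ok.stat.checksum }} /etc/sudoers.d/root"`. The same `sudoers.ok` typo appears in the `@@ -36,10 +36,17 @@` hunk of tests/tests_role_applied.yml. Separately, these checks run through the `command` module, whose argument string is not passed to a shell, so the `|` is presumably handed to `echo` as a literal argument and `sha256sum --check` never runs, letting the check pass regardless of the rendered file's content; `shell:` (or a `stat` of the remote file plus an `assert` on the two checksums) is needed for the test to verify anything.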
diff --git a/tests/tests_role_applied.yml b/tests/tests_role_applied.yml index 2f2bc78..8af29fb 100644 --- a/tests/tests_role_applied.yml +++ b/tests/tests_role_applied.yml @@ -8,8 +8,8 @@ include_role: name: linux-system-roles.sudo vars: - sudo_rewrite_default_sudoers_file: True - sudo_remove_unauthorized_included_files: True + sudo_rewrite_default_sudoers_file: true + sudo_remove_unauthorized_included_files: true - name: Create temp test directory tempfile: @@ -36,10 +36,17 @@ mode: 0644 remote_src: true + - name: Get stat of tests/files/test_role_applied.ok + delegate_to: localhost + stat: + path: files/test_role_applied.ok + checksum_algorithm: sha256 + register: sudoers_ok + # sha256sum ./files/test_role_applied.ok - name: Check sudoers command: >- - echo "5b88319c0fb98c646ee94b6ccd2314a1b46df1c3f42e6948a42fb920217d9726 /etc/sudoers" | sha256sum --check + echo "{{ sudoers.ok.stat.checksum }} /etc/sudoers" | sha256sum --check - name: Restore sudoers copy: