###############################################################################
# Sudo management API
# brought to you by LastOps (http://lastops.com)
###############################################################################
body file control
# @ignore
# Puts every bundle and body in this file into the "lastops" namespace;
# that is why the stdlib bodies used below (mog, if_repaired,
# delete_lines_matching, insert_lines) are qualified with "default:".
{
namespace => "lastops";
}
bundle agent sudo_enforce_includes
# @brief Changes sudoers file to use explicit includes only
#
# Three promises are made on /etc/sudoers, evaluated in the order written:
#   1. ensure the file exists with mode 0440, owner root, group root;
#   2. delete every line that does not begin with "#include" (comments,
#      blank lines, Defaults and user specifications all go);
#   3. delete any remaining line containing "includedir" -- the regex in
#      step 2 spares "#includedir ..." lines because they begin with
#      "#include", so this third promise is what removes them.
# Each promise raises a class only when it repaired something; those
# classes gate the reports at the bottom.
#
# NOTE(review): the file is edited in place and never checked with
# "visudo -c". After step 2 the file carries no policy of its own, so until
# an include bundle (e.g. sudo_include_json) has run, sudo grants nothing;
# confirm the ordering of those bundles before rolling this out.
{
files:
"/etc/sudoers"
create => "true",
perms => default:mog("0440","root","root"),
classes => default:if_repaired("created_sudoers");
# PCRE negative lookahead: match (and delete) any line NOT starting with
# "#include".
"/etc/sudoers"
edit_line => default:delete_lines_matching("^(?!#include).*"),
classes => default:if_repaired("cleaned_up_sudoers");
# "#includedir" lines survive the rule above (prefix match), drop them here.
"/etc/sudoers"
edit_line => default:delete_lines_matching(".*includedir.*"),
classes => default:if_repaired("deleted_includedir");
reports:
created_sudoers::
"$(sys.fqhost): /etc/sudoers exists and has proper permissions";
cleaned_up_sudoers::
"$(sys.fqhost): Enforcing includes-only /etc/sudoers";
deleted_includedir::
"$(sys.fqhost): Enforcing file-based includes in /etc/sudoers";
}
bundle agent sudo_include_json(json, include, template)
# @brief Generates files and include statements for sudoers file
# @param json string Path to a JSON-formatted file describing users
# @param include string Include file name
# @param template string Path to a template file to use to generate include file
#
# The JSON file is parsed with readjson() and handed as template_data to a
# mustache template that renders $(sudo_include_dir)/$(include). Both the
# generated include and /etc/sudoers are held at mode 0440 root:root, and a
# "#include <path>" line for the generated file is inserted into
# /etc/sudoers. A plain "#include" (not "#includedir") is used, which is the
# form sudo_enforce_includes leaves in place.
#
# NOTE(review): readjson() is called with a 4000-byte limit; what happens
# with a larger JSON file is not visible here -- confirm the cap against the
# real input size.
# NOTE(review): the rendered include is written straight into the live
# sudoers directory without a "visudo -cf" check, so a template or JSON
# mistake lands directly in the sudo policy.
{
vars:
"sudo_include_dir" string => "/etc/sudoers.d";
files:
# Trailing "/." makes this promise apply to the directory itself.
# NOTE(review): 0440 on a directory carries no execute bit; root is not
# affected by that, but confirm this is intended rather than e.g. 0750.
"$(sudo_include_dir)/."
create => "true",
perms => default:mog("0440","root","root");
# Render the include file from the template + JSON data; "updated_include"
# is raised only when the rendered content actually changed.
"$(sudo_include_dir)/$(include)"
create => "true",
edit_template => "$(template)",
template_method => "mustache",
template_data => readjson("$(json)", 4000),
classes => default:if_repaired("updated_include");
# insert_lines is idempotent: the line is added only if not already present.
# No location is given, so the stdlib default placement applies.
"/etc/sudoers"
create => "true",
edit_line => default:insert_lines("#include $(sudo_include_dir)/$(include)"),
perms => default:mog("0440","root","root"),
classes => default:if_repaired("enabled_include");
reports:
updated_include::
"$(sys.fqhost): Updated include $(sudo_include_dir)/$(include)";
enabled_include::
"$(sys.fqhost): Enabled include $(sudo_include_dir)/$(include) in /etc/sudoers";
}