<img src=‘https://jenkins-iac.cegeka.be/job/puppet-sudo/badge/icon’ />
Use this module to modify the default sudo security policy.
sudo::config::user_alias { 'FULLTIMERS' :
configuration => 'FULLTIMERS = millert, mikef, dowdy'
}
# User_Alias FULLTIMERS = millert, mikef, dowdy
sudo::config::runas_alias { 'db' :
configuration => 'DB = oracle, sybase'
}
# Runas_Alias DB = oracle, sybase
sudo::config::host_alias { 'SERVERS' :
configuration => 'SERVERS = master, mail, www, ns'
}
# Host_Alias SERVERS = master, mail, www, ns
sudo::config::cmnd_alias { 'admins-elev' :
configuration => 'ADMINELEV = ALL'
}
# Cmnd_Alias ADMINELEV = ALL
sudo::config::cmnd_alias { 'su' :
configuration => 'SU = /usr/bin/su'
}
# Cmnd_Alias SU = /usr/bin/su
sudo::config::default_entry { 'visiblepw' :
configuration => '!visiblepw'
}
# Defaults !visiblepw
sudo::config::default_entry { 'always_set_home' :
configuration => 'always_set_home'
}
# Defaults always_set_home
sudo::config::default_entry { 'secure_path' :
type => 'global',
configuration => 'secure_path = /sbin:/bin:/usr/sbin:/usr/bin'
}
# Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
sudo::config::default_entry { 'env_settings' :
type => 'env',
env_settings => [
'env_reset',
'env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"',
'env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"',
'env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"',
'env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"',
'env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"',
'env_keep += "SSH_AUTH_SOCK"'
]
}
# Defaults env_reset
# Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
# Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
# Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
# Defaults nv_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
# Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
# Defaults env_keep += "SSH_AUTH_SOCK"
sudo::config::default_entry { 'disable_shell_escapes' :
type => 'cmnd',
configuration => 'PAGERS noexec'
}
# Defaults!PAGERS noexec
sudo::config::default_entry { 'additional_local_logs' :
type => 'host',
configuration => 'SERVERS log_year, logfile=/var/log/sudo.log'
}
# Defaults@SERVERS log_year, logfile=/var/log/sudo.log
sudo::config::default_entry { 'no_reset_of_LOGNAME_when_running_commands_as_root' :
type => 'runas',
configuration => 'root !set_logname'
}
# Defaults>root !set_logname
sudo::config::default_entry { 'user_millert_need_not_give_a_password' :
type => 'user',
configuration => 'millert !authenticate'
}
# Defaults:millert !authenticate
sudo::config::user { 'root' :
configuration => 'ALL=(ALL) ALL'
}
# root ALL=(ALL) ALL
sudo::config::user { 'admin_group' :
user => '%admin',
configuration => 'ALL=(ALL) NOPASSWD: ALL'
}
# %admin ALL=(ALL) NOPASSWD: ALL
sudo::config::user { 'buadm' :
user => 'BUADM',
configuration => 'ALL = NOPASSWD: BUCMD'
}
# BUADM ALL = NOPASSWD: BUCMD