Work in progress

ncharles · Jun 16, 2017 · 6235842 · 6235842
1 parent d692bf4
commit 6235842
Showing 1 changed file with 28 additions and 19 deletions.
diff --git a/techniques/systemSettings/userManagement/sudoParameters/3.1/sudoParameters.st b/techniques/systemSettings/userManagement/sudoParameters/3.1/sudoParameters.st
@@ -17,7 +17,7 @@
 #####################################################################################
 
 ##########################################################################
-# Sudo configuration PT                                                  #
+# Sudo configuration Technique                                                  #
 # ---------------------------------------------------------------------- #
 # Objective : Configure /etc/sudoers according to the given parameters   #
 ##########################################################################
@@ -32,6 +32,9 @@ bundle agent check_sudo_parameters
                 &SUDO_NAME:{name |"sudo_entity_name[&i&]" string => "&name&";
 }&
 
+                &SUDO_DESCRIPTION:{description |"sudo_entity_description[&i&]" string => "&description&";
+}&
+
                 &SUDO_NOPASSWD:{nopasswd |"sudo_entity_nopasswd[&i&]" string => "&nopasswd&";
 }&
 
@@ -91,7 +94,7 @@ bundle agent check_sudo_parameters
 
     ((sudoconfiguration_sudoers_tmp_copy_kept|sudoconfiguration_sudoers_tmp_copy_repaired).(!sudoconfiguration_sudoers_tmp_copy_error))::
       "/etc/sudoers.rudder"
-        edit_line => sudo_add_line("check_sudo_parameters.sudo_entity_type", "check_sudo_parameters.sudo_entity_name", "check_sudo_parameters.sudo_entity_nopasswd", "check_sudo_parameters.sudo_entity_all", "check_sudo_parameters.sudo_entity_command", "check_sudo_parameters.sudo_directive_id", "${sudo_force_content}"),
+        edit_line => sudo_add_line("check_sudo_parameters.sudo_entity_type", "check_sudo_parameters.sudo_entity_name", "check_sudo_parameters.sudo_entity_nopasswd", "check_sudo_parameters.sudo_entity_all", "check_sudo_parameters.sudo_entity_command", "check_sudo_parameters.sudo_directive_id"),
         create => "true",
         edit_defaults => noempty_backup,
         perms => mog("0440", "root", "0"),
@@ -110,10 +113,30 @@ bundle agent check_sudo_parameters
   methods:
 
       "any"
-
         usebundle => check_sudo_installation("${sudo_directive_id[${sudo_index}]}");
 
+    # Only copy /etc/sudoers if it exists (this is to avoid falling into an
+    # error report below)
+    sudoconfiguration_sudoers_present::
+      "any"
+        usebundle =>  file_copy_from_local_source("/etc/sudoers", "/etc/sudoers.rudder");
+
+    # Question: how do we manage transition from previous version to current version, to prevent duplicated lines ?
+
+
+    # If there is no /etc/sudoers file, remove our local copy before
+    # rebuilding, so that success/repaired reports make sense for the
+    # /etc/sudoers file, not just for our copy of it, and set result classes
+    # as if we had set it up correctly.
+    !sudoconfiguration_sudoers_present::
+      "any"
+        usebundle =>  file_remove("/etc/sudoers.rudder");
+
+
+    # Edit sudoers.rudder file if it's been copied or purged
+    (file_copy_from_local_source__etc_sudoers_rudder_ok.!file_copy_from_local_source__etc_sudoers_rudder_error)|(file_remove__etc_sudoers_rudder_ok)::
 
+
     pass3.(sudoconfiguration_sudoers_copy_kept.!sudoconfiguration_sudoers_copy_repaired)::
 
       "any" usebundle => rudder_common_report("sudoParameters", "result_success", "${sudo_directive_id[${sudo_index}]}", "sudoersFile", "None", "The sudoers file did not require any modification");
@@ -142,10 +165,6 @@ bundle agent check_sudo_parameters
       "any" usebundle => rudder_common_report("sudoParameters", "result_error", "${sudo_directive_id[${sudo_index}]}", "Permissions", "${sudo_entity_name[${sudo_index}]}", "The ${sudo_entity_type[${sudo_index}]} ${sudo_entity_name[${sudo_index}]} could not be handled"),
         ifvarclass => canonify("line_${sudo_index}_add_failed");
 
-    pass3.sudo_all_lines_defined.force.sudo_all_lines_deleted::
-
-      "any" usebundle => rudder_common_report("sudoParameters", "result_repaired", "sudoersFile", "None", "None", "Some lines were deleted from the sudoers file. This implies either a manual edition or an intrusion attempt");
-
   commands:
 
     (sudoconfiguration_sudoers_tmp_edit_repair|sudoconfiguration_sudoers_tmp_edit_kept).pass2::
@@ -157,7 +176,7 @@ bundle agent check_sudo_parameters
 
 }
 
-bundle edit_line sudo_add_line(type, name, nopasswd, alldo, command, directiveId, force)
+bundle edit_line sudo_add_line(type, name, nopasswd, alldo, command, directiveId)
 {
 
   vars:
@@ -196,9 +215,6 @@ bundle edit_line sudo_add_line(type, name, nopasswd, alldo, command, directiveId
 
   classes:
       # some classes are used by reporting from parent bundle (scope namespace)
-      # sudoParameters is declared as unique so this bundle can be called only once 
-
-      "sudo_force_content" expression => strcmp("true", "${force}");
 
       # Is it a group ?
       "sudo_${index}_isgroup" expression => strcmp("${${type}[${index}]}","group");
@@ -225,14 +241,7 @@ bundle edit_line sudo_add_line(type, name, nopasswd, alldo, command, directiveId
                                   scope => "namespace";
 
 
-  delete_lines:
-
-    sudo_all_lines_defined.force::
-
-      ".*"
-        delete_select => sudo_select_nomatch("${all_lines}"),
-        classes => if_repaired("sudo_all_lines_deleted");
-
+
   insert_lines:
     replace_attempted_env_reset::
       "Defaults	env_reset";