diff --git a/tasks/main.yml b/tasks/main.yml index 44a22c8..ef2c9f2 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -2,18 +2,18 @@ # tasks file for ensure_sudo - name: 'include vendor / version specific variables' when: - - ansible_system == 'Linux' + - ansible_facts["system"] == 'Linux' include_vars: file: '{{ lookup("first_found", findme ) }}' name: 'ensure_sudo' vars: findme: files: - - '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-{{ ansible_architecture }}.yml' - - '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-default.yml' - - '{{ ansible_distribution }}-default.yml' - - '{{ ansible_os_family }}-{{ ansible_distribution_major_version }}-{{ ansible_architecture }}.yml' - - '{{ ansible_os_family }}-{{ ansible_distribution_major_version }}-default.yml' + - '{{ ansible_facts["distribution"] }}-{{ ansible_facts["distribution_major_version"] }}-{{ ansible_architecture }}.yml' + - '{{ ansible_facts["distribution"] }}-{{ ansible_facts["distribution_major_version"] }}-default.yml' + - '{{ ansible_facts["distribution"] }}-default.yml' + - '{{ ansible_os_family }}-{{ ansible_facts["distribution_major_version"] }}-{{ ansible_architecture }}.yml' + - '{{ ansible_os_family }}-{{ ansible_facts["distribution_major_version"] }}-default.yml' - '{{ ansible_os_family }}-default.yml' - 'default.yml' paths: @@ -21,17 +21,17 @@ errors: 'ignore' - name: 'package discovery' when: - - ansible_system == 'Linux' - - packages is not defined + - ansible_facts["system"] == 'Linux' + - ansible_facts["packages"] is not defined ansible.builtin.package_facts: - name: 'service discovery' when: - - ansible_system == 'Linux' + - ansible_facts["system"] == 'Linux' - services is not defined ansible.builtin.service_facts: - name: 'ensure packages' when: - - ansible_system == 'Linux' + - ansible_facts["system"] == 'Linux' - ensure_sudo is defined - ensure_sudo.package_list is defined - ensure_sudo.package_list is iterable @@ -46,7 +46,7 @@ - 'ensure_sudo.service_facts' - name: 'ensure configurations' when: - - ansible_system == 'Linux' + - ansible_facts["system"] == 'Linux' - ensure_sudo is defined - ensure_sudo.template_list is defined - ensure_sudo.template_list is iterable @@ -71,7 +71,7 @@ - 'ensure_sudo.service_restart' - name: 'ensure services' when: - - ansible_system == 'Linux' + - ansible_facts["system"] == 'Linux' - ensure_sudo is defined - ensure_sudo.service_list is defined - ensure_sudo.service_list is iterable @@ -87,7 +87,7 @@ - 'ensure_sudo.service_facts' - name: 'find directories over log retention window under /var/log/sudo-io' when: - - ansible_system == 'Linux' + - ansible_facts["system"] == 'Linux' - ensure_sudo is defined - sudo_log_retention is defined - sudo_log_retention is regex('^[0-9]*[smhdw]$') @@ -101,7 +101,7 @@ register: 'results' - name: 'And drop them' when: - - ansible_system == 'Linux' + - ansible_facts["system"] == 'Linux' - ensure_sudo is defined - sudo_log_retention is defined - sudo_log_retention is regex('^[0-9]*[smhdw]$') diff --git a/templates/Fedora/33/etc/sudo.conf b/templates/Fedora/33/etc/sudo.conf deleted file mode 100644 index e4fccc3..0000000 --- a/templates/Fedora/33/etc/sudo.conf +++ /dev/null @@ -1,124 +0,0 @@ -# -# Default /etc/sudo.conf file -# -# Sudo plugins: -# Plugin plugin_name plugin_path plugin_options ... -# -# The plugin_path is relative to /usr/libexec/sudo unless -# fully qualified. -# The plugin_name corresponds to a global symbol in the plugin -# that contains the plugin interface structure. -# The plugin_options are optional. -# -# The sudoers plugin is used by default if no Plugin lines are present. -Plugin sudoers_policy sudoers.so -Plugin sudoers_io sudoers.so -Plugin sudoers_audit sudoers.so - -# -# Sudo askpass: -# Path askpass /path/to/askpass -# -# An askpass helper program may be specified to provide a graphical -# password prompt for "sudo -A" support. Sudo does not ship with its -# own askpass program but can use the OpenSSH askpass. -# -# Use the OpenSSH askpass -#Path askpass /usr/X11R6/bin/ssh-askpass -# -# Use the Gnome OpenSSH askpass -#Path askpass /usr/libexec/openssh/gnome-ssh-askpass - -# -# Sudo device search path: -# Path devsearch /dev/path1:/dev/path2:/dev -# -# A colon-separated list of paths to check when searching for a user's -# terminal device. -# -#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev - -# -# Sudo noexec: -# Path noexec /path/to/sudo_noexec.so -# -# Path to a shared library containing dummy versions of the execv(), -# execve() and fexecve() library functions that just return an error. -# This is used to implement the "noexec" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_noexec.so file. -# -#Path noexec /usr/libexec/sudo/sudo_noexec.so - -# -# Sudo plugin directory: -# Path plugin_dir /path/to/plugins -# -# The default directory to use when searching for plugins that are -# specified without a fully qualified path name. -# -#Path plugin_dir /usr/libexec/sudo - -# -# Sudo developer mode: -# Set developer_mode true|false -# -# Allow loading of plugins that are owned by non-root or are writable -# by "group" or "other". Should only be used during plugin development. -#Set developer_mode true - -# -# Core dumps: -# Set disable_coredump true|false -# -# By default, sudo disables core dumps while it is executing (they -# are re-enabled for the command that is run). -# To aid in debugging sudo problems, you may wish to enable core -# dumps by setting "disable_coredump" to false. -# -#Set disable_coredump false - -# -# User groups: -# Set group_source static|dynamic|adaptive -# -# Sudo passes the user's group list to the policy plugin. -# If the user is a member of the maximum number of groups (usually 16), -# sudo will query the group database directly to be sure to include -# the full list of groups. -# -# On some systems, this can be expensive so the behavior is configurable. -# The "group_source" setting has three possible values: -# static - use the user's list of groups returned by the kernel. -# dynamic - query the group database to find the list of groups. -# adaptive - if user is in less than the maximum number of groups. -# use the kernel list, else query the group database. -# -#Set group_source static - -# -# Sudo interface probing: -# Set probe_interfaces true|false -# -# By default, sudo will probe the system's network interfaces and -# pass the IP address of each enabled interface to the policy plugin. -# On systems with a large number of virtual interfaces this may take -# a noticeable amount of time. -# -#Set probe_interfaces false - -# -# Sudo debug files: -# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] -# -# Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay or visudo. -# -# Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace or debug. -# Multiple subsystem@priority may be specified, separated by a comma. -# -#Debug sudo /var/log/sudo_debug all@debug -#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Fedora/34/etc/sudo.conf b/templates/Fedora/34/etc/sudo.conf deleted file mode 100644 index cb23433..0000000 --- a/templates/Fedora/34/etc/sudo.conf +++ /dev/null @@ -1,124 +0,0 @@ -# -# Default /etc/sudo.conf file -# -# Sudo plugins: -# Plugin plugin_name plugin_path plugin_options ... -# -# The plugin_path is relative to /usr/libexec/sudo unless -# fully qualified. -# The plugin_name corresponds to a global symbol in the plugin -# that contains the plugin interface structure. -# The plugin_options are optional. -# -# The sudoers plugin is used by default if no Plugin lines are present. -#Plugin sudoers_policy sudoers.so -#Plugin sudoers_io sudoers.so -#Plugin sudoers_audit sudoers.so - -# -# Sudo askpass: -# Path askpass /path/to/askpass -# -# An askpass helper program may be specified to provide a graphical -# password prompt for "sudo -A" support. Sudo does not ship with its -# own askpass program but can use the OpenSSH askpass. -# -# Use the OpenSSH askpass -#Path askpass /usr/X11R6/bin/ssh-askpass -# -# Use the Gnome OpenSSH askpass -#Path askpass /usr/libexec/openssh/gnome-ssh-askpass - -# -# Sudo device search path: -# Path devsearch /dev/path1:/dev/path2:/dev -# -# A colon-separated list of paths to check when searching for a user's -# terminal device. -# -#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev - -# -# Sudo noexec: -# Path noexec /path/to/sudo_noexec.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that just return an error. -# This is used to implement the "noexec" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_noexec.so file. -# -#Path noexec /usr/libexec/sudo/sudo_noexec.so - -# -# Sudo plugin directory: -# Path plugin_dir /path/to/plugins -# -# The default directory to use when searching for plugins that are -# specified without a fully qualified path name. -# -#Path plugin_dir /usr/libexec/sudo - -# -# Sudo developer mode: -# Set developer_mode true|false -# -# Allow loading of plugins that are owned by non-root or are writable -# by "group" or "other". Should only be used during plugin development. -#Set developer_mode true - -# -# Core dumps: -# Set disable_coredump true|false -# -# By default, sudo disables core dumps while it is executing (they -# are re-enabled for the command that is run). -# To aid in debugging sudo problems, you may wish to enable core -# dumps by setting "disable_coredump" to false. -# -#Set disable_coredump false - -# -# User groups: -# Set group_source static|dynamic|adaptive -# -# Sudo passes the user's group list to the policy plugin. -# If the user is a member of the maximum number of groups (usually 16), -# sudo will query the group database directly to be sure to include -# the full list of groups. -# -# On some systems, this can be expensive so the behavior is configurable. -# The "group_source" setting has three possible values: -# static - use the user's list of groups returned by the kernel. -# dynamic - query the group database to find the list of groups. -# adaptive - if user is in less than the maximum number of groups. -# use the kernel list, else query the group database. -# -#Set group_source static - -# -# Sudo interface probing: -# Set probe_interfaces true|false -# -# By default, sudo will probe the system's network interfaces and -# pass the IP address of each enabled interface to the policy plugin. -# On systems with a large number of virtual interfaces this may take -# a noticeable amount of time. -# -#Set probe_interfaces false - -# -# Sudo debug files: -# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] -# -# Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay or visudo. -# -# Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace or debug. -# Multiple subsystem@priority may be specified, separated by a comma. -# -#Debug sudo /var/log/sudo_debug all@debug -#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Fedora/35/etc/dnf/protected.d/sudo.conf b/templates/Fedora/35/etc/dnf/protected.d/sudo.conf deleted file mode 100644 index 7864d0d..0000000 --- a/templates/Fedora/35/etc/dnf/protected.d/sudo.conf +++ /dev/null @@ -1 +0,0 @@ -sudo diff --git a/templates/Fedora/35/etc/pam.d/sudo b/templates/Fedora/35/etc/pam.d/sudo deleted file mode 100644 index 284b050..0000000 --- a/templates/Fedora/35/etc/pam.d/sudo +++ /dev/null @@ -1,7 +0,0 @@ -#%PAM-1.0 -auth include system-auth -account include system-auth -password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so -session include system-auth diff --git a/templates/Fedora/35/etc/pam.d/sudo-i b/templates/Fedora/35/etc/pam.d/sudo-i deleted file mode 100644 index 3c63733..0000000 --- a/templates/Fedora/35/etc/pam.d/sudo-i +++ /dev/null @@ -1,6 +0,0 @@ -#%PAM-1.0 -auth include sudo -account include sudo -password include sudo -session optional pam_keyinit.so force revoke -session include sudo diff --git a/templates/Fedora/35/etc/sudo.conf b/templates/Fedora/35/etc/sudo.conf deleted file mode 100644 index cb23433..0000000 --- a/templates/Fedora/35/etc/sudo.conf +++ /dev/null @@ -1,124 +0,0 @@ -# -# Default /etc/sudo.conf file -# -# Sudo plugins: -# Plugin plugin_name plugin_path plugin_options ... -# -# The plugin_path is relative to /usr/libexec/sudo unless -# fully qualified. -# The plugin_name corresponds to a global symbol in the plugin -# that contains the plugin interface structure. -# The plugin_options are optional. -# -# The sudoers plugin is used by default if no Plugin lines are present. -#Plugin sudoers_policy sudoers.so -#Plugin sudoers_io sudoers.so -#Plugin sudoers_audit sudoers.so - -# -# Sudo askpass: -# Path askpass /path/to/askpass -# -# An askpass helper program may be specified to provide a graphical -# password prompt for "sudo -A" support. Sudo does not ship with its -# own askpass program but can use the OpenSSH askpass. -# -# Use the OpenSSH askpass -#Path askpass /usr/X11R6/bin/ssh-askpass -# -# Use the Gnome OpenSSH askpass -#Path askpass /usr/libexec/openssh/gnome-ssh-askpass - -# -# Sudo device search path: -# Path devsearch /dev/path1:/dev/path2:/dev -# -# A colon-separated list of paths to check when searching for a user's -# terminal device. -# -#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev - -# -# Sudo noexec: -# Path noexec /path/to/sudo_noexec.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that just return an error. -# This is used to implement the "noexec" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_noexec.so file. -# -#Path noexec /usr/libexec/sudo/sudo_noexec.so - -# -# Sudo plugin directory: -# Path plugin_dir /path/to/plugins -# -# The default directory to use when searching for plugins that are -# specified without a fully qualified path name. -# -#Path plugin_dir /usr/libexec/sudo - -# -# Sudo developer mode: -# Set developer_mode true|false -# -# Allow loading of plugins that are owned by non-root or are writable -# by "group" or "other". Should only be used during plugin development. -#Set developer_mode true - -# -# Core dumps: -# Set disable_coredump true|false -# -# By default, sudo disables core dumps while it is executing (they -# are re-enabled for the command that is run). -# To aid in debugging sudo problems, you may wish to enable core -# dumps by setting "disable_coredump" to false. -# -#Set disable_coredump false - -# -# User groups: -# Set group_source static|dynamic|adaptive -# -# Sudo passes the user's group list to the policy plugin. -# If the user is a member of the maximum number of groups (usually 16), -# sudo will query the group database directly to be sure to include -# the full list of groups. -# -# On some systems, this can be expensive so the behavior is configurable. -# The "group_source" setting has three possible values: -# static - use the user's list of groups returned by the kernel. -# dynamic - query the group database to find the list of groups. -# adaptive - if user is in less than the maximum number of groups. -# use the kernel list, else query the group database. -# -#Set group_source static - -# -# Sudo interface probing: -# Set probe_interfaces true|false -# -# By default, sudo will probe the system's network interfaces and -# pass the IP address of each enabled interface to the policy plugin. -# On systems with a large number of virtual interfaces this may take -# a noticeable amount of time. -# -#Set probe_interfaces false - -# -# Sudo debug files: -# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] -# -# Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay or visudo. -# -# Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace or debug. -# Multiple subsystem@priority may be specified, separated by a comma. -# -#Debug sudo /var/log/sudo_debug all@debug -#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Fedora/35/etc/sudoers b/templates/Fedora/35/etc/sudoers deleted file mode 100644 index 5f621a8..0000000 --- a/templates/Fedora/35/etc/sudoers +++ /dev/null @@ -1,120 +0,0 @@ -## Sudoers allows particular users to run various commands as -## the root user, without needing the root password. -## -## Examples are provided at the bottom of the file for collections -## of related commands, which can then be delegated out to particular -## users or groups. -## -## This file must be edited with the 'visudo' command. - -## Host Aliases -## Groups of machines. You may prefer to use hostnames (perhaps using -## wildcards for entire domains) or IP addresses instead. -# Host_Alias FILESERVERS = fs1, fs2 -# Host_Alias MAILSERVERS = smtp, smtp2 - -## User Aliases -## These aren't often necessary, as you can use regular groups -## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname -## rather than USERALIAS -# User_Alias ADMINS = jsmith, mikem - - -## Command Aliases -## These are groups of related commands... - -## Networking -# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool - -## Installation and management of software -# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum - -## Services -# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable - -## Updating the locate database -# Cmnd_Alias LOCATE = /usr/bin/updatedb - -## Storage -# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount - -## Delegating permissions -# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp - -## Processes -# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall - -## Drivers -# Cmnd_Alias DRIVERS = /sbin/modprobe - -# Defaults specification - -# -# Refuse to run if unable to disable echo on the tty. -# -Defaults !visiblepw - -# -# Preserving HOME has security implications since many programs -# use it when searching for configuration files. Note that HOME -# is already set when the the env_reset option is enabled, so -# this option is only effective for configurations where either -# env_reset is disabled or HOME is present in the env_keep list. -# -Defaults always_set_home -Defaults match_group_by_gid - -# Prior to version 1.8.15, groups listed in sudoers that were not -# found in the system group database were passed to the group -# plugin, if any. Starting with 1.8.15, only groups of the form -# %:group are resolved via the group plugin by default. -# We enable always_query_group_plugin to restore old behavior. -# Disable this option for new behavior. -Defaults always_query_group_plugin - -Defaults env_reset -Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" -Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" -Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" -Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" - -# -# Adding HOME to env_keep may enable a user to run unrestricted -# commands via sudo. -# -# Defaults env_keep += "HOME" - -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin - -## Next comes the main part: which users can run what software on -## which machines (the sudoers file can be shared between multiple -## systems). -## Syntax: -## -## user MACHINE=COMMANDS -## -## The COMMANDS section may have other options added to it. -## -## Allow root to run any commands anywhere -root ALL=(ALL) ALL - -## Allows members of the 'sys' group to run networking, software, -## service management apps and more. -# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS - -## Allows people in group wheel to run all commands -%wheel ALL=(ALL) ALL - -## Same thing without a password -# %wheel ALL=(ALL) NOPASSWD: ALL - -## Allows members of the users group to mount and unmount the -## cdrom as root -# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom - -## Allows members of the users group to shutdown this system -# %users localhost=/sbin/shutdown -h now - -## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) -#includedir /etc/sudoers.d diff --git a/templates/Fedora/35/etc/sudoers.d/session_log.j2 b/templates/Fedora/35/etc/sudoers.d/session_log.j2 deleted file mode 100644 index 1b6d27d..0000000 --- a/templates/Fedora/35/etc/sudoers.d/session_log.j2 +++ /dev/null @@ -1,6 +0,0 @@ -# -# {{ ansible_managed }} -# -Defaults log_input -Defaults log_output - diff --git a/templates/Fedora/36/etc/dnf/protected.d/sudo.conf b/templates/Fedora/36/etc/dnf/protected.d/sudo.conf deleted file mode 100644 index 7864d0d..0000000 --- a/templates/Fedora/36/etc/dnf/protected.d/sudo.conf +++ /dev/null @@ -1 +0,0 @@ -sudo diff --git a/templates/Fedora/36/etc/pam.d/sudo b/templates/Fedora/36/etc/pam.d/sudo deleted file mode 100644 index 284b050..0000000 --- a/templates/Fedora/36/etc/pam.d/sudo +++ /dev/null @@ -1,7 +0,0 @@ -#%PAM-1.0 -auth include system-auth -account include system-auth -password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so -session include system-auth diff --git a/templates/Fedora/36/etc/pam.d/sudo-i b/templates/Fedora/36/etc/pam.d/sudo-i deleted file mode 100644 index 3c63733..0000000 --- a/templates/Fedora/36/etc/pam.d/sudo-i +++ /dev/null @@ -1,6 +0,0 @@ -#%PAM-1.0 -auth include sudo -account include sudo -password include sudo -session optional pam_keyinit.so force revoke -session include sudo diff --git a/templates/Fedora/36/etc/sudo.conf b/templates/Fedora/36/etc/sudo.conf deleted file mode 100644 index fe92dad..0000000 --- a/templates/Fedora/36/etc/sudo.conf +++ /dev/null @@ -1,139 +0,0 @@ -# -# Default /etc/sudo.conf file -# -# Sudo plugins: -# Plugin plugin_name plugin_path plugin_options ... -# -# The plugin_path is relative to /usr/libexec/sudo unless -# fully qualified. -# The plugin_name corresponds to a global symbol in the plugin -# that contains the plugin interface structure. -# The plugin_options are optional. -# -# The sudoers plugin is used by default if no Plugin lines are present. -#Plugin sudoers_policy sudoers.so -#Plugin sudoers_io sudoers.so -#Plugin sudoers_audit sudoers.so - -# -# Sudo askpass: -# Path askpass /path/to/askpass -# -# An askpass helper program may be specified to provide a graphical -# password prompt for "sudo -A" support. Sudo does not ship with its -# own askpass program but can use the OpenSSH askpass. -# -# Use the OpenSSH askpass -#Path askpass /usr/X11R6/bin/ssh-askpass -# -# Use the Gnome OpenSSH askpass -#Path askpass /usr/libexec/openssh/gnome-ssh-askpass - -# -# Sudo device search path: -# Path devsearch /dev/path1:/dev/path2:/dev -# -# A colon-separated list of paths to check when searching for a user's -# terminal device. -# -#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev - -# -# Sudo command interception: -# Path intercept /path/to/sudo_intercept.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_intercept.so file. -# -#Path intercept /usr/libexec/sudo/sudo_intercept.so - -# -# Sudo noexec: -# Path noexec /path/to/sudo_noexec.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that just return an error. -# This is used to implement the "noexec" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_noexec.so file. -# -#Path noexec /usr/libexec/sudo/sudo_noexec.so - -# -# Sudo plugin directory: -# Path plugin_dir /path/to/plugins -# -# The default directory to use when searching for plugins that are -# specified without a fully qualified path name. -# -#Path plugin_dir /usr/libexec/sudo - -# -# Sudo developer mode: -# Set developer_mode true|false -# -# Allow loading of plugins that are owned by non-root or are writable -# by "group" or "other". Should only be used during plugin development. -#Set developer_mode true - -# -# Core dumps: -# Set disable_coredump true|false -# -# By default, sudo disables core dumps while it is executing (they -# are re-enabled for the command that is run). -# To aid in debugging sudo problems, you may wish to enable core -# dumps by setting "disable_coredump" to false. -# -#Set disable_coredump false - -# -# User groups: -# Set group_source static|dynamic|adaptive -# -# Sudo passes the user's group list to the policy plugin. -# If the user is a member of the maximum number of groups (usually 16), -# sudo will query the group database directly to be sure to include -# the full list of groups. -# -# On some systems, this can be expensive so the behavior is configurable. -# The "group_source" setting has three possible values: -# static - use the user's list of groups returned by the kernel. -# dynamic - query the group database to find the list of groups. -# adaptive - if user is in less than the maximum number of groups. -# use the kernel list, else query the group database. -# -#Set group_source static - -# -# Sudo interface probing: -# Set probe_interfaces true|false -# -# By default, sudo will probe the system's network interfaces and -# pass the IP address of each enabled interface to the policy plugin. -# On systems with a large number of virtual interfaces this may take -# a noticeable amount of time. -# -#Set probe_interfaces false - -# -# Sudo debug files: -# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] -# -# Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay, or visudo. -# -# Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace, or debug. -# Multiple subsystem@priority may be specified, separated by a comma. -# -#Debug sudo /var/log/sudo_debug all@debug -#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Fedora/36/etc/sudoers b/templates/Fedora/36/etc/sudoers deleted file mode 100644 index 5f621a8..0000000 --- a/templates/Fedora/36/etc/sudoers +++ /dev/null @@ -1,120 +0,0 @@ -## Sudoers allows particular users to run various commands as -## the root user, without needing the root password. -## -## Examples are provided at the bottom of the file for collections -## of related commands, which can then be delegated out to particular -## users or groups. -## -## This file must be edited with the 'visudo' command. - -## Host Aliases -## Groups of machines. You may prefer to use hostnames (perhaps using -## wildcards for entire domains) or IP addresses instead. -# Host_Alias FILESERVERS = fs1, fs2 -# Host_Alias MAILSERVERS = smtp, smtp2 - -## User Aliases -## These aren't often necessary, as you can use regular groups -## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname -## rather than USERALIAS -# User_Alias ADMINS = jsmith, mikem - - -## Command Aliases -## These are groups of related commands... - -## Networking -# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool - -## Installation and management of software -# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum - -## Services -# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable - -## Updating the locate database -# Cmnd_Alias LOCATE = /usr/bin/updatedb - -## Storage -# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount - -## Delegating permissions -# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp - -## Processes -# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall - -## Drivers -# Cmnd_Alias DRIVERS = /sbin/modprobe - -# Defaults specification - -# -# Refuse to run if unable to disable echo on the tty. -# -Defaults !visiblepw - -# -# Preserving HOME has security implications since many programs -# use it when searching for configuration files. Note that HOME -# is already set when the the env_reset option is enabled, so -# this option is only effective for configurations where either -# env_reset is disabled or HOME is present in the env_keep list. -# -Defaults always_set_home -Defaults match_group_by_gid - -# Prior to version 1.8.15, groups listed in sudoers that were not -# found in the system group database were passed to the group -# plugin, if any. Starting with 1.8.15, only groups of the form -# %:group are resolved via the group plugin by default. -# We enable always_query_group_plugin to restore old behavior. -# Disable this option for new behavior. -Defaults always_query_group_plugin - -Defaults env_reset -Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" -Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" -Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" -Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" - -# -# Adding HOME to env_keep may enable a user to run unrestricted -# commands via sudo. -# -# Defaults env_keep += "HOME" - -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin - -## Next comes the main part: which users can run what software on -## which machines (the sudoers file can be shared between multiple -## systems). -## Syntax: -## -## user MACHINE=COMMANDS -## -## The COMMANDS section may have other options added to it. -## -## Allow root to run any commands anywhere -root ALL=(ALL) ALL - -## Allows members of the 'sys' group to run networking, software, -## service management apps and more. -# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS - -## Allows people in group wheel to run all commands -%wheel ALL=(ALL) ALL - -## Same thing without a password -# %wheel ALL=(ALL) NOPASSWD: ALL - -## Allows members of the users group to mount and unmount the -## cdrom as root -# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom - -## Allows members of the users group to shutdown this system -# %users localhost=/sbin/shutdown -h now - -## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) -#includedir /etc/sudoers.d diff --git a/templates/Fedora/36/etc/sudoers.d/session_log.j2 b/templates/Fedora/36/etc/sudoers.d/session_log.j2 deleted file mode 100644 index 1b6d27d..0000000 --- a/templates/Fedora/36/etc/sudoers.d/session_log.j2 +++ /dev/null @@ -1,6 +0,0 @@ -# -# {{ ansible_managed }} -# -Defaults log_input -Defaults log_output - diff --git a/templates/Fedora/37/etc/dnf/protected.d/sudo.conf b/templates/Fedora/37/etc/dnf/protected.d/sudo.conf deleted file mode 100644 index 7864d0d..0000000 --- a/templates/Fedora/37/etc/dnf/protected.d/sudo.conf +++ /dev/null @@ -1 +0,0 @@ -sudo diff --git a/templates/Fedora/37/etc/pam.d/sudo b/templates/Fedora/37/etc/pam.d/sudo deleted file mode 100644 index 284b050..0000000 --- a/templates/Fedora/37/etc/pam.d/sudo +++ /dev/null @@ -1,7 +0,0 @@ -#%PAM-1.0 -auth include system-auth -account include system-auth -password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so -session include system-auth diff --git a/templates/Fedora/37/etc/pam.d/sudo-i b/templates/Fedora/37/etc/pam.d/sudo-i deleted file mode 100644 index 3c63733..0000000 --- a/templates/Fedora/37/etc/pam.d/sudo-i +++ /dev/null @@ -1,6 +0,0 @@ -#%PAM-1.0 -auth include sudo -account include sudo -password include sudo -session optional pam_keyinit.so force revoke -session include sudo diff --git a/templates/Fedora/37/etc/sudo.conf b/templates/Fedora/37/etc/sudo.conf deleted file mode 100644 index 773a0e0..0000000 --- a/templates/Fedora/37/etc/sudo.conf +++ /dev/null @@ -1,139 +0,0 @@ -# -# Default /etc/sudo.conf file -# -# Sudo plugins: -# Plugin plugin_name plugin_path plugin_options ... -# -# The plugin_path is relative to /usr/libexec/sudo unless -# fully qualified. -# The plugin_name corresponds to a global symbol in the plugin -# that contains the plugin interface structure. -# The plugin_options are optional. -# -# The sudoers plugin is used by default if no Plugin lines are present. -#Plugin sudoers_policy sudoers.so -#Plugin sudoers_io sudoers.so -#Plugin sudoers_audit sudoers.so - -# -# Sudo askpass: -# Path askpass /path/to/askpass -# -# An askpass helper program may be specified to provide a graphical -# password prompt for "sudo -A" support. Sudo does not ship with its -# own askpass program but can use the OpenSSH askpass. -# -# Use the OpenSSH askpass -#Path askpass /usr/X11R6/bin/ssh-askpass -# -# Use the Gnome OpenSSH askpass -#Path askpass /usr/libexec/openssh/gnome-ssh-askpass - -# -# Sudo device search path: -# Path devsearch /dev/path1:/dev/path2:/dev -# -# A colon-separated list of paths to check when searching for a user's -# terminal device. -# -#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev - -# -# Sudo command interception: -# Path intercept /path/to/sudo_intercept.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_intercept.so file. -# -#Path intercept /usr/libexec/sudo/sudo_intercept.so - -# -# Sudo noexec: -# Path noexec /path/to/sudo_noexec.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that just return an error. -# This is used to implement the "noexec" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_noexec.so file. -# -#Path noexec /usr/libexec/sudo/sudo_noexec.so - -# -# Sudo plugin directory: -# Path plugin_dir /path/to/plugins -# -# The default directory to use when searching for plugins that are -# specified without a fully qualified path name. -# -#Path plugin_dir /usr/libexec/sudo - -# -# Sudo developer mode: -# Set developer_mode true|false -# -# Allow loading of plugins that are owned by non-root or are writable -# by "group" or "other". Should only be used during plugin development. -#Set developer_mode true - -# -# Core dumps: -# Set disable_coredump true|false -# -# By default, sudo disables core dumps while it is executing (they -# are re-enabled for the command that is run). -# To aid in debugging sudo problems, you may wish to enable core -# dumps by setting "disable_coredump" to false. -# -#Set disable_coredump false - -# -# User groups: -# Set group_source static|dynamic|adaptive -# -# Sudo passes the user's group list to the policy plugin. -# If the user is a member of the maximum number of groups (usually 16), -# sudo will query the group database directly to be sure to include -# the full list of groups. -# -# On some systems, this can be expensive so the behavior is configurable. -# The "group_source" setting has three possible values: -# static - use the user's list of groups returned by the kernel. -# dynamic - query the group database to find the list of groups. -# adaptive - if user is in less than the maximum number of groups. -# use the kernel list, else query the group database. -# -#Set group_source static - -# -# Sudo interface probing: -# Set probe_interfaces true|false -# -# By default, sudo will probe the system's network interfaces and -# pass the IP address of each enabled interface to the policy plugin. -# On systems with a large number of virtual interfaces this may take -# a noticeable amount of time. -# -#Set probe_interfaces false - -# -# Sudo debug files: -# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] -# -# Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay or visudo. -# -# Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace or debug. -# Multiple subsystem@priority may be specified, separated by a comma. -# -#Debug sudo /var/log/sudo_debug all@debug -#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Fedora/37/etc/sudoers b/templates/Fedora/37/etc/sudoers deleted file mode 100644 index 5f621a8..0000000 --- a/templates/Fedora/37/etc/sudoers +++ /dev/null @@ -1,120 +0,0 @@ -## Sudoers allows particular users to run various commands as -## the root user, without needing the root password. -## -## Examples are provided at the bottom of the file for collections -## of related commands, which can then be delegated out to particular -## users or groups. -## -## This file must be edited with the 'visudo' command. - -## Host Aliases -## Groups of machines. You may prefer to use hostnames (perhaps using -## wildcards for entire domains) or IP addresses instead. -# Host_Alias FILESERVERS = fs1, fs2 -# Host_Alias MAILSERVERS = smtp, smtp2 - -## User Aliases -## These aren't often necessary, as you can use regular groups -## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname -## rather than USERALIAS -# User_Alias ADMINS = jsmith, mikem - - -## Command Aliases -## These are groups of related commands... - -## Networking -# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool - -## Installation and management of software -# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum - -## Services -# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable - -## Updating the locate database -# Cmnd_Alias LOCATE = /usr/bin/updatedb - -## Storage -# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount - -## Delegating permissions -# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp - -## Processes -# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall - -## Drivers -# Cmnd_Alias DRIVERS = /sbin/modprobe - -# Defaults specification - -# -# Refuse to run if unable to disable echo on the tty. -# -Defaults !visiblepw - -# -# Preserving HOME has security implications since many programs -# use it when searching for configuration files. Note that HOME -# is already set when the the env_reset option is enabled, so -# this option is only effective for configurations where either -# env_reset is disabled or HOME is present in the env_keep list. -# -Defaults always_set_home -Defaults match_group_by_gid - -# Prior to version 1.8.15, groups listed in sudoers that were not -# found in the system group database were passed to the group -# plugin, if any. Starting with 1.8.15, only groups of the form -# %:group are resolved via the group plugin by default. -# We enable always_query_group_plugin to restore old behavior. -# Disable this option for new behavior. -Defaults always_query_group_plugin - -Defaults env_reset -Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" -Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" -Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" -Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" - -# -# Adding HOME to env_keep may enable a user to run unrestricted -# commands via sudo. -# -# Defaults env_keep += "HOME" - -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin - -## Next comes the main part: which users can run what software on -## which machines (the sudoers file can be shared between multiple -## systems). -## Syntax: -## -## user MACHINE=COMMANDS -## -## The COMMANDS section may have other options added to it. -## -## Allow root to run any commands anywhere -root ALL=(ALL) ALL - -## Allows members of the 'sys' group to run networking, software, -## service management apps and more. -# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS - -## Allows people in group wheel to run all commands -%wheel ALL=(ALL) ALL - -## Same thing without a password -# %wheel ALL=(ALL) NOPASSWD: ALL - -## Allows members of the users group to mount and unmount the -## cdrom as root -# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom - -## Allows members of the users group to shutdown this system -# %users localhost=/sbin/shutdown -h now - -## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) -#includedir /etc/sudoers.d diff --git a/templates/Fedora/37/etc/sudoers.d/session_log.j2 b/templates/Fedora/37/etc/sudoers.d/session_log.j2 deleted file mode 100644 index 1b6d27d..0000000 --- a/templates/Fedora/37/etc/sudoers.d/session_log.j2 +++ /dev/null @@ -1,6 +0,0 @@ -# -# {{ ansible_managed }} -# -Defaults log_input -Defaults log_output - diff --git a/templates/Fedora/38/etc/dnf/protected.d/sudo.conf b/templates/Fedora/38/etc/dnf/protected.d/sudo.conf deleted file mode 100644 index 7864d0d..0000000 --- a/templates/Fedora/38/etc/dnf/protected.d/sudo.conf +++ /dev/null @@ -1 +0,0 @@ -sudo diff --git a/templates/Fedora/38/etc/pam.d/sudo b/templates/Fedora/38/etc/pam.d/sudo deleted file mode 100644 index 284b050..0000000 --- a/templates/Fedora/38/etc/pam.d/sudo +++ /dev/null @@ -1,7 +0,0 @@ -#%PAM-1.0 -auth include system-auth -account include system-auth -password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so -session include system-auth diff --git a/templates/Fedora/38/etc/pam.d/sudo-i b/templates/Fedora/38/etc/pam.d/sudo-i deleted file mode 100644 index 3c63733..0000000 --- a/templates/Fedora/38/etc/pam.d/sudo-i +++ /dev/null @@ -1,6 +0,0 @@ -#%PAM-1.0 -auth include sudo -account include sudo -password include sudo -session optional pam_keyinit.so force revoke -session include sudo diff --git a/templates/Fedora/38/etc/sudoers b/templates/Fedora/38/etc/sudoers deleted file mode 100644 index 5f621a8..0000000 --- a/templates/Fedora/38/etc/sudoers +++ /dev/null @@ -1,120 +0,0 @@ -## Sudoers allows particular users to run various commands as -## the root user, without needing the root password. -## -## Examples are provided at the bottom of the file for collections -## of related commands, which can then be delegated out to particular -## users or groups. -## -## This file must be edited with the 'visudo' command. - -## Host Aliases -## Groups of machines. You may prefer to use hostnames (perhaps using -## wildcards for entire domains) or IP addresses instead. -# Host_Alias FILESERVERS = fs1, fs2 -# Host_Alias MAILSERVERS = smtp, smtp2 - -## User Aliases -## These aren't often necessary, as you can use regular groups -## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname -## rather than USERALIAS -# User_Alias ADMINS = jsmith, mikem - - -## Command Aliases -## These are groups of related commands... - -## Networking -# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool - -## Installation and management of software -# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum - -## Services -# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable - -## Updating the locate database -# Cmnd_Alias LOCATE = /usr/bin/updatedb - -## Storage -# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount - -## Delegating permissions -# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp - -## Processes -# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall - -## Drivers -# Cmnd_Alias DRIVERS = /sbin/modprobe - -# Defaults specification - -# -# Refuse to run if unable to disable echo on the tty. -# -Defaults !visiblepw - -# -# Preserving HOME has security implications since many programs -# use it when searching for configuration files. Note that HOME -# is already set when the the env_reset option is enabled, so -# this option is only effective for configurations where either -# env_reset is disabled or HOME is present in the env_keep list. -# -Defaults always_set_home -Defaults match_group_by_gid - -# Prior to version 1.8.15, groups listed in sudoers that were not -# found in the system group database were passed to the group -# plugin, if any. Starting with 1.8.15, only groups of the form -# %:group are resolved via the group plugin by default. -# We enable always_query_group_plugin to restore old behavior. -# Disable this option for new behavior. -Defaults always_query_group_plugin - -Defaults env_reset -Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" -Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" -Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" -Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" - -# -# Adding HOME to env_keep may enable a user to run unrestricted -# commands via sudo. -# -# Defaults env_keep += "HOME" - -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin - -## Next comes the main part: which users can run what software on -## which machines (the sudoers file can be shared between multiple -## systems). -## Syntax: -## -## user MACHINE=COMMANDS -## -## The COMMANDS section may have other options added to it. -## -## Allow root to run any commands anywhere -root ALL=(ALL) ALL - -## Allows members of the 'sys' group to run networking, software, -## service management apps and more. -# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS - -## Allows people in group wheel to run all commands -%wheel ALL=(ALL) ALL - -## Same thing without a password -# %wheel ALL=(ALL) NOPASSWD: ALL - -## Allows members of the users group to mount and unmount the -## cdrom as root -# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom - -## Allows members of the users group to shutdown this system -# %users localhost=/sbin/shutdown -h now - -## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) -#includedir /etc/sudoers.d diff --git a/templates/Fedora/38/etc/sudoers.d/session_log.j2 b/templates/Fedora/38/etc/sudoers.d/session_log.j2 deleted file mode 100644 index 1b6d27d..0000000 --- a/templates/Fedora/38/etc/sudoers.d/session_log.j2 +++ /dev/null @@ -1,6 +0,0 @@ -# -# {{ ansible_managed }} -# -Defaults log_input -Defaults log_output - diff --git a/templates/Fedora/39/etc/dnf/protected.d/sudo.conf b/templates/Fedora/39/etc/dnf/protected.d/sudo.conf deleted file mode 100644 index 7864d0d..0000000 --- a/templates/Fedora/39/etc/dnf/protected.d/sudo.conf +++ /dev/null @@ -1 +0,0 @@ -sudo diff --git a/templates/Fedora/39/etc/pam.d/sudo b/templates/Fedora/39/etc/pam.d/sudo deleted file mode 100644 index 284b050..0000000 --- a/templates/Fedora/39/etc/pam.d/sudo +++ /dev/null @@ -1,7 +0,0 @@ -#%PAM-1.0 -auth include system-auth -account include system-auth -password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so -session include system-auth diff --git a/templates/Fedora/39/etc/pam.d/sudo-i b/templates/Fedora/39/etc/pam.d/sudo-i deleted file mode 100644 index 3c63733..0000000 --- a/templates/Fedora/39/etc/pam.d/sudo-i +++ /dev/null @@ -1,6 +0,0 @@ -#%PAM-1.0 -auth include sudo -account include sudo -password include sudo -session optional pam_keyinit.so force revoke -session include sudo diff --git a/templates/Fedora/39/etc/sudoers b/templates/Fedora/39/etc/sudoers deleted file mode 100644 index 5f621a8..0000000 --- a/templates/Fedora/39/etc/sudoers +++ /dev/null @@ -1,120 +0,0 @@ -## Sudoers allows particular users to run various commands as -## the root user, without needing the root password. -## -## Examples are provided at the bottom of the file for collections -## of related commands, which can then be delegated out to particular -## users or groups. -## -## This file must be edited with the 'visudo' command. - -## Host Aliases -## Groups of machines. You may prefer to use hostnames (perhaps using -## wildcards for entire domains) or IP addresses instead. -# Host_Alias FILESERVERS = fs1, fs2 -# Host_Alias MAILSERVERS = smtp, smtp2 - -## User Aliases -## These aren't often necessary, as you can use regular groups -## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname -## rather than USERALIAS -# User_Alias ADMINS = jsmith, mikem - - -## Command Aliases -## These are groups of related commands... - -## Networking -# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool - -## Installation and management of software -# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum - -## Services -# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable - -## Updating the locate database -# Cmnd_Alias LOCATE = /usr/bin/updatedb - -## Storage -# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount - -## Delegating permissions -# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp - -## Processes -# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall - -## Drivers -# Cmnd_Alias DRIVERS = /sbin/modprobe - -# Defaults specification - -# -# Refuse to run if unable to disable echo on the tty. -# -Defaults !visiblepw - -# -# Preserving HOME has security implications since many programs -# use it when searching for configuration files. Note that HOME -# is already set when the the env_reset option is enabled, so -# this option is only effective for configurations where either -# env_reset is disabled or HOME is present in the env_keep list. -# -Defaults always_set_home -Defaults match_group_by_gid - -# Prior to version 1.8.15, groups listed in sudoers that were not -# found in the system group database were passed to the group -# plugin, if any. Starting with 1.8.15, only groups of the form -# %:group are resolved via the group plugin by default. -# We enable always_query_group_plugin to restore old behavior. -# Disable this option for new behavior. -Defaults always_query_group_plugin - -Defaults env_reset -Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" -Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" -Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" -Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" - -# -# Adding HOME to env_keep may enable a user to run unrestricted -# commands via sudo. -# -# Defaults env_keep += "HOME" - -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin - -## Next comes the main part: which users can run what software on -## which machines (the sudoers file can be shared between multiple -## systems). -## Syntax: -## -## user MACHINE=COMMANDS -## -## The COMMANDS section may have other options added to it. -## -## Allow root to run any commands anywhere -root ALL=(ALL) ALL - -## Allows members of the 'sys' group to run networking, software, -## service management apps and more. -# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS - -## Allows people in group wheel to run all commands -%wheel ALL=(ALL) ALL - -## Same thing without a password -# %wheel ALL=(ALL) NOPASSWD: ALL - -## Allows members of the users group to mount and unmount the -## cdrom as root -# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom - -## Allows members of the users group to shutdown this system -# %users localhost=/sbin/shutdown -h now - -## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) -#includedir /etc/sudoers.d diff --git a/templates/Fedora/39/etc/sudoers.d/session_log.j2 b/templates/Fedora/39/etc/sudoers.d/session_log.j2 deleted file mode 100644 index 1b6d27d..0000000 --- a/templates/Fedora/39/etc/sudoers.d/session_log.j2 +++ /dev/null @@ -1,6 +0,0 @@ -# -# {{ ansible_managed }} -# -Defaults log_input -Defaults log_output - diff --git a/templates/Fedora/40/etc/dnf/protected.d/sudo.conf b/templates/Fedora/40/etc/dnf/protected.d/sudo.conf deleted file mode 100644 index 7864d0d..0000000 --- a/templates/Fedora/40/etc/dnf/protected.d/sudo.conf +++ /dev/null @@ -1 +0,0 @@ -sudo diff --git a/templates/Fedora/40/etc/pam.d/sudo b/templates/Fedora/40/etc/pam.d/sudo deleted file mode 100644 index 284b050..0000000 --- a/templates/Fedora/40/etc/pam.d/sudo +++ /dev/null @@ -1,7 +0,0 @@ -#%PAM-1.0 -auth include system-auth -account include system-auth -password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so -session include system-auth diff --git a/templates/Fedora/40/etc/pam.d/sudo-i b/templates/Fedora/40/etc/pam.d/sudo-i deleted file mode 100644 index 3c63733..0000000 --- a/templates/Fedora/40/etc/pam.d/sudo-i +++ /dev/null @@ -1,6 +0,0 @@ -#%PAM-1.0 -auth include sudo -account include sudo -password include sudo -session optional pam_keyinit.so force revoke -session include sudo diff --git a/templates/Fedora/40/etc/sudo.conf b/templates/Fedora/40/etc/sudo.conf deleted file mode 100644 index 1c499a7..0000000 --- a/templates/Fedora/40/etc/sudo.conf +++ /dev/null @@ -1,131 +0,0 @@ -# -# Default /etc/sudo.conf file -# -# Sudo plugins: -# Plugin plugin_name plugin_path plugin_options ... -# -# The plugin_path is relative to /usr/libexec/sudo unless -# fully qualified. -# The plugin_name corresponds to a global symbol in the plugin -# that contains the plugin interface structure. -# The plugin_options are optional. -# -# The sudoers plugin is used by default if no Plugin lines are present. -#Plugin sudoers_policy sudoers.so -#Plugin sudoers_io sudoers.so -#Plugin sudoers_audit sudoers.so - -# -# Sudo askpass: -# Path askpass /path/to/askpass -# -# An askpass helper program may be specified to provide a graphical -# password prompt for "sudo -A" support. Sudo does not ship with its -# own askpass program but can use the OpenSSH askpass. -# -# Use the OpenSSH askpass -#Path askpass /usr/X11R6/bin/ssh-askpass -# -# Use the Gnome OpenSSH askpass -#Path askpass /usr/libexec/openssh/gnome-ssh-askpass - -# -# Sudo device search path: -# Path devsearch /dev/path1:/dev/path2:/dev -# -# A colon-separated list of paths to check when searching for a user's -# terminal device. -# -#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev - -# -# Sudo command interception: -# Path intercept /path/to/sudo_intercept.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_intercept.so file. -# -#Path intercept disabled - -# -# Sudo noexec: -# Path noexec /path/to/sudo_noexec.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that just return an error. -# This is used to implement the "noexec" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_noexec.so file. -# -#Path noexec /usr/libexec/sudo/sudo_noexec.so - -# -# Sudo plugin directory: -# Path plugin_dir /path/to/plugins -# -# The default directory to use when searching for plugins that are -# specified without a fully qualified path name. -# -#Path plugin_dir /usr/libexec/sudo - -# -# Core dumps: -# Set disable_coredump true|false -# -# By default, sudo disables core dumps while it is executing (they -# are re-enabled for the command that is run). -# To aid in debugging sudo problems, you may wish to enable core -# dumps by setting "disable_coredump" to false. -# -#Set disable_coredump false - -# -# User groups: -# Set group_source static|dynamic|adaptive -# -# Sudo passes the user's group list to the policy plugin. -# If the user is a member of the maximum number of groups (usually 16), -# sudo will query the group database directly to be sure to include -# the full list of groups. -# -# On some systems, this can be expensive so the behavior is configurable. -# The "group_source" setting has three possible values: -# static - use the user's list of groups returned by the kernel. -# dynamic - query the group database to find the list of groups. -# adaptive - if user is in less than the maximum number of groups. -# use the kernel list, else query the group database. -# -#Set group_source static - -# -# Sudo interface probing: -# Set probe_interfaces true|false -# -# By default, sudo will probe the system's network interfaces and -# pass the IP address of each enabled interface to the policy plugin. -# On systems with a large number of virtual interfaces this may take -# a noticeable amount of time. -# -#Set probe_interfaces false - -# -# Sudo debug files: -# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] -# -# Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay, or visudo. -# -# Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace, or debug. -# Multiple subsystem@priority may be specified, separated by a comma. -# -#Debug sudo /var/log/sudo_debug all@debug -#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Fedora/40/etc/sudoers b/templates/Fedora/40/etc/sudoers deleted file mode 100644 index 5f621a8..0000000 --- a/templates/Fedora/40/etc/sudoers +++ /dev/null @@ -1,120 +0,0 @@ -## Sudoers allows particular users to run various commands as -## the root user, without needing the root password. -## -## Examples are provided at the bottom of the file for collections -## of related commands, which can then be delegated out to particular -## users or groups. -## -## This file must be edited with the 'visudo' command. - -## Host Aliases -## Groups of machines. You may prefer to use hostnames (perhaps using -## wildcards for entire domains) or IP addresses instead. -# Host_Alias FILESERVERS = fs1, fs2 -# Host_Alias MAILSERVERS = smtp, smtp2 - -## User Aliases -## These aren't often necessary, as you can use regular groups -## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname -## rather than USERALIAS -# User_Alias ADMINS = jsmith, mikem - - -## Command Aliases -## These are groups of related commands... - -## Networking -# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool - -## Installation and management of software -# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum - -## Services -# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable - -## Updating the locate database -# Cmnd_Alias LOCATE = /usr/bin/updatedb - -## Storage -# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount - -## Delegating permissions -# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp - -## Processes -# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall - -## Drivers -# Cmnd_Alias DRIVERS = /sbin/modprobe - -# Defaults specification - -# -# Refuse to run if unable to disable echo on the tty. -# -Defaults !visiblepw - -# -# Preserving HOME has security implications since many programs -# use it when searching for configuration files. Note that HOME -# is already set when the the env_reset option is enabled, so -# this option is only effective for configurations where either -# env_reset is disabled or HOME is present in the env_keep list. -# -Defaults always_set_home -Defaults match_group_by_gid - -# Prior to version 1.8.15, groups listed in sudoers that were not -# found in the system group database were passed to the group -# plugin, if any. Starting with 1.8.15, only groups of the form -# %:group are resolved via the group plugin by default. -# We enable always_query_group_plugin to restore old behavior. -# Disable this option for new behavior. -Defaults always_query_group_plugin - -Defaults env_reset -Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" -Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" -Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" -Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" - -# -# Adding HOME to env_keep may enable a user to run unrestricted -# commands via sudo. -# -# Defaults env_keep += "HOME" - -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin - -## Next comes the main part: which users can run what software on -## which machines (the sudoers file can be shared between multiple -## systems). -## Syntax: -## -## user MACHINE=COMMANDS -## -## The COMMANDS section may have other options added to it. -## -## Allow root to run any commands anywhere -root ALL=(ALL) ALL - -## Allows members of the 'sys' group to run networking, software, -## service management apps and more. -# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS - -## Allows people in group wheel to run all commands -%wheel ALL=(ALL) ALL - -## Same thing without a password -# %wheel ALL=(ALL) NOPASSWD: ALL - -## Allows members of the users group to mount and unmount the -## cdrom as root -# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom - -## Allows members of the users group to shutdown this system -# %users localhost=/sbin/shutdown -h now - -## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) -#includedir /etc/sudoers.d diff --git a/templates/Fedora/40/etc/sudoers.d/session_log.j2 b/templates/Fedora/40/etc/sudoers.d/session_log.j2 deleted file mode 100644 index 1b6d27d..0000000 --- a/templates/Fedora/40/etc/sudoers.d/session_log.j2 +++ /dev/null @@ -1,6 +0,0 @@ -# -# {{ ansible_managed }} -# -Defaults log_input -Defaults log_output - diff --git a/templates/Fedora/41/etc/dnf/protected.d/sudo.conf b/templates/Fedora/41/etc/dnf/protected.d/sudo.conf deleted file mode 100644 index 7864d0d..0000000 --- a/templates/Fedora/41/etc/dnf/protected.d/sudo.conf +++ /dev/null @@ -1 +0,0 @@ -sudo diff --git a/templates/Fedora/41/etc/pam.d/sudo b/templates/Fedora/41/etc/pam.d/sudo deleted file mode 100644 index 284b050..0000000 --- a/templates/Fedora/41/etc/pam.d/sudo +++ /dev/null @@ -1,7 +0,0 @@ -#%PAM-1.0 -auth include system-auth -account include system-auth -password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so -session include system-auth diff --git a/templates/Fedora/41/etc/pam.d/sudo-i b/templates/Fedora/41/etc/pam.d/sudo-i deleted file mode 100644 index 3c63733..0000000 --- a/templates/Fedora/41/etc/pam.d/sudo-i +++ /dev/null @@ -1,6 +0,0 @@ -#%PAM-1.0 -auth include sudo -account include sudo -password include sudo -session optional pam_keyinit.so force revoke -session include sudo diff --git a/templates/Fedora/41/etc/sudo.conf b/templates/Fedora/41/etc/sudo.conf deleted file mode 100644 index 1c499a7..0000000 --- a/templates/Fedora/41/etc/sudo.conf +++ /dev/null @@ -1,131 +0,0 @@ -# -# Default /etc/sudo.conf file -# -# Sudo plugins: -# Plugin plugin_name plugin_path plugin_options ... -# -# The plugin_path is relative to /usr/libexec/sudo unless -# fully qualified. -# The plugin_name corresponds to a global symbol in the plugin -# that contains the plugin interface structure. -# The plugin_options are optional. -# -# The sudoers plugin is used by default if no Plugin lines are present. -#Plugin sudoers_policy sudoers.so -#Plugin sudoers_io sudoers.so -#Plugin sudoers_audit sudoers.so - -# -# Sudo askpass: -# Path askpass /path/to/askpass -# -# An askpass helper program may be specified to provide a graphical -# password prompt for "sudo -A" support. Sudo does not ship with its -# own askpass program but can use the OpenSSH askpass. -# -# Use the OpenSSH askpass -#Path askpass /usr/X11R6/bin/ssh-askpass -# -# Use the Gnome OpenSSH askpass -#Path askpass /usr/libexec/openssh/gnome-ssh-askpass - -# -# Sudo device search path: -# Path devsearch /dev/path1:/dev/path2:/dev -# -# A colon-separated list of paths to check when searching for a user's -# terminal device. -# -#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev - -# -# Sudo command interception: -# Path intercept /path/to/sudo_intercept.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_intercept.so file. -# -#Path intercept disabled - -# -# Sudo noexec: -# Path noexec /path/to/sudo_noexec.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that just return an error. -# This is used to implement the "noexec" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_noexec.so file. -# -#Path noexec /usr/libexec/sudo/sudo_noexec.so - -# -# Sudo plugin directory: -# Path plugin_dir /path/to/plugins -# -# The default directory to use when searching for plugins that are -# specified without a fully qualified path name. -# -#Path plugin_dir /usr/libexec/sudo - -# -# Core dumps: -# Set disable_coredump true|false -# -# By default, sudo disables core dumps while it is executing (they -# are re-enabled for the command that is run). -# To aid in debugging sudo problems, you may wish to enable core -# dumps by setting "disable_coredump" to false. -# -#Set disable_coredump false - -# -# User groups: -# Set group_source static|dynamic|adaptive -# -# Sudo passes the user's group list to the policy plugin. -# If the user is a member of the maximum number of groups (usually 16), -# sudo will query the group database directly to be sure to include -# the full list of groups. -# -# On some systems, this can be expensive so the behavior is configurable. -# The "group_source" setting has three possible values: -# static - use the user's list of groups returned by the kernel. -# dynamic - query the group database to find the list of groups. -# adaptive - if user is in less than the maximum number of groups. -# use the kernel list, else query the group database. -# -#Set group_source static - -# -# Sudo interface probing: -# Set probe_interfaces true|false -# -# By default, sudo will probe the system's network interfaces and -# pass the IP address of each enabled interface to the policy plugin. -# On systems with a large number of virtual interfaces this may take -# a noticeable amount of time. -# -#Set probe_interfaces false - -# -# Sudo debug files: -# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] -# -# Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay, or visudo. -# -# Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace, or debug. -# Multiple subsystem@priority may be specified, separated by a comma. -# -#Debug sudo /var/log/sudo_debug all@debug -#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Fedora/41/etc/sudoers b/templates/Fedora/41/etc/sudoers deleted file mode 100644 index 5f621a8..0000000 --- a/templates/Fedora/41/etc/sudoers +++ /dev/null @@ -1,120 +0,0 @@ -## Sudoers allows particular users to run various commands as -## the root user, without needing the root password. -## -## Examples are provided at the bottom of the file for collections -## of related commands, which can then be delegated out to particular -## users or groups. -## -## This file must be edited with the 'visudo' command. - -## Host Aliases -## Groups of machines. You may prefer to use hostnames (perhaps using -## wildcards for entire domains) or IP addresses instead. -# Host_Alias FILESERVERS = fs1, fs2 -# Host_Alias MAILSERVERS = smtp, smtp2 - -## User Aliases -## These aren't often necessary, as you can use regular groups -## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname -## rather than USERALIAS -# User_Alias ADMINS = jsmith, mikem - - -## Command Aliases -## These are groups of related commands... - -## Networking -# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool - -## Installation and management of software -# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum - -## Services -# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable - -## Updating the locate database -# Cmnd_Alias LOCATE = /usr/bin/updatedb - -## Storage -# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount - -## Delegating permissions -# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp - -## Processes -# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall - -## Drivers -# Cmnd_Alias DRIVERS = /sbin/modprobe - -# Defaults specification - -# -# Refuse to run if unable to disable echo on the tty. -# -Defaults !visiblepw - -# -# Preserving HOME has security implications since many programs -# use it when searching for configuration files. Note that HOME -# is already set when the the env_reset option is enabled, so -# this option is only effective for configurations where either -# env_reset is disabled or HOME is present in the env_keep list. -# -Defaults always_set_home -Defaults match_group_by_gid - -# Prior to version 1.8.15, groups listed in sudoers that were not -# found in the system group database were passed to the group -# plugin, if any. Starting with 1.8.15, only groups of the form -# %:group are resolved via the group plugin by default. -# We enable always_query_group_plugin to restore old behavior. -# Disable this option for new behavior. -Defaults always_query_group_plugin - -Defaults env_reset -Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" -Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" -Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" -Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" - -# -# Adding HOME to env_keep may enable a user to run unrestricted -# commands via sudo. -# -# Defaults env_keep += "HOME" - -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin - -## Next comes the main part: which users can run what software on -## which machines (the sudoers file can be shared between multiple -## systems). -## Syntax: -## -## user MACHINE=COMMANDS -## -## The COMMANDS section may have other options added to it. -## -## Allow root to run any commands anywhere -root ALL=(ALL) ALL - -## Allows members of the 'sys' group to run networking, software, -## service management apps and more. -# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS - -## Allows people in group wheel to run all commands -%wheel ALL=(ALL) ALL - -## Same thing without a password -# %wheel ALL=(ALL) NOPASSWD: ALL - -## Allows members of the users group to mount and unmount the -## cdrom as root -# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom - -## Allows members of the users group to shutdown this system -# %users localhost=/sbin/shutdown -h now - -## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) -#includedir /etc/sudoers.d diff --git a/templates/Fedora/41/etc/sudoers.d/session_log.j2 b/templates/Fedora/41/etc/sudoers.d/session_log.j2 deleted file mode 100644 index 1b6d27d..0000000 --- a/templates/Fedora/41/etc/sudoers.d/session_log.j2 +++ /dev/null @@ -1,6 +0,0 @@ -# -# {{ ansible_managed }} -# -Defaults log_input -Defaults log_output - diff --git a/templates/Fedora/33/etc/dnf/protected.d/sudo.conf b/templates/Fedora/43/etc/dnf/protected.d/sudo.conf similarity index 100% rename from templates/Fedora/33/etc/dnf/protected.d/sudo.conf rename to templates/Fedora/43/etc/dnf/protected.d/sudo.conf diff --git a/templates/Fedora/33/etc/pam.d/sudo b/templates/Fedora/43/etc/pam.d/sudo similarity index 100% rename from templates/Fedora/33/etc/pam.d/sudo rename to templates/Fedora/43/etc/pam.d/sudo diff --git a/templates/Fedora/33/etc/pam.d/sudo-i b/templates/Fedora/43/etc/pam.d/sudo-i similarity index 100% rename from templates/Fedora/33/etc/pam.d/sudo-i rename to templates/Fedora/43/etc/pam.d/sudo-i diff --git a/templates/Fedora/38/etc/sudo.conf b/templates/Fedora/43/etc/sudo.conf similarity index 100% rename from templates/Fedora/38/etc/sudo.conf rename to templates/Fedora/43/etc/sudo.conf diff --git a/templates/Fedora/33/etc/sudoers b/templates/Fedora/43/etc/sudoers similarity index 100% rename from templates/Fedora/33/etc/sudoers rename to templates/Fedora/43/etc/sudoers diff --git a/templates/Fedora/33/etc/sudoers.d/session_log.j2 b/templates/Fedora/43/etc/sudoers.d/session_log.j2 similarity index 100% rename from templates/Fedora/33/etc/sudoers.d/session_log.j2 rename to templates/Fedora/43/etc/sudoers.d/session_log.j2 diff --git a/templates/Fedora/34/etc/dnf/protected.d/sudo.conf b/templates/Fedora/44/etc/dnf/protected.d/sudo.conf similarity index 100% rename from templates/Fedora/34/etc/dnf/protected.d/sudo.conf rename to templates/Fedora/44/etc/dnf/protected.d/sudo.conf diff --git a/templates/Fedora/34/etc/pam.d/sudo b/templates/Fedora/44/etc/pam.d/sudo similarity index 100% rename from templates/Fedora/34/etc/pam.d/sudo rename to templates/Fedora/44/etc/pam.d/sudo diff --git a/templates/Fedora/34/etc/pam.d/sudo-i b/templates/Fedora/44/etc/pam.d/sudo-i similarity index 100% rename from templates/Fedora/34/etc/pam.d/sudo-i rename to templates/Fedora/44/etc/pam.d/sudo-i diff --git a/templates/Fedora/39/etc/sudo.conf b/templates/Fedora/44/etc/sudo.conf similarity index 100% rename from templates/Fedora/39/etc/sudo.conf rename to templates/Fedora/44/etc/sudo.conf diff --git a/templates/Fedora/34/etc/sudoers b/templates/Fedora/44/etc/sudoers similarity index 100% rename from templates/Fedora/34/etc/sudoers rename to templates/Fedora/44/etc/sudoers diff --git a/templates/Fedora/34/etc/sudoers.d/session_log.j2 b/templates/Fedora/44/etc/sudoers.d/session_log.j2 similarity index 100% rename from templates/Fedora/34/etc/sudoers.d/session_log.j2 rename to templates/Fedora/44/etc/sudoers.d/session_log.j2 diff --git a/vars/AlmaLinux-10-default.yml b/vars/AlmaLinux-10-default.yml new file mode 100644 index 0000000..43b81b6 --- /dev/null +++ b/vars/AlmaLinux-10-default.yml @@ -0,0 +1,9 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +... + diff --git a/vars/AlmaLinux-8-default.yml b/vars/AlmaLinux-8-default.yml new file mode 100644 index 0000000..43b81b6 --- /dev/null +++ b/vars/AlmaLinux-8-default.yml @@ -0,0 +1,9 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +... + diff --git a/vars/AlmaLinux-9-default.yml b/vars/AlmaLinux-9-default.yml index 1e839dc..033c586 100644 --- a/vars/AlmaLinux-9-default.yml +++ b/vars/AlmaLinux-9-default.yml @@ -10,29 +10,31 @@ template_list: group: 'root' mode: '0644' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/dnf/protected.d/sudo.conf' - dest: '/etc/pam.d/sudo' group: 'root' mode: '0644' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo' - dest: '/etc/pam.d/sudo-i' group: 'root' mode: '0644' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo-i' - dest: '/etc/sudo.conf' group: 'root' mode: '0640' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudo.conf' - dest: '/etc/sudoers' group: 'root' mode: '0440' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers' - dest: '/etc/sudoers.d/session_log' group: 'root' mode: '0440' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers.d/session_log.j2' +... + diff --git a/vars/CentOS-10-default.yml b/vars/CentOS-10-default.yml new file mode 100644 index 0000000..43b81b6 --- /dev/null +++ b/vars/CentOS-10-default.yml @@ -0,0 +1,9 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +... + diff --git a/vars/CentOS-8-default.yml b/vars/CentOS-8-default.yml new file mode 100644 index 0000000..43b81b6 --- /dev/null +++ b/vars/CentOS-8-default.yml @@ -0,0 +1,9 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +... + diff --git a/vars/CentOS-9-default.yml b/vars/CentOS-9-default.yml index 1e839dc..289d0e2 100644 --- a/vars/CentOS-9-default.yml +++ b/vars/CentOS-9-default.yml @@ -10,29 +10,29 @@ template_list: group: 'root' mode: '0644' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/dnf/protected.d/sudo.conf' - dest: '/etc/pam.d/sudo' group: 'root' mode: '0644' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo' - dest: '/etc/pam.d/sudo-i' group: 'root' mode: '0644' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo-i' - dest: '/etc/sudo.conf' group: 'root' mode: '0640' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudo.conf' - dest: '/etc/sudoers' group: 'root' mode: '0440' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers' - dest: '/etc/sudoers.d/session_log' group: 'root' mode: '0440' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers.d/session_log.j2' diff --git a/vars/Fedora-33-default.yml b/vars/Fedora-33-default.yml deleted file mode 100644 index 1e839dc..0000000 --- a/vars/Fedora-33-default.yml +++ /dev/null @@ -1,38 +0,0 @@ ---- -# vars file for ensure_sudo -package_list: - - name: 'libsss_sudo' - state: 'present' - - name: 'sudo' - state: 'present' -template_list: - - dest: '/etc/dnf/protected.d/sudo.conf' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' - - dest: '/etc/pam.d/sudo' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' - - dest: '/etc/pam.d/sudo-i' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' - - dest: '/etc/sudo.conf' - group: 'root' - mode: '0640' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' - - dest: '/etc/sudoers' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' - - dest: '/etc/sudoers.d/session_log' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' diff --git a/vars/Fedora-34-default.yml b/vars/Fedora-34-default.yml deleted file mode 100644 index 1e839dc..0000000 --- a/vars/Fedora-34-default.yml +++ /dev/null @@ -1,38 +0,0 @@ ---- -# vars file for ensure_sudo -package_list: - - name: 'libsss_sudo' - state: 'present' - - name: 'sudo' - state: 'present' -template_list: - - dest: '/etc/dnf/protected.d/sudo.conf' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' - - dest: '/etc/pam.d/sudo' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' - - dest: '/etc/pam.d/sudo-i' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' - - dest: '/etc/sudo.conf' - group: 'root' - mode: '0640' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' - - dest: '/etc/sudoers' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' - - dest: '/etc/sudoers.d/session_log' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' diff --git a/vars/Fedora-35-default.yml b/vars/Fedora-35-default.yml deleted file mode 100644 index 1e839dc..0000000 --- a/vars/Fedora-35-default.yml +++ /dev/null @@ -1,38 +0,0 @@ ---- -# vars file for ensure_sudo -package_list: - - name: 'libsss_sudo' - state: 'present' - - name: 'sudo' - state: 'present' -template_list: - - dest: '/etc/dnf/protected.d/sudo.conf' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' - - dest: '/etc/pam.d/sudo' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' - - dest: '/etc/pam.d/sudo-i' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' - - dest: '/etc/sudo.conf' - group: 'root' - mode: '0640' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' - - dest: '/etc/sudoers' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' - - dest: '/etc/sudoers.d/session_log' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' diff --git a/vars/Fedora-36-default.yml b/vars/Fedora-36-default.yml deleted file mode 100644 index 1e839dc..0000000 --- a/vars/Fedora-36-default.yml +++ /dev/null @@ -1,38 +0,0 @@ ---- -# vars file for ensure_sudo -package_list: - - name: 'libsss_sudo' - state: 'present' - - name: 'sudo' - state: 'present' -template_list: - - dest: '/etc/dnf/protected.d/sudo.conf' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' - - dest: '/etc/pam.d/sudo' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' - - dest: '/etc/pam.d/sudo-i' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' - - dest: '/etc/sudo.conf' - group: 'root' - mode: '0640' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' - - dest: '/etc/sudoers' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' - - dest: '/etc/sudoers.d/session_log' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' diff --git a/vars/Fedora-37-default.yml b/vars/Fedora-37-default.yml deleted file mode 100644 index 1e839dc..0000000 --- a/vars/Fedora-37-default.yml +++ /dev/null @@ -1,38 +0,0 @@ ---- -# vars file for ensure_sudo -package_list: - - name: 'libsss_sudo' - state: 'present' - - name: 'sudo' - state: 'present' -template_list: - - dest: '/etc/dnf/protected.d/sudo.conf' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' - - dest: '/etc/pam.d/sudo' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' - - dest: '/etc/pam.d/sudo-i' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' - - dest: '/etc/sudo.conf' - group: 'root' - mode: '0640' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' - - dest: '/etc/sudoers' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' - - dest: '/etc/sudoers.d/session_log' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' diff --git a/vars/Fedora-38-default.yml b/vars/Fedora-38-default.yml deleted file mode 100644 index 1e839dc..0000000 --- a/vars/Fedora-38-default.yml +++ /dev/null @@ -1,38 +0,0 @@ ---- -# vars file for ensure_sudo -package_list: - - name: 'libsss_sudo' - state: 'present' - - name: 'sudo' - state: 'present' -template_list: - - dest: '/etc/dnf/protected.d/sudo.conf' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' - - dest: '/etc/pam.d/sudo' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' - - dest: '/etc/pam.d/sudo-i' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' - - dest: '/etc/sudo.conf' - group: 'root' - mode: '0640' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' - - dest: '/etc/sudoers' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' - - dest: '/etc/sudoers.d/session_log' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' diff --git a/vars/Fedora-39-default.yml b/vars/Fedora-39-default.yml deleted file mode 100644 index 1e839dc..0000000 --- a/vars/Fedora-39-default.yml +++ /dev/null @@ -1,38 +0,0 @@ ---- -# vars file for ensure_sudo -package_list: - - name: 'libsss_sudo' - state: 'present' - - name: 'sudo' - state: 'present' -template_list: - - dest: '/etc/dnf/protected.d/sudo.conf' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' - - dest: '/etc/pam.d/sudo' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' - - dest: '/etc/pam.d/sudo-i' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' - - dest: '/etc/sudo.conf' - group: 'root' - mode: '0640' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' - - dest: '/etc/sudoers' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' - - dest: '/etc/sudoers.d/session_log' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' diff --git a/vars/Fedora-40-default.yml b/vars/Fedora-40-default.yml deleted file mode 100644 index 1e839dc..0000000 --- a/vars/Fedora-40-default.yml +++ /dev/null @@ -1,38 +0,0 @@ ---- -# vars file for ensure_sudo -package_list: - - name: 'libsss_sudo' - state: 'present' - - name: 'sudo' - state: 'present' -template_list: - - dest: '/etc/dnf/protected.d/sudo.conf' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' - - dest: '/etc/pam.d/sudo' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' - - dest: '/etc/pam.d/sudo-i' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' - - dest: '/etc/sudo.conf' - group: 'root' - mode: '0640' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' - - dest: '/etc/sudoers' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' - - dest: '/etc/sudoers.d/session_log' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' diff --git a/vars/Fedora-41-default.yml b/vars/Fedora-41-default.yml deleted file mode 100644 index 1e839dc..0000000 --- a/vars/Fedora-41-default.yml +++ /dev/null @@ -1,38 +0,0 @@ ---- -# vars file for ensure_sudo -package_list: - - name: 'libsss_sudo' - state: 'present' - - name: 'sudo' - state: 'present' -template_list: - - dest: '/etc/dnf/protected.d/sudo.conf' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' - - dest: '/etc/pam.d/sudo' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' - - dest: '/etc/pam.d/sudo-i' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' - - dest: '/etc/sudo.conf' - group: 'root' - mode: '0640' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' - - dest: '/etc/sudoers' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' - - dest: '/etc/sudoers.d/session_log' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' diff --git a/vars/Fedora-42-default.yml b/vars/Fedora-42-default.yml index 1e839dc..289d0e2 100644 --- a/vars/Fedora-42-default.yml +++ b/vars/Fedora-42-default.yml @@ -10,29 +10,29 @@ template_list: group: 'root' mode: '0644' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/dnf/protected.d/sudo.conf' - dest: '/etc/pam.d/sudo' group: 'root' mode: '0644' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo' - dest: '/etc/pam.d/sudo-i' group: 'root' mode: '0644' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo-i' - dest: '/etc/sudo.conf' group: 'root' mode: '0640' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudo.conf' - dest: '/etc/sudoers' group: 'root' mode: '0440' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers' - dest: '/etc/sudoers.d/session_log' group: 'root' mode: '0440' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers.d/session_log.j2' diff --git a/vars/Fedora-43-default.yml b/vars/Fedora-43-default.yml new file mode 100644 index 0000000..289d0e2 --- /dev/null +++ b/vars/Fedora-43-default.yml @@ -0,0 +1,38 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +template_list: + - dest: '/etc/dnf/protected.d/sudo.conf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/dnf/protected.d/sudo.conf' + - dest: '/etc/pam.d/sudo' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo' + - dest: '/etc/pam.d/sudo-i' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo-i' + - dest: '/etc/sudo.conf' + group: 'root' + mode: '0640' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudo.conf' + - dest: '/etc/sudoers' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers' + - dest: '/etc/sudoers.d/session_log' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers.d/session_log.j2' diff --git a/vars/Fedora-44-default.yml b/vars/Fedora-44-default.yml new file mode 100644 index 0000000..289d0e2 --- /dev/null +++ b/vars/Fedora-44-default.yml @@ -0,0 +1,38 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +template_list: + - dest: '/etc/dnf/protected.d/sudo.conf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/dnf/protected.d/sudo.conf' + - dest: '/etc/pam.d/sudo' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo' + - dest: '/etc/pam.d/sudo-i' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo-i' + - dest: '/etc/sudo.conf' + group: 'root' + mode: '0640' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudo.conf' + - dest: '/etc/sudoers' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers' + - dest: '/etc/sudoers.d/session_log' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers.d/session_log.j2' diff --git a/vars/OracleLinux-10-default.yml b/vars/OracleLinux-10-default.yml new file mode 100644 index 0000000..43b81b6 --- /dev/null +++ b/vars/OracleLinux-10-default.yml @@ -0,0 +1,9 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +... + diff --git a/vars/OracleLinux-8-default.yml b/vars/OracleLinux-8-default.yml new file mode 100644 index 0000000..43b81b6 --- /dev/null +++ b/vars/OracleLinux-8-default.yml @@ -0,0 +1,9 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +... + diff --git a/vars/OracleLinux-9-default.yml b/vars/OracleLinux-9-default.yml index 1e839dc..289d0e2 100644 --- a/vars/OracleLinux-9-default.yml +++ b/vars/OracleLinux-9-default.yml @@ -10,29 +10,29 @@ template_list: group: 'root' mode: '0644' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/dnf/protected.d/sudo.conf' - dest: '/etc/pam.d/sudo' group: 'root' mode: '0644' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo' - dest: '/etc/pam.d/sudo-i' group: 'root' mode: '0644' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo-i' - dest: '/etc/sudo.conf' group: 'root' mode: '0640' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudo.conf' - dest: '/etc/sudoers' group: 'root' mode: '0440' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers' - dest: '/etc/sudoers.d/session_log' group: 'root' mode: '0440' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers.d/session_log.j2' diff --git a/vars/Rocky-10-default.yml b/vars/Rocky-10-default.yml new file mode 100644 index 0000000..43b81b6 --- /dev/null +++ b/vars/Rocky-10-default.yml @@ -0,0 +1,9 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +... + diff --git a/vars/Rocky-8-default.yml b/vars/Rocky-8-default.yml new file mode 100644 index 0000000..43b81b6 --- /dev/null +++ b/vars/Rocky-8-default.yml @@ -0,0 +1,9 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +... + diff --git a/vars/Rocky-9-default.yml b/vars/Rocky-9-default.yml index 1e839dc..289d0e2 100644 --- a/vars/Rocky-9-default.yml +++ b/vars/Rocky-9-default.yml @@ -10,29 +10,29 @@ template_list: group: 'root' mode: '0644' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/dnf/protected.d/sudo.conf' - dest: '/etc/pam.d/sudo' group: 'root' mode: '0644' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo' - dest: '/etc/pam.d/sudo-i' group: 'root' mode: '0644' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo-i' - dest: '/etc/sudo.conf' group: 'root' mode: '0640' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudo.conf' - dest: '/etc/sudoers' group: 'root' mode: '0440' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers' - dest: '/etc/sudoers.d/session_log' group: 'root' mode: '0440' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers.d/session_log.j2'