From 31ae9def963010b7bf1830dd21c79b71ae1eb5dd Mon Sep 17 00:00:00 2001 From: AnsibleRoles <> Date: Mon, 28 Dec 2020 20:09:46 +0000 Subject: [PATCH 01/40] Initial commit --- .gitignore | 78 +++++++++++++++++++++++++ LICENSE | 163 +++++++++++++++++++++++++++++++++++++++++++++++++++++ README.md | 2 + 3 files changed, 243 insertions(+) create mode 100644 .gitignore create mode 100644 LICENSE create mode 100644 README.md diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..3ee4c9a --- /dev/null +++ b/.gitignore @@ -0,0 +1,78 @@ +# ---> Ansible +*.retry + +# ---> Windows +# Windows thumbnail cache files +Thumbs.db +ehthumbs.db +ehthumbs_vista.db + +# Dump file +*.stackdump + +# Folder config file +[Dd]esktop.ini + +# Recycle Bin used on file shares +$RECYCLE.BIN/ + +# Windows Installer files +*.cab +*.msi +*.msix +*.msm +*.msp + +# Windows shortcuts +*.lnk + +# ---> macOS +# General +.DS_Store +.AppleDouble +.LSOverride + +# Icon must end with two \r +Icon + +# Thumbnails +._* + +# Files that might appear in the root of a volume +.DocumentRevisions-V100 +.fseventsd +.Spotlight-V100 +.TemporaryItems +.Trashes +.VolumeIcon.icns +.com.apple.timemachine.donotpresent + +# Directories potentially created on remote AFP share +.AppleDB +.AppleDesktop +Network Trash Folder +Temporary Items +.apdisk + +# ---> Linux +*~ + +# temporary files which can be created if a process still has a handle open of a deleted file +.fuse_hidden* + +# KDE directory preferences +.directory + +# Linux trash folder which might appear on any partition or disk +.Trash-* + +# .nfs files are created when an open file is removed but is still being accessed +.nfs* + +# ---> VisualStudioCode +.vscode/* +!.vscode/settings.json +!.vscode/tasks.json +!.vscode/launch.json +!.vscode/extensions.json + diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..1344add --- /dev/null +++ b/LICENSE @@ -0,0 +1,163 @@ +GNU LESSER GENERAL PUBLIC LICENSE + +Version 3, 29 June 2007 + +Copyright (C) 2007 Free Software Foundation, Inc. + +Everyone is permitted to copy and distribute verbatim copies of this license +document, but changing it is not allowed. + +This version of the GNU Lesser General Public License incorporates the terms +and conditions of version 3 of the GNU General Public License, supplemented +by the additional permissions listed below. + + 0. Additional Definitions. + + + +As used herein, "this License" refers to version 3 of the GNU Lesser General +Public License, and the "GNU GPL" refers to version 3 of the GNU General Public +License. + + + +"The Library" refers to a covered work governed by this License, other than +an Application or a Combined Work as defined below. + + + +An "Application" is any work that makes use of an interface provided by the +Library, but which is not otherwise based on the Library. Defining a subclass +of a class defined by the Library is deemed a mode of using an interface provided +by the Library. + + + +A "Combined Work" is a work produced by combining or linking an Application +with the Library. The particular version of the Library with which the Combined +Work was made is also called the "Linked Version". + + + +The "Minimal Corresponding Source" for a Combined Work means the Corresponding +Source for the Combined Work, excluding any source code for portions of the +Combined Work that, considered in isolation, are based on the Application, +and not on the Linked Version. + + + +The "Corresponding Application Code" for a Combined Work means the object +code and/or source code for the Application, including any data and utility +programs needed for reproducing the Combined Work from the Application, but +excluding the System Libraries of the Combined Work. + + 1. Exception to Section 3 of the GNU GPL. + +You may convey a covered work under sections 3 and 4 of this License without +being bound by section 3 of the GNU GPL. + + 2. Conveying Modified Versions. + +If you modify a copy of the Library, and, in your modifications, a facility +refers to a function or data to be supplied by an Application that uses the +facility (other than as an argument passed when the facility is invoked), +then you may convey a copy of the modified version: + +a) under this License, provided that you make a good faith effort to ensure +that, in the event an Application does not supply the function or data, the +facility still operates, and performs whatever part of its purpose remains +meaningful, or + +b) under the GNU GPL, with none of the additional permissions of this License +applicable to that copy. + + 3. Object Code Incorporating Material from Library Header Files. + +The object code form of an Application may incorporate material from a header +file that is part of the Library. You may convey such object code under terms +of your choice, provided that, if the incorporated material is not limited +to numerical parameters, data structure layouts and accessors, or small macros, +inline functions and templates (ten or fewer lines in length), you do both +of the following: + +a) Give prominent notice with each copy of the object code that the Library +is used in it and that the Library and its use are covered by this License. + +b) Accompany the object code with a copy of the GNU GPL and this license document. + + 4. Combined Works. + +You may convey a Combined Work under terms of your choice that, taken together, +effectively do not restrict modification of the portions of the Library contained +in the Combined Work and reverse engineering for debugging such modifications, +if you also do each of the following: + +a) Give prominent notice with each copy of the Combined Work that the Library +is used in it and that the Library and its use are covered by this License. + +b) Accompany the Combined Work with a copy of the GNU GPL and this license +document. + +c) For a Combined Work that displays copyright notices during execution, include +the copyright notice for the Library among these notices, as well as a reference +directing the user to the copies of the GNU GPL and this license document. + + d) Do one of the following: + +0) Convey the Minimal Corresponding Source under the terms of this License, +and the Corresponding Application Code in a form suitable for, and under terms +that permit, the user to recombine or relink the Application with a modified +version of the Linked Version to produce a modified Combined Work, in the +manner specified by section 6 of the GNU GPL for conveying Corresponding Source. + +1) Use a suitable shared library mechanism for linking with the Library. A +suitable mechanism is one that (a) uses at run time a copy of the Library +already present on the user's computer system, and (b) will operate properly +with a modified version of the Library that is interface-compatible with the +Linked Version. + +e) Provide Installation Information, but only if you would otherwise be required +to provide such information under section 6 of the GNU GPL, and only to the +extent that such information is necessary to install and execute a modified +version of the Combined Work produced by recombining or relinking the Application +with a modified version of the Linked Version. (If you use option 4d0, the +Installation Information must accompany the Minimal Corresponding Source and +Corresponding Application Code. If you use option 4d1, you must provide the +Installation Information in the manner specified by section 6 of the GNU GPL +for conveying Corresponding Source.) + + 5. Combined Libraries. + +You may place library facilities that are a work based on the Library side +by side in a single library together with other library facilities that are +not Applications and are not covered by this License, and convey such a combined +library under terms of your choice, if you do both of the following: + +a) Accompany the combined library with a copy of the same work based on the +Library, uncombined with any other library facilities, conveyed under the +terms of this License. + +b) Give prominent notice with the combined library that part of it is a work +based on the Library, and explaining where to find the accompanying uncombined +form of the same work. + + 6. Revised Versions of the GNU Lesser General Public License. + +The Free Software Foundation may publish revised and/or new versions of the +GNU Lesser General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to address +new problems or concerns. + +Each version is given a distinguishing version number. If the Library as you +received it specifies that a certain numbered version of the GNU Lesser General +Public License "or any later version" applies to it, you have the option of +following the terms and conditions either of that published version or of +any later version published by the Free Software Foundation. If the Library +as you received it does not specify a version number of the GNU Lesser General +Public License, you may choose any version of the GNU Lesser General Public +License ever published by the Free Software Foundation. + +If the Library as you received it specifies that a proxy can decide whether +future versions of the GNU Lesser General Public License shall apply, that +proxy's public statement of acceptance of any version is permanent authorization +for you to choose that version for the Library. diff --git a/README.md b/README.md new file mode 100644 index 0000000..dd47e29 --- /dev/null +++ b/README.md @@ -0,0 +1,2 @@ +# ensure_sudo + From fcba030a5b240ca96ec5cfb94695b6e30e4072d3 Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Mon, 28 Dec 2020 14:11:34 -0600 Subject: [PATCH 02/40] Initial Role --- .travis.yml | 29 ++++++++++++++++++++++++++ README.md | 38 ++++++++++++++++++++++++++++++++- defaults/main.yml | 2 ++ handlers/main.yml | 2 ++ meta/main.yml | 53 +++++++++++++++++++++++++++++++++++++++++++++++ tasks/main.yml | 2 ++ tests/inventory | 2 ++ tests/test.yml | 5 +++++ vars/main.yml | 2 ++ 9 files changed, 134 insertions(+), 1 deletion(-) create mode 100644 .travis.yml create mode 100644 defaults/main.yml create mode 100644 handlers/main.yml create mode 100644 meta/main.yml create mode 100644 tasks/main.yml create mode 100644 tests/inventory create mode 100644 tests/test.yml create mode 100644 vars/main.yml diff --git a/.travis.yml b/.travis.yml new file mode 100644 index 0000000..36bbf62 --- /dev/null +++ b/.travis.yml @@ -0,0 +1,29 @@ +--- +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/README.md b/README.md index dd47e29..225dd44 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,38 @@ -# ensure_sudo +Role Name +========= +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/defaults/main.yml b/defaults/main.yml new file mode 100644 index 0000000..ba49fe4 --- /dev/null +++ b/defaults/main.yml @@ -0,0 +1,2 @@ +--- +# defaults file for ensure_sudo \ No newline at end of file diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..13c670f --- /dev/null +++ b/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for ensure_sudo \ No newline at end of file diff --git a/meta/main.yml b/meta/main.yml new file mode 100644 index 0000000..227ad9c --- /dev/null +++ b/meta/main.yml @@ -0,0 +1,53 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.9 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. + \ No newline at end of file diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 0000000..779df43 --- /dev/null +++ b/tasks/main.yml @@ -0,0 +1,2 @@ +--- +# tasks file for ensure_sudo \ No newline at end of file diff --git a/tests/inventory b/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/tests/test.yml b/tests/test.yml new file mode 100644 index 0000000..0f5704c --- /dev/null +++ b/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - ensure_sudo \ No newline at end of file diff --git a/vars/main.yml b/vars/main.yml new file mode 100644 index 0000000..4744a45 --- /dev/null +++ b/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for ensure_sudo \ No newline at end of file From ea082eab658694099faf1f9a55c633e3221f2ad5 Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Mon, 28 Dec 2020 14:56:37 -0600 Subject: [PATCH 03/40] Ensure sudo with local session logs for Fedora 33 --- tasks/main.yml | 82 +++++++++++- .../Fedora/33/etc/dnf/protected.d/sudo.conf | 1 + templates/Fedora/33/etc/pam.d/sudo | 7 + templates/Fedora/33/etc/pam.d/sudo-i | 6 + templates/Fedora/33/etc/sudo.conf | 124 ++++++++++++++++++ templates/Fedora/33/etc/sudoers | 120 +++++++++++++++++ .../Fedora/33/etc/sudoers.d/session_log.j2 | 6 + vars/Fedora-33-default.yml | 39 ++++++ vars/default.yml | 2 + 9 files changed, 386 insertions(+), 1 deletion(-) create mode 100644 templates/Fedora/33/etc/dnf/protected.d/sudo.conf create mode 100644 templates/Fedora/33/etc/pam.d/sudo create mode 100644 templates/Fedora/33/etc/pam.d/sudo-i create mode 100644 templates/Fedora/33/etc/sudo.conf create mode 100644 templates/Fedora/33/etc/sudoers create mode 100644 templates/Fedora/33/etc/sudoers.d/session_log.j2 create mode 100644 vars/Fedora-33-default.yml create mode 100644 vars/default.yml diff --git a/tasks/main.yml b/tasks/main.yml index 779df43..df5b27b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,2 +1,82 @@ --- -# tasks file for ensure_sudo \ No newline at end of file +# tasks file for ensure_sudo +- name: 'include vendor / version specific variables' + when: + - ansible_system == 'Linux' + include_vars: + file: '{{ lookup("first_found", findme ) }}' + name: 'ensure_ansible_prereq' + vars: + findme: + files: + - '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-{{ ansible_architecture }}.yml' + - '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-default.yml' + - '{{ ansible_distribution }}-default.yml' + - '{{ ansible_os_family }}-{{ ansible_distribution_major_version }}-{{ ansible_architecture }}.yml' + - '{{ ansible_os_family }}-{{ ansible_distribution_major_version }}-default.yml' + - '{{ ansible_os_family }}-default.yml' + - 'default.yml' + paths: + - '../vars/' + errors: 'ignore' +- name: 'package discovery' + when: + - ansible_system == 'Linux' + - packages is not defined + ansible.builtin.package_facts: +- name: 'service discovery' + when: + - ansible_system == 'Linux' + - services is not defined + ansible.builtin.service_facts: +- name: 'ensure packages' + when: + - ansible_system == 'Linux' + - ensure_ansible_prereq is defined + - ensure_ansible_prereq.package_list is defined + - ensure_ansible_prereq.package_list is iterable + ansible.builtin.package: + name: '{{ item.name }}' + state: '{{ item.state }}' + loop: '{{ ensure_ansible_prereq.package_list }}' + loop_control: + label: '{{ item.name }} will be {{ item.state }}' + notify: + - 'ensure_ansible_prereq.package_facts' + - 'ensure_ansible_prereq.service_facts' +- name: 'ensure services' + when: + - ansible_system == 'Linux' + - ensure_ansible_prereq is defined + - ensure_ansible_prereq.service_list is defined + - ensure_ansible_prereq.service_list is iterable + ansible.builtin.service: + enabled: '{{ item.enabled }}' + name: '{{ item.name }}' + state: '{{ item.state }}' + loop: '{{ ensure_ansible_prereq.service_list }}' + loop_control: + label: '{{ item.name }} will be {{ item.state }}' + notify: + - 'ensure_ansible_prereq.package_facts' + - 'ensure_ansible_prereq.service_facts' +- name: 'ensure configurations' + when: + - ansible_system == 'Linux' + - ensure_sudo is defined + - ensure_sudo.template_list is defined + - ensure_sudo.template_list is iterable + ansible.builtin.template: + backup: 'no' + dest: '{{ item.dest }}' + group: '{{ item.group | default(omit) }}' + mode: '{{ item.mode | default(omit) }}' + owner: '{{ item.owner | default(omit) }}' + selevel: '{{ iteml.selevel | default(omit) }}' + serole: '{{ item.serole | default(omit) }}' + setype: '{{ item.setype | default(omit) }}' + seuser: '{{ item.seuser | default(omit) }}' + src: '{{ item.src }}' +- name: 'flush handlers' + meta: 'flush_handlers' + diff --git a/templates/Fedora/33/etc/dnf/protected.d/sudo.conf b/templates/Fedora/33/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/Fedora/33/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/Fedora/33/etc/pam.d/sudo b/templates/Fedora/33/etc/pam.d/sudo new file mode 100644 index 0000000..284b050 --- /dev/null +++ b/templates/Fedora/33/etc/pam.d/sudo @@ -0,0 +1,7 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session optional pam_keyinit.so revoke +session required pam_limits.so +session include system-auth diff --git a/templates/Fedora/33/etc/pam.d/sudo-i b/templates/Fedora/33/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/Fedora/33/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/Fedora/33/etc/sudo.conf b/templates/Fedora/33/etc/sudo.conf new file mode 100644 index 0000000..e4fccc3 --- /dev/null +++ b/templates/Fedora/33/etc/sudo.conf @@ -0,0 +1,124 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing dummy versions of the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +#Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Fedora/33/etc/sudoers b/templates/Fedora/33/etc/sudoers new file mode 100644 index 0000000..5f621a8 --- /dev/null +++ b/templates/Fedora/33/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/Fedora/33/etc/sudoers.d/session_log.j2 b/templates/Fedora/33/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/Fedora/33/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/vars/Fedora-33-default.yml b/vars/Fedora-33-default.yml new file mode 100644 index 0000000..c762476 --- /dev/null +++ b/vars/Fedora-33-default.yml @@ -0,0 +1,39 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +template_list: + - dest: '/etc/dnf/protected.d/sudo.conf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' + - dest: '/etc/pam.d/sudo' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' + - dest: '/etc/pam.d/sudo-i' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' + - dest: '/etc/sudo.conf' + group: 'root' + mode: '0640' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' + - dest: '/etc/sudoers' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' + - dest: '/etc/sudoers.d/session_log' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' + diff --git a/vars/default.yml b/vars/default.yml new file mode 100644 index 0000000..4744a45 --- /dev/null +++ b/vars/default.yml @@ -0,0 +1,2 @@ +--- +# vars file for ensure_sudo \ No newline at end of file From f6031f74d1c20445dea720cd510286480b6847cc Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Mon, 28 Dec 2020 15:10:50 -0600 Subject: [PATCH 04/40] Use correct variable names to ensure sudo is deployed --- tasks/main.yml | 32 +++++++++++++++++++------------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index df5b27b..7435e39 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -5,7 +5,7 @@ - ansible_system == 'Linux' include_vars: file: '{{ lookup("first_found", findme ) }}' - name: 'ensure_ansible_prereq' + name: 'ensure_sudo' vars: findme: files: @@ -32,34 +32,34 @@ - name: 'ensure packages' when: - ansible_system == 'Linux' - - ensure_ansible_prereq is defined - - ensure_ansible_prereq.package_list is defined - - ensure_ansible_prereq.package_list is iterable + - ensure_sudo is defined + - ensure_sudo.package_list is defined + - ensure_sudo.package_list is iterable ansible.builtin.package: name: '{{ item.name }}' state: '{{ item.state }}' - loop: '{{ ensure_ansible_prereq.package_list }}' + loop: '{{ ensure_sudo.package_list }}' loop_control: label: '{{ item.name }} will be {{ item.state }}' notify: - - 'ensure_ansible_prereq.package_facts' - - 'ensure_ansible_prereq.service_facts' + - 'ensure_sudo.package_facts' + - 'ensure_sudo.service_facts' - name: 'ensure services' when: - ansible_system == 'Linux' - - ensure_ansible_prereq is defined - - ensure_ansible_prereq.service_list is defined - - ensure_ansible_prereq.service_list is iterable + - ensure_sudo is defined + - ensure_sudo.service_list is defined + - ensure_sudo.service_list is iterable ansible.builtin.service: enabled: '{{ item.enabled }}' name: '{{ item.name }}' state: '{{ item.state }}' - loop: '{{ ensure_ansible_prereq.service_list }}' + loop: '{{ ensure_sudo.service_list }}' loop_control: label: '{{ item.name }} will be {{ item.state }}' notify: - - 'ensure_ansible_prereq.package_facts' - - 'ensure_ansible_prereq.service_facts' + - 'ensure_sudo.package_facts' + - 'ensure_sudo.service_facts' - name: 'ensure configurations' when: - ansible_system == 'Linux' @@ -77,6 +77,12 @@ setype: '{{ item.setype | default(omit) }}' seuser: '{{ item.seuser | default(omit) }}' src: '{{ item.src }}' + loop: '{{ ensure_sudo.template_test }}' + loop_control: + label: '{{ item.dest }} will be ensured' + notify: + - 'ensure_sudo.package_facts' + - 'ensure_sudo.service_facts' - name: 'flush handlers' meta: 'flush_handlers' From 4e58508b8e2f9fffa5b0c7d8902d909afc934434 Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Mon, 28 Dec 2020 15:12:30 -0600 Subject: [PATCH 05/40] Add missing handlers --- handlers/main.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/handlers/main.yml b/handlers/main.yml index 13c670f..4aa5009 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,2 +1,7 @@ --- -# handlers file for ensure_sudo \ No newline at end of file +# handlers file for ensure_sudo +- name: 'ensure_sudo.package_facts' + ansible.builtin.package_facts: +- name: 'ensure_sudo.service_facts' + ansible.builtin.service_facts: + From 9f589ee5ce6a9ac00aaa889f4d27f7099e464624 Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Mon, 28 Dec 2020 15:13:28 -0600 Subject: [PATCH 06/40] Add role meta --- meta/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/meta/main.yml b/meta/main.yml index 227ad9c..098dde1 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,6 +1,6 @@ galaxy_info: - author: your name - description: your role description + author: Jason Rothstein + description: Ensure sudo configuration company: your company (optional) # If the issue tracker for your role is not on github, uncomment the @@ -14,7 +14,7 @@ galaxy_info: # - GPL-3.0-only # - Apache-2.0 # - CC-BY-4.0 - license: license (GPL-2.0-or-later, MIT, etc) + license: LGPL-3.0-or-later min_ansible_version: 2.9 @@ -50,4 +50,4 @@ galaxy_info: dependencies: [] # List your role dependencies here, one per line. Be sure to remove the '[]' above, # if you add dependencies to this list. - \ No newline at end of file + From 329e5bd68e2cf6749ec2e115010722df8f35a114 Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Mon, 28 Dec 2020 15:15:27 -0600 Subject: [PATCH 07/40] Fix template_list variable name error --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 7435e39..917f3b9 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -77,7 +77,7 @@ setype: '{{ item.setype | default(omit) }}' seuser: '{{ item.seuser | default(omit) }}' src: '{{ item.src }}' - loop: '{{ ensure_sudo.template_test }}' + loop: '{{ ensure_sudo.template_list }}' loop_control: label: '{{ item.dest }} will be ensured' notify: From 8147f41d6fd765962ad3835c1e3f9f8eada76c78 Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Mon, 28 Dec 2020 17:39:10 -0600 Subject: [PATCH 08/40] Clean logs older than 90d by default to add missing feature to sudo --- defaults/main.yml | 4 +++- tasks/main.yml | 29 +++++++++++++++++++++++++++++ 2 files changed, 32 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index ba49fe4..ab081a4 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,2 +1,4 @@ --- -# defaults file for ensure_sudo \ No newline at end of file +# defaults file for ensure_sudo +sudo_log_retention: '90d' + diff --git a/tasks/main.yml b/tasks/main.yml index 917f3b9..2bdeb97 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -85,4 +85,33 @@ - 'ensure_sudo.service_facts' - name: 'flush handlers' meta: 'flush_handlers' +- name: 'find directories over {{ sudo_log_retention }} old under /var/log/sudo-io' + when: + - ansible_system == 'Linux' + - ensure_sudo is defined + - sudo_log_retention is defined + - sudo_log_retention is regex('^[0-9]*[smhdw]$') + ansible.builtin.find: + age: '{{ sudo_log_retention }}' + file_type: 'directory' + follow: 'no' + paths: + - '/var/log/sudo-io/' + recurse: 'yes' + register: 'results' +- name: 'And drop them' + when: + - ansible_system == 'Linux' + - ensure_sudo is defined + - sudo_log_retention is defined + - sudo_log_retention is regex('^[0-9]*[smhdw]$') + - item.path is regex('^/var/log/sudo-io/([0-9]|[A-Z])([0-9]|[A-Z])/([0-9]|[A-Z])([0-9]|[A-Z])/([0-9]|[A-Z])([0-9]|[A-Z])$') + ansible.builtin.file: + path: '{{ item.path }}' + state: 'absent' + loop: '{{ results.files }}' + loop_control: + label: '{{ item.path }} to be removed' +- name: 'flush handlers' + meta: 'flush_handlers' From 87b2934cba42f04e3ad8594446c78f2e6a75439d Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Mon, 28 Dec 2020 17:48:52 -0600 Subject: [PATCH 09/40] Correct the task label for when the variable isn't defined --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 2bdeb97..e5c3df1 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -85,7 +85,7 @@ - 'ensure_sudo.service_facts' - name: 'flush handlers' meta: 'flush_handlers' -- name: 'find directories over {{ sudo_log_retention }} old under /var/log/sudo-io' +- name: 'find directories over log retention window under /var/log/sudo-io' when: - ansible_system == 'Linux' - ensure_sudo is defined From 8bb7f1952779cc6de9c7535423894925321206ce Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Tue, 29 Jun 2021 21:01:16 -0500 Subject: [PATCH 10/40] Enable Fedora 34 --- .../Fedora/34/etc/dnf/protected.d/sudo.conf | 1 + templates/Fedora/34/etc/pam.d/sudo | 7 + templates/Fedora/34/etc/pam.d/sudo-i | 6 + templates/Fedora/34/etc/sudo.conf | 124 ++++++++++++++++++ templates/Fedora/34/etc/sudoers | 120 +++++++++++++++++ .../Fedora/34/etc/sudoers.d/session_log.j2 | 6 + vars/Fedora-34-default.yml | 39 ++++++ 7 files changed, 303 insertions(+) create mode 100644 templates/Fedora/34/etc/dnf/protected.d/sudo.conf create mode 100644 templates/Fedora/34/etc/pam.d/sudo create mode 100644 templates/Fedora/34/etc/pam.d/sudo-i create mode 100644 templates/Fedora/34/etc/sudo.conf create mode 100644 templates/Fedora/34/etc/sudoers create mode 100644 templates/Fedora/34/etc/sudoers.d/session_log.j2 create mode 100644 vars/Fedora-34-default.yml diff --git a/templates/Fedora/34/etc/dnf/protected.d/sudo.conf b/templates/Fedora/34/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/Fedora/34/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/Fedora/34/etc/pam.d/sudo b/templates/Fedora/34/etc/pam.d/sudo new file mode 100644 index 0000000..284b050 --- /dev/null +++ b/templates/Fedora/34/etc/pam.d/sudo @@ -0,0 +1,7 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session optional pam_keyinit.so revoke +session required pam_limits.so +session include system-auth diff --git a/templates/Fedora/34/etc/pam.d/sudo-i b/templates/Fedora/34/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/Fedora/34/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/Fedora/34/etc/sudo.conf b/templates/Fedora/34/etc/sudo.conf new file mode 100644 index 0000000..cb23433 --- /dev/null +++ b/templates/Fedora/34/etc/sudo.conf @@ -0,0 +1,124 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +#Plugin sudoers_policy sudoers.so +#Plugin sudoers_io sudoers.so +#Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +#Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Fedora/34/etc/sudoers b/templates/Fedora/34/etc/sudoers new file mode 100644 index 0000000..5f621a8 --- /dev/null +++ b/templates/Fedora/34/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/Fedora/34/etc/sudoers.d/session_log.j2 b/templates/Fedora/34/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/Fedora/34/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/vars/Fedora-34-default.yml b/vars/Fedora-34-default.yml new file mode 100644 index 0000000..c762476 --- /dev/null +++ b/vars/Fedora-34-default.yml @@ -0,0 +1,39 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +template_list: + - dest: '/etc/dnf/protected.d/sudo.conf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' + - dest: '/etc/pam.d/sudo' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' + - dest: '/etc/pam.d/sudo-i' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' + - dest: '/etc/sudo.conf' + group: 'root' + mode: '0640' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' + - dest: '/etc/sudoers' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' + - dest: '/etc/sudoers.d/session_log' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' + From 38fbd29350a137de19be02a74abff681a0281c54 Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Mon, 5 Jul 2021 04:49:28 +0000 Subject: [PATCH 11/40] Skip packages that already installed --- tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/main.yml b/tasks/main.yml index e5c3df1..b2ede93 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -35,6 +35,7 @@ - ensure_sudo is defined - ensure_sudo.package_list is defined - ensure_sudo.package_list is iterable + - packages[item.name] is not defined ansible.builtin.package: name: '{{ item.name }}' state: '{{ item.state }}' From bdd06e2d444426358d215977ab8d52d28ae42129 Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Tue, 6 Jul 2021 02:36:56 +0000 Subject: [PATCH 12/40] Deploy configuration before services --- tasks/main.yml | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index b2ede93..750a798 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -45,22 +45,6 @@ notify: - 'ensure_sudo.package_facts' - 'ensure_sudo.service_facts' -- name: 'ensure services' - when: - - ansible_system == 'Linux' - - ensure_sudo is defined - - ensure_sudo.service_list is defined - - ensure_sudo.service_list is iterable - ansible.builtin.service: - enabled: '{{ item.enabled }}' - name: '{{ item.name }}' - state: '{{ item.state }}' - loop: '{{ ensure_sudo.service_list }}' - loop_control: - label: '{{ item.name }} will be {{ item.state }}' - notify: - - 'ensure_sudo.package_facts' - - 'ensure_sudo.service_facts' - name: 'ensure configurations' when: - ansible_system == 'Linux' @@ -86,6 +70,22 @@ - 'ensure_sudo.service_facts' - name: 'flush handlers' meta: 'flush_handlers' +- name: 'ensure services' + when: + - ansible_system == 'Linux' + - ensure_sudo is defined + - ensure_sudo.service_list is defined + - ensure_sudo.service_list is iterable + ansible.builtin.service: + enabled: '{{ item.enabled }}' + name: '{{ item.name }}' + state: '{{ item.state }}' + loop: '{{ ensure_sudo.service_list }}' + loop_control: + label: '{{ item.name }} will be {{ item.state }}' + notify: + - 'ensure_sudo.package_facts' + - 'ensure_sudo.service_facts' - name: 'find directories over log retention window under /var/log/sudo-io' when: - ansible_system == 'Linux' From 4a889a31bc8e6d5ca96aa079b1fd7cc59e2dced5 Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Sun, 25 Jul 2021 04:08:57 +0000 Subject: [PATCH 13/40] Prevent multiple service restarts --- tasks/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 750a798..db740ad 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -68,8 +68,6 @@ notify: - 'ensure_sudo.package_facts' - 'ensure_sudo.service_facts' -- name: 'flush handlers' - meta: 'flush_handlers' - name: 'ensure services' when: - ansible_system == 'Linux' From ad92ecfd9c7bcb4b4c07b0180f8b8def0b0acdfc Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Sat, 13 Nov 2021 21:25:06 -0600 Subject: [PATCH 14/40] Add Fedora 35 --- .../Fedora/35/etc/dnf/protected.d/sudo.conf | 1 + templates/Fedora/35/etc/pam.d/sudo | 7 + templates/Fedora/35/etc/pam.d/sudo-i | 6 + templates/Fedora/35/etc/sudo.conf | 124 ++++++++++++++++++ templates/Fedora/35/etc/sudoers | 120 +++++++++++++++++ .../Fedora/35/etc/sudoers.d/session_log.j2 | 6 + vars/Fedora-33-default.yml | 1 - vars/Fedora-34-default.yml | 1 - vars/Fedora-35-default.yml | 38 ++++++ vars/main.yml | 2 +- 10 files changed, 303 insertions(+), 3 deletions(-) create mode 100644 templates/Fedora/35/etc/dnf/protected.d/sudo.conf create mode 100644 templates/Fedora/35/etc/pam.d/sudo create mode 100644 templates/Fedora/35/etc/pam.d/sudo-i create mode 100644 templates/Fedora/35/etc/sudo.conf create mode 100644 templates/Fedora/35/etc/sudoers create mode 100644 templates/Fedora/35/etc/sudoers.d/session_log.j2 create mode 100644 vars/Fedora-35-default.yml diff --git a/templates/Fedora/35/etc/dnf/protected.d/sudo.conf b/templates/Fedora/35/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/Fedora/35/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/Fedora/35/etc/pam.d/sudo b/templates/Fedora/35/etc/pam.d/sudo new file mode 100644 index 0000000..284b050 --- /dev/null +++ b/templates/Fedora/35/etc/pam.d/sudo @@ -0,0 +1,7 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session optional pam_keyinit.so revoke +session required pam_limits.so +session include system-auth diff --git a/templates/Fedora/35/etc/pam.d/sudo-i b/templates/Fedora/35/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/Fedora/35/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/Fedora/35/etc/sudo.conf b/templates/Fedora/35/etc/sudo.conf new file mode 100644 index 0000000..cb23433 --- /dev/null +++ b/templates/Fedora/35/etc/sudo.conf @@ -0,0 +1,124 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +#Plugin sudoers_policy sudoers.so +#Plugin sudoers_io sudoers.so +#Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +#Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Fedora/35/etc/sudoers b/templates/Fedora/35/etc/sudoers new file mode 100644 index 0000000..5f621a8 --- /dev/null +++ b/templates/Fedora/35/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/Fedora/35/etc/sudoers.d/session_log.j2 b/templates/Fedora/35/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/Fedora/35/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/vars/Fedora-33-default.yml b/vars/Fedora-33-default.yml index c762476..1e839dc 100644 --- a/vars/Fedora-33-default.yml +++ b/vars/Fedora-33-default.yml @@ -36,4 +36,3 @@ template_list: mode: '0440' owner: 'root' src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' - diff --git a/vars/Fedora-34-default.yml b/vars/Fedora-34-default.yml index c762476..1e839dc 100644 --- a/vars/Fedora-34-default.yml +++ b/vars/Fedora-34-default.yml @@ -36,4 +36,3 @@ template_list: mode: '0440' owner: 'root' src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' - diff --git a/vars/Fedora-35-default.yml b/vars/Fedora-35-default.yml new file mode 100644 index 0000000..1e839dc --- /dev/null +++ b/vars/Fedora-35-default.yml @@ -0,0 +1,38 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +template_list: + - dest: '/etc/dnf/protected.d/sudo.conf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' + - dest: '/etc/pam.d/sudo' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' + - dest: '/etc/pam.d/sudo-i' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' + - dest: '/etc/sudo.conf' + group: 'root' + mode: '0640' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' + - dest: '/etc/sudoers' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' + - dest: '/etc/sudoers.d/session_log' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' diff --git a/vars/main.yml b/vars/main.yml index 4744a45..9ae18b3 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,2 +1,2 @@ --- -# vars file for ensure_sudo \ No newline at end of file +# vars file for ensure_sudo From bb980765cb20fbd01e4919218047ac0b6c45dc42 Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Sun, 5 Jun 2022 16:30:17 -0500 Subject: [PATCH 15/40] Update handlers --- handlers/main.yml | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/handlers/main.yml b/handlers/main.yml index 4aa5009..b3263a8 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -4,4 +4,24 @@ ansible.builtin.package_facts: - name: 'ensure_sudo.service_facts' ansible.builtin.service_facts: - +- name: 'ensure_sudo.service_reload' + when: + - ansible_system == 'Linux' + - ansible_service_mgr == 'systemd' + - ensure_sudo is defined + ansible.builtin.systemd: + daemon_reload: 'yes' +- name: 'ensure_sudo.services' + when: + - ansible_system == 'Linux' + - ensure_sudo is defined + - ensure_sudo.service_list is defined + - ensure_sudo.service_list is iterable + - item.state == 'started' + ansible.builtin.service: + enabled: '{{ item.enabled }}' + name: '{{ item.name }}' + state: 'restarted' + loop: '{{ ensure_sudo.service_list }}' + loop_control: + label: '{{ item.name }} will be restarted' From 6f4c0451aa25b0cf5497727ad30b77c736f9a50a Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Sun, 5 Jun 2022 16:48:45 -0500 Subject: [PATCH 16/40] Update tasks --- tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index db740ad..1e74845 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -35,7 +35,6 @@ - ensure_sudo is defined - ensure_sudo.package_list is defined - ensure_sudo.package_list is iterable - - packages[item.name] is not defined ansible.builtin.package: name: '{{ item.name }}' state: '{{ item.state }}' From 2423792139b5a70e0668dbe2fdd05a4d66a27dfa Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Sun, 5 Jun 2022 17:53:09 -0500 Subject: [PATCH 17/40] Enable Fedora 36 --- .../Fedora/36/etc/dnf/protected.d/sudo.conf | 1 + templates/Fedora/36/etc/pam.d/sudo | 7 + templates/Fedora/36/etc/pam.d/sudo-i | 6 + templates/Fedora/36/etc/sudo.conf | 124 ++++++++++++++++++ templates/Fedora/36/etc/sudoers | 120 +++++++++++++++++ .../Fedora/36/etc/sudoers.d/session_log.j2 | 6 + vars/Fedora-36-default.yml | 38 ++++++ 7 files changed, 302 insertions(+) create mode 100644 templates/Fedora/36/etc/dnf/protected.d/sudo.conf create mode 100644 templates/Fedora/36/etc/pam.d/sudo create mode 100644 templates/Fedora/36/etc/pam.d/sudo-i create mode 100644 templates/Fedora/36/etc/sudo.conf create mode 100644 templates/Fedora/36/etc/sudoers create mode 100644 templates/Fedora/36/etc/sudoers.d/session_log.j2 create mode 100644 vars/Fedora-36-default.yml diff --git a/templates/Fedora/36/etc/dnf/protected.d/sudo.conf b/templates/Fedora/36/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/Fedora/36/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/Fedora/36/etc/pam.d/sudo b/templates/Fedora/36/etc/pam.d/sudo new file mode 100644 index 0000000..284b050 --- /dev/null +++ b/templates/Fedora/36/etc/pam.d/sudo @@ -0,0 +1,7 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session optional pam_keyinit.so revoke +session required pam_limits.so +session include system-auth diff --git a/templates/Fedora/36/etc/pam.d/sudo-i b/templates/Fedora/36/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/Fedora/36/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/Fedora/36/etc/sudo.conf b/templates/Fedora/36/etc/sudo.conf new file mode 100644 index 0000000..cb23433 --- /dev/null +++ b/templates/Fedora/36/etc/sudo.conf @@ -0,0 +1,124 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +#Plugin sudoers_policy sudoers.so +#Plugin sudoers_io sudoers.so +#Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +#Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Fedora/36/etc/sudoers b/templates/Fedora/36/etc/sudoers new file mode 100644 index 0000000..5f621a8 --- /dev/null +++ b/templates/Fedora/36/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/Fedora/36/etc/sudoers.d/session_log.j2 b/templates/Fedora/36/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/Fedora/36/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/vars/Fedora-36-default.yml b/vars/Fedora-36-default.yml new file mode 100644 index 0000000..1e839dc --- /dev/null +++ b/vars/Fedora-36-default.yml @@ -0,0 +1,38 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +template_list: + - dest: '/etc/dnf/protected.d/sudo.conf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' + - dest: '/etc/pam.d/sudo' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' + - dest: '/etc/pam.d/sudo-i' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' + - dest: '/etc/sudo.conf' + group: 'root' + mode: '0640' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' + - dest: '/etc/sudoers' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' + - dest: '/etc/sudoers.d/session_log' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' From 8de48b63e3b8adc882c3886249d1b927ccce380b Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Mon, 3 Oct 2022 00:03:08 -0500 Subject: [PATCH 18/40] Add sudo_intercept.so comments from latest sudo package --- templates/Fedora/36/etc/sudo.conf | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/templates/Fedora/36/etc/sudo.conf b/templates/Fedora/36/etc/sudo.conf index cb23433..773a0e0 100644 --- a/templates/Fedora/36/etc/sudo.conf +++ b/templates/Fedora/36/etc/sudo.conf @@ -38,6 +38,21 @@ # #Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev +# +# Sudo command interception: +# Path intercept /path/to/sudo_intercept.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that perform a policy check +# to verify the command is allowed and simply return an error if not. +# This is used to implement the "intercept" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_intercept.so file. +# +#Path intercept /usr/libexec/sudo/sudo_intercept.so + # # Sudo noexec: # Path noexec /path/to/sudo_noexec.so From de222f0b71c9d089219e634e6d707cd11c3943ea Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Tue, 6 Dec 2022 21:40:03 -0600 Subject: [PATCH 19/40] Add Fedora 37 --- .../Fedora/37/etc/dnf/protected.d/sudo.conf | 1 + templates/Fedora/37/etc/pam.d/sudo | 7 + templates/Fedora/37/etc/pam.d/sudo-i | 6 + templates/Fedora/37/etc/sudo.conf | 139 ++++++++++++++++++ templates/Fedora/37/etc/sudoers | 120 +++++++++++++++ .../Fedora/37/etc/sudoers.d/session_log.j2 | 6 + vars/Fedora-37-default.yml | 38 +++++ 7 files changed, 317 insertions(+) create mode 100644 templates/Fedora/37/etc/dnf/protected.d/sudo.conf create mode 100644 templates/Fedora/37/etc/pam.d/sudo create mode 100644 templates/Fedora/37/etc/pam.d/sudo-i create mode 100644 templates/Fedora/37/etc/sudo.conf create mode 100644 templates/Fedora/37/etc/sudoers create mode 100644 templates/Fedora/37/etc/sudoers.d/session_log.j2 create mode 100644 vars/Fedora-37-default.yml diff --git a/templates/Fedora/37/etc/dnf/protected.d/sudo.conf b/templates/Fedora/37/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/Fedora/37/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/Fedora/37/etc/pam.d/sudo b/templates/Fedora/37/etc/pam.d/sudo new file mode 100644 index 0000000..284b050 --- /dev/null +++ b/templates/Fedora/37/etc/pam.d/sudo @@ -0,0 +1,7 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session optional pam_keyinit.so revoke +session required pam_limits.so +session include system-auth diff --git a/templates/Fedora/37/etc/pam.d/sudo-i b/templates/Fedora/37/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/Fedora/37/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/Fedora/37/etc/sudo.conf b/templates/Fedora/37/etc/sudo.conf new file mode 100644 index 0000000..fe92dad --- /dev/null +++ b/templates/Fedora/37/etc/sudo.conf @@ -0,0 +1,139 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +#Plugin sudoers_policy sudoers.so +#Plugin sudoers_io sudoers.so +#Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo command interception: +# Path intercept /path/to/sudo_intercept.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that perform a policy check +# to verify the command is allowed and simply return an error if not. +# This is used to implement the "intercept" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_intercept.so file. +# +#Path intercept /usr/libexec/sudo/sudo_intercept.so + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +#Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Fedora/37/etc/sudoers b/templates/Fedora/37/etc/sudoers new file mode 100644 index 0000000..5f621a8 --- /dev/null +++ b/templates/Fedora/37/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/Fedora/37/etc/sudoers.d/session_log.j2 b/templates/Fedora/37/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/Fedora/37/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/vars/Fedora-37-default.yml b/vars/Fedora-37-default.yml new file mode 100644 index 0000000..1e839dc --- /dev/null +++ b/vars/Fedora-37-default.yml @@ -0,0 +1,38 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +template_list: + - dest: '/etc/dnf/protected.d/sudo.conf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' + - dest: '/etc/pam.d/sudo' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' + - dest: '/etc/pam.d/sudo-i' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' + - dest: '/etc/sudo.conf' + group: 'root' + mode: '0640' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' + - dest: '/etc/sudoers' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' + - dest: '/etc/sudoers.d/session_log' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' From 55e38f33700d4e648ca621e11192201650e52bd6 Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Sun, 12 Feb 2023 21:25:25 -0600 Subject: [PATCH 20/40] Fedora 36 likes Oxford Comma now? --- templates/Fedora/36/etc/sudo.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/Fedora/36/etc/sudo.conf b/templates/Fedora/36/etc/sudo.conf index 773a0e0..fe92dad 100644 --- a/templates/Fedora/36/etc/sudo.conf +++ b/templates/Fedora/36/etc/sudo.conf @@ -129,10 +129,10 @@ # Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] # # Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay or visudo. +# The program is typically sudo, sudoers.so, sudoreplay, or visudo. # # Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace or debug. +# Priority may be crit, err, warn, notice, diag, info, trace, or debug. # Multiple subsystem@priority may be specified, separated by a comma. # #Debug sudo /var/log/sudo_debug all@debug From 45434263c7531bc502bc0c7814b9f9a136235633 Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Sun, 12 Feb 2023 22:27:18 -0600 Subject: [PATCH 21/40] Fedora 37 hates the oxford comma? --- templates/Fedora/37/etc/sudo.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/Fedora/37/etc/sudo.conf b/templates/Fedora/37/etc/sudo.conf index fe92dad..773a0e0 100644 --- a/templates/Fedora/37/etc/sudo.conf +++ b/templates/Fedora/37/etc/sudo.conf @@ -129,10 +129,10 @@ # Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] # # Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. # # Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. # Multiple subsystem@priority may be specified, separated by a comma. # #Debug sudo /var/log/sudo_debug all@debug From 0a788d5c4e40ceceed2018ee66bef70734686215 Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Sun, 23 Apr 2023 16:46:02 -0500 Subject: [PATCH 22/40] Add Fedora 38 --- .../Fedora/38/etc/dnf/protected.d/sudo.conf | 1 + templates/Fedora/38/etc/pam.d/sudo | 7 + templates/Fedora/38/etc/pam.d/sudo-i | 6 + templates/Fedora/38/etc/sudo.conf | 139 ++++++++++++++++++ templates/Fedora/38/etc/sudoers | 120 +++++++++++++++ .../Fedora/38/etc/sudoers.d/session_log.j2 | 6 + vars/Fedora-38-default.yml | 38 +++++ 7 files changed, 317 insertions(+) create mode 100644 templates/Fedora/38/etc/dnf/protected.d/sudo.conf create mode 100644 templates/Fedora/38/etc/pam.d/sudo create mode 100644 templates/Fedora/38/etc/pam.d/sudo-i create mode 100644 templates/Fedora/38/etc/sudo.conf create mode 100644 templates/Fedora/38/etc/sudoers create mode 100644 templates/Fedora/38/etc/sudoers.d/session_log.j2 create mode 100644 vars/Fedora-38-default.yml diff --git a/templates/Fedora/38/etc/dnf/protected.d/sudo.conf b/templates/Fedora/38/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/Fedora/38/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/Fedora/38/etc/pam.d/sudo b/templates/Fedora/38/etc/pam.d/sudo new file mode 100644 index 0000000..284b050 --- /dev/null +++ b/templates/Fedora/38/etc/pam.d/sudo @@ -0,0 +1,7 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session optional pam_keyinit.so revoke +session required pam_limits.so +session include system-auth diff --git a/templates/Fedora/38/etc/pam.d/sudo-i b/templates/Fedora/38/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/Fedora/38/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/Fedora/38/etc/sudo.conf b/templates/Fedora/38/etc/sudo.conf new file mode 100644 index 0000000..773a0e0 --- /dev/null +++ b/templates/Fedora/38/etc/sudo.conf @@ -0,0 +1,139 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +#Plugin sudoers_policy sudoers.so +#Plugin sudoers_io sudoers.so +#Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo command interception: +# Path intercept /path/to/sudo_intercept.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that perform a policy check +# to verify the command is allowed and simply return an error if not. +# This is used to implement the "intercept" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_intercept.so file. +# +#Path intercept /usr/libexec/sudo/sudo_intercept.so + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +#Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Fedora/38/etc/sudoers b/templates/Fedora/38/etc/sudoers new file mode 100644 index 0000000..5f621a8 --- /dev/null +++ b/templates/Fedora/38/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/Fedora/38/etc/sudoers.d/session_log.j2 b/templates/Fedora/38/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/Fedora/38/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/vars/Fedora-38-default.yml b/vars/Fedora-38-default.yml new file mode 100644 index 0000000..1e839dc --- /dev/null +++ b/vars/Fedora-38-default.yml @@ -0,0 +1,38 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +template_list: + - dest: '/etc/dnf/protected.d/sudo.conf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' + - dest: '/etc/pam.d/sudo' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' + - dest: '/etc/pam.d/sudo-i' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' + - dest: '/etc/sudo.conf' + group: 'root' + mode: '0640' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' + - dest: '/etc/sudoers' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' + - dest: '/etc/sudoers.d/session_log' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' From 01481b534ecd8db82ebfd78eb5e42679e41b11f8 Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Sun, 23 Apr 2023 17:02:34 -0500 Subject: [PATCH 23/40] Use Fedora 38 sudo.conf --- templates/Fedora/38/etc/sudo.conf | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/templates/Fedora/38/etc/sudo.conf b/templates/Fedora/38/etc/sudo.conf index 773a0e0..1c499a7 100644 --- a/templates/Fedora/38/etc/sudo.conf +++ b/templates/Fedora/38/etc/sudo.conf @@ -51,7 +51,7 @@ # The compiled-in value is usually sufficient and should only be changed # if you rename or move the sudo_intercept.so file. # -#Path intercept /usr/libexec/sudo/sudo_intercept.so +#Path intercept disabled # # Sudo noexec: @@ -76,14 +76,6 @@ # #Path plugin_dir /usr/libexec/sudo -# -# Sudo developer mode: -# Set developer_mode true|false -# -# Allow loading of plugins that are owned by non-root or are writable -# by "group" or "other". Should only be used during plugin development. -#Set developer_mode true - # # Core dumps: # Set disable_coredump true|false @@ -129,10 +121,10 @@ # Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] # # Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay or visudo. +# The program is typically sudo, sudoers.so, sudoreplay, or visudo. # # Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace or debug. +# Priority may be crit, err, warn, notice, diag, info, trace, or debug. # Multiple subsystem@priority may be specified, separated by a comma. # #Debug sudo /var/log/sudo_debug all@debug From d6b0136276f53036f71a96b32ecbc62148c94e9c Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Sat, 16 Mar 2024 20:25:22 -0500 Subject: [PATCH 24/40] Add Fedora 39 --- .../Fedora/39/etc/dnf/protected.d/sudo.conf | 1 + templates/Fedora/39/etc/pam.d/sudo | 7 + templates/Fedora/39/etc/pam.d/sudo-i | 6 + templates/Fedora/39/etc/sudo.conf | 131 ++++++++++++++++++ templates/Fedora/39/etc/sudoers | 120 ++++++++++++++++ .../Fedora/39/etc/sudoers.d/session_log.j2 | 6 + vars/Fedora-39-default.yml | 38 +++++ 7 files changed, 309 insertions(+) create mode 100644 templates/Fedora/39/etc/dnf/protected.d/sudo.conf create mode 100644 templates/Fedora/39/etc/pam.d/sudo create mode 100644 templates/Fedora/39/etc/pam.d/sudo-i create mode 100644 templates/Fedora/39/etc/sudo.conf create mode 100644 templates/Fedora/39/etc/sudoers create mode 100644 templates/Fedora/39/etc/sudoers.d/session_log.j2 create mode 100644 vars/Fedora-39-default.yml diff --git a/templates/Fedora/39/etc/dnf/protected.d/sudo.conf b/templates/Fedora/39/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/Fedora/39/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/Fedora/39/etc/pam.d/sudo b/templates/Fedora/39/etc/pam.d/sudo new file mode 100644 index 0000000..284b050 --- /dev/null +++ b/templates/Fedora/39/etc/pam.d/sudo @@ -0,0 +1,7 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session optional pam_keyinit.so revoke +session required pam_limits.so +session include system-auth diff --git a/templates/Fedora/39/etc/pam.d/sudo-i b/templates/Fedora/39/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/Fedora/39/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/Fedora/39/etc/sudo.conf b/templates/Fedora/39/etc/sudo.conf new file mode 100644 index 0000000..1c499a7 --- /dev/null +++ b/templates/Fedora/39/etc/sudo.conf @@ -0,0 +1,131 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +#Plugin sudoers_policy sudoers.so +#Plugin sudoers_io sudoers.so +#Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo command interception: +# Path intercept /path/to/sudo_intercept.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that perform a policy check +# to verify the command is allowed and simply return an error if not. +# This is used to implement the "intercept" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_intercept.so file. +# +#Path intercept disabled + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +#Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Fedora/39/etc/sudoers b/templates/Fedora/39/etc/sudoers new file mode 100644 index 0000000..5f621a8 --- /dev/null +++ b/templates/Fedora/39/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/Fedora/39/etc/sudoers.d/session_log.j2 b/templates/Fedora/39/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/Fedora/39/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/vars/Fedora-39-default.yml b/vars/Fedora-39-default.yml new file mode 100644 index 0000000..1e839dc --- /dev/null +++ b/vars/Fedora-39-default.yml @@ -0,0 +1,38 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +template_list: + - dest: '/etc/dnf/protected.d/sudo.conf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' + - dest: '/etc/pam.d/sudo' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' + - dest: '/etc/pam.d/sudo-i' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' + - dest: '/etc/sudo.conf' + group: 'root' + mode: '0640' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' + - dest: '/etc/sudoers' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' + - dest: '/etc/sudoers.d/session_log' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' From 0c312ee0ad044f355704d7c78352e450e324d21e Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Sun, 2 Jun 2024 12:27:32 -0500 Subject: [PATCH 25/40] Fedora 40 support Signed-off-by: Jason Rothstein --- .../Fedora/40/etc/dnf/protected.d/sudo.conf | 1 + templates/Fedora/40/etc/pam.d/sudo | 7 + templates/Fedora/40/etc/pam.d/sudo-i | 6 + templates/Fedora/40/etc/sudo.conf | 131 ++++++++++++++++++ templates/Fedora/40/etc/sudoers | 120 ++++++++++++++++ .../Fedora/40/etc/sudoers.d/session_log.j2 | 6 + vars/Fedora-40-default.yml | 38 +++++ 7 files changed, 309 insertions(+) create mode 100644 templates/Fedora/40/etc/dnf/protected.d/sudo.conf create mode 100644 templates/Fedora/40/etc/pam.d/sudo create mode 100644 templates/Fedora/40/etc/pam.d/sudo-i create mode 100644 templates/Fedora/40/etc/sudo.conf create mode 100644 templates/Fedora/40/etc/sudoers create mode 100644 templates/Fedora/40/etc/sudoers.d/session_log.j2 create mode 100644 vars/Fedora-40-default.yml diff --git a/templates/Fedora/40/etc/dnf/protected.d/sudo.conf b/templates/Fedora/40/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/Fedora/40/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/Fedora/40/etc/pam.d/sudo b/templates/Fedora/40/etc/pam.d/sudo new file mode 100644 index 0000000..284b050 --- /dev/null +++ b/templates/Fedora/40/etc/pam.d/sudo @@ -0,0 +1,7 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session optional pam_keyinit.so revoke +session required pam_limits.so +session include system-auth diff --git a/templates/Fedora/40/etc/pam.d/sudo-i b/templates/Fedora/40/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/Fedora/40/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/Fedora/40/etc/sudo.conf b/templates/Fedora/40/etc/sudo.conf new file mode 100644 index 0000000..1c499a7 --- /dev/null +++ b/templates/Fedora/40/etc/sudo.conf @@ -0,0 +1,131 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +#Plugin sudoers_policy sudoers.so +#Plugin sudoers_io sudoers.so +#Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo command interception: +# Path intercept /path/to/sudo_intercept.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that perform a policy check +# to verify the command is allowed and simply return an error if not. +# This is used to implement the "intercept" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_intercept.so file. +# +#Path intercept disabled + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +#Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Fedora/40/etc/sudoers b/templates/Fedora/40/etc/sudoers new file mode 100644 index 0000000..5f621a8 --- /dev/null +++ b/templates/Fedora/40/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/Fedora/40/etc/sudoers.d/session_log.j2 b/templates/Fedora/40/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/Fedora/40/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/vars/Fedora-40-default.yml b/vars/Fedora-40-default.yml new file mode 100644 index 0000000..1e839dc --- /dev/null +++ b/vars/Fedora-40-default.yml @@ -0,0 +1,38 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +template_list: + - dest: '/etc/dnf/protected.d/sudo.conf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' + - dest: '/etc/pam.d/sudo' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' + - dest: '/etc/pam.d/sudo-i' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' + - dest: '/etc/sudo.conf' + group: 'root' + mode: '0640' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' + - dest: '/etc/sudoers' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' + - dest: '/etc/sudoers.d/session_log' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' From 1114295b031bb8581f62e168ad28f114565714e7 Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Sun, 30 Jun 2024 23:04:25 -0500 Subject: [PATCH 26/40] Add Alma/CentOS/Oracle/Rocky 9 Signed-off-by: Jason Rothstein --- .../9/9/etc/dnf/protected.d/sudo.conf | 1 + templates/AlmaLinux/9/9/etc/pam.d/sudo | 5 + templates/AlmaLinux/9/9/etc/pam.d/sudo-i | 6 + templates/AlmaLinux/9/9/etc/sudo.conf | 124 +++++++++++++++++ templates/AlmaLinux/9/9/etc/sudoers | 120 ++++++++++++++++ .../9/9/etc/sudoers.d/session_log.j2 | 6 + .../AlmaLinux/9/etc/dnf/protected.d/sudo.conf | 1 + templates/AlmaLinux/9/etc/pam.d/sudo | 7 + templates/AlmaLinux/9/etc/pam.d/sudo-i | 6 + templates/AlmaLinux/9/etc/sudo.conf | 131 ++++++++++++++++++ templates/AlmaLinux/9/etc/sudoers | 120 ++++++++++++++++ .../AlmaLinux/9/etc/sudoers.d/session_log.j2 | 6 + .../CentOS/9/etc/dnf/protected.d/sudo.conf | 1 + templates/CentOS/9/etc/pam.d/sudo | 5 + templates/CentOS/9/etc/pam.d/sudo-i | 6 + templates/CentOS/9/etc/sudo.conf | 124 +++++++++++++++++ templates/CentOS/9/etc/sudoers | 120 ++++++++++++++++ .../CentOS/9/etc/sudoers.d/session_log.j2 | 6 + .../9/9/etc/dnf/protected.d/sudo.conf | 1 + templates/OracleLinux/9/9/etc/pam.d/sudo | 5 + templates/OracleLinux/9/9/etc/pam.d/sudo-i | 6 + templates/OracleLinux/9/9/etc/sudo.conf | 124 +++++++++++++++++ templates/OracleLinux/9/9/etc/sudoers | 120 ++++++++++++++++ .../9/9/etc/sudoers.d/session_log.j2 | 6 + .../9/etc/dnf/protected.d/sudo.conf | 1 + templates/OracleLinux/9/etc/pam.d/sudo | 7 + templates/OracleLinux/9/etc/pam.d/sudo-i | 6 + templates/OracleLinux/9/etc/sudo.conf | 131 ++++++++++++++++++ templates/OracleLinux/9/etc/sudoers | 120 ++++++++++++++++ .../9/etc/sudoers.d/session_log.j2 | 6 + .../Rocky/9/9/etc/dnf/protected.d/sudo.conf | 1 + templates/Rocky/9/9/etc/pam.d/sudo | 5 + templates/Rocky/9/9/etc/pam.d/sudo-i | 6 + templates/Rocky/9/9/etc/sudo.conf | 124 +++++++++++++++++ templates/Rocky/9/9/etc/sudoers | 120 ++++++++++++++++ .../Rocky/9/9/etc/sudoers.d/session_log.j2 | 6 + .../Rocky/9/etc/dnf/protected.d/sudo.conf | 1 + templates/Rocky/9/etc/pam.d/sudo | 7 + templates/Rocky/9/etc/pam.d/sudo-i | 6 + templates/Rocky/9/etc/sudo.conf | 131 ++++++++++++++++++ templates/Rocky/9/etc/sudoers | 120 ++++++++++++++++ .../Rocky/9/etc/sudoers.d/session_log.j2 | 6 + vars/AlmaLinux-9-default.yml | 38 +++++ vars/CentOS-9-default.yml | 38 +++++ vars/OracleLinux-9-default.yml | 38 +++++ vars/Rocky-9-default.yml | 38 +++++ 46 files changed, 2013 insertions(+) create mode 100644 templates/AlmaLinux/9/9/etc/dnf/protected.d/sudo.conf create mode 100644 templates/AlmaLinux/9/9/etc/pam.d/sudo create mode 100644 templates/AlmaLinux/9/9/etc/pam.d/sudo-i create mode 100644 templates/AlmaLinux/9/9/etc/sudo.conf create mode 100644 templates/AlmaLinux/9/9/etc/sudoers create mode 100644 templates/AlmaLinux/9/9/etc/sudoers.d/session_log.j2 create mode 100644 templates/AlmaLinux/9/etc/dnf/protected.d/sudo.conf create mode 100644 templates/AlmaLinux/9/etc/pam.d/sudo create mode 100644 templates/AlmaLinux/9/etc/pam.d/sudo-i create mode 100644 templates/AlmaLinux/9/etc/sudo.conf create mode 100644 templates/AlmaLinux/9/etc/sudoers create mode 100644 templates/AlmaLinux/9/etc/sudoers.d/session_log.j2 create mode 100644 templates/CentOS/9/etc/dnf/protected.d/sudo.conf create mode 100644 templates/CentOS/9/etc/pam.d/sudo create mode 100644 templates/CentOS/9/etc/pam.d/sudo-i create mode 100644 templates/CentOS/9/etc/sudo.conf create mode 100644 templates/CentOS/9/etc/sudoers create mode 100644 templates/CentOS/9/etc/sudoers.d/session_log.j2 create mode 100644 templates/OracleLinux/9/9/etc/dnf/protected.d/sudo.conf create mode 100644 templates/OracleLinux/9/9/etc/pam.d/sudo create mode 100644 templates/OracleLinux/9/9/etc/pam.d/sudo-i create mode 100644 templates/OracleLinux/9/9/etc/sudo.conf create mode 100644 templates/OracleLinux/9/9/etc/sudoers create mode 100644 templates/OracleLinux/9/9/etc/sudoers.d/session_log.j2 create mode 100644 templates/OracleLinux/9/etc/dnf/protected.d/sudo.conf create mode 100644 templates/OracleLinux/9/etc/pam.d/sudo create mode 100644 templates/OracleLinux/9/etc/pam.d/sudo-i create mode 100644 templates/OracleLinux/9/etc/sudo.conf create mode 100644 templates/OracleLinux/9/etc/sudoers create mode 100644 templates/OracleLinux/9/etc/sudoers.d/session_log.j2 create mode 100644 templates/Rocky/9/9/etc/dnf/protected.d/sudo.conf create mode 100644 templates/Rocky/9/9/etc/pam.d/sudo create mode 100644 templates/Rocky/9/9/etc/pam.d/sudo-i create mode 100644 templates/Rocky/9/9/etc/sudo.conf create mode 100644 templates/Rocky/9/9/etc/sudoers create mode 100644 templates/Rocky/9/9/etc/sudoers.d/session_log.j2 create mode 100644 templates/Rocky/9/etc/dnf/protected.d/sudo.conf create mode 100644 templates/Rocky/9/etc/pam.d/sudo create mode 100644 templates/Rocky/9/etc/pam.d/sudo-i create mode 100644 templates/Rocky/9/etc/sudo.conf create mode 100644 templates/Rocky/9/etc/sudoers create mode 100644 templates/Rocky/9/etc/sudoers.d/session_log.j2 create mode 100644 vars/AlmaLinux-9-default.yml create mode 100644 vars/CentOS-9-default.yml create mode 100644 vars/OracleLinux-9-default.yml create mode 100644 vars/Rocky-9-default.yml diff --git a/templates/AlmaLinux/9/9/etc/dnf/protected.d/sudo.conf b/templates/AlmaLinux/9/9/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/AlmaLinux/9/9/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/AlmaLinux/9/9/etc/pam.d/sudo b/templates/AlmaLinux/9/9/etc/pam.d/sudo new file mode 100644 index 0000000..fcb7a46 --- /dev/null +++ b/templates/AlmaLinux/9/9/etc/pam.d/sudo @@ -0,0 +1,5 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session include system-auth diff --git a/templates/AlmaLinux/9/9/etc/pam.d/sudo-i b/templates/AlmaLinux/9/9/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/AlmaLinux/9/9/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/AlmaLinux/9/9/etc/sudo.conf b/templates/AlmaLinux/9/9/etc/sudo.conf new file mode 100644 index 0000000..27ccc72 --- /dev/null +++ b/templates/AlmaLinux/9/9/etc/sudo.conf @@ -0,0 +1,124 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/AlmaLinux/9/9/etc/sudoers b/templates/AlmaLinux/9/9/etc/sudoers new file mode 100644 index 0000000..93e02ba --- /dev/null +++ b/templates/AlmaLinux/9/9/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/AlmaLinux/9/9/etc/sudoers.d/session_log.j2 b/templates/AlmaLinux/9/9/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/AlmaLinux/9/9/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/templates/AlmaLinux/9/etc/dnf/protected.d/sudo.conf b/templates/AlmaLinux/9/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/AlmaLinux/9/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/AlmaLinux/9/etc/pam.d/sudo b/templates/AlmaLinux/9/etc/pam.d/sudo new file mode 100644 index 0000000..284b050 --- /dev/null +++ b/templates/AlmaLinux/9/etc/pam.d/sudo @@ -0,0 +1,7 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session optional pam_keyinit.so revoke +session required pam_limits.so +session include system-auth diff --git a/templates/AlmaLinux/9/etc/pam.d/sudo-i b/templates/AlmaLinux/9/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/AlmaLinux/9/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/AlmaLinux/9/etc/sudo.conf b/templates/AlmaLinux/9/etc/sudo.conf new file mode 100644 index 0000000..1c499a7 --- /dev/null +++ b/templates/AlmaLinux/9/etc/sudo.conf @@ -0,0 +1,131 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +#Plugin sudoers_policy sudoers.so +#Plugin sudoers_io sudoers.so +#Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo command interception: +# Path intercept /path/to/sudo_intercept.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that perform a policy check +# to verify the command is allowed and simply return an error if not. +# This is used to implement the "intercept" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_intercept.so file. +# +#Path intercept disabled + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +#Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/AlmaLinux/9/etc/sudoers b/templates/AlmaLinux/9/etc/sudoers new file mode 100644 index 0000000..5f621a8 --- /dev/null +++ b/templates/AlmaLinux/9/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/AlmaLinux/9/etc/sudoers.d/session_log.j2 b/templates/AlmaLinux/9/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/AlmaLinux/9/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/templates/CentOS/9/etc/dnf/protected.d/sudo.conf b/templates/CentOS/9/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/CentOS/9/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/CentOS/9/etc/pam.d/sudo b/templates/CentOS/9/etc/pam.d/sudo new file mode 100644 index 0000000..fcb7a46 --- /dev/null +++ b/templates/CentOS/9/etc/pam.d/sudo @@ -0,0 +1,5 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session include system-auth diff --git a/templates/CentOS/9/etc/pam.d/sudo-i b/templates/CentOS/9/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/CentOS/9/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/CentOS/9/etc/sudo.conf b/templates/CentOS/9/etc/sudo.conf new file mode 100644 index 0000000..27ccc72 --- /dev/null +++ b/templates/CentOS/9/etc/sudo.conf @@ -0,0 +1,124 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/CentOS/9/etc/sudoers b/templates/CentOS/9/etc/sudoers new file mode 100644 index 0000000..93e02ba --- /dev/null +++ b/templates/CentOS/9/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/CentOS/9/etc/sudoers.d/session_log.j2 b/templates/CentOS/9/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/CentOS/9/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/templates/OracleLinux/9/9/etc/dnf/protected.d/sudo.conf b/templates/OracleLinux/9/9/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/OracleLinux/9/9/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/OracleLinux/9/9/etc/pam.d/sudo b/templates/OracleLinux/9/9/etc/pam.d/sudo new file mode 100644 index 0000000..fcb7a46 --- /dev/null +++ b/templates/OracleLinux/9/9/etc/pam.d/sudo @@ -0,0 +1,5 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session include system-auth diff --git a/templates/OracleLinux/9/9/etc/pam.d/sudo-i b/templates/OracleLinux/9/9/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/OracleLinux/9/9/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/OracleLinux/9/9/etc/sudo.conf b/templates/OracleLinux/9/9/etc/sudo.conf new file mode 100644 index 0000000..27ccc72 --- /dev/null +++ b/templates/OracleLinux/9/9/etc/sudo.conf @@ -0,0 +1,124 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/OracleLinux/9/9/etc/sudoers b/templates/OracleLinux/9/9/etc/sudoers new file mode 100644 index 0000000..93e02ba --- /dev/null +++ b/templates/OracleLinux/9/9/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/OracleLinux/9/9/etc/sudoers.d/session_log.j2 b/templates/OracleLinux/9/9/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/OracleLinux/9/9/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/templates/OracleLinux/9/etc/dnf/protected.d/sudo.conf b/templates/OracleLinux/9/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/OracleLinux/9/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/OracleLinux/9/etc/pam.d/sudo b/templates/OracleLinux/9/etc/pam.d/sudo new file mode 100644 index 0000000..284b050 --- /dev/null +++ b/templates/OracleLinux/9/etc/pam.d/sudo @@ -0,0 +1,7 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session optional pam_keyinit.so revoke +session required pam_limits.so +session include system-auth diff --git a/templates/OracleLinux/9/etc/pam.d/sudo-i b/templates/OracleLinux/9/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/OracleLinux/9/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/OracleLinux/9/etc/sudo.conf b/templates/OracleLinux/9/etc/sudo.conf new file mode 100644 index 0000000..1c499a7 --- /dev/null +++ b/templates/OracleLinux/9/etc/sudo.conf @@ -0,0 +1,131 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +#Plugin sudoers_policy sudoers.so +#Plugin sudoers_io sudoers.so +#Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo command interception: +# Path intercept /path/to/sudo_intercept.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that perform a policy check +# to verify the command is allowed and simply return an error if not. +# This is used to implement the "intercept" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_intercept.so file. +# +#Path intercept disabled + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +#Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/OracleLinux/9/etc/sudoers b/templates/OracleLinux/9/etc/sudoers new file mode 100644 index 0000000..5f621a8 --- /dev/null +++ b/templates/OracleLinux/9/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/OracleLinux/9/etc/sudoers.d/session_log.j2 b/templates/OracleLinux/9/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/OracleLinux/9/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/templates/Rocky/9/9/etc/dnf/protected.d/sudo.conf b/templates/Rocky/9/9/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/Rocky/9/9/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/Rocky/9/9/etc/pam.d/sudo b/templates/Rocky/9/9/etc/pam.d/sudo new file mode 100644 index 0000000..fcb7a46 --- /dev/null +++ b/templates/Rocky/9/9/etc/pam.d/sudo @@ -0,0 +1,5 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session include system-auth diff --git a/templates/Rocky/9/9/etc/pam.d/sudo-i b/templates/Rocky/9/9/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/Rocky/9/9/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/Rocky/9/9/etc/sudo.conf b/templates/Rocky/9/9/etc/sudo.conf new file mode 100644 index 0000000..27ccc72 --- /dev/null +++ b/templates/Rocky/9/9/etc/sudo.conf @@ -0,0 +1,124 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Rocky/9/9/etc/sudoers b/templates/Rocky/9/9/etc/sudoers new file mode 100644 index 0000000..93e02ba --- /dev/null +++ b/templates/Rocky/9/9/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/Rocky/9/9/etc/sudoers.d/session_log.j2 b/templates/Rocky/9/9/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/Rocky/9/9/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/templates/Rocky/9/etc/dnf/protected.d/sudo.conf b/templates/Rocky/9/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/Rocky/9/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/Rocky/9/etc/pam.d/sudo b/templates/Rocky/9/etc/pam.d/sudo new file mode 100644 index 0000000..284b050 --- /dev/null +++ b/templates/Rocky/9/etc/pam.d/sudo @@ -0,0 +1,7 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session optional pam_keyinit.so revoke +session required pam_limits.so +session include system-auth diff --git a/templates/Rocky/9/etc/pam.d/sudo-i b/templates/Rocky/9/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/Rocky/9/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/Rocky/9/etc/sudo.conf b/templates/Rocky/9/etc/sudo.conf new file mode 100644 index 0000000..1c499a7 --- /dev/null +++ b/templates/Rocky/9/etc/sudo.conf @@ -0,0 +1,131 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +#Plugin sudoers_policy sudoers.so +#Plugin sudoers_io sudoers.so +#Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo command interception: +# Path intercept /path/to/sudo_intercept.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that perform a policy check +# to verify the command is allowed and simply return an error if not. +# This is used to implement the "intercept" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_intercept.so file. +# +#Path intercept disabled + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +#Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Rocky/9/etc/sudoers b/templates/Rocky/9/etc/sudoers new file mode 100644 index 0000000..5f621a8 --- /dev/null +++ b/templates/Rocky/9/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/Rocky/9/etc/sudoers.d/session_log.j2 b/templates/Rocky/9/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/Rocky/9/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/vars/AlmaLinux-9-default.yml b/vars/AlmaLinux-9-default.yml new file mode 100644 index 0000000..1e839dc --- /dev/null +++ b/vars/AlmaLinux-9-default.yml @@ -0,0 +1,38 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +template_list: + - dest: '/etc/dnf/protected.d/sudo.conf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' + - dest: '/etc/pam.d/sudo' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' + - dest: '/etc/pam.d/sudo-i' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' + - dest: '/etc/sudo.conf' + group: 'root' + mode: '0640' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' + - dest: '/etc/sudoers' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' + - dest: '/etc/sudoers.d/session_log' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' diff --git a/vars/CentOS-9-default.yml b/vars/CentOS-9-default.yml new file mode 100644 index 0000000..1e839dc --- /dev/null +++ b/vars/CentOS-9-default.yml @@ -0,0 +1,38 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +template_list: + - dest: '/etc/dnf/protected.d/sudo.conf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' + - dest: '/etc/pam.d/sudo' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' + - dest: '/etc/pam.d/sudo-i' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' + - dest: '/etc/sudo.conf' + group: 'root' + mode: '0640' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' + - dest: '/etc/sudoers' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' + - dest: '/etc/sudoers.d/session_log' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' diff --git a/vars/OracleLinux-9-default.yml b/vars/OracleLinux-9-default.yml new file mode 100644 index 0000000..1e839dc --- /dev/null +++ b/vars/OracleLinux-9-default.yml @@ -0,0 +1,38 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +template_list: + - dest: '/etc/dnf/protected.d/sudo.conf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' + - dest: '/etc/pam.d/sudo' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' + - dest: '/etc/pam.d/sudo-i' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' + - dest: '/etc/sudo.conf' + group: 'root' + mode: '0640' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' + - dest: '/etc/sudoers' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' + - dest: '/etc/sudoers.d/session_log' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' diff --git a/vars/Rocky-9-default.yml b/vars/Rocky-9-default.yml new file mode 100644 index 0000000..1e839dc --- /dev/null +++ b/vars/Rocky-9-default.yml @@ -0,0 +1,38 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +template_list: + - dest: '/etc/dnf/protected.d/sudo.conf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' + - dest: '/etc/pam.d/sudo' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' + - dest: '/etc/pam.d/sudo-i' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' + - dest: '/etc/sudo.conf' + group: 'root' + mode: '0640' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' + - dest: '/etc/sudoers' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' + - dest: '/etc/sudoers.d/session_log' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' From 9646e3da300b5b243b882a9eea1de11b2b3c123e Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Fri, 27 Dec 2024 15:56:01 -0600 Subject: [PATCH 27/40] Fedora 41 Signed-off-by: Jason Rothstein --- .../Fedora/41/etc/dnf/protected.d/sudo.conf | 1 + templates/Fedora/41/etc/pam.d/sudo | 7 + templates/Fedora/41/etc/pam.d/sudo-i | 6 + templates/Fedora/41/etc/sudo.conf | 131 ++++++++++++++++++ templates/Fedora/41/etc/sudoers | 120 ++++++++++++++++ .../Fedora/41/etc/sudoers.d/session_log.j2 | 6 + vars/Fedora-41-default.yml | 38 +++++ 7 files changed, 309 insertions(+) create mode 100644 templates/Fedora/41/etc/dnf/protected.d/sudo.conf create mode 100644 templates/Fedora/41/etc/pam.d/sudo create mode 100644 templates/Fedora/41/etc/pam.d/sudo-i create mode 100644 templates/Fedora/41/etc/sudo.conf create mode 100644 templates/Fedora/41/etc/sudoers create mode 100644 templates/Fedora/41/etc/sudoers.d/session_log.j2 create mode 100644 vars/Fedora-41-default.yml diff --git a/templates/Fedora/41/etc/dnf/protected.d/sudo.conf b/templates/Fedora/41/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/Fedora/41/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/Fedora/41/etc/pam.d/sudo b/templates/Fedora/41/etc/pam.d/sudo new file mode 100644 index 0000000..284b050 --- /dev/null +++ b/templates/Fedora/41/etc/pam.d/sudo @@ -0,0 +1,7 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session optional pam_keyinit.so revoke +session required pam_limits.so +session include system-auth diff --git a/templates/Fedora/41/etc/pam.d/sudo-i b/templates/Fedora/41/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/Fedora/41/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/Fedora/41/etc/sudo.conf b/templates/Fedora/41/etc/sudo.conf new file mode 100644 index 0000000..1c499a7 --- /dev/null +++ b/templates/Fedora/41/etc/sudo.conf @@ -0,0 +1,131 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +#Plugin sudoers_policy sudoers.so +#Plugin sudoers_io sudoers.so +#Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo command interception: +# Path intercept /path/to/sudo_intercept.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that perform a policy check +# to verify the command is allowed and simply return an error if not. +# This is used to implement the "intercept" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_intercept.so file. +# +#Path intercept disabled + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +#Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Fedora/41/etc/sudoers b/templates/Fedora/41/etc/sudoers new file mode 100644 index 0000000..5f621a8 --- /dev/null +++ b/templates/Fedora/41/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/Fedora/41/etc/sudoers.d/session_log.j2 b/templates/Fedora/41/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/Fedora/41/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/vars/Fedora-41-default.yml b/vars/Fedora-41-default.yml new file mode 100644 index 0000000..1e839dc --- /dev/null +++ b/vars/Fedora-41-default.yml @@ -0,0 +1,38 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +template_list: + - dest: '/etc/dnf/protected.d/sudo.conf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' + - dest: '/etc/pam.d/sudo' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' + - dest: '/etc/pam.d/sudo-i' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' + - dest: '/etc/sudo.conf' + group: 'root' + mode: '0640' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' + - dest: '/etc/sudoers' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' + - dest: '/etc/sudoers.d/session_log' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' From 7fd1b46cdc2d256db09d8dfbe5f05090d90e17dc Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Sun, 27 Apr 2025 12:49:05 -0500 Subject: [PATCH 28/40] Fedora 42 Signed-off-by: Jason Rothstein --- .../Fedora/42/etc/dnf/protected.d/sudo.conf | 1 + templates/Fedora/42/etc/pam.d/sudo | 7 + templates/Fedora/42/etc/pam.d/sudo-i | 6 + templates/Fedora/42/etc/sudo.conf | 131 ++++++++++++++++++ templates/Fedora/42/etc/sudoers | 120 ++++++++++++++++ .../Fedora/42/etc/sudoers.d/session_log.j2 | 6 + vars/Fedora-42-default.yml | 38 +++++ 7 files changed, 309 insertions(+) create mode 100644 templates/Fedora/42/etc/dnf/protected.d/sudo.conf create mode 100644 templates/Fedora/42/etc/pam.d/sudo create mode 100644 templates/Fedora/42/etc/pam.d/sudo-i create mode 100644 templates/Fedora/42/etc/sudo.conf create mode 100644 templates/Fedora/42/etc/sudoers create mode 100644 templates/Fedora/42/etc/sudoers.d/session_log.j2 create mode 100644 vars/Fedora-42-default.yml diff --git a/templates/Fedora/42/etc/dnf/protected.d/sudo.conf b/templates/Fedora/42/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/Fedora/42/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/Fedora/42/etc/pam.d/sudo b/templates/Fedora/42/etc/pam.d/sudo new file mode 100644 index 0000000..284b050 --- /dev/null +++ b/templates/Fedora/42/etc/pam.d/sudo @@ -0,0 +1,7 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session optional pam_keyinit.so revoke +session required pam_limits.so +session include system-auth diff --git a/templates/Fedora/42/etc/pam.d/sudo-i b/templates/Fedora/42/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/Fedora/42/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/Fedora/42/etc/sudo.conf b/templates/Fedora/42/etc/sudo.conf new file mode 100644 index 0000000..1c499a7 --- /dev/null +++ b/templates/Fedora/42/etc/sudo.conf @@ -0,0 +1,131 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +#Plugin sudoers_policy sudoers.so +#Plugin sudoers_io sudoers.so +#Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo command interception: +# Path intercept /path/to/sudo_intercept.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that perform a policy check +# to verify the command is allowed and simply return an error if not. +# This is used to implement the "intercept" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_intercept.so file. +# +#Path intercept disabled + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +#Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Fedora/42/etc/sudoers b/templates/Fedora/42/etc/sudoers new file mode 100644 index 0000000..5f621a8 --- /dev/null +++ b/templates/Fedora/42/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/Fedora/42/etc/sudoers.d/session_log.j2 b/templates/Fedora/42/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/Fedora/42/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/vars/Fedora-42-default.yml b/vars/Fedora-42-default.yml new file mode 100644 index 0000000..1e839dc --- /dev/null +++ b/vars/Fedora-42-default.yml @@ -0,0 +1,38 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +template_list: + - dest: '/etc/dnf/protected.d/sudo.conf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' + - dest: '/etc/pam.d/sudo' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' + - dest: '/etc/pam.d/sudo-i' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' + - dest: '/etc/sudo.conf' + group: 'root' + mode: '0640' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' + - dest: '/etc/sudoers' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' + - dest: '/etc/sudoers.d/session_log' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' From 113904a84609c79f40fa18fc83372d4c8e5d6b83 Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Sun, 25 May 2025 20:14:03 -0500 Subject: [PATCH 29/40] Handler Improvements Signed-off-by: Jason Rothstein --- handlers/main.yml | 4 +++- tasks/main.yml | 3 +++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/handlers/main.yml b/handlers/main.yml index b3263a8..877e01a 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -11,7 +11,7 @@ - ensure_sudo is defined ansible.builtin.systemd: daemon_reload: 'yes' -- name: 'ensure_sudo.services' +- name: 'ensure_sudo.service_restart' when: - ansible_system == 'Linux' - ensure_sudo is defined @@ -25,3 +25,5 @@ loop: '{{ ensure_sudo.service_list }}' loop_control: label: '{{ item.name }} will be restarted' +... + diff --git a/tasks/main.yml b/tasks/main.yml index 1e74845..44a22c8 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -67,6 +67,8 @@ notify: - 'ensure_sudo.package_facts' - 'ensure_sudo.service_facts' + - 'ensure_sudo.service_reload' + - 'ensure_sudo.service_restart' - name: 'ensure services' when: - ansible_system == 'Linux' @@ -112,4 +114,5 @@ label: '{{ item.path }} to be removed' - name: 'flush handlers' meta: 'flush_handlers' +... From 0c5e392b055330dcec63bed4bb59c00faffb0192 Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Tue, 5 May 2026 14:32:46 -0500 Subject: [PATCH 30/40] Ansible core 2.20 fixes and supported OS change Signed-off-by: Jason Rothstein --- tasks/main.yml | 28 ++-- templates/Fedora/33/etc/sudo.conf | 124 ---------------- templates/Fedora/34/etc/sudo.conf | 124 ---------------- .../Fedora/35/etc/dnf/protected.d/sudo.conf | 1 - templates/Fedora/35/etc/pam.d/sudo | 7 - templates/Fedora/35/etc/pam.d/sudo-i | 6 - templates/Fedora/35/etc/sudo.conf | 124 ---------------- templates/Fedora/35/etc/sudoers | 120 --------------- .../Fedora/35/etc/sudoers.d/session_log.j2 | 6 - .../Fedora/36/etc/dnf/protected.d/sudo.conf | 1 - templates/Fedora/36/etc/pam.d/sudo | 7 - templates/Fedora/36/etc/pam.d/sudo-i | 6 - templates/Fedora/36/etc/sudo.conf | 139 ------------------ templates/Fedora/36/etc/sudoers | 120 --------------- .../Fedora/36/etc/sudoers.d/session_log.j2 | 6 - .../Fedora/37/etc/dnf/protected.d/sudo.conf | 1 - templates/Fedora/37/etc/pam.d/sudo | 7 - templates/Fedora/37/etc/pam.d/sudo-i | 6 - templates/Fedora/37/etc/sudo.conf | 139 ------------------ templates/Fedora/37/etc/sudoers | 120 --------------- .../Fedora/37/etc/sudoers.d/session_log.j2 | 6 - .../Fedora/38/etc/dnf/protected.d/sudo.conf | 1 - templates/Fedora/38/etc/pam.d/sudo | 7 - templates/Fedora/38/etc/pam.d/sudo-i | 6 - templates/Fedora/38/etc/sudoers | 120 --------------- .../Fedora/38/etc/sudoers.d/session_log.j2 | 6 - .../Fedora/39/etc/dnf/protected.d/sudo.conf | 1 - templates/Fedora/39/etc/pam.d/sudo | 7 - templates/Fedora/39/etc/pam.d/sudo-i | 6 - templates/Fedora/39/etc/sudoers | 120 --------------- .../Fedora/39/etc/sudoers.d/session_log.j2 | 6 - .../Fedora/40/etc/dnf/protected.d/sudo.conf | 1 - templates/Fedora/40/etc/pam.d/sudo | 7 - templates/Fedora/40/etc/pam.d/sudo-i | 6 - templates/Fedora/40/etc/sudo.conf | 131 ----------------- templates/Fedora/40/etc/sudoers | 120 --------------- .../Fedora/40/etc/sudoers.d/session_log.j2 | 6 - .../Fedora/41/etc/dnf/protected.d/sudo.conf | 1 - templates/Fedora/41/etc/pam.d/sudo | 7 - templates/Fedora/41/etc/pam.d/sudo-i | 6 - templates/Fedora/41/etc/sudo.conf | 131 ----------------- templates/Fedora/41/etc/sudoers | 120 --------------- .../Fedora/41/etc/sudoers.d/session_log.j2 | 6 - .../{33 => 43}/etc/dnf/protected.d/sudo.conf | 0 templates/Fedora/{33 => 43}/etc/pam.d/sudo | 0 templates/Fedora/{33 => 43}/etc/pam.d/sudo-i | 0 templates/Fedora/{38 => 43}/etc/sudo.conf | 0 templates/Fedora/{33 => 43}/etc/sudoers | 0 .../{33 => 43}/etc/sudoers.d/session_log.j2 | 0 .../{34 => 44}/etc/dnf/protected.d/sudo.conf | 0 templates/Fedora/{34 => 44}/etc/pam.d/sudo | 0 templates/Fedora/{34 => 44}/etc/pam.d/sudo-i | 0 templates/Fedora/{39 => 44}/etc/sudo.conf | 0 templates/Fedora/{34 => 44}/etc/sudoers | 0 .../{34 => 44}/etc/sudoers.d/session_log.j2 | 0 vars/AlmaLinux-10-default.yml | 9 ++ vars/AlmaLinux-8-default.yml | 9 ++ vars/AlmaLinux-9-default.yml | 14 +- vars/CentOS-10-default.yml | 9 ++ vars/CentOS-8-default.yml | 9 ++ vars/CentOS-9-default.yml | 12 +- vars/Fedora-33-default.yml | 38 ----- vars/Fedora-34-default.yml | 38 ----- vars/Fedora-35-default.yml | 38 ----- vars/Fedora-36-default.yml | 38 ----- vars/Fedora-37-default.yml | 38 ----- vars/Fedora-38-default.yml | 38 ----- vars/Fedora-39-default.yml | 38 ----- vars/Fedora-40-default.yml | 38 ----- vars/Fedora-41-default.yml | 38 ----- vars/Fedora-42-default.yml | 12 +- vars/Fedora-43-default.yml | 38 +++++ vars/Fedora-44-default.yml | 38 +++++ vars/OracleLinux-10-default.yml | 9 ++ vars/OracleLinux-8-default.yml | 9 ++ vars/OracleLinux-9-default.yml | 12 +- vars/Rocky-10-default.yml | 9 ++ vars/Rocky-8-default.yml | 9 ++ vars/Rocky-9-default.yml | 12 +- 79 files changed, 194 insertions(+), 2278 deletions(-) delete mode 100644 templates/Fedora/33/etc/sudo.conf delete mode 100644 templates/Fedora/34/etc/sudo.conf delete mode 100644 templates/Fedora/35/etc/dnf/protected.d/sudo.conf delete mode 100644 templates/Fedora/35/etc/pam.d/sudo delete mode 100644 templates/Fedora/35/etc/pam.d/sudo-i delete mode 100644 templates/Fedora/35/etc/sudo.conf delete mode 100644 templates/Fedora/35/etc/sudoers delete mode 100644 templates/Fedora/35/etc/sudoers.d/session_log.j2 delete mode 100644 templates/Fedora/36/etc/dnf/protected.d/sudo.conf delete mode 100644 templates/Fedora/36/etc/pam.d/sudo delete mode 100644 templates/Fedora/36/etc/pam.d/sudo-i delete mode 100644 templates/Fedora/36/etc/sudo.conf delete mode 100644 templates/Fedora/36/etc/sudoers delete mode 100644 templates/Fedora/36/etc/sudoers.d/session_log.j2 delete mode 100644 templates/Fedora/37/etc/dnf/protected.d/sudo.conf delete mode 100644 templates/Fedora/37/etc/pam.d/sudo delete mode 100644 templates/Fedora/37/etc/pam.d/sudo-i delete mode 100644 templates/Fedora/37/etc/sudo.conf delete mode 100644 templates/Fedora/37/etc/sudoers delete mode 100644 templates/Fedora/37/etc/sudoers.d/session_log.j2 delete mode 100644 templates/Fedora/38/etc/dnf/protected.d/sudo.conf delete mode 100644 templates/Fedora/38/etc/pam.d/sudo delete mode 100644 templates/Fedora/38/etc/pam.d/sudo-i delete mode 100644 templates/Fedora/38/etc/sudoers delete mode 100644 templates/Fedora/38/etc/sudoers.d/session_log.j2 delete mode 100644 templates/Fedora/39/etc/dnf/protected.d/sudo.conf delete mode 100644 templates/Fedora/39/etc/pam.d/sudo delete mode 100644 templates/Fedora/39/etc/pam.d/sudo-i delete mode 100644 templates/Fedora/39/etc/sudoers delete mode 100644 templates/Fedora/39/etc/sudoers.d/session_log.j2 delete mode 100644 templates/Fedora/40/etc/dnf/protected.d/sudo.conf delete mode 100644 templates/Fedora/40/etc/pam.d/sudo delete mode 100644 templates/Fedora/40/etc/pam.d/sudo-i delete mode 100644 templates/Fedora/40/etc/sudo.conf delete mode 100644 templates/Fedora/40/etc/sudoers delete mode 100644 templates/Fedora/40/etc/sudoers.d/session_log.j2 delete mode 100644 templates/Fedora/41/etc/dnf/protected.d/sudo.conf delete mode 100644 templates/Fedora/41/etc/pam.d/sudo delete mode 100644 templates/Fedora/41/etc/pam.d/sudo-i delete mode 100644 templates/Fedora/41/etc/sudo.conf delete mode 100644 templates/Fedora/41/etc/sudoers delete mode 100644 templates/Fedora/41/etc/sudoers.d/session_log.j2 rename templates/Fedora/{33 => 43}/etc/dnf/protected.d/sudo.conf (100%) rename templates/Fedora/{33 => 43}/etc/pam.d/sudo (100%) rename templates/Fedora/{33 => 43}/etc/pam.d/sudo-i (100%) rename templates/Fedora/{38 => 43}/etc/sudo.conf (100%) rename templates/Fedora/{33 => 43}/etc/sudoers (100%) rename templates/Fedora/{33 => 43}/etc/sudoers.d/session_log.j2 (100%) rename templates/Fedora/{34 => 44}/etc/dnf/protected.d/sudo.conf (100%) rename templates/Fedora/{34 => 44}/etc/pam.d/sudo (100%) rename templates/Fedora/{34 => 44}/etc/pam.d/sudo-i (100%) rename templates/Fedora/{39 => 44}/etc/sudo.conf (100%) rename templates/Fedora/{34 => 44}/etc/sudoers (100%) rename templates/Fedora/{34 => 44}/etc/sudoers.d/session_log.j2 (100%) create mode 100644 vars/AlmaLinux-10-default.yml create mode 100644 vars/AlmaLinux-8-default.yml create mode 100644 vars/CentOS-10-default.yml create mode 100644 vars/CentOS-8-default.yml delete mode 100644 vars/Fedora-33-default.yml delete mode 100644 vars/Fedora-34-default.yml delete mode 100644 vars/Fedora-35-default.yml delete mode 100644 vars/Fedora-36-default.yml delete mode 100644 vars/Fedora-37-default.yml delete mode 100644 vars/Fedora-38-default.yml delete mode 100644 vars/Fedora-39-default.yml delete mode 100644 vars/Fedora-40-default.yml delete mode 100644 vars/Fedora-41-default.yml create mode 100644 vars/Fedora-43-default.yml create mode 100644 vars/Fedora-44-default.yml create mode 100644 vars/OracleLinux-10-default.yml create mode 100644 vars/OracleLinux-8-default.yml create mode 100644 vars/Rocky-10-default.yml create mode 100644 vars/Rocky-8-default.yml diff --git a/tasks/main.yml b/tasks/main.yml index 44a22c8..ef2c9f2 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -2,18 +2,18 @@ # tasks file for ensure_sudo - name: 'include vendor / version specific variables' when: - - ansible_system == 'Linux' + - ansible_facts["system"] == 'Linux' include_vars: file: '{{ lookup("first_found", findme ) }}' name: 'ensure_sudo' vars: findme: files: - - '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-{{ ansible_architecture }}.yml' - - '{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-default.yml' - - '{{ ansible_distribution }}-default.yml' - - '{{ ansible_os_family }}-{{ ansible_distribution_major_version }}-{{ ansible_architecture }}.yml' - - '{{ ansible_os_family }}-{{ ansible_distribution_major_version }}-default.yml' + - '{{ ansible_facts["distribution"] }}-{{ ansible_facts["distribution_major_version"] }}-{{ ansible_architecture }}.yml' + - '{{ ansible_facts["distribution"] }}-{{ ansible_facts["distribution_major_version"] }}-default.yml' + - '{{ ansible_facts["distribution"] }}-default.yml' + - '{{ ansible_os_family }}-{{ ansible_facts["distribution_major_version"] }}-{{ ansible_architecture }}.yml' + - '{{ ansible_os_family }}-{{ ansible_facts["distribution_major_version"] }}-default.yml' - '{{ ansible_os_family }}-default.yml' - 'default.yml' paths: @@ -21,17 +21,17 @@ errors: 'ignore' - name: 'package discovery' when: - - ansible_system == 'Linux' - - packages is not defined + - ansible_facts["system"] == 'Linux' + - ansible_facts["packages"] is not defined ansible.builtin.package_facts: - name: 'service discovery' when: - - ansible_system == 'Linux' + - ansible_facts["system"] == 'Linux' - services is not defined ansible.builtin.service_facts: - name: 'ensure packages' when: - - ansible_system == 'Linux' + - ansible_facts["system"] == 'Linux' - ensure_sudo is defined - ensure_sudo.package_list is defined - ensure_sudo.package_list is iterable @@ -46,7 +46,7 @@ - 'ensure_sudo.service_facts' - name: 'ensure configurations' when: - - ansible_system == 'Linux' + - ansible_facts["system"] == 'Linux' - ensure_sudo is defined - ensure_sudo.template_list is defined - ensure_sudo.template_list is iterable @@ -71,7 +71,7 @@ - 'ensure_sudo.service_restart' - name: 'ensure services' when: - - ansible_system == 'Linux' + - ansible_facts["system"] == 'Linux' - ensure_sudo is defined - ensure_sudo.service_list is defined - ensure_sudo.service_list is iterable @@ -87,7 +87,7 @@ - 'ensure_sudo.service_facts' - name: 'find directories over log retention window under /var/log/sudo-io' when: - - ansible_system == 'Linux' + - ansible_facts["system"] == 'Linux' - ensure_sudo is defined - sudo_log_retention is defined - sudo_log_retention is regex('^[0-9]*[smhdw]$') @@ -101,7 +101,7 @@ register: 'results' - name: 'And drop them' when: - - ansible_system == 'Linux' + - ansible_facts["system"] == 'Linux' - ensure_sudo is defined - sudo_log_retention is defined - sudo_log_retention is regex('^[0-9]*[smhdw]$') diff --git a/templates/Fedora/33/etc/sudo.conf b/templates/Fedora/33/etc/sudo.conf deleted file mode 100644 index e4fccc3..0000000 --- a/templates/Fedora/33/etc/sudo.conf +++ /dev/null @@ -1,124 +0,0 @@ -# -# Default /etc/sudo.conf file -# -# Sudo plugins: -# Plugin plugin_name plugin_path plugin_options ... -# -# The plugin_path is relative to /usr/libexec/sudo unless -# fully qualified. -# The plugin_name corresponds to a global symbol in the plugin -# that contains the plugin interface structure. -# The plugin_options are optional. -# -# The sudoers plugin is used by default if no Plugin lines are present. -Plugin sudoers_policy sudoers.so -Plugin sudoers_io sudoers.so -Plugin sudoers_audit sudoers.so - -# -# Sudo askpass: -# Path askpass /path/to/askpass -# -# An askpass helper program may be specified to provide a graphical -# password prompt for "sudo -A" support. Sudo does not ship with its -# own askpass program but can use the OpenSSH askpass. -# -# Use the OpenSSH askpass -#Path askpass /usr/X11R6/bin/ssh-askpass -# -# Use the Gnome OpenSSH askpass -#Path askpass /usr/libexec/openssh/gnome-ssh-askpass - -# -# Sudo device search path: -# Path devsearch /dev/path1:/dev/path2:/dev -# -# A colon-separated list of paths to check when searching for a user's -# terminal device. -# -#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev - -# -# Sudo noexec: -# Path noexec /path/to/sudo_noexec.so -# -# Path to a shared library containing dummy versions of the execv(), -# execve() and fexecve() library functions that just return an error. -# This is used to implement the "noexec" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_noexec.so file. -# -#Path noexec /usr/libexec/sudo/sudo_noexec.so - -# -# Sudo plugin directory: -# Path plugin_dir /path/to/plugins -# -# The default directory to use when searching for plugins that are -# specified without a fully qualified path name. -# -#Path plugin_dir /usr/libexec/sudo - -# -# Sudo developer mode: -# Set developer_mode true|false -# -# Allow loading of plugins that are owned by non-root or are writable -# by "group" or "other". Should only be used during plugin development. -#Set developer_mode true - -# -# Core dumps: -# Set disable_coredump true|false -# -# By default, sudo disables core dumps while it is executing (they -# are re-enabled for the command that is run). -# To aid in debugging sudo problems, you may wish to enable core -# dumps by setting "disable_coredump" to false. -# -#Set disable_coredump false - -# -# User groups: -# Set group_source static|dynamic|adaptive -# -# Sudo passes the user's group list to the policy plugin. -# If the user is a member of the maximum number of groups (usually 16), -# sudo will query the group database directly to be sure to include -# the full list of groups. -# -# On some systems, this can be expensive so the behavior is configurable. -# The "group_source" setting has three possible values: -# static - use the user's list of groups returned by the kernel. -# dynamic - query the group database to find the list of groups. -# adaptive - if user is in less than the maximum number of groups. -# use the kernel list, else query the group database. -# -#Set group_source static - -# -# Sudo interface probing: -# Set probe_interfaces true|false -# -# By default, sudo will probe the system's network interfaces and -# pass the IP address of each enabled interface to the policy plugin. -# On systems with a large number of virtual interfaces this may take -# a noticeable amount of time. -# -#Set probe_interfaces false - -# -# Sudo debug files: -# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] -# -# Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay or visudo. -# -# Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace or debug. -# Multiple subsystem@priority may be specified, separated by a comma. -# -#Debug sudo /var/log/sudo_debug all@debug -#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Fedora/34/etc/sudo.conf b/templates/Fedora/34/etc/sudo.conf deleted file mode 100644 index cb23433..0000000 --- a/templates/Fedora/34/etc/sudo.conf +++ /dev/null @@ -1,124 +0,0 @@ -# -# Default /etc/sudo.conf file -# -# Sudo plugins: -# Plugin plugin_name plugin_path plugin_options ... -# -# The plugin_path is relative to /usr/libexec/sudo unless -# fully qualified. -# The plugin_name corresponds to a global symbol in the plugin -# that contains the plugin interface structure. -# The plugin_options are optional. -# -# The sudoers plugin is used by default if no Plugin lines are present. -#Plugin sudoers_policy sudoers.so -#Plugin sudoers_io sudoers.so -#Plugin sudoers_audit sudoers.so - -# -# Sudo askpass: -# Path askpass /path/to/askpass -# -# An askpass helper program may be specified to provide a graphical -# password prompt for "sudo -A" support. Sudo does not ship with its -# own askpass program but can use the OpenSSH askpass. -# -# Use the OpenSSH askpass -#Path askpass /usr/X11R6/bin/ssh-askpass -# -# Use the Gnome OpenSSH askpass -#Path askpass /usr/libexec/openssh/gnome-ssh-askpass - -# -# Sudo device search path: -# Path devsearch /dev/path1:/dev/path2:/dev -# -# A colon-separated list of paths to check when searching for a user's -# terminal device. -# -#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev - -# -# Sudo noexec: -# Path noexec /path/to/sudo_noexec.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that just return an error. -# This is used to implement the "noexec" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_noexec.so file. -# -#Path noexec /usr/libexec/sudo/sudo_noexec.so - -# -# Sudo plugin directory: -# Path plugin_dir /path/to/plugins -# -# The default directory to use when searching for plugins that are -# specified without a fully qualified path name. -# -#Path plugin_dir /usr/libexec/sudo - -# -# Sudo developer mode: -# Set developer_mode true|false -# -# Allow loading of plugins that are owned by non-root or are writable -# by "group" or "other". Should only be used during plugin development. -#Set developer_mode true - -# -# Core dumps: -# Set disable_coredump true|false -# -# By default, sudo disables core dumps while it is executing (they -# are re-enabled for the command that is run). -# To aid in debugging sudo problems, you may wish to enable core -# dumps by setting "disable_coredump" to false. -# -#Set disable_coredump false - -# -# User groups: -# Set group_source static|dynamic|adaptive -# -# Sudo passes the user's group list to the policy plugin. -# If the user is a member of the maximum number of groups (usually 16), -# sudo will query the group database directly to be sure to include -# the full list of groups. -# -# On some systems, this can be expensive so the behavior is configurable. -# The "group_source" setting has three possible values: -# static - use the user's list of groups returned by the kernel. -# dynamic - query the group database to find the list of groups. -# adaptive - if user is in less than the maximum number of groups. -# use the kernel list, else query the group database. -# -#Set group_source static - -# -# Sudo interface probing: -# Set probe_interfaces true|false -# -# By default, sudo will probe the system's network interfaces and -# pass the IP address of each enabled interface to the policy plugin. -# On systems with a large number of virtual interfaces this may take -# a noticeable amount of time. -# -#Set probe_interfaces false - -# -# Sudo debug files: -# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] -# -# Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay or visudo. -# -# Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace or debug. -# Multiple subsystem@priority may be specified, separated by a comma. -# -#Debug sudo /var/log/sudo_debug all@debug -#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Fedora/35/etc/dnf/protected.d/sudo.conf b/templates/Fedora/35/etc/dnf/protected.d/sudo.conf deleted file mode 100644 index 7864d0d..0000000 --- a/templates/Fedora/35/etc/dnf/protected.d/sudo.conf +++ /dev/null @@ -1 +0,0 @@ -sudo diff --git a/templates/Fedora/35/etc/pam.d/sudo b/templates/Fedora/35/etc/pam.d/sudo deleted file mode 100644 index 284b050..0000000 --- a/templates/Fedora/35/etc/pam.d/sudo +++ /dev/null @@ -1,7 +0,0 @@ -#%PAM-1.0 -auth include system-auth -account include system-auth -password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so -session include system-auth diff --git a/templates/Fedora/35/etc/pam.d/sudo-i b/templates/Fedora/35/etc/pam.d/sudo-i deleted file mode 100644 index 3c63733..0000000 --- a/templates/Fedora/35/etc/pam.d/sudo-i +++ /dev/null @@ -1,6 +0,0 @@ -#%PAM-1.0 -auth include sudo -account include sudo -password include sudo -session optional pam_keyinit.so force revoke -session include sudo diff --git a/templates/Fedora/35/etc/sudo.conf b/templates/Fedora/35/etc/sudo.conf deleted file mode 100644 index cb23433..0000000 --- a/templates/Fedora/35/etc/sudo.conf +++ /dev/null @@ -1,124 +0,0 @@ -# -# Default /etc/sudo.conf file -# -# Sudo plugins: -# Plugin plugin_name plugin_path plugin_options ... -# -# The plugin_path is relative to /usr/libexec/sudo unless -# fully qualified. -# The plugin_name corresponds to a global symbol in the plugin -# that contains the plugin interface structure. -# The plugin_options are optional. -# -# The sudoers plugin is used by default if no Plugin lines are present. -#Plugin sudoers_policy sudoers.so -#Plugin sudoers_io sudoers.so -#Plugin sudoers_audit sudoers.so - -# -# Sudo askpass: -# Path askpass /path/to/askpass -# -# An askpass helper program may be specified to provide a graphical -# password prompt for "sudo -A" support. Sudo does not ship with its -# own askpass program but can use the OpenSSH askpass. -# -# Use the OpenSSH askpass -#Path askpass /usr/X11R6/bin/ssh-askpass -# -# Use the Gnome OpenSSH askpass -#Path askpass /usr/libexec/openssh/gnome-ssh-askpass - -# -# Sudo device search path: -# Path devsearch /dev/path1:/dev/path2:/dev -# -# A colon-separated list of paths to check when searching for a user's -# terminal device. -# -#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev - -# -# Sudo noexec: -# Path noexec /path/to/sudo_noexec.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that just return an error. -# This is used to implement the "noexec" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_noexec.so file. -# -#Path noexec /usr/libexec/sudo/sudo_noexec.so - -# -# Sudo plugin directory: -# Path plugin_dir /path/to/plugins -# -# The default directory to use when searching for plugins that are -# specified without a fully qualified path name. -# -#Path plugin_dir /usr/libexec/sudo - -# -# Sudo developer mode: -# Set developer_mode true|false -# -# Allow loading of plugins that are owned by non-root or are writable -# by "group" or "other". Should only be used during plugin development. -#Set developer_mode true - -# -# Core dumps: -# Set disable_coredump true|false -# -# By default, sudo disables core dumps while it is executing (they -# are re-enabled for the command that is run). -# To aid in debugging sudo problems, you may wish to enable core -# dumps by setting "disable_coredump" to false. -# -#Set disable_coredump false - -# -# User groups: -# Set group_source static|dynamic|adaptive -# -# Sudo passes the user's group list to the policy plugin. -# If the user is a member of the maximum number of groups (usually 16), -# sudo will query the group database directly to be sure to include -# the full list of groups. -# -# On some systems, this can be expensive so the behavior is configurable. -# The "group_source" setting has three possible values: -# static - use the user's list of groups returned by the kernel. -# dynamic - query the group database to find the list of groups. -# adaptive - if user is in less than the maximum number of groups. -# use the kernel list, else query the group database. -# -#Set group_source static - -# -# Sudo interface probing: -# Set probe_interfaces true|false -# -# By default, sudo will probe the system's network interfaces and -# pass the IP address of each enabled interface to the policy plugin. -# On systems with a large number of virtual interfaces this may take -# a noticeable amount of time. -# -#Set probe_interfaces false - -# -# Sudo debug files: -# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] -# -# Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay or visudo. -# -# Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace or debug. -# Multiple subsystem@priority may be specified, separated by a comma. -# -#Debug sudo /var/log/sudo_debug all@debug -#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Fedora/35/etc/sudoers b/templates/Fedora/35/etc/sudoers deleted file mode 100644 index 5f621a8..0000000 --- a/templates/Fedora/35/etc/sudoers +++ /dev/null @@ -1,120 +0,0 @@ -## Sudoers allows particular users to run various commands as -## the root user, without needing the root password. -## -## Examples are provided at the bottom of the file for collections -## of related commands, which can then be delegated out to particular -## users or groups. -## -## This file must be edited with the 'visudo' command. - -## Host Aliases -## Groups of machines. You may prefer to use hostnames (perhaps using -## wildcards for entire domains) or IP addresses instead. -# Host_Alias FILESERVERS = fs1, fs2 -# Host_Alias MAILSERVERS = smtp, smtp2 - -## User Aliases -## These aren't often necessary, as you can use regular groups -## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname -## rather than USERALIAS -# User_Alias ADMINS = jsmith, mikem - - -## Command Aliases -## These are groups of related commands... - -## Networking -# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool - -## Installation and management of software -# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum - -## Services -# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable - -## Updating the locate database -# Cmnd_Alias LOCATE = /usr/bin/updatedb - -## Storage -# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount - -## Delegating permissions -# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp - -## Processes -# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall - -## Drivers -# Cmnd_Alias DRIVERS = /sbin/modprobe - -# Defaults specification - -# -# Refuse to run if unable to disable echo on the tty. -# -Defaults !visiblepw - -# -# Preserving HOME has security implications since many programs -# use it when searching for configuration files. Note that HOME -# is already set when the the env_reset option is enabled, so -# this option is only effective for configurations where either -# env_reset is disabled or HOME is present in the env_keep list. -# -Defaults always_set_home -Defaults match_group_by_gid - -# Prior to version 1.8.15, groups listed in sudoers that were not -# found in the system group database were passed to the group -# plugin, if any. Starting with 1.8.15, only groups of the form -# %:group are resolved via the group plugin by default. -# We enable always_query_group_plugin to restore old behavior. -# Disable this option for new behavior. -Defaults always_query_group_plugin - -Defaults env_reset -Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" -Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" -Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" -Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" - -# -# Adding HOME to env_keep may enable a user to run unrestricted -# commands via sudo. -# -# Defaults env_keep += "HOME" - -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin - -## Next comes the main part: which users can run what software on -## which machines (the sudoers file can be shared between multiple -## systems). -## Syntax: -## -## user MACHINE=COMMANDS -## -## The COMMANDS section may have other options added to it. -## -## Allow root to run any commands anywhere -root ALL=(ALL) ALL - -## Allows members of the 'sys' group to run networking, software, -## service management apps and more. -# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS - -## Allows people in group wheel to run all commands -%wheel ALL=(ALL) ALL - -## Same thing without a password -# %wheel ALL=(ALL) NOPASSWD: ALL - -## Allows members of the users group to mount and unmount the -## cdrom as root -# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom - -## Allows members of the users group to shutdown this system -# %users localhost=/sbin/shutdown -h now - -## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) -#includedir /etc/sudoers.d diff --git a/templates/Fedora/35/etc/sudoers.d/session_log.j2 b/templates/Fedora/35/etc/sudoers.d/session_log.j2 deleted file mode 100644 index 1b6d27d..0000000 --- a/templates/Fedora/35/etc/sudoers.d/session_log.j2 +++ /dev/null @@ -1,6 +0,0 @@ -# -# {{ ansible_managed }} -# -Defaults log_input -Defaults log_output - diff --git a/templates/Fedora/36/etc/dnf/protected.d/sudo.conf b/templates/Fedora/36/etc/dnf/protected.d/sudo.conf deleted file mode 100644 index 7864d0d..0000000 --- a/templates/Fedora/36/etc/dnf/protected.d/sudo.conf +++ /dev/null @@ -1 +0,0 @@ -sudo diff --git a/templates/Fedora/36/etc/pam.d/sudo b/templates/Fedora/36/etc/pam.d/sudo deleted file mode 100644 index 284b050..0000000 --- a/templates/Fedora/36/etc/pam.d/sudo +++ /dev/null @@ -1,7 +0,0 @@ -#%PAM-1.0 -auth include system-auth -account include system-auth -password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so -session include system-auth diff --git a/templates/Fedora/36/etc/pam.d/sudo-i b/templates/Fedora/36/etc/pam.d/sudo-i deleted file mode 100644 index 3c63733..0000000 --- a/templates/Fedora/36/etc/pam.d/sudo-i +++ /dev/null @@ -1,6 +0,0 @@ -#%PAM-1.0 -auth include sudo -account include sudo -password include sudo -session optional pam_keyinit.so force revoke -session include sudo diff --git a/templates/Fedora/36/etc/sudo.conf b/templates/Fedora/36/etc/sudo.conf deleted file mode 100644 index fe92dad..0000000 --- a/templates/Fedora/36/etc/sudo.conf +++ /dev/null @@ -1,139 +0,0 @@ -# -# Default /etc/sudo.conf file -# -# Sudo plugins: -# Plugin plugin_name plugin_path plugin_options ... -# -# The plugin_path is relative to /usr/libexec/sudo unless -# fully qualified. -# The plugin_name corresponds to a global symbol in the plugin -# that contains the plugin interface structure. -# The plugin_options are optional. -# -# The sudoers plugin is used by default if no Plugin lines are present. -#Plugin sudoers_policy sudoers.so -#Plugin sudoers_io sudoers.so -#Plugin sudoers_audit sudoers.so - -# -# Sudo askpass: -# Path askpass /path/to/askpass -# -# An askpass helper program may be specified to provide a graphical -# password prompt for "sudo -A" support. Sudo does not ship with its -# own askpass program but can use the OpenSSH askpass. -# -# Use the OpenSSH askpass -#Path askpass /usr/X11R6/bin/ssh-askpass -# -# Use the Gnome OpenSSH askpass -#Path askpass /usr/libexec/openssh/gnome-ssh-askpass - -# -# Sudo device search path: -# Path devsearch /dev/path1:/dev/path2:/dev -# -# A colon-separated list of paths to check when searching for a user's -# terminal device. -# -#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev - -# -# Sudo command interception: -# Path intercept /path/to/sudo_intercept.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_intercept.so file. -# -#Path intercept /usr/libexec/sudo/sudo_intercept.so - -# -# Sudo noexec: -# Path noexec /path/to/sudo_noexec.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that just return an error. -# This is used to implement the "noexec" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_noexec.so file. -# -#Path noexec /usr/libexec/sudo/sudo_noexec.so - -# -# Sudo plugin directory: -# Path plugin_dir /path/to/plugins -# -# The default directory to use when searching for plugins that are -# specified without a fully qualified path name. -# -#Path plugin_dir /usr/libexec/sudo - -# -# Sudo developer mode: -# Set developer_mode true|false -# -# Allow loading of plugins that are owned by non-root or are writable -# by "group" or "other". Should only be used during plugin development. -#Set developer_mode true - -# -# Core dumps: -# Set disable_coredump true|false -# -# By default, sudo disables core dumps while it is executing (they -# are re-enabled for the command that is run). -# To aid in debugging sudo problems, you may wish to enable core -# dumps by setting "disable_coredump" to false. -# -#Set disable_coredump false - -# -# User groups: -# Set group_source static|dynamic|adaptive -# -# Sudo passes the user's group list to the policy plugin. -# If the user is a member of the maximum number of groups (usually 16), -# sudo will query the group database directly to be sure to include -# the full list of groups. -# -# On some systems, this can be expensive so the behavior is configurable. -# The "group_source" setting has three possible values: -# static - use the user's list of groups returned by the kernel. -# dynamic - query the group database to find the list of groups. -# adaptive - if user is in less than the maximum number of groups. -# use the kernel list, else query the group database. -# -#Set group_source static - -# -# Sudo interface probing: -# Set probe_interfaces true|false -# -# By default, sudo will probe the system's network interfaces and -# pass the IP address of each enabled interface to the policy plugin. -# On systems with a large number of virtual interfaces this may take -# a noticeable amount of time. -# -#Set probe_interfaces false - -# -# Sudo debug files: -# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] -# -# Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay, or visudo. -# -# Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace, or debug. -# Multiple subsystem@priority may be specified, separated by a comma. -# -#Debug sudo /var/log/sudo_debug all@debug -#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Fedora/36/etc/sudoers b/templates/Fedora/36/etc/sudoers deleted file mode 100644 index 5f621a8..0000000 --- a/templates/Fedora/36/etc/sudoers +++ /dev/null @@ -1,120 +0,0 @@ -## Sudoers allows particular users to run various commands as -## the root user, without needing the root password. -## -## Examples are provided at the bottom of the file for collections -## of related commands, which can then be delegated out to particular -## users or groups. -## -## This file must be edited with the 'visudo' command. - -## Host Aliases -## Groups of machines. You may prefer to use hostnames (perhaps using -## wildcards for entire domains) or IP addresses instead. -# Host_Alias FILESERVERS = fs1, fs2 -# Host_Alias MAILSERVERS = smtp, smtp2 - -## User Aliases -## These aren't often necessary, as you can use regular groups -## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname -## rather than USERALIAS -# User_Alias ADMINS = jsmith, mikem - - -## Command Aliases -## These are groups of related commands... - -## Networking -# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool - -## Installation and management of software -# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum - -## Services -# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable - -## Updating the locate database -# Cmnd_Alias LOCATE = /usr/bin/updatedb - -## Storage -# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount - -## Delegating permissions -# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp - -## Processes -# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall - -## Drivers -# Cmnd_Alias DRIVERS = /sbin/modprobe - -# Defaults specification - -# -# Refuse to run if unable to disable echo on the tty. -# -Defaults !visiblepw - -# -# Preserving HOME has security implications since many programs -# use it when searching for configuration files. Note that HOME -# is already set when the the env_reset option is enabled, so -# this option is only effective for configurations where either -# env_reset is disabled or HOME is present in the env_keep list. -# -Defaults always_set_home -Defaults match_group_by_gid - -# Prior to version 1.8.15, groups listed in sudoers that were not -# found in the system group database were passed to the group -# plugin, if any. Starting with 1.8.15, only groups of the form -# %:group are resolved via the group plugin by default. -# We enable always_query_group_plugin to restore old behavior. -# Disable this option for new behavior. -Defaults always_query_group_plugin - -Defaults env_reset -Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" -Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" -Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" -Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" - -# -# Adding HOME to env_keep may enable a user to run unrestricted -# commands via sudo. -# -# Defaults env_keep += "HOME" - -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin - -## Next comes the main part: which users can run what software on -## which machines (the sudoers file can be shared between multiple -## systems). -## Syntax: -## -## user MACHINE=COMMANDS -## -## The COMMANDS section may have other options added to it. -## -## Allow root to run any commands anywhere -root ALL=(ALL) ALL - -## Allows members of the 'sys' group to run networking, software, -## service management apps and more. -# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS - -## Allows people in group wheel to run all commands -%wheel ALL=(ALL) ALL - -## Same thing without a password -# %wheel ALL=(ALL) NOPASSWD: ALL - -## Allows members of the users group to mount and unmount the -## cdrom as root -# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom - -## Allows members of the users group to shutdown this system -# %users localhost=/sbin/shutdown -h now - -## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) -#includedir /etc/sudoers.d diff --git a/templates/Fedora/36/etc/sudoers.d/session_log.j2 b/templates/Fedora/36/etc/sudoers.d/session_log.j2 deleted file mode 100644 index 1b6d27d..0000000 --- a/templates/Fedora/36/etc/sudoers.d/session_log.j2 +++ /dev/null @@ -1,6 +0,0 @@ -# -# {{ ansible_managed }} -# -Defaults log_input -Defaults log_output - diff --git a/templates/Fedora/37/etc/dnf/protected.d/sudo.conf b/templates/Fedora/37/etc/dnf/protected.d/sudo.conf deleted file mode 100644 index 7864d0d..0000000 --- a/templates/Fedora/37/etc/dnf/protected.d/sudo.conf +++ /dev/null @@ -1 +0,0 @@ -sudo diff --git a/templates/Fedora/37/etc/pam.d/sudo b/templates/Fedora/37/etc/pam.d/sudo deleted file mode 100644 index 284b050..0000000 --- a/templates/Fedora/37/etc/pam.d/sudo +++ /dev/null @@ -1,7 +0,0 @@ -#%PAM-1.0 -auth include system-auth -account include system-auth -password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so -session include system-auth diff --git a/templates/Fedora/37/etc/pam.d/sudo-i b/templates/Fedora/37/etc/pam.d/sudo-i deleted file mode 100644 index 3c63733..0000000 --- a/templates/Fedora/37/etc/pam.d/sudo-i +++ /dev/null @@ -1,6 +0,0 @@ -#%PAM-1.0 -auth include sudo -account include sudo -password include sudo -session optional pam_keyinit.so force revoke -session include sudo diff --git a/templates/Fedora/37/etc/sudo.conf b/templates/Fedora/37/etc/sudo.conf deleted file mode 100644 index 773a0e0..0000000 --- a/templates/Fedora/37/etc/sudo.conf +++ /dev/null @@ -1,139 +0,0 @@ -# -# Default /etc/sudo.conf file -# -# Sudo plugins: -# Plugin plugin_name plugin_path plugin_options ... -# -# The plugin_path is relative to /usr/libexec/sudo unless -# fully qualified. -# The plugin_name corresponds to a global symbol in the plugin -# that contains the plugin interface structure. -# The plugin_options are optional. -# -# The sudoers plugin is used by default if no Plugin lines are present. -#Plugin sudoers_policy sudoers.so -#Plugin sudoers_io sudoers.so -#Plugin sudoers_audit sudoers.so - -# -# Sudo askpass: -# Path askpass /path/to/askpass -# -# An askpass helper program may be specified to provide a graphical -# password prompt for "sudo -A" support. Sudo does not ship with its -# own askpass program but can use the OpenSSH askpass. -# -# Use the OpenSSH askpass -#Path askpass /usr/X11R6/bin/ssh-askpass -# -# Use the Gnome OpenSSH askpass -#Path askpass /usr/libexec/openssh/gnome-ssh-askpass - -# -# Sudo device search path: -# Path devsearch /dev/path1:/dev/path2:/dev -# -# A colon-separated list of paths to check when searching for a user's -# terminal device. -# -#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev - -# -# Sudo command interception: -# Path intercept /path/to/sudo_intercept.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_intercept.so file. -# -#Path intercept /usr/libexec/sudo/sudo_intercept.so - -# -# Sudo noexec: -# Path noexec /path/to/sudo_noexec.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that just return an error. -# This is used to implement the "noexec" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_noexec.so file. -# -#Path noexec /usr/libexec/sudo/sudo_noexec.so - -# -# Sudo plugin directory: -# Path plugin_dir /path/to/plugins -# -# The default directory to use when searching for plugins that are -# specified without a fully qualified path name. -# -#Path plugin_dir /usr/libexec/sudo - -# -# Sudo developer mode: -# Set developer_mode true|false -# -# Allow loading of plugins that are owned by non-root or are writable -# by "group" or "other". Should only be used during plugin development. -#Set developer_mode true - -# -# Core dumps: -# Set disable_coredump true|false -# -# By default, sudo disables core dumps while it is executing (they -# are re-enabled for the command that is run). -# To aid in debugging sudo problems, you may wish to enable core -# dumps by setting "disable_coredump" to false. -# -#Set disable_coredump false - -# -# User groups: -# Set group_source static|dynamic|adaptive -# -# Sudo passes the user's group list to the policy plugin. -# If the user is a member of the maximum number of groups (usually 16), -# sudo will query the group database directly to be sure to include -# the full list of groups. -# -# On some systems, this can be expensive so the behavior is configurable. -# The "group_source" setting has three possible values: -# static - use the user's list of groups returned by the kernel. -# dynamic - query the group database to find the list of groups. -# adaptive - if user is in less than the maximum number of groups. -# use the kernel list, else query the group database. -# -#Set group_source static - -# -# Sudo interface probing: -# Set probe_interfaces true|false -# -# By default, sudo will probe the system's network interfaces and -# pass the IP address of each enabled interface to the policy plugin. -# On systems with a large number of virtual interfaces this may take -# a noticeable amount of time. -# -#Set probe_interfaces false - -# -# Sudo debug files: -# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] -# -# Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay or visudo. -# -# Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace or debug. -# Multiple subsystem@priority may be specified, separated by a comma. -# -#Debug sudo /var/log/sudo_debug all@debug -#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Fedora/37/etc/sudoers b/templates/Fedora/37/etc/sudoers deleted file mode 100644 index 5f621a8..0000000 --- a/templates/Fedora/37/etc/sudoers +++ /dev/null @@ -1,120 +0,0 @@ -## Sudoers allows particular users to run various commands as -## the root user, without needing the root password. -## -## Examples are provided at the bottom of the file for collections -## of related commands, which can then be delegated out to particular -## users or groups. -## -## This file must be edited with the 'visudo' command. - -## Host Aliases -## Groups of machines. You may prefer to use hostnames (perhaps using -## wildcards for entire domains) or IP addresses instead. -# Host_Alias FILESERVERS = fs1, fs2 -# Host_Alias MAILSERVERS = smtp, smtp2 - -## User Aliases -## These aren't often necessary, as you can use regular groups -## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname -## rather than USERALIAS -# User_Alias ADMINS = jsmith, mikem - - -## Command Aliases -## These are groups of related commands... - -## Networking -# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool - -## Installation and management of software -# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum - -## Services -# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable - -## Updating the locate database -# Cmnd_Alias LOCATE = /usr/bin/updatedb - -## Storage -# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount - -## Delegating permissions -# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp - -## Processes -# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall - -## Drivers -# Cmnd_Alias DRIVERS = /sbin/modprobe - -# Defaults specification - -# -# Refuse to run if unable to disable echo on the tty. -# -Defaults !visiblepw - -# -# Preserving HOME has security implications since many programs -# use it when searching for configuration files. Note that HOME -# is already set when the the env_reset option is enabled, so -# this option is only effective for configurations where either -# env_reset is disabled or HOME is present in the env_keep list. -# -Defaults always_set_home -Defaults match_group_by_gid - -# Prior to version 1.8.15, groups listed in sudoers that were not -# found in the system group database were passed to the group -# plugin, if any. Starting with 1.8.15, only groups of the form -# %:group are resolved via the group plugin by default. -# We enable always_query_group_plugin to restore old behavior. -# Disable this option for new behavior. -Defaults always_query_group_plugin - -Defaults env_reset -Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" -Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" -Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" -Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" - -# -# Adding HOME to env_keep may enable a user to run unrestricted -# commands via sudo. -# -# Defaults env_keep += "HOME" - -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin - -## Next comes the main part: which users can run what software on -## which machines (the sudoers file can be shared between multiple -## systems). -## Syntax: -## -## user MACHINE=COMMANDS -## -## The COMMANDS section may have other options added to it. -## -## Allow root to run any commands anywhere -root ALL=(ALL) ALL - -## Allows members of the 'sys' group to run networking, software, -## service management apps and more. -# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS - -## Allows people in group wheel to run all commands -%wheel ALL=(ALL) ALL - -## Same thing without a password -# %wheel ALL=(ALL) NOPASSWD: ALL - -## Allows members of the users group to mount and unmount the -## cdrom as root -# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom - -## Allows members of the users group to shutdown this system -# %users localhost=/sbin/shutdown -h now - -## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) -#includedir /etc/sudoers.d diff --git a/templates/Fedora/37/etc/sudoers.d/session_log.j2 b/templates/Fedora/37/etc/sudoers.d/session_log.j2 deleted file mode 100644 index 1b6d27d..0000000 --- a/templates/Fedora/37/etc/sudoers.d/session_log.j2 +++ /dev/null @@ -1,6 +0,0 @@ -# -# {{ ansible_managed }} -# -Defaults log_input -Defaults log_output - diff --git a/templates/Fedora/38/etc/dnf/protected.d/sudo.conf b/templates/Fedora/38/etc/dnf/protected.d/sudo.conf deleted file mode 100644 index 7864d0d..0000000 --- a/templates/Fedora/38/etc/dnf/protected.d/sudo.conf +++ /dev/null @@ -1 +0,0 @@ -sudo diff --git a/templates/Fedora/38/etc/pam.d/sudo b/templates/Fedora/38/etc/pam.d/sudo deleted file mode 100644 index 284b050..0000000 --- a/templates/Fedora/38/etc/pam.d/sudo +++ /dev/null @@ -1,7 +0,0 @@ -#%PAM-1.0 -auth include system-auth -account include system-auth -password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so -session include system-auth diff --git a/templates/Fedora/38/etc/pam.d/sudo-i b/templates/Fedora/38/etc/pam.d/sudo-i deleted file mode 100644 index 3c63733..0000000 --- a/templates/Fedora/38/etc/pam.d/sudo-i +++ /dev/null @@ -1,6 +0,0 @@ -#%PAM-1.0 -auth include sudo -account include sudo -password include sudo -session optional pam_keyinit.so force revoke -session include sudo diff --git a/templates/Fedora/38/etc/sudoers b/templates/Fedora/38/etc/sudoers deleted file mode 100644 index 5f621a8..0000000 --- a/templates/Fedora/38/etc/sudoers +++ /dev/null @@ -1,120 +0,0 @@ -## Sudoers allows particular users to run various commands as -## the root user, without needing the root password. -## -## Examples are provided at the bottom of the file for collections -## of related commands, which can then be delegated out to particular -## users or groups. -## -## This file must be edited with the 'visudo' command. - -## Host Aliases -## Groups of machines. You may prefer to use hostnames (perhaps using -## wildcards for entire domains) or IP addresses instead. -# Host_Alias FILESERVERS = fs1, fs2 -# Host_Alias MAILSERVERS = smtp, smtp2 - -## User Aliases -## These aren't often necessary, as you can use regular groups -## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname -## rather than USERALIAS -# User_Alias ADMINS = jsmith, mikem - - -## Command Aliases -## These are groups of related commands... - -## Networking -# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool - -## Installation and management of software -# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum - -## Services -# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable - -## Updating the locate database -# Cmnd_Alias LOCATE = /usr/bin/updatedb - -## Storage -# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount - -## Delegating permissions -# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp - -## Processes -# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall - -## Drivers -# Cmnd_Alias DRIVERS = /sbin/modprobe - -# Defaults specification - -# -# Refuse to run if unable to disable echo on the tty. -# -Defaults !visiblepw - -# -# Preserving HOME has security implications since many programs -# use it when searching for configuration files. Note that HOME -# is already set when the the env_reset option is enabled, so -# this option is only effective for configurations where either -# env_reset is disabled or HOME is present in the env_keep list. -# -Defaults always_set_home -Defaults match_group_by_gid - -# Prior to version 1.8.15, groups listed in sudoers that were not -# found in the system group database were passed to the group -# plugin, if any. Starting with 1.8.15, only groups of the form -# %:group are resolved via the group plugin by default. -# We enable always_query_group_plugin to restore old behavior. -# Disable this option for new behavior. -Defaults always_query_group_plugin - -Defaults env_reset -Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" -Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" -Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" -Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" - -# -# Adding HOME to env_keep may enable a user to run unrestricted -# commands via sudo. -# -# Defaults env_keep += "HOME" - -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin - -## Next comes the main part: which users can run what software on -## which machines (the sudoers file can be shared between multiple -## systems). -## Syntax: -## -## user MACHINE=COMMANDS -## -## The COMMANDS section may have other options added to it. -## -## Allow root to run any commands anywhere -root ALL=(ALL) ALL - -## Allows members of the 'sys' group to run networking, software, -## service management apps and more. -# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS - -## Allows people in group wheel to run all commands -%wheel ALL=(ALL) ALL - -## Same thing without a password -# %wheel ALL=(ALL) NOPASSWD: ALL - -## Allows members of the users group to mount and unmount the -## cdrom as root -# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom - -## Allows members of the users group to shutdown this system -# %users localhost=/sbin/shutdown -h now - -## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) -#includedir /etc/sudoers.d diff --git a/templates/Fedora/38/etc/sudoers.d/session_log.j2 b/templates/Fedora/38/etc/sudoers.d/session_log.j2 deleted file mode 100644 index 1b6d27d..0000000 --- a/templates/Fedora/38/etc/sudoers.d/session_log.j2 +++ /dev/null @@ -1,6 +0,0 @@ -# -# {{ ansible_managed }} -# -Defaults log_input -Defaults log_output - diff --git a/templates/Fedora/39/etc/dnf/protected.d/sudo.conf b/templates/Fedora/39/etc/dnf/protected.d/sudo.conf deleted file mode 100644 index 7864d0d..0000000 --- a/templates/Fedora/39/etc/dnf/protected.d/sudo.conf +++ /dev/null @@ -1 +0,0 @@ -sudo diff --git a/templates/Fedora/39/etc/pam.d/sudo b/templates/Fedora/39/etc/pam.d/sudo deleted file mode 100644 index 284b050..0000000 --- a/templates/Fedora/39/etc/pam.d/sudo +++ /dev/null @@ -1,7 +0,0 @@ -#%PAM-1.0 -auth include system-auth -account include system-auth -password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so -session include system-auth diff --git a/templates/Fedora/39/etc/pam.d/sudo-i b/templates/Fedora/39/etc/pam.d/sudo-i deleted file mode 100644 index 3c63733..0000000 --- a/templates/Fedora/39/etc/pam.d/sudo-i +++ /dev/null @@ -1,6 +0,0 @@ -#%PAM-1.0 -auth include sudo -account include sudo -password include sudo -session optional pam_keyinit.so force revoke -session include sudo diff --git a/templates/Fedora/39/etc/sudoers b/templates/Fedora/39/etc/sudoers deleted file mode 100644 index 5f621a8..0000000 --- a/templates/Fedora/39/etc/sudoers +++ /dev/null @@ -1,120 +0,0 @@ -## Sudoers allows particular users to run various commands as -## the root user, without needing the root password. -## -## Examples are provided at the bottom of the file for collections -## of related commands, which can then be delegated out to particular -## users or groups. -## -## This file must be edited with the 'visudo' command. - -## Host Aliases -## Groups of machines. You may prefer to use hostnames (perhaps using -## wildcards for entire domains) or IP addresses instead. -# Host_Alias FILESERVERS = fs1, fs2 -# Host_Alias MAILSERVERS = smtp, smtp2 - -## User Aliases -## These aren't often necessary, as you can use regular groups -## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname -## rather than USERALIAS -# User_Alias ADMINS = jsmith, mikem - - -## Command Aliases -## These are groups of related commands... - -## Networking -# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool - -## Installation and management of software -# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum - -## Services -# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable - -## Updating the locate database -# Cmnd_Alias LOCATE = /usr/bin/updatedb - -## Storage -# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount - -## Delegating permissions -# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp - -## Processes -# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall - -## Drivers -# Cmnd_Alias DRIVERS = /sbin/modprobe - -# Defaults specification - -# -# Refuse to run if unable to disable echo on the tty. -# -Defaults !visiblepw - -# -# Preserving HOME has security implications since many programs -# use it when searching for configuration files. Note that HOME -# is already set when the the env_reset option is enabled, so -# this option is only effective for configurations where either -# env_reset is disabled or HOME is present in the env_keep list. -# -Defaults always_set_home -Defaults match_group_by_gid - -# Prior to version 1.8.15, groups listed in sudoers that were not -# found in the system group database were passed to the group -# plugin, if any. Starting with 1.8.15, only groups of the form -# %:group are resolved via the group plugin by default. -# We enable always_query_group_plugin to restore old behavior. -# Disable this option for new behavior. -Defaults always_query_group_plugin - -Defaults env_reset -Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" -Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" -Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" -Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" - -# -# Adding HOME to env_keep may enable a user to run unrestricted -# commands via sudo. -# -# Defaults env_keep += "HOME" - -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin - -## Next comes the main part: which users can run what software on -## which machines (the sudoers file can be shared between multiple -## systems). -## Syntax: -## -## user MACHINE=COMMANDS -## -## The COMMANDS section may have other options added to it. -## -## Allow root to run any commands anywhere -root ALL=(ALL) ALL - -## Allows members of the 'sys' group to run networking, software, -## service management apps and more. -# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS - -## Allows people in group wheel to run all commands -%wheel ALL=(ALL) ALL - -## Same thing without a password -# %wheel ALL=(ALL) NOPASSWD: ALL - -## Allows members of the users group to mount and unmount the -## cdrom as root -# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom - -## Allows members of the users group to shutdown this system -# %users localhost=/sbin/shutdown -h now - -## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) -#includedir /etc/sudoers.d diff --git a/templates/Fedora/39/etc/sudoers.d/session_log.j2 b/templates/Fedora/39/etc/sudoers.d/session_log.j2 deleted file mode 100644 index 1b6d27d..0000000 --- a/templates/Fedora/39/etc/sudoers.d/session_log.j2 +++ /dev/null @@ -1,6 +0,0 @@ -# -# {{ ansible_managed }} -# -Defaults log_input -Defaults log_output - diff --git a/templates/Fedora/40/etc/dnf/protected.d/sudo.conf b/templates/Fedora/40/etc/dnf/protected.d/sudo.conf deleted file mode 100644 index 7864d0d..0000000 --- a/templates/Fedora/40/etc/dnf/protected.d/sudo.conf +++ /dev/null @@ -1 +0,0 @@ -sudo diff --git a/templates/Fedora/40/etc/pam.d/sudo b/templates/Fedora/40/etc/pam.d/sudo deleted file mode 100644 index 284b050..0000000 --- a/templates/Fedora/40/etc/pam.d/sudo +++ /dev/null @@ -1,7 +0,0 @@ -#%PAM-1.0 -auth include system-auth -account include system-auth -password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so -session include system-auth diff --git a/templates/Fedora/40/etc/pam.d/sudo-i b/templates/Fedora/40/etc/pam.d/sudo-i deleted file mode 100644 index 3c63733..0000000 --- a/templates/Fedora/40/etc/pam.d/sudo-i +++ /dev/null @@ -1,6 +0,0 @@ -#%PAM-1.0 -auth include sudo -account include sudo -password include sudo -session optional pam_keyinit.so force revoke -session include sudo diff --git a/templates/Fedora/40/etc/sudo.conf b/templates/Fedora/40/etc/sudo.conf deleted file mode 100644 index 1c499a7..0000000 --- a/templates/Fedora/40/etc/sudo.conf +++ /dev/null @@ -1,131 +0,0 @@ -# -# Default /etc/sudo.conf file -# -# Sudo plugins: -# Plugin plugin_name plugin_path plugin_options ... -# -# The plugin_path is relative to /usr/libexec/sudo unless -# fully qualified. -# The plugin_name corresponds to a global symbol in the plugin -# that contains the plugin interface structure. -# The plugin_options are optional. -# -# The sudoers plugin is used by default if no Plugin lines are present. -#Plugin sudoers_policy sudoers.so -#Plugin sudoers_io sudoers.so -#Plugin sudoers_audit sudoers.so - -# -# Sudo askpass: -# Path askpass /path/to/askpass -# -# An askpass helper program may be specified to provide a graphical -# password prompt for "sudo -A" support. Sudo does not ship with its -# own askpass program but can use the OpenSSH askpass. -# -# Use the OpenSSH askpass -#Path askpass /usr/X11R6/bin/ssh-askpass -# -# Use the Gnome OpenSSH askpass -#Path askpass /usr/libexec/openssh/gnome-ssh-askpass - -# -# Sudo device search path: -# Path devsearch /dev/path1:/dev/path2:/dev -# -# A colon-separated list of paths to check when searching for a user's -# terminal device. -# -#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev - -# -# Sudo command interception: -# Path intercept /path/to/sudo_intercept.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_intercept.so file. -# -#Path intercept disabled - -# -# Sudo noexec: -# Path noexec /path/to/sudo_noexec.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that just return an error. -# This is used to implement the "noexec" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_noexec.so file. -# -#Path noexec /usr/libexec/sudo/sudo_noexec.so - -# -# Sudo plugin directory: -# Path plugin_dir /path/to/plugins -# -# The default directory to use when searching for plugins that are -# specified without a fully qualified path name. -# -#Path plugin_dir /usr/libexec/sudo - -# -# Core dumps: -# Set disable_coredump true|false -# -# By default, sudo disables core dumps while it is executing (they -# are re-enabled for the command that is run). -# To aid in debugging sudo problems, you may wish to enable core -# dumps by setting "disable_coredump" to false. -# -#Set disable_coredump false - -# -# User groups: -# Set group_source static|dynamic|adaptive -# -# Sudo passes the user's group list to the policy plugin. -# If the user is a member of the maximum number of groups (usually 16), -# sudo will query the group database directly to be sure to include -# the full list of groups. -# -# On some systems, this can be expensive so the behavior is configurable. -# The "group_source" setting has three possible values: -# static - use the user's list of groups returned by the kernel. -# dynamic - query the group database to find the list of groups. -# adaptive - if user is in less than the maximum number of groups. -# use the kernel list, else query the group database. -# -#Set group_source static - -# -# Sudo interface probing: -# Set probe_interfaces true|false -# -# By default, sudo will probe the system's network interfaces and -# pass the IP address of each enabled interface to the policy plugin. -# On systems with a large number of virtual interfaces this may take -# a noticeable amount of time. -# -#Set probe_interfaces false - -# -# Sudo debug files: -# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] -# -# Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay, or visudo. -# -# Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace, or debug. -# Multiple subsystem@priority may be specified, separated by a comma. -# -#Debug sudo /var/log/sudo_debug all@debug -#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Fedora/40/etc/sudoers b/templates/Fedora/40/etc/sudoers deleted file mode 100644 index 5f621a8..0000000 --- a/templates/Fedora/40/etc/sudoers +++ /dev/null @@ -1,120 +0,0 @@ -## Sudoers allows particular users to run various commands as -## the root user, without needing the root password. -## -## Examples are provided at the bottom of the file for collections -## of related commands, which can then be delegated out to particular -## users or groups. -## -## This file must be edited with the 'visudo' command. - -## Host Aliases -## Groups of machines. You may prefer to use hostnames (perhaps using -## wildcards for entire domains) or IP addresses instead. -# Host_Alias FILESERVERS = fs1, fs2 -# Host_Alias MAILSERVERS = smtp, smtp2 - -## User Aliases -## These aren't often necessary, as you can use regular groups -## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname -## rather than USERALIAS -# User_Alias ADMINS = jsmith, mikem - - -## Command Aliases -## These are groups of related commands... - -## Networking -# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool - -## Installation and management of software -# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum - -## Services -# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable - -## Updating the locate database -# Cmnd_Alias LOCATE = /usr/bin/updatedb - -## Storage -# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount - -## Delegating permissions -# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp - -## Processes -# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall - -## Drivers -# Cmnd_Alias DRIVERS = /sbin/modprobe - -# Defaults specification - -# -# Refuse to run if unable to disable echo on the tty. -# -Defaults !visiblepw - -# -# Preserving HOME has security implications since many programs -# use it when searching for configuration files. Note that HOME -# is already set when the the env_reset option is enabled, so -# this option is only effective for configurations where either -# env_reset is disabled or HOME is present in the env_keep list. -# -Defaults always_set_home -Defaults match_group_by_gid - -# Prior to version 1.8.15, groups listed in sudoers that were not -# found in the system group database were passed to the group -# plugin, if any. Starting with 1.8.15, only groups of the form -# %:group are resolved via the group plugin by default. -# We enable always_query_group_plugin to restore old behavior. -# Disable this option for new behavior. -Defaults always_query_group_plugin - -Defaults env_reset -Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" -Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" -Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" -Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" - -# -# Adding HOME to env_keep may enable a user to run unrestricted -# commands via sudo. -# -# Defaults env_keep += "HOME" - -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin - -## Next comes the main part: which users can run what software on -## which machines (the sudoers file can be shared between multiple -## systems). -## Syntax: -## -## user MACHINE=COMMANDS -## -## The COMMANDS section may have other options added to it. -## -## Allow root to run any commands anywhere -root ALL=(ALL) ALL - -## Allows members of the 'sys' group to run networking, software, -## service management apps and more. -# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS - -## Allows people in group wheel to run all commands -%wheel ALL=(ALL) ALL - -## Same thing without a password -# %wheel ALL=(ALL) NOPASSWD: ALL - -## Allows members of the users group to mount and unmount the -## cdrom as root -# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom - -## Allows members of the users group to shutdown this system -# %users localhost=/sbin/shutdown -h now - -## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) -#includedir /etc/sudoers.d diff --git a/templates/Fedora/40/etc/sudoers.d/session_log.j2 b/templates/Fedora/40/etc/sudoers.d/session_log.j2 deleted file mode 100644 index 1b6d27d..0000000 --- a/templates/Fedora/40/etc/sudoers.d/session_log.j2 +++ /dev/null @@ -1,6 +0,0 @@ -# -# {{ ansible_managed }} -# -Defaults log_input -Defaults log_output - diff --git a/templates/Fedora/41/etc/dnf/protected.d/sudo.conf b/templates/Fedora/41/etc/dnf/protected.d/sudo.conf deleted file mode 100644 index 7864d0d..0000000 --- a/templates/Fedora/41/etc/dnf/protected.d/sudo.conf +++ /dev/null @@ -1 +0,0 @@ -sudo diff --git a/templates/Fedora/41/etc/pam.d/sudo b/templates/Fedora/41/etc/pam.d/sudo deleted file mode 100644 index 284b050..0000000 --- a/templates/Fedora/41/etc/pam.d/sudo +++ /dev/null @@ -1,7 +0,0 @@ -#%PAM-1.0 -auth include system-auth -account include system-auth -password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so -session include system-auth diff --git a/templates/Fedora/41/etc/pam.d/sudo-i b/templates/Fedora/41/etc/pam.d/sudo-i deleted file mode 100644 index 3c63733..0000000 --- a/templates/Fedora/41/etc/pam.d/sudo-i +++ /dev/null @@ -1,6 +0,0 @@ -#%PAM-1.0 -auth include sudo -account include sudo -password include sudo -session optional pam_keyinit.so force revoke -session include sudo diff --git a/templates/Fedora/41/etc/sudo.conf b/templates/Fedora/41/etc/sudo.conf deleted file mode 100644 index 1c499a7..0000000 --- a/templates/Fedora/41/etc/sudo.conf +++ /dev/null @@ -1,131 +0,0 @@ -# -# Default /etc/sudo.conf file -# -# Sudo plugins: -# Plugin plugin_name plugin_path plugin_options ... -# -# The plugin_path is relative to /usr/libexec/sudo unless -# fully qualified. -# The plugin_name corresponds to a global symbol in the plugin -# that contains the plugin interface structure. -# The plugin_options are optional. -# -# The sudoers plugin is used by default if no Plugin lines are present. -#Plugin sudoers_policy sudoers.so -#Plugin sudoers_io sudoers.so -#Plugin sudoers_audit sudoers.so - -# -# Sudo askpass: -# Path askpass /path/to/askpass -# -# An askpass helper program may be specified to provide a graphical -# password prompt for "sudo -A" support. Sudo does not ship with its -# own askpass program but can use the OpenSSH askpass. -# -# Use the OpenSSH askpass -#Path askpass /usr/X11R6/bin/ssh-askpass -# -# Use the Gnome OpenSSH askpass -#Path askpass /usr/libexec/openssh/gnome-ssh-askpass - -# -# Sudo device search path: -# Path devsearch /dev/path1:/dev/path2:/dev -# -# A colon-separated list of paths to check when searching for a user's -# terminal device. -# -#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev - -# -# Sudo command interception: -# Path intercept /path/to/sudo_intercept.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_intercept.so file. -# -#Path intercept disabled - -# -# Sudo noexec: -# Path noexec /path/to/sudo_noexec.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that just return an error. -# This is used to implement the "noexec" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_noexec.so file. -# -#Path noexec /usr/libexec/sudo/sudo_noexec.so - -# -# Sudo plugin directory: -# Path plugin_dir /path/to/plugins -# -# The default directory to use when searching for plugins that are -# specified without a fully qualified path name. -# -#Path plugin_dir /usr/libexec/sudo - -# -# Core dumps: -# Set disable_coredump true|false -# -# By default, sudo disables core dumps while it is executing (they -# are re-enabled for the command that is run). -# To aid in debugging sudo problems, you may wish to enable core -# dumps by setting "disable_coredump" to false. -# -#Set disable_coredump false - -# -# User groups: -# Set group_source static|dynamic|adaptive -# -# Sudo passes the user's group list to the policy plugin. -# If the user is a member of the maximum number of groups (usually 16), -# sudo will query the group database directly to be sure to include -# the full list of groups. -# -# On some systems, this can be expensive so the behavior is configurable. -# The "group_source" setting has three possible values: -# static - use the user's list of groups returned by the kernel. -# dynamic - query the group database to find the list of groups. -# adaptive - if user is in less than the maximum number of groups. -# use the kernel list, else query the group database. -# -#Set group_source static - -# -# Sudo interface probing: -# Set probe_interfaces true|false -# -# By default, sudo will probe the system's network interfaces and -# pass the IP address of each enabled interface to the policy plugin. -# On systems with a large number of virtual interfaces this may take -# a noticeable amount of time. -# -#Set probe_interfaces false - -# -# Sudo debug files: -# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] -# -# Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay, or visudo. -# -# Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace, or debug. -# Multiple subsystem@priority may be specified, separated by a comma. -# -#Debug sudo /var/log/sudo_debug all@debug -#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Fedora/41/etc/sudoers b/templates/Fedora/41/etc/sudoers deleted file mode 100644 index 5f621a8..0000000 --- a/templates/Fedora/41/etc/sudoers +++ /dev/null @@ -1,120 +0,0 @@ -## Sudoers allows particular users to run various commands as -## the root user, without needing the root password. -## -## Examples are provided at the bottom of the file for collections -## of related commands, which can then be delegated out to particular -## users or groups. -## -## This file must be edited with the 'visudo' command. - -## Host Aliases -## Groups of machines. You may prefer to use hostnames (perhaps using -## wildcards for entire domains) or IP addresses instead. -# Host_Alias FILESERVERS = fs1, fs2 -# Host_Alias MAILSERVERS = smtp, smtp2 - -## User Aliases -## These aren't often necessary, as you can use regular groups -## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname -## rather than USERALIAS -# User_Alias ADMINS = jsmith, mikem - - -## Command Aliases -## These are groups of related commands... - -## Networking -# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool - -## Installation and management of software -# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum - -## Services -# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable - -## Updating the locate database -# Cmnd_Alias LOCATE = /usr/bin/updatedb - -## Storage -# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount - -## Delegating permissions -# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp - -## Processes -# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall - -## Drivers -# Cmnd_Alias DRIVERS = /sbin/modprobe - -# Defaults specification - -# -# Refuse to run if unable to disable echo on the tty. -# -Defaults !visiblepw - -# -# Preserving HOME has security implications since many programs -# use it when searching for configuration files. Note that HOME -# is already set when the the env_reset option is enabled, so -# this option is only effective for configurations where either -# env_reset is disabled or HOME is present in the env_keep list. -# -Defaults always_set_home -Defaults match_group_by_gid - -# Prior to version 1.8.15, groups listed in sudoers that were not -# found in the system group database were passed to the group -# plugin, if any. Starting with 1.8.15, only groups of the form -# %:group are resolved via the group plugin by default. -# We enable always_query_group_plugin to restore old behavior. -# Disable this option for new behavior. -Defaults always_query_group_plugin - -Defaults env_reset -Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" -Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" -Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" -Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" - -# -# Adding HOME to env_keep may enable a user to run unrestricted -# commands via sudo. -# -# Defaults env_keep += "HOME" - -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin - -## Next comes the main part: which users can run what software on -## which machines (the sudoers file can be shared between multiple -## systems). -## Syntax: -## -## user MACHINE=COMMANDS -## -## The COMMANDS section may have other options added to it. -## -## Allow root to run any commands anywhere -root ALL=(ALL) ALL - -## Allows members of the 'sys' group to run networking, software, -## service management apps and more. -# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS - -## Allows people in group wheel to run all commands -%wheel ALL=(ALL) ALL - -## Same thing without a password -# %wheel ALL=(ALL) NOPASSWD: ALL - -## Allows members of the users group to mount and unmount the -## cdrom as root -# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom - -## Allows members of the users group to shutdown this system -# %users localhost=/sbin/shutdown -h now - -## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) -#includedir /etc/sudoers.d diff --git a/templates/Fedora/41/etc/sudoers.d/session_log.j2 b/templates/Fedora/41/etc/sudoers.d/session_log.j2 deleted file mode 100644 index 1b6d27d..0000000 --- a/templates/Fedora/41/etc/sudoers.d/session_log.j2 +++ /dev/null @@ -1,6 +0,0 @@ -# -# {{ ansible_managed }} -# -Defaults log_input -Defaults log_output - diff --git a/templates/Fedora/33/etc/dnf/protected.d/sudo.conf b/templates/Fedora/43/etc/dnf/protected.d/sudo.conf similarity index 100% rename from templates/Fedora/33/etc/dnf/protected.d/sudo.conf rename to templates/Fedora/43/etc/dnf/protected.d/sudo.conf diff --git a/templates/Fedora/33/etc/pam.d/sudo b/templates/Fedora/43/etc/pam.d/sudo similarity index 100% rename from templates/Fedora/33/etc/pam.d/sudo rename to templates/Fedora/43/etc/pam.d/sudo diff --git a/templates/Fedora/33/etc/pam.d/sudo-i b/templates/Fedora/43/etc/pam.d/sudo-i similarity index 100% rename from templates/Fedora/33/etc/pam.d/sudo-i rename to templates/Fedora/43/etc/pam.d/sudo-i diff --git a/templates/Fedora/38/etc/sudo.conf b/templates/Fedora/43/etc/sudo.conf similarity index 100% rename from templates/Fedora/38/etc/sudo.conf rename to templates/Fedora/43/etc/sudo.conf diff --git a/templates/Fedora/33/etc/sudoers b/templates/Fedora/43/etc/sudoers similarity index 100% rename from templates/Fedora/33/etc/sudoers rename to templates/Fedora/43/etc/sudoers diff --git a/templates/Fedora/33/etc/sudoers.d/session_log.j2 b/templates/Fedora/43/etc/sudoers.d/session_log.j2 similarity index 100% rename from templates/Fedora/33/etc/sudoers.d/session_log.j2 rename to templates/Fedora/43/etc/sudoers.d/session_log.j2 diff --git a/templates/Fedora/34/etc/dnf/protected.d/sudo.conf b/templates/Fedora/44/etc/dnf/protected.d/sudo.conf similarity index 100% rename from templates/Fedora/34/etc/dnf/protected.d/sudo.conf rename to templates/Fedora/44/etc/dnf/protected.d/sudo.conf diff --git a/templates/Fedora/34/etc/pam.d/sudo b/templates/Fedora/44/etc/pam.d/sudo similarity index 100% rename from templates/Fedora/34/etc/pam.d/sudo rename to templates/Fedora/44/etc/pam.d/sudo diff --git a/templates/Fedora/34/etc/pam.d/sudo-i b/templates/Fedora/44/etc/pam.d/sudo-i similarity index 100% rename from templates/Fedora/34/etc/pam.d/sudo-i rename to templates/Fedora/44/etc/pam.d/sudo-i diff --git a/templates/Fedora/39/etc/sudo.conf b/templates/Fedora/44/etc/sudo.conf similarity index 100% rename from templates/Fedora/39/etc/sudo.conf rename to templates/Fedora/44/etc/sudo.conf diff --git a/templates/Fedora/34/etc/sudoers b/templates/Fedora/44/etc/sudoers similarity index 100% rename from templates/Fedora/34/etc/sudoers rename to templates/Fedora/44/etc/sudoers diff --git a/templates/Fedora/34/etc/sudoers.d/session_log.j2 b/templates/Fedora/44/etc/sudoers.d/session_log.j2 similarity index 100% rename from templates/Fedora/34/etc/sudoers.d/session_log.j2 rename to templates/Fedora/44/etc/sudoers.d/session_log.j2 diff --git a/vars/AlmaLinux-10-default.yml b/vars/AlmaLinux-10-default.yml new file mode 100644 index 0000000..43b81b6 --- /dev/null +++ b/vars/AlmaLinux-10-default.yml @@ -0,0 +1,9 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +... + diff --git a/vars/AlmaLinux-8-default.yml b/vars/AlmaLinux-8-default.yml new file mode 100644 index 0000000..43b81b6 --- /dev/null +++ b/vars/AlmaLinux-8-default.yml @@ -0,0 +1,9 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +... + diff --git a/vars/AlmaLinux-9-default.yml b/vars/AlmaLinux-9-default.yml index 1e839dc..033c586 100644 --- a/vars/AlmaLinux-9-default.yml +++ b/vars/AlmaLinux-9-default.yml @@ -10,29 +10,31 @@ template_list: group: 'root' mode: '0644' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/dnf/protected.d/sudo.conf' - dest: '/etc/pam.d/sudo' group: 'root' mode: '0644' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo' - dest: '/etc/pam.d/sudo-i' group: 'root' mode: '0644' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo-i' - dest: '/etc/sudo.conf' group: 'root' mode: '0640' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudo.conf' - dest: '/etc/sudoers' group: 'root' mode: '0440' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers' - dest: '/etc/sudoers.d/session_log' group: 'root' mode: '0440' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers.d/session_log.j2' +... + diff --git a/vars/CentOS-10-default.yml b/vars/CentOS-10-default.yml new file mode 100644 index 0000000..43b81b6 --- /dev/null +++ b/vars/CentOS-10-default.yml @@ -0,0 +1,9 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +... + diff --git a/vars/CentOS-8-default.yml b/vars/CentOS-8-default.yml new file mode 100644 index 0000000..43b81b6 --- /dev/null +++ b/vars/CentOS-8-default.yml @@ -0,0 +1,9 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +... + diff --git a/vars/CentOS-9-default.yml b/vars/CentOS-9-default.yml index 1e839dc..289d0e2 100644 --- a/vars/CentOS-9-default.yml +++ b/vars/CentOS-9-default.yml @@ -10,29 +10,29 @@ template_list: group: 'root' mode: '0644' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/dnf/protected.d/sudo.conf' - dest: '/etc/pam.d/sudo' group: 'root' mode: '0644' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo' - dest: '/etc/pam.d/sudo-i' group: 'root' mode: '0644' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo-i' - dest: '/etc/sudo.conf' group: 'root' mode: '0640' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudo.conf' - dest: '/etc/sudoers' group: 'root' mode: '0440' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers' - dest: '/etc/sudoers.d/session_log' group: 'root' mode: '0440' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers.d/session_log.j2' diff --git a/vars/Fedora-33-default.yml b/vars/Fedora-33-default.yml deleted file mode 100644 index 1e839dc..0000000 --- a/vars/Fedora-33-default.yml +++ /dev/null @@ -1,38 +0,0 @@ ---- -# vars file for ensure_sudo -package_list: - - name: 'libsss_sudo' - state: 'present' - - name: 'sudo' - state: 'present' -template_list: - - dest: '/etc/dnf/protected.d/sudo.conf' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' - - dest: '/etc/pam.d/sudo' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' - - dest: '/etc/pam.d/sudo-i' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' - - dest: '/etc/sudo.conf' - group: 'root' - mode: '0640' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' - - dest: '/etc/sudoers' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' - - dest: '/etc/sudoers.d/session_log' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' diff --git a/vars/Fedora-34-default.yml b/vars/Fedora-34-default.yml deleted file mode 100644 index 1e839dc..0000000 --- a/vars/Fedora-34-default.yml +++ /dev/null @@ -1,38 +0,0 @@ ---- -# vars file for ensure_sudo -package_list: - - name: 'libsss_sudo' - state: 'present' - - name: 'sudo' - state: 'present' -template_list: - - dest: '/etc/dnf/protected.d/sudo.conf' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' - - dest: '/etc/pam.d/sudo' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' - - dest: '/etc/pam.d/sudo-i' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' - - dest: '/etc/sudo.conf' - group: 'root' - mode: '0640' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' - - dest: '/etc/sudoers' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' - - dest: '/etc/sudoers.d/session_log' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' diff --git a/vars/Fedora-35-default.yml b/vars/Fedora-35-default.yml deleted file mode 100644 index 1e839dc..0000000 --- a/vars/Fedora-35-default.yml +++ /dev/null @@ -1,38 +0,0 @@ ---- -# vars file for ensure_sudo -package_list: - - name: 'libsss_sudo' - state: 'present' - - name: 'sudo' - state: 'present' -template_list: - - dest: '/etc/dnf/protected.d/sudo.conf' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' - - dest: '/etc/pam.d/sudo' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' - - dest: '/etc/pam.d/sudo-i' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' - - dest: '/etc/sudo.conf' - group: 'root' - mode: '0640' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' - - dest: '/etc/sudoers' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' - - dest: '/etc/sudoers.d/session_log' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' diff --git a/vars/Fedora-36-default.yml b/vars/Fedora-36-default.yml deleted file mode 100644 index 1e839dc..0000000 --- a/vars/Fedora-36-default.yml +++ /dev/null @@ -1,38 +0,0 @@ ---- -# vars file for ensure_sudo -package_list: - - name: 'libsss_sudo' - state: 'present' - - name: 'sudo' - state: 'present' -template_list: - - dest: '/etc/dnf/protected.d/sudo.conf' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' - - dest: '/etc/pam.d/sudo' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' - - dest: '/etc/pam.d/sudo-i' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' - - dest: '/etc/sudo.conf' - group: 'root' - mode: '0640' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' - - dest: '/etc/sudoers' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' - - dest: '/etc/sudoers.d/session_log' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' diff --git a/vars/Fedora-37-default.yml b/vars/Fedora-37-default.yml deleted file mode 100644 index 1e839dc..0000000 --- a/vars/Fedora-37-default.yml +++ /dev/null @@ -1,38 +0,0 @@ ---- -# vars file for ensure_sudo -package_list: - - name: 'libsss_sudo' - state: 'present' - - name: 'sudo' - state: 'present' -template_list: - - dest: '/etc/dnf/protected.d/sudo.conf' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' - - dest: '/etc/pam.d/sudo' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' - - dest: '/etc/pam.d/sudo-i' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' - - dest: '/etc/sudo.conf' - group: 'root' - mode: '0640' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' - - dest: '/etc/sudoers' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' - - dest: '/etc/sudoers.d/session_log' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' diff --git a/vars/Fedora-38-default.yml b/vars/Fedora-38-default.yml deleted file mode 100644 index 1e839dc..0000000 --- a/vars/Fedora-38-default.yml +++ /dev/null @@ -1,38 +0,0 @@ ---- -# vars file for ensure_sudo -package_list: - - name: 'libsss_sudo' - state: 'present' - - name: 'sudo' - state: 'present' -template_list: - - dest: '/etc/dnf/protected.d/sudo.conf' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' - - dest: '/etc/pam.d/sudo' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' - - dest: '/etc/pam.d/sudo-i' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' - - dest: '/etc/sudo.conf' - group: 'root' - mode: '0640' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' - - dest: '/etc/sudoers' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' - - dest: '/etc/sudoers.d/session_log' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' diff --git a/vars/Fedora-39-default.yml b/vars/Fedora-39-default.yml deleted file mode 100644 index 1e839dc..0000000 --- a/vars/Fedora-39-default.yml +++ /dev/null @@ -1,38 +0,0 @@ ---- -# vars file for ensure_sudo -package_list: - - name: 'libsss_sudo' - state: 'present' - - name: 'sudo' - state: 'present' -template_list: - - dest: '/etc/dnf/protected.d/sudo.conf' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' - - dest: '/etc/pam.d/sudo' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' - - dest: '/etc/pam.d/sudo-i' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' - - dest: '/etc/sudo.conf' - group: 'root' - mode: '0640' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' - - dest: '/etc/sudoers' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' - - dest: '/etc/sudoers.d/session_log' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' diff --git a/vars/Fedora-40-default.yml b/vars/Fedora-40-default.yml deleted file mode 100644 index 1e839dc..0000000 --- a/vars/Fedora-40-default.yml +++ /dev/null @@ -1,38 +0,0 @@ ---- -# vars file for ensure_sudo -package_list: - - name: 'libsss_sudo' - state: 'present' - - name: 'sudo' - state: 'present' -template_list: - - dest: '/etc/dnf/protected.d/sudo.conf' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' - - dest: '/etc/pam.d/sudo' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' - - dest: '/etc/pam.d/sudo-i' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' - - dest: '/etc/sudo.conf' - group: 'root' - mode: '0640' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' - - dest: '/etc/sudoers' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' - - dest: '/etc/sudoers.d/session_log' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' diff --git a/vars/Fedora-41-default.yml b/vars/Fedora-41-default.yml deleted file mode 100644 index 1e839dc..0000000 --- a/vars/Fedora-41-default.yml +++ /dev/null @@ -1,38 +0,0 @@ ---- -# vars file for ensure_sudo -package_list: - - name: 'libsss_sudo' - state: 'present' - - name: 'sudo' - state: 'present' -template_list: - - dest: '/etc/dnf/protected.d/sudo.conf' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' - - dest: '/etc/pam.d/sudo' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' - - dest: '/etc/pam.d/sudo-i' - group: 'root' - mode: '0644' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' - - dest: '/etc/sudo.conf' - group: 'root' - mode: '0640' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' - - dest: '/etc/sudoers' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' - - dest: '/etc/sudoers.d/session_log' - group: 'root' - mode: '0440' - owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' diff --git a/vars/Fedora-42-default.yml b/vars/Fedora-42-default.yml index 1e839dc..289d0e2 100644 --- a/vars/Fedora-42-default.yml +++ b/vars/Fedora-42-default.yml @@ -10,29 +10,29 @@ template_list: group: 'root' mode: '0644' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/dnf/protected.d/sudo.conf' - dest: '/etc/pam.d/sudo' group: 'root' mode: '0644' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo' - dest: '/etc/pam.d/sudo-i' group: 'root' mode: '0644' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo-i' - dest: '/etc/sudo.conf' group: 'root' mode: '0640' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudo.conf' - dest: '/etc/sudoers' group: 'root' mode: '0440' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers' - dest: '/etc/sudoers.d/session_log' group: 'root' mode: '0440' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers.d/session_log.j2' diff --git a/vars/Fedora-43-default.yml b/vars/Fedora-43-default.yml new file mode 100644 index 0000000..289d0e2 --- /dev/null +++ b/vars/Fedora-43-default.yml @@ -0,0 +1,38 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +template_list: + - dest: '/etc/dnf/protected.d/sudo.conf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/dnf/protected.d/sudo.conf' + - dest: '/etc/pam.d/sudo' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo' + - dest: '/etc/pam.d/sudo-i' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo-i' + - dest: '/etc/sudo.conf' + group: 'root' + mode: '0640' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudo.conf' + - dest: '/etc/sudoers' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers' + - dest: '/etc/sudoers.d/session_log' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers.d/session_log.j2' diff --git a/vars/Fedora-44-default.yml b/vars/Fedora-44-default.yml new file mode 100644 index 0000000..289d0e2 --- /dev/null +++ b/vars/Fedora-44-default.yml @@ -0,0 +1,38 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +template_list: + - dest: '/etc/dnf/protected.d/sudo.conf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/dnf/protected.d/sudo.conf' + - dest: '/etc/pam.d/sudo' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo' + - dest: '/etc/pam.d/sudo-i' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo-i' + - dest: '/etc/sudo.conf' + group: 'root' + mode: '0640' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudo.conf' + - dest: '/etc/sudoers' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers' + - dest: '/etc/sudoers.d/session_log' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers.d/session_log.j2' diff --git a/vars/OracleLinux-10-default.yml b/vars/OracleLinux-10-default.yml new file mode 100644 index 0000000..43b81b6 --- /dev/null +++ b/vars/OracleLinux-10-default.yml @@ -0,0 +1,9 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +... + diff --git a/vars/OracleLinux-8-default.yml b/vars/OracleLinux-8-default.yml new file mode 100644 index 0000000..43b81b6 --- /dev/null +++ b/vars/OracleLinux-8-default.yml @@ -0,0 +1,9 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +... + diff --git a/vars/OracleLinux-9-default.yml b/vars/OracleLinux-9-default.yml index 1e839dc..289d0e2 100644 --- a/vars/OracleLinux-9-default.yml +++ b/vars/OracleLinux-9-default.yml @@ -10,29 +10,29 @@ template_list: group: 'root' mode: '0644' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/dnf/protected.d/sudo.conf' - dest: '/etc/pam.d/sudo' group: 'root' mode: '0644' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo' - dest: '/etc/pam.d/sudo-i' group: 'root' mode: '0644' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo-i' - dest: '/etc/sudo.conf' group: 'root' mode: '0640' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudo.conf' - dest: '/etc/sudoers' group: 'root' mode: '0440' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers' - dest: '/etc/sudoers.d/session_log' group: 'root' mode: '0440' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers.d/session_log.j2' diff --git a/vars/Rocky-10-default.yml b/vars/Rocky-10-default.yml new file mode 100644 index 0000000..43b81b6 --- /dev/null +++ b/vars/Rocky-10-default.yml @@ -0,0 +1,9 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +... + diff --git a/vars/Rocky-8-default.yml b/vars/Rocky-8-default.yml new file mode 100644 index 0000000..43b81b6 --- /dev/null +++ b/vars/Rocky-8-default.yml @@ -0,0 +1,9 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +... + diff --git a/vars/Rocky-9-default.yml b/vars/Rocky-9-default.yml index 1e839dc..289d0e2 100644 --- a/vars/Rocky-9-default.yml +++ b/vars/Rocky-9-default.yml @@ -10,29 +10,29 @@ template_list: group: 'root' mode: '0644' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/dnf/protected.d/sudo.conf' - dest: '/etc/pam.d/sudo' group: 'root' mode: '0644' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo' - dest: '/etc/pam.d/sudo-i' group: 'root' mode: '0644' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo-i' - dest: '/etc/sudo.conf' group: 'root' mode: '0640' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudo.conf' - dest: '/etc/sudoers' group: 'root' mode: '0440' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers' - dest: '/etc/sudoers.d/session_log' group: 'root' mode: '0440' owner: 'root' - src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers.d/session_log.j2' From 4fed9b890a00da8b2a0740646cb0136d1a877443 Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Tue, 5 May 2026 15:03:36 -0500 Subject: [PATCH 31/40] More ansible core 2.20 fixes Signed-off-by: Jason Rothstein --- tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index ef2c9f2..90d4e02 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -9,10 +9,10 @@ vars: findme: files: - - '{{ ansible_facts["distribution"] }}-{{ ansible_facts["distribution_major_version"] }}-{{ ansible_architecture }}.yml' + - '{{ ansible_facts["distribution"] }}-{{ ansible_facts["distribution_major_version"] }}-{{ ansible_facts["architecture"] }}.yml' - '{{ ansible_facts["distribution"] }}-{{ ansible_facts["distribution_major_version"] }}-default.yml' - '{{ ansible_facts["distribution"] }}-default.yml' - - '{{ ansible_os_family }}-{{ ansible_facts["distribution_major_version"] }}-{{ ansible_architecture }}.yml' + - '{{ ansible_os_family }}-{{ ansible_facts["distribution_major_version"] }}-{{ ansible_facts["architecture"] }}.yml' - '{{ ansible_os_family }}-{{ ansible_facts["distribution_major_version"] }}-default.yml' - '{{ ansible_os_family }}-default.yml' - 'default.yml' From b1dc671bfb5bf11217c68bf263ce0f1b67db6303 Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Tue, 5 May 2026 15:07:58 -0500 Subject: [PATCH 32/40] More ansible core 2.20 fixes Signed-off-by: Jason Rothstein --- handlers/main.yml | 4 ++-- templates/Fedora/43/etc/sudo.conf | 10 +++++----- templates/Fedora/44/etc/sudo.conf | 10 +++++----- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 877e01a..63b6cde 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -6,14 +6,14 @@ ansible.builtin.service_facts: - name: 'ensure_sudo.service_reload' when: - - ansible_system == 'Linux' + - ansible_facts["system"] == 'Linux' - ansible_service_mgr == 'systemd' - ensure_sudo is defined ansible.builtin.systemd: daemon_reload: 'yes' - name: 'ensure_sudo.service_restart' when: - - ansible_system == 'Linux' + - ansible_facts["system"] == 'Linux' - ensure_sudo is defined - ensure_sudo.service_list is defined - ensure_sudo.service_list is iterable diff --git a/templates/Fedora/43/etc/sudo.conf b/templates/Fedora/43/etc/sudo.conf index 1c499a7..a4d5104 100644 --- a/templates/Fedora/43/etc/sudo.conf +++ b/templates/Fedora/43/etc/sudo.conf @@ -43,10 +43,10 @@ # Path intercept /path/to/sudo_intercept.so # # Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. +# execve() and fexecve() library functions, which perform a policy +# check to verify whether the command is allowed and simply return +# an error if it is not. This is used to implement the "intercept" +# functionality on systems that support LD_PRELOAD or its equivalent. # # The compiled-in value is usually sufficient and should only be changed # if you rename or move the sudo_intercept.so file. @@ -72,7 +72,7 @@ # Path plugin_dir /path/to/plugins # # The default directory to use when searching for plugins that are -# specified without a fully qualified path name. +# specified without a fully-qualified path name. # #Path plugin_dir /usr/libexec/sudo diff --git a/templates/Fedora/44/etc/sudo.conf b/templates/Fedora/44/etc/sudo.conf index 1c499a7..a4d5104 100644 --- a/templates/Fedora/44/etc/sudo.conf +++ b/templates/Fedora/44/etc/sudo.conf @@ -43,10 +43,10 @@ # Path intercept /path/to/sudo_intercept.so # # Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. +# execve() and fexecve() library functions, which perform a policy +# check to verify whether the command is allowed and simply return +# an error if it is not. This is used to implement the "intercept" +# functionality on systems that support LD_PRELOAD or its equivalent. # # The compiled-in value is usually sufficient and should only be changed # if you rename or move the sudo_intercept.so file. @@ -72,7 +72,7 @@ # Path plugin_dir /path/to/plugins # # The default directory to use when searching for plugins that are -# specified without a fully qualified path name. +# specified without a fully-qualified path name. # #Path plugin_dir /usr/libexec/sudo From dc6c08c0e533b0db951a407c5ba30058c24dcab3 Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Tue, 5 May 2026 17:07:51 -0500 Subject: [PATCH 33/40] More ansible-core 2.20 fixes Signed-off-by: Jason Rothstein --- tasks/main.yml | 8 ++++---- templates/Fedora/43/etc/sudo.conf | 10 +++++----- templates/Fedora/44/etc/sudo.conf | 10 +++++----- 3 files changed, 14 insertions(+), 14 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 90d4e02..cded532 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -12,9 +12,9 @@ - '{{ ansible_facts["distribution"] }}-{{ ansible_facts["distribution_major_version"] }}-{{ ansible_facts["architecture"] }}.yml' - '{{ ansible_facts["distribution"] }}-{{ ansible_facts["distribution_major_version"] }}-default.yml' - '{{ ansible_facts["distribution"] }}-default.yml' - - '{{ ansible_os_family }}-{{ ansible_facts["distribution_major_version"] }}-{{ ansible_facts["architecture"] }}.yml' - - '{{ ansible_os_family }}-{{ ansible_facts["distribution_major_version"] }}-default.yml' - - '{{ ansible_os_family }}-default.yml' + - '{{ ansible_facts["os_family"] }}-{{ ansible_facts["distribution_major_version"] }}-{{ ansible_facts["architecture"] }}.yml' + - '{{ ansible_facts["os_family"] }}-{{ ansible_facts["distribution_major_version"] }}-default.yml' + - '{{ ansible_facts["os_family"] }}-default.yml' - 'default.yml' paths: - '../vars/' @@ -27,7 +27,7 @@ - name: 'service discovery' when: - ansible_facts["system"] == 'Linux' - - services is not defined + - ansible_facts["services"] is not defined ansible.builtin.service_facts: - name: 'ensure packages' when: diff --git a/templates/Fedora/43/etc/sudo.conf b/templates/Fedora/43/etc/sudo.conf index a4d5104..1c499a7 100644 --- a/templates/Fedora/43/etc/sudo.conf +++ b/templates/Fedora/43/etc/sudo.conf @@ -43,10 +43,10 @@ # Path intercept /path/to/sudo_intercept.so # # Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions, which perform a policy -# check to verify whether the command is allowed and simply return -# an error if it is not. This is used to implement the "intercept" -# functionality on systems that support LD_PRELOAD or its equivalent. +# execve() and fexecve() library functions that perform a policy check +# to verify the command is allowed and simply return an error if not. +# This is used to implement the "intercept" functionality on systems that +# support LD_PRELOAD or its equivalent. # # The compiled-in value is usually sufficient and should only be changed # if you rename or move the sudo_intercept.so file. @@ -72,7 +72,7 @@ # Path plugin_dir /path/to/plugins # # The default directory to use when searching for plugins that are -# specified without a fully-qualified path name. +# specified without a fully qualified path name. # #Path plugin_dir /usr/libexec/sudo diff --git a/templates/Fedora/44/etc/sudo.conf b/templates/Fedora/44/etc/sudo.conf index a4d5104..1c499a7 100644 --- a/templates/Fedora/44/etc/sudo.conf +++ b/templates/Fedora/44/etc/sudo.conf @@ -43,10 +43,10 @@ # Path intercept /path/to/sudo_intercept.so # # Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions, which perform a policy -# check to verify whether the command is allowed and simply return -# an error if it is not. This is used to implement the "intercept" -# functionality on systems that support LD_PRELOAD or its equivalent. +# execve() and fexecve() library functions that perform a policy check +# to verify the command is allowed and simply return an error if not. +# This is used to implement the "intercept" functionality on systems that +# support LD_PRELOAD or its equivalent. # # The compiled-in value is usually sufficient and should only be changed # if you rename or move the sudo_intercept.so file. @@ -72,7 +72,7 @@ # Path plugin_dir /path/to/plugins # # The default directory to use when searching for plugins that are -# specified without a fully-qualified path name. +# specified without a fully qualified path name. # #Path plugin_dir /usr/libexec/sudo From 1a64c362be60a8e873c6e37a3a31e47b93c4b3cd Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Tue, 5 May 2026 17:09:41 -0500 Subject: [PATCH 34/40] More ansible core 2.20 fixes Signed-off-by: Jason Rothstein --- handlers/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/handlers/main.yml b/handlers/main.yml index 63b6cde..7be4b30 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -7,7 +7,7 @@ - name: 'ensure_sudo.service_reload' when: - ansible_facts["system"] == 'Linux' - - ansible_service_mgr == 'systemd' + - ansible_facts["service_mgr"] == 'systemd' - ensure_sudo is defined ansible.builtin.systemd: daemon_reload: 'yes' From 193211d3498fb24c7e952ec9524a4d4be6217df9 Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Tue, 5 May 2026 18:27:53 -0500 Subject: [PATCH 35/40] Add templates for EL 8/9/10 Signed-off-by: Jason Rothstein --- .../10/9/etc/dnf/protected.d/sudo.conf | 1 + templates/AlmaLinux/10/9/etc/pam.d/sudo | 5 + templates/AlmaLinux/10/9/etc/pam.d/sudo-i | 6 + templates/AlmaLinux/10/9/etc/sudo.conf | 124 +++++++++++++++++ templates/AlmaLinux/10/9/etc/sudoers | 120 ++++++++++++++++ .../10/9/etc/sudoers.d/session_log.j2 | 6 + .../10/etc/dnf/protected.d/sudo.conf | 1 + templates/AlmaLinux/10/etc/pam.d/sudo | 7 + templates/AlmaLinux/10/etc/pam.d/sudo-i | 6 + templates/AlmaLinux/10/etc/sudo.conf | 131 ++++++++++++++++++ templates/AlmaLinux/10/etc/sudoers | 120 ++++++++++++++++ .../AlmaLinux/10/etc/sudoers.d/session_log.j2 | 6 + .../8/9/etc/dnf/protected.d/sudo.conf | 1 + templates/AlmaLinux/8/9/etc/pam.d/sudo | 5 + templates/AlmaLinux/8/9/etc/pam.d/sudo-i | 6 + templates/AlmaLinux/8/9/etc/sudo.conf | 124 +++++++++++++++++ templates/AlmaLinux/8/9/etc/sudoers | 120 ++++++++++++++++ .../8/9/etc/sudoers.d/session_log.j2 | 6 + .../AlmaLinux/8/etc/dnf/protected.d/sudo.conf | 1 + templates/AlmaLinux/8/etc/pam.d/sudo | 7 + templates/AlmaLinux/8/etc/pam.d/sudo-i | 6 + templates/AlmaLinux/8/etc/sudo.conf | 131 ++++++++++++++++++ templates/AlmaLinux/8/etc/sudoers | 120 ++++++++++++++++ .../AlmaLinux/8/etc/sudoers.d/session_log.j2 | 6 + .../CentOS/10/etc/dnf/protected.d/sudo.conf | 1 + templates/CentOS/10/etc/pam.d/sudo | 5 + templates/CentOS/10/etc/pam.d/sudo-i | 6 + templates/CentOS/10/etc/sudo.conf | 124 +++++++++++++++++ templates/CentOS/10/etc/sudoers | 120 ++++++++++++++++ .../CentOS/10/etc/sudoers.d/session_log.j2 | 6 + .../CentOS/8/etc/dnf/protected.d/sudo.conf | 1 + templates/CentOS/8/etc/pam.d/sudo | 5 + templates/CentOS/8/etc/pam.d/sudo-i | 6 + templates/CentOS/8/etc/sudo.conf | 124 +++++++++++++++++ templates/CentOS/8/etc/sudoers | 120 ++++++++++++++++ .../CentOS/8/etc/sudoers.d/session_log.j2 | 6 + .../10/9/etc/dnf/protected.d/sudo.conf | 1 + templates/OracleLinux/10/9/etc/pam.d/sudo | 5 + templates/OracleLinux/10/9/etc/pam.d/sudo-i | 6 + templates/OracleLinux/10/9/etc/sudo.conf | 124 +++++++++++++++++ templates/OracleLinux/10/9/etc/sudoers | 120 ++++++++++++++++ .../10/9/etc/sudoers.d/session_log.j2 | 6 + .../10/etc/dnf/protected.d/sudo.conf | 1 + templates/OracleLinux/10/etc/pam.d/sudo | 7 + templates/OracleLinux/10/etc/pam.d/sudo-i | 6 + templates/OracleLinux/10/etc/sudo.conf | 131 ++++++++++++++++++ templates/OracleLinux/10/etc/sudoers | 120 ++++++++++++++++ .../10/etc/sudoers.d/session_log.j2 | 6 + .../8/9/etc/dnf/protected.d/sudo.conf | 1 + templates/OracleLinux/8/9/etc/pam.d/sudo | 5 + templates/OracleLinux/8/9/etc/pam.d/sudo-i | 6 + templates/OracleLinux/8/9/etc/sudo.conf | 124 +++++++++++++++++ templates/OracleLinux/8/9/etc/sudoers | 120 ++++++++++++++++ .../8/9/etc/sudoers.d/session_log.j2 | 6 + .../8/etc/dnf/protected.d/sudo.conf | 1 + templates/OracleLinux/8/etc/pam.d/sudo | 7 + templates/OracleLinux/8/etc/pam.d/sudo-i | 6 + templates/OracleLinux/8/etc/sudo.conf | 131 ++++++++++++++++++ templates/OracleLinux/8/etc/sudoers | 120 ++++++++++++++++ .../8/etc/sudoers.d/session_log.j2 | 6 + .../Rocky/10/9/etc/dnf/protected.d/sudo.conf | 1 + templates/Rocky/10/9/etc/pam.d/sudo | 5 + templates/Rocky/10/9/etc/pam.d/sudo-i | 6 + templates/Rocky/10/9/etc/sudo.conf | 124 +++++++++++++++++ templates/Rocky/10/9/etc/sudoers | 120 ++++++++++++++++ .../Rocky/10/9/etc/sudoers.d/session_log.j2 | 6 + .../Rocky/10/etc/dnf/protected.d/sudo.conf | 1 + templates/Rocky/10/etc/pam.d/sudo | 7 + templates/Rocky/10/etc/pam.d/sudo-i | 6 + templates/Rocky/10/etc/sudo.conf | 131 ++++++++++++++++++ templates/Rocky/10/etc/sudoers | 120 ++++++++++++++++ .../Rocky/10/etc/sudoers.d/session_log.j2 | 6 + .../Rocky/8/9/etc/dnf/protected.d/sudo.conf | 1 + templates/Rocky/8/9/etc/pam.d/sudo | 5 + templates/Rocky/8/9/etc/pam.d/sudo-i | 6 + templates/Rocky/8/9/etc/sudo.conf | 124 +++++++++++++++++ templates/Rocky/8/9/etc/sudoers | 120 ++++++++++++++++ .../Rocky/8/9/etc/sudoers.d/session_log.j2 | 6 + .../Rocky/8/etc/dnf/protected.d/sudo.conf | 1 + templates/Rocky/8/etc/pam.d/sudo | 7 + templates/Rocky/8/etc/pam.d/sudo-i | 6 + templates/Rocky/8/etc/sudo.conf | 131 ++++++++++++++++++ templates/Rocky/8/etc/sudoers | 120 ++++++++++++++++ .../Rocky/8/etc/sudoers.d/session_log.j2 | 6 + vars/AlmaLinux-10-default.yml | 31 +++++ vars/AlmaLinux-8-default.yml | 31 +++++ vars/CentOS-10-default.yml | 31 +++++ vars/CentOS-8-default.yml | 31 +++++ vars/CentOS-9-default.yml | 2 + vars/Fedora-42-default.yml | 2 + vars/Fedora-43-default.yml | 2 + vars/Fedora-44-default.yml | 2 + vars/OracleLinux-10-default.yml | 31 +++++ vars/OracleLinux-8-default.yml | 31 +++++ vars/OracleLinux-9-default.yml | 2 + vars/Rocky-10-default.yml | 31 +++++ vars/Rocky-8-default.yml | 31 +++++ vars/Rocky-9-default.yml | 2 + 98 files changed, 3982 insertions(+) create mode 100644 templates/AlmaLinux/10/9/etc/dnf/protected.d/sudo.conf create mode 100644 templates/AlmaLinux/10/9/etc/pam.d/sudo create mode 100644 templates/AlmaLinux/10/9/etc/pam.d/sudo-i create mode 100644 templates/AlmaLinux/10/9/etc/sudo.conf create mode 100644 templates/AlmaLinux/10/9/etc/sudoers create mode 100644 templates/AlmaLinux/10/9/etc/sudoers.d/session_log.j2 create mode 100644 templates/AlmaLinux/10/etc/dnf/protected.d/sudo.conf create mode 100644 templates/AlmaLinux/10/etc/pam.d/sudo create mode 100644 templates/AlmaLinux/10/etc/pam.d/sudo-i create mode 100644 templates/AlmaLinux/10/etc/sudo.conf create mode 100644 templates/AlmaLinux/10/etc/sudoers create mode 100644 templates/AlmaLinux/10/etc/sudoers.d/session_log.j2 create mode 100644 templates/AlmaLinux/8/9/etc/dnf/protected.d/sudo.conf create mode 100644 templates/AlmaLinux/8/9/etc/pam.d/sudo create mode 100644 templates/AlmaLinux/8/9/etc/pam.d/sudo-i create mode 100644 templates/AlmaLinux/8/9/etc/sudo.conf create mode 100644 templates/AlmaLinux/8/9/etc/sudoers create mode 100644 templates/AlmaLinux/8/9/etc/sudoers.d/session_log.j2 create mode 100644 templates/AlmaLinux/8/etc/dnf/protected.d/sudo.conf create mode 100644 templates/AlmaLinux/8/etc/pam.d/sudo create mode 100644 templates/AlmaLinux/8/etc/pam.d/sudo-i create mode 100644 templates/AlmaLinux/8/etc/sudo.conf create mode 100644 templates/AlmaLinux/8/etc/sudoers create mode 100644 templates/AlmaLinux/8/etc/sudoers.d/session_log.j2 create mode 100644 templates/CentOS/10/etc/dnf/protected.d/sudo.conf create mode 100644 templates/CentOS/10/etc/pam.d/sudo create mode 100644 templates/CentOS/10/etc/pam.d/sudo-i create mode 100644 templates/CentOS/10/etc/sudo.conf create mode 100644 templates/CentOS/10/etc/sudoers create mode 100644 templates/CentOS/10/etc/sudoers.d/session_log.j2 create mode 100644 templates/CentOS/8/etc/dnf/protected.d/sudo.conf create mode 100644 templates/CentOS/8/etc/pam.d/sudo create mode 100644 templates/CentOS/8/etc/pam.d/sudo-i create mode 100644 templates/CentOS/8/etc/sudo.conf create mode 100644 templates/CentOS/8/etc/sudoers create mode 100644 templates/CentOS/8/etc/sudoers.d/session_log.j2 create mode 100644 templates/OracleLinux/10/9/etc/dnf/protected.d/sudo.conf create mode 100644 templates/OracleLinux/10/9/etc/pam.d/sudo create mode 100644 templates/OracleLinux/10/9/etc/pam.d/sudo-i create mode 100644 templates/OracleLinux/10/9/etc/sudo.conf create mode 100644 templates/OracleLinux/10/9/etc/sudoers create mode 100644 templates/OracleLinux/10/9/etc/sudoers.d/session_log.j2 create mode 100644 templates/OracleLinux/10/etc/dnf/protected.d/sudo.conf create mode 100644 templates/OracleLinux/10/etc/pam.d/sudo create mode 100644 templates/OracleLinux/10/etc/pam.d/sudo-i create mode 100644 templates/OracleLinux/10/etc/sudo.conf create mode 100644 templates/OracleLinux/10/etc/sudoers create mode 100644 templates/OracleLinux/10/etc/sudoers.d/session_log.j2 create mode 100644 templates/OracleLinux/8/9/etc/dnf/protected.d/sudo.conf create mode 100644 templates/OracleLinux/8/9/etc/pam.d/sudo create mode 100644 templates/OracleLinux/8/9/etc/pam.d/sudo-i create mode 100644 templates/OracleLinux/8/9/etc/sudo.conf create mode 100644 templates/OracleLinux/8/9/etc/sudoers create mode 100644 templates/OracleLinux/8/9/etc/sudoers.d/session_log.j2 create mode 100644 templates/OracleLinux/8/etc/dnf/protected.d/sudo.conf create mode 100644 templates/OracleLinux/8/etc/pam.d/sudo create mode 100644 templates/OracleLinux/8/etc/pam.d/sudo-i create mode 100644 templates/OracleLinux/8/etc/sudo.conf create mode 100644 templates/OracleLinux/8/etc/sudoers create mode 100644 templates/OracleLinux/8/etc/sudoers.d/session_log.j2 create mode 100644 templates/Rocky/10/9/etc/dnf/protected.d/sudo.conf create mode 100644 templates/Rocky/10/9/etc/pam.d/sudo create mode 100644 templates/Rocky/10/9/etc/pam.d/sudo-i create mode 100644 templates/Rocky/10/9/etc/sudo.conf create mode 100644 templates/Rocky/10/9/etc/sudoers create mode 100644 templates/Rocky/10/9/etc/sudoers.d/session_log.j2 create mode 100644 templates/Rocky/10/etc/dnf/protected.d/sudo.conf create mode 100644 templates/Rocky/10/etc/pam.d/sudo create mode 100644 templates/Rocky/10/etc/pam.d/sudo-i create mode 100644 templates/Rocky/10/etc/sudo.conf create mode 100644 templates/Rocky/10/etc/sudoers create mode 100644 templates/Rocky/10/etc/sudoers.d/session_log.j2 create mode 100644 templates/Rocky/8/9/etc/dnf/protected.d/sudo.conf create mode 100644 templates/Rocky/8/9/etc/pam.d/sudo create mode 100644 templates/Rocky/8/9/etc/pam.d/sudo-i create mode 100644 templates/Rocky/8/9/etc/sudo.conf create mode 100644 templates/Rocky/8/9/etc/sudoers create mode 100644 templates/Rocky/8/9/etc/sudoers.d/session_log.j2 create mode 100644 templates/Rocky/8/etc/dnf/protected.d/sudo.conf create mode 100644 templates/Rocky/8/etc/pam.d/sudo create mode 100644 templates/Rocky/8/etc/pam.d/sudo-i create mode 100644 templates/Rocky/8/etc/sudo.conf create mode 100644 templates/Rocky/8/etc/sudoers create mode 100644 templates/Rocky/8/etc/sudoers.d/session_log.j2 diff --git a/templates/AlmaLinux/10/9/etc/dnf/protected.d/sudo.conf b/templates/AlmaLinux/10/9/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/AlmaLinux/10/9/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/AlmaLinux/10/9/etc/pam.d/sudo b/templates/AlmaLinux/10/9/etc/pam.d/sudo new file mode 100644 index 0000000..fcb7a46 --- /dev/null +++ b/templates/AlmaLinux/10/9/etc/pam.d/sudo @@ -0,0 +1,5 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session include system-auth diff --git a/templates/AlmaLinux/10/9/etc/pam.d/sudo-i b/templates/AlmaLinux/10/9/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/AlmaLinux/10/9/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/AlmaLinux/10/9/etc/sudo.conf b/templates/AlmaLinux/10/9/etc/sudo.conf new file mode 100644 index 0000000..27ccc72 --- /dev/null +++ b/templates/AlmaLinux/10/9/etc/sudo.conf @@ -0,0 +1,124 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/AlmaLinux/10/9/etc/sudoers b/templates/AlmaLinux/10/9/etc/sudoers new file mode 100644 index 0000000..93e02ba --- /dev/null +++ b/templates/AlmaLinux/10/9/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/AlmaLinux/10/9/etc/sudoers.d/session_log.j2 b/templates/AlmaLinux/10/9/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/AlmaLinux/10/9/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/templates/AlmaLinux/10/etc/dnf/protected.d/sudo.conf b/templates/AlmaLinux/10/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/AlmaLinux/10/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/AlmaLinux/10/etc/pam.d/sudo b/templates/AlmaLinux/10/etc/pam.d/sudo new file mode 100644 index 0000000..284b050 --- /dev/null +++ b/templates/AlmaLinux/10/etc/pam.d/sudo @@ -0,0 +1,7 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session optional pam_keyinit.so revoke +session required pam_limits.so +session include system-auth diff --git a/templates/AlmaLinux/10/etc/pam.d/sudo-i b/templates/AlmaLinux/10/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/AlmaLinux/10/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/AlmaLinux/10/etc/sudo.conf b/templates/AlmaLinux/10/etc/sudo.conf new file mode 100644 index 0000000..1c499a7 --- /dev/null +++ b/templates/AlmaLinux/10/etc/sudo.conf @@ -0,0 +1,131 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +#Plugin sudoers_policy sudoers.so +#Plugin sudoers_io sudoers.so +#Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo command interception: +# Path intercept /path/to/sudo_intercept.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that perform a policy check +# to verify the command is allowed and simply return an error if not. +# This is used to implement the "intercept" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_intercept.so file. +# +#Path intercept disabled + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +#Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/AlmaLinux/10/etc/sudoers b/templates/AlmaLinux/10/etc/sudoers new file mode 100644 index 0000000..5f621a8 --- /dev/null +++ b/templates/AlmaLinux/10/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/AlmaLinux/10/etc/sudoers.d/session_log.j2 b/templates/AlmaLinux/10/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/AlmaLinux/10/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/templates/AlmaLinux/8/9/etc/dnf/protected.d/sudo.conf b/templates/AlmaLinux/8/9/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/AlmaLinux/8/9/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/AlmaLinux/8/9/etc/pam.d/sudo b/templates/AlmaLinux/8/9/etc/pam.d/sudo new file mode 100644 index 0000000..fcb7a46 --- /dev/null +++ b/templates/AlmaLinux/8/9/etc/pam.d/sudo @@ -0,0 +1,5 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session include system-auth diff --git a/templates/AlmaLinux/8/9/etc/pam.d/sudo-i b/templates/AlmaLinux/8/9/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/AlmaLinux/8/9/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/AlmaLinux/8/9/etc/sudo.conf b/templates/AlmaLinux/8/9/etc/sudo.conf new file mode 100644 index 0000000..27ccc72 --- /dev/null +++ b/templates/AlmaLinux/8/9/etc/sudo.conf @@ -0,0 +1,124 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/AlmaLinux/8/9/etc/sudoers b/templates/AlmaLinux/8/9/etc/sudoers new file mode 100644 index 0000000..93e02ba --- /dev/null +++ b/templates/AlmaLinux/8/9/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/AlmaLinux/8/9/etc/sudoers.d/session_log.j2 b/templates/AlmaLinux/8/9/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/AlmaLinux/8/9/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/templates/AlmaLinux/8/etc/dnf/protected.d/sudo.conf b/templates/AlmaLinux/8/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/AlmaLinux/8/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/AlmaLinux/8/etc/pam.d/sudo b/templates/AlmaLinux/8/etc/pam.d/sudo new file mode 100644 index 0000000..284b050 --- /dev/null +++ b/templates/AlmaLinux/8/etc/pam.d/sudo @@ -0,0 +1,7 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session optional pam_keyinit.so revoke +session required pam_limits.so +session include system-auth diff --git a/templates/AlmaLinux/8/etc/pam.d/sudo-i b/templates/AlmaLinux/8/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/AlmaLinux/8/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/AlmaLinux/8/etc/sudo.conf b/templates/AlmaLinux/8/etc/sudo.conf new file mode 100644 index 0000000..1c499a7 --- /dev/null +++ b/templates/AlmaLinux/8/etc/sudo.conf @@ -0,0 +1,131 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +#Plugin sudoers_policy sudoers.so +#Plugin sudoers_io sudoers.so +#Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo command interception: +# Path intercept /path/to/sudo_intercept.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that perform a policy check +# to verify the command is allowed and simply return an error if not. +# This is used to implement the "intercept" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_intercept.so file. +# +#Path intercept disabled + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +#Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/AlmaLinux/8/etc/sudoers b/templates/AlmaLinux/8/etc/sudoers new file mode 100644 index 0000000..5f621a8 --- /dev/null +++ b/templates/AlmaLinux/8/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/AlmaLinux/8/etc/sudoers.d/session_log.j2 b/templates/AlmaLinux/8/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/AlmaLinux/8/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/templates/CentOS/10/etc/dnf/protected.d/sudo.conf b/templates/CentOS/10/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/CentOS/10/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/CentOS/10/etc/pam.d/sudo b/templates/CentOS/10/etc/pam.d/sudo new file mode 100644 index 0000000..fcb7a46 --- /dev/null +++ b/templates/CentOS/10/etc/pam.d/sudo @@ -0,0 +1,5 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session include system-auth diff --git a/templates/CentOS/10/etc/pam.d/sudo-i b/templates/CentOS/10/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/CentOS/10/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/CentOS/10/etc/sudo.conf b/templates/CentOS/10/etc/sudo.conf new file mode 100644 index 0000000..27ccc72 --- /dev/null +++ b/templates/CentOS/10/etc/sudo.conf @@ -0,0 +1,124 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/CentOS/10/etc/sudoers b/templates/CentOS/10/etc/sudoers new file mode 100644 index 0000000..93e02ba --- /dev/null +++ b/templates/CentOS/10/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/CentOS/10/etc/sudoers.d/session_log.j2 b/templates/CentOS/10/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/CentOS/10/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/templates/CentOS/8/etc/dnf/protected.d/sudo.conf b/templates/CentOS/8/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/CentOS/8/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/CentOS/8/etc/pam.d/sudo b/templates/CentOS/8/etc/pam.d/sudo new file mode 100644 index 0000000..fcb7a46 --- /dev/null +++ b/templates/CentOS/8/etc/pam.d/sudo @@ -0,0 +1,5 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session include system-auth diff --git a/templates/CentOS/8/etc/pam.d/sudo-i b/templates/CentOS/8/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/CentOS/8/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/CentOS/8/etc/sudo.conf b/templates/CentOS/8/etc/sudo.conf new file mode 100644 index 0000000..27ccc72 --- /dev/null +++ b/templates/CentOS/8/etc/sudo.conf @@ -0,0 +1,124 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/CentOS/8/etc/sudoers b/templates/CentOS/8/etc/sudoers new file mode 100644 index 0000000..93e02ba --- /dev/null +++ b/templates/CentOS/8/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/CentOS/8/etc/sudoers.d/session_log.j2 b/templates/CentOS/8/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/CentOS/8/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/templates/OracleLinux/10/9/etc/dnf/protected.d/sudo.conf b/templates/OracleLinux/10/9/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/OracleLinux/10/9/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/OracleLinux/10/9/etc/pam.d/sudo b/templates/OracleLinux/10/9/etc/pam.d/sudo new file mode 100644 index 0000000..fcb7a46 --- /dev/null +++ b/templates/OracleLinux/10/9/etc/pam.d/sudo @@ -0,0 +1,5 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session include system-auth diff --git a/templates/OracleLinux/10/9/etc/pam.d/sudo-i b/templates/OracleLinux/10/9/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/OracleLinux/10/9/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/OracleLinux/10/9/etc/sudo.conf b/templates/OracleLinux/10/9/etc/sudo.conf new file mode 100644 index 0000000..27ccc72 --- /dev/null +++ b/templates/OracleLinux/10/9/etc/sudo.conf @@ -0,0 +1,124 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/OracleLinux/10/9/etc/sudoers b/templates/OracleLinux/10/9/etc/sudoers new file mode 100644 index 0000000..93e02ba --- /dev/null +++ b/templates/OracleLinux/10/9/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/OracleLinux/10/9/etc/sudoers.d/session_log.j2 b/templates/OracleLinux/10/9/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/OracleLinux/10/9/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/templates/OracleLinux/10/etc/dnf/protected.d/sudo.conf b/templates/OracleLinux/10/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/OracleLinux/10/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/OracleLinux/10/etc/pam.d/sudo b/templates/OracleLinux/10/etc/pam.d/sudo new file mode 100644 index 0000000..284b050 --- /dev/null +++ b/templates/OracleLinux/10/etc/pam.d/sudo @@ -0,0 +1,7 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session optional pam_keyinit.so revoke +session required pam_limits.so +session include system-auth diff --git a/templates/OracleLinux/10/etc/pam.d/sudo-i b/templates/OracleLinux/10/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/OracleLinux/10/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/OracleLinux/10/etc/sudo.conf b/templates/OracleLinux/10/etc/sudo.conf new file mode 100644 index 0000000..1c499a7 --- /dev/null +++ b/templates/OracleLinux/10/etc/sudo.conf @@ -0,0 +1,131 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +#Plugin sudoers_policy sudoers.so +#Plugin sudoers_io sudoers.so +#Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo command interception: +# Path intercept /path/to/sudo_intercept.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that perform a policy check +# to verify the command is allowed and simply return an error if not. +# This is used to implement the "intercept" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_intercept.so file. +# +#Path intercept disabled + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +#Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/OracleLinux/10/etc/sudoers b/templates/OracleLinux/10/etc/sudoers new file mode 100644 index 0000000..5f621a8 --- /dev/null +++ b/templates/OracleLinux/10/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/OracleLinux/10/etc/sudoers.d/session_log.j2 b/templates/OracleLinux/10/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/OracleLinux/10/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/templates/OracleLinux/8/9/etc/dnf/protected.d/sudo.conf b/templates/OracleLinux/8/9/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/OracleLinux/8/9/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/OracleLinux/8/9/etc/pam.d/sudo b/templates/OracleLinux/8/9/etc/pam.d/sudo new file mode 100644 index 0000000..fcb7a46 --- /dev/null +++ b/templates/OracleLinux/8/9/etc/pam.d/sudo @@ -0,0 +1,5 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session include system-auth diff --git a/templates/OracleLinux/8/9/etc/pam.d/sudo-i b/templates/OracleLinux/8/9/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/OracleLinux/8/9/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/OracleLinux/8/9/etc/sudo.conf b/templates/OracleLinux/8/9/etc/sudo.conf new file mode 100644 index 0000000..27ccc72 --- /dev/null +++ b/templates/OracleLinux/8/9/etc/sudo.conf @@ -0,0 +1,124 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/OracleLinux/8/9/etc/sudoers b/templates/OracleLinux/8/9/etc/sudoers new file mode 100644 index 0000000..93e02ba --- /dev/null +++ b/templates/OracleLinux/8/9/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/OracleLinux/8/9/etc/sudoers.d/session_log.j2 b/templates/OracleLinux/8/9/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/OracleLinux/8/9/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/templates/OracleLinux/8/etc/dnf/protected.d/sudo.conf b/templates/OracleLinux/8/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/OracleLinux/8/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/OracleLinux/8/etc/pam.d/sudo b/templates/OracleLinux/8/etc/pam.d/sudo new file mode 100644 index 0000000..284b050 --- /dev/null +++ b/templates/OracleLinux/8/etc/pam.d/sudo @@ -0,0 +1,7 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session optional pam_keyinit.so revoke +session required pam_limits.so +session include system-auth diff --git a/templates/OracleLinux/8/etc/pam.d/sudo-i b/templates/OracleLinux/8/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/OracleLinux/8/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/OracleLinux/8/etc/sudo.conf b/templates/OracleLinux/8/etc/sudo.conf new file mode 100644 index 0000000..1c499a7 --- /dev/null +++ b/templates/OracleLinux/8/etc/sudo.conf @@ -0,0 +1,131 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +#Plugin sudoers_policy sudoers.so +#Plugin sudoers_io sudoers.so +#Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo command interception: +# Path intercept /path/to/sudo_intercept.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that perform a policy check +# to verify the command is allowed and simply return an error if not. +# This is used to implement the "intercept" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_intercept.so file. +# +#Path intercept disabled + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +#Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/OracleLinux/8/etc/sudoers b/templates/OracleLinux/8/etc/sudoers new file mode 100644 index 0000000..5f621a8 --- /dev/null +++ b/templates/OracleLinux/8/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/OracleLinux/8/etc/sudoers.d/session_log.j2 b/templates/OracleLinux/8/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/OracleLinux/8/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/templates/Rocky/10/9/etc/dnf/protected.d/sudo.conf b/templates/Rocky/10/9/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/Rocky/10/9/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/Rocky/10/9/etc/pam.d/sudo b/templates/Rocky/10/9/etc/pam.d/sudo new file mode 100644 index 0000000..fcb7a46 --- /dev/null +++ b/templates/Rocky/10/9/etc/pam.d/sudo @@ -0,0 +1,5 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session include system-auth diff --git a/templates/Rocky/10/9/etc/pam.d/sudo-i b/templates/Rocky/10/9/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/Rocky/10/9/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/Rocky/10/9/etc/sudo.conf b/templates/Rocky/10/9/etc/sudo.conf new file mode 100644 index 0000000..27ccc72 --- /dev/null +++ b/templates/Rocky/10/9/etc/sudo.conf @@ -0,0 +1,124 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Rocky/10/9/etc/sudoers b/templates/Rocky/10/9/etc/sudoers new file mode 100644 index 0000000..93e02ba --- /dev/null +++ b/templates/Rocky/10/9/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/Rocky/10/9/etc/sudoers.d/session_log.j2 b/templates/Rocky/10/9/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/Rocky/10/9/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/templates/Rocky/10/etc/dnf/protected.d/sudo.conf b/templates/Rocky/10/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/Rocky/10/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/Rocky/10/etc/pam.d/sudo b/templates/Rocky/10/etc/pam.d/sudo new file mode 100644 index 0000000..284b050 --- /dev/null +++ b/templates/Rocky/10/etc/pam.d/sudo @@ -0,0 +1,7 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session optional pam_keyinit.so revoke +session required pam_limits.so +session include system-auth diff --git a/templates/Rocky/10/etc/pam.d/sudo-i b/templates/Rocky/10/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/Rocky/10/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/Rocky/10/etc/sudo.conf b/templates/Rocky/10/etc/sudo.conf new file mode 100644 index 0000000..1c499a7 --- /dev/null +++ b/templates/Rocky/10/etc/sudo.conf @@ -0,0 +1,131 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +#Plugin sudoers_policy sudoers.so +#Plugin sudoers_io sudoers.so +#Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo command interception: +# Path intercept /path/to/sudo_intercept.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that perform a policy check +# to verify the command is allowed and simply return an error if not. +# This is used to implement the "intercept" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_intercept.so file. +# +#Path intercept disabled + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +#Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Rocky/10/etc/sudoers b/templates/Rocky/10/etc/sudoers new file mode 100644 index 0000000..5f621a8 --- /dev/null +++ b/templates/Rocky/10/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/Rocky/10/etc/sudoers.d/session_log.j2 b/templates/Rocky/10/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/Rocky/10/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/templates/Rocky/8/9/etc/dnf/protected.d/sudo.conf b/templates/Rocky/8/9/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/Rocky/8/9/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/Rocky/8/9/etc/pam.d/sudo b/templates/Rocky/8/9/etc/pam.d/sudo new file mode 100644 index 0000000..fcb7a46 --- /dev/null +++ b/templates/Rocky/8/9/etc/pam.d/sudo @@ -0,0 +1,5 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session include system-auth diff --git a/templates/Rocky/8/9/etc/pam.d/sudo-i b/templates/Rocky/8/9/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/Rocky/8/9/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/Rocky/8/9/etc/sudo.conf b/templates/Rocky/8/9/etc/sudo.conf new file mode 100644 index 0000000..27ccc72 --- /dev/null +++ b/templates/Rocky/8/9/etc/sudo.conf @@ -0,0 +1,124 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Rocky/8/9/etc/sudoers b/templates/Rocky/8/9/etc/sudoers new file mode 100644 index 0000000..93e02ba --- /dev/null +++ b/templates/Rocky/8/9/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/Rocky/8/9/etc/sudoers.d/session_log.j2 b/templates/Rocky/8/9/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/Rocky/8/9/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/templates/Rocky/8/etc/dnf/protected.d/sudo.conf b/templates/Rocky/8/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/Rocky/8/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/Rocky/8/etc/pam.d/sudo b/templates/Rocky/8/etc/pam.d/sudo new file mode 100644 index 0000000..284b050 --- /dev/null +++ b/templates/Rocky/8/etc/pam.d/sudo @@ -0,0 +1,7 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session optional pam_keyinit.so revoke +session required pam_limits.so +session include system-auth diff --git a/templates/Rocky/8/etc/pam.d/sudo-i b/templates/Rocky/8/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/Rocky/8/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/Rocky/8/etc/sudo.conf b/templates/Rocky/8/etc/sudo.conf new file mode 100644 index 0000000..1c499a7 --- /dev/null +++ b/templates/Rocky/8/etc/sudo.conf @@ -0,0 +1,131 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +#Plugin sudoers_policy sudoers.so +#Plugin sudoers_io sudoers.so +#Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo command interception: +# Path intercept /path/to/sudo_intercept.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that perform a policy check +# to verify the command is allowed and simply return an error if not. +# This is used to implement the "intercept" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_intercept.so file. +# +#Path intercept disabled + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +#Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Rocky/8/etc/sudoers b/templates/Rocky/8/etc/sudoers new file mode 100644 index 0000000..5f621a8 --- /dev/null +++ b/templates/Rocky/8/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/Rocky/8/etc/sudoers.d/session_log.j2 b/templates/Rocky/8/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/Rocky/8/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/vars/AlmaLinux-10-default.yml b/vars/AlmaLinux-10-default.yml index 43b81b6..033c586 100644 --- a/vars/AlmaLinux-10-default.yml +++ b/vars/AlmaLinux-10-default.yml @@ -5,5 +5,36 @@ package_list: state: 'present' - name: 'sudo' state: 'present' +template_list: + - dest: '/etc/dnf/protected.d/sudo.conf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/dnf/protected.d/sudo.conf' + - dest: '/etc/pam.d/sudo' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo' + - dest: '/etc/pam.d/sudo-i' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo-i' + - dest: '/etc/sudo.conf' + group: 'root' + mode: '0640' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudo.conf' + - dest: '/etc/sudoers' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers' + - dest: '/etc/sudoers.d/session_log' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers.d/session_log.j2' ... diff --git a/vars/AlmaLinux-8-default.yml b/vars/AlmaLinux-8-default.yml index 43b81b6..033c586 100644 --- a/vars/AlmaLinux-8-default.yml +++ b/vars/AlmaLinux-8-default.yml @@ -5,5 +5,36 @@ package_list: state: 'present' - name: 'sudo' state: 'present' +template_list: + - dest: '/etc/dnf/protected.d/sudo.conf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/dnf/protected.d/sudo.conf' + - dest: '/etc/pam.d/sudo' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo' + - dest: '/etc/pam.d/sudo-i' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo-i' + - dest: '/etc/sudo.conf' + group: 'root' + mode: '0640' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudo.conf' + - dest: '/etc/sudoers' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers' + - dest: '/etc/sudoers.d/session_log' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers.d/session_log.j2' ... diff --git a/vars/CentOS-10-default.yml b/vars/CentOS-10-default.yml index 43b81b6..033c586 100644 --- a/vars/CentOS-10-default.yml +++ b/vars/CentOS-10-default.yml @@ -5,5 +5,36 @@ package_list: state: 'present' - name: 'sudo' state: 'present' +template_list: + - dest: '/etc/dnf/protected.d/sudo.conf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/dnf/protected.d/sudo.conf' + - dest: '/etc/pam.d/sudo' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo' + - dest: '/etc/pam.d/sudo-i' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo-i' + - dest: '/etc/sudo.conf' + group: 'root' + mode: '0640' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudo.conf' + - dest: '/etc/sudoers' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers' + - dest: '/etc/sudoers.d/session_log' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers.d/session_log.j2' ... diff --git a/vars/CentOS-8-default.yml b/vars/CentOS-8-default.yml index 43b81b6..033c586 100644 --- a/vars/CentOS-8-default.yml +++ b/vars/CentOS-8-default.yml @@ -5,5 +5,36 @@ package_list: state: 'present' - name: 'sudo' state: 'present' +template_list: + - dest: '/etc/dnf/protected.d/sudo.conf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/dnf/protected.d/sudo.conf' + - dest: '/etc/pam.d/sudo' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo' + - dest: '/etc/pam.d/sudo-i' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo-i' + - dest: '/etc/sudo.conf' + group: 'root' + mode: '0640' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudo.conf' + - dest: '/etc/sudoers' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers' + - dest: '/etc/sudoers.d/session_log' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers.d/session_log.j2' ... diff --git a/vars/CentOS-9-default.yml b/vars/CentOS-9-default.yml index 289d0e2..033c586 100644 --- a/vars/CentOS-9-default.yml +++ b/vars/CentOS-9-default.yml @@ -36,3 +36,5 @@ template_list: mode: '0440' owner: 'root' src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers.d/session_log.j2' +... + diff --git a/vars/Fedora-42-default.yml b/vars/Fedora-42-default.yml index 289d0e2..033c586 100644 --- a/vars/Fedora-42-default.yml +++ b/vars/Fedora-42-default.yml @@ -36,3 +36,5 @@ template_list: mode: '0440' owner: 'root' src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers.d/session_log.j2' +... + diff --git a/vars/Fedora-43-default.yml b/vars/Fedora-43-default.yml index 289d0e2..033c586 100644 --- a/vars/Fedora-43-default.yml +++ b/vars/Fedora-43-default.yml @@ -36,3 +36,5 @@ template_list: mode: '0440' owner: 'root' src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers.d/session_log.j2' +... + diff --git a/vars/Fedora-44-default.yml b/vars/Fedora-44-default.yml index 289d0e2..033c586 100644 --- a/vars/Fedora-44-default.yml +++ b/vars/Fedora-44-default.yml @@ -36,3 +36,5 @@ template_list: mode: '0440' owner: 'root' src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers.d/session_log.j2' +... + diff --git a/vars/OracleLinux-10-default.yml b/vars/OracleLinux-10-default.yml index 43b81b6..033c586 100644 --- a/vars/OracleLinux-10-default.yml +++ b/vars/OracleLinux-10-default.yml @@ -5,5 +5,36 @@ package_list: state: 'present' - name: 'sudo' state: 'present' +template_list: + - dest: '/etc/dnf/protected.d/sudo.conf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/dnf/protected.d/sudo.conf' + - dest: '/etc/pam.d/sudo' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo' + - dest: '/etc/pam.d/sudo-i' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo-i' + - dest: '/etc/sudo.conf' + group: 'root' + mode: '0640' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudo.conf' + - dest: '/etc/sudoers' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers' + - dest: '/etc/sudoers.d/session_log' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers.d/session_log.j2' ... diff --git a/vars/OracleLinux-8-default.yml b/vars/OracleLinux-8-default.yml index 43b81b6..033c586 100644 --- a/vars/OracleLinux-8-default.yml +++ b/vars/OracleLinux-8-default.yml @@ -5,5 +5,36 @@ package_list: state: 'present' - name: 'sudo' state: 'present' +template_list: + - dest: '/etc/dnf/protected.d/sudo.conf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/dnf/protected.d/sudo.conf' + - dest: '/etc/pam.d/sudo' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo' + - dest: '/etc/pam.d/sudo-i' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo-i' + - dest: '/etc/sudo.conf' + group: 'root' + mode: '0640' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudo.conf' + - dest: '/etc/sudoers' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers' + - dest: '/etc/sudoers.d/session_log' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers.d/session_log.j2' ... diff --git a/vars/OracleLinux-9-default.yml b/vars/OracleLinux-9-default.yml index 289d0e2..033c586 100644 --- a/vars/OracleLinux-9-default.yml +++ b/vars/OracleLinux-9-default.yml @@ -36,3 +36,5 @@ template_list: mode: '0440' owner: 'root' src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers.d/session_log.j2' +... + diff --git a/vars/Rocky-10-default.yml b/vars/Rocky-10-default.yml index 43b81b6..033c586 100644 --- a/vars/Rocky-10-default.yml +++ b/vars/Rocky-10-default.yml @@ -5,5 +5,36 @@ package_list: state: 'present' - name: 'sudo' state: 'present' +template_list: + - dest: '/etc/dnf/protected.d/sudo.conf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/dnf/protected.d/sudo.conf' + - dest: '/etc/pam.d/sudo' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo' + - dest: '/etc/pam.d/sudo-i' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo-i' + - dest: '/etc/sudo.conf' + group: 'root' + mode: '0640' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudo.conf' + - dest: '/etc/sudoers' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers' + - dest: '/etc/sudoers.d/session_log' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers.d/session_log.j2' ... diff --git a/vars/Rocky-8-default.yml b/vars/Rocky-8-default.yml index 43b81b6..033c586 100644 --- a/vars/Rocky-8-default.yml +++ b/vars/Rocky-8-default.yml @@ -5,5 +5,36 @@ package_list: state: 'present' - name: 'sudo' state: 'present' +template_list: + - dest: '/etc/dnf/protected.d/sudo.conf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/dnf/protected.d/sudo.conf' + - dest: '/etc/pam.d/sudo' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo' + - dest: '/etc/pam.d/sudo-i' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/pam.d/sudo-i' + - dest: '/etc/sudo.conf' + group: 'root' + mode: '0640' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudo.conf' + - dest: '/etc/sudoers' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers' + - dest: '/etc/sudoers.d/session_log' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers.d/session_log.j2' ... diff --git a/vars/Rocky-9-default.yml b/vars/Rocky-9-default.yml index 289d0e2..033c586 100644 --- a/vars/Rocky-9-default.yml +++ b/vars/Rocky-9-default.yml @@ -36,3 +36,5 @@ template_list: mode: '0440' owner: 'root' src: '{{ ansible_facts["distribution"] }}/{{ ansible_facts["distribution_major_version"] }}/etc/sudoers.d/session_log.j2' +... + From c729488227218b04fed5f117b7d642498445f40c Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Tue, 5 May 2026 18:39:01 -0500 Subject: [PATCH 36/40] Fix Fedora 42 sudo.conf Signed-off-by: Jason Rothstein --- templates/Fedora/42/etc/sudo.conf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/templates/Fedora/42/etc/sudo.conf b/templates/Fedora/42/etc/sudo.conf index 1c499a7..a4d5104 100644 --- a/templates/Fedora/42/etc/sudo.conf +++ b/templates/Fedora/42/etc/sudo.conf @@ -43,10 +43,10 @@ # Path intercept /path/to/sudo_intercept.so # # Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. +# execve() and fexecve() library functions, which perform a policy +# check to verify whether the command is allowed and simply return +# an error if it is not. This is used to implement the "intercept" +# functionality on systems that support LD_PRELOAD or its equivalent. # # The compiled-in value is usually sufficient and should only be changed # if you rename or move the sudo_intercept.so file. @@ -72,7 +72,7 @@ # Path plugin_dir /path/to/plugins # # The default directory to use when searching for plugins that are -# specified without a fully qualified path name. +# specified without a fully-qualified path name. # #Path plugin_dir /usr/libexec/sudo From 39e701a0bfd3b01f8cd942ec438c74e1b3027ccd Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Tue, 5 May 2026 18:40:22 -0500 Subject: [PATCH 37/40] Fix fedora 43 sudo.conf Signed-off-by: Jason Rothstein --- templates/Fedora/43/etc/sudo.conf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/templates/Fedora/43/etc/sudo.conf b/templates/Fedora/43/etc/sudo.conf index 1c499a7..a4d5104 100644 --- a/templates/Fedora/43/etc/sudo.conf +++ b/templates/Fedora/43/etc/sudo.conf @@ -43,10 +43,10 @@ # Path intercept /path/to/sudo_intercept.so # # Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. +# execve() and fexecve() library functions, which perform a policy +# check to verify whether the command is allowed and simply return +# an error if it is not. This is used to implement the "intercept" +# functionality on systems that support LD_PRELOAD or its equivalent. # # The compiled-in value is usually sufficient and should only be changed # if you rename or move the sudo_intercept.so file. @@ -72,7 +72,7 @@ # Path plugin_dir /path/to/plugins # # The default directory to use when searching for plugins that are -# specified without a fully qualified path name. +# specified without a fully-qualified path name. # #Path plugin_dir /usr/libexec/sudo From 28bb67975e6928e0dd1f04ddecbd6d71044d3ad7 Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Tue, 5 May 2026 18:40:50 -0500 Subject: [PATCH 38/40] Fix fedora 44 sudo.conf Signed-off-by: Jason Rothstein --- templates/Fedora/44/etc/sudo.conf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/templates/Fedora/44/etc/sudo.conf b/templates/Fedora/44/etc/sudo.conf index 1c499a7..a4d5104 100644 --- a/templates/Fedora/44/etc/sudo.conf +++ b/templates/Fedora/44/etc/sudo.conf @@ -43,10 +43,10 @@ # Path intercept /path/to/sudo_intercept.so # # Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. +# execve() and fexecve() library functions, which perform a policy +# check to verify whether the command is allowed and simply return +# an error if it is not. This is used to implement the "intercept" +# functionality on systems that support LD_PRELOAD or its equivalent. # # The compiled-in value is usually sufficient and should only be changed # if you rename or move the sudo_intercept.so file. @@ -72,7 +72,7 @@ # Path plugin_dir /path/to/plugins # # The default directory to use when searching for plugins that are -# specified without a fully qualified path name. +# specified without a fully-qualified path name. # #Path plugin_dir /usr/libexec/sudo From 6482720e07eaa20364a2fc1c736db84df398097c Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Tue, 5 May 2026 22:53:32 -0500 Subject: [PATCH 39/40] First pass fix the sudo files for EL Signed-off-by: Jason Rothstein --- .../10/9/etc/dnf/protected.d/sudo.conf | 1 - templates/AlmaLinux/10/9/etc/pam.d/sudo | 5 - templates/AlmaLinux/10/9/etc/pam.d/sudo-i | 6 - templates/AlmaLinux/10/9/etc/sudo.conf | 124 ------------------ templates/AlmaLinux/10/9/etc/sudoers | 120 ----------------- .../10/9/etc/sudoers.d/session_log.j2 | 6 - templates/AlmaLinux/10/etc/pam.d/sudo | 2 - templates/AlmaLinux/10/etc/sudo.conf | 35 ++--- templates/AlmaLinux/10/etc/sudoers | 4 +- .../8/9/etc/dnf/protected.d/sudo.conf | 1 - templates/AlmaLinux/8/9/etc/pam.d/sudo | 5 - templates/AlmaLinux/8/9/etc/pam.d/sudo-i | 6 - templates/AlmaLinux/8/9/etc/sudo.conf | 124 ------------------ templates/AlmaLinux/8/9/etc/sudoers | 120 ----------------- .../8/9/etc/sudoers.d/session_log.j2 | 6 - templates/AlmaLinux/8/etc/pam.d/sudo | 2 - templates/AlmaLinux/8/etc/sudo.conf | 35 ++--- templates/AlmaLinux/8/etc/sudoers | 4 +- .../9/9/etc/dnf/protected.d/sudo.conf | 1 - templates/AlmaLinux/9/9/etc/pam.d/sudo | 5 - templates/AlmaLinux/9/9/etc/pam.d/sudo-i | 6 - templates/AlmaLinux/9/9/etc/sudo.conf | 124 ------------------ templates/AlmaLinux/9/9/etc/sudoers | 120 ----------------- .../9/9/etc/sudoers.d/session_log.j2 | 6 - templates/AlmaLinux/9/etc/pam.d/sudo | 2 - templates/AlmaLinux/9/etc/sudo.conf | 35 ++--- templates/AlmaLinux/9/etc/sudoers | 4 +- templates/OracleLinux/10/etc/pam.d/sudo | 2 - templates/OracleLinux/10/etc/sudo.conf | 35 ++--- templates/OracleLinux/10/etc/sudoers | 4 +- templates/OracleLinux/8/etc/pam.d/sudo | 2 - templates/OracleLinux/8/etc/sudo.conf | 35 ++--- templates/OracleLinux/8/etc/sudoers | 4 +- templates/OracleLinux/9/etc/pam.d/sudo | 2 - templates/OracleLinux/9/etc/sudo.conf | 35 ++--- templates/OracleLinux/9/etc/sudoers | 4 +- templates/Rocky/10/etc/pam.d/sudo | 2 - templates/Rocky/10/etc/sudo.conf | 35 ++--- templates/Rocky/10/etc/sudoers | 4 +- templates/Rocky/8/etc/pam.d/sudo | 2 - templates/Rocky/8/etc/sudo.conf | 35 ++--- templates/Rocky/8/etc/sudoers | 4 +- templates/Rocky/9/etc/pam.d/sudo | 2 - templates/Rocky/9/etc/sudo.conf | 35 ++--- templates/Rocky/9/etc/sudoers | 4 +- 45 files changed, 144 insertions(+), 1011 deletions(-) delete mode 100644 templates/AlmaLinux/10/9/etc/dnf/protected.d/sudo.conf delete mode 100644 templates/AlmaLinux/10/9/etc/pam.d/sudo delete mode 100644 templates/AlmaLinux/10/9/etc/pam.d/sudo-i delete mode 100644 templates/AlmaLinux/10/9/etc/sudo.conf delete mode 100644 templates/AlmaLinux/10/9/etc/sudoers delete mode 100644 templates/AlmaLinux/10/9/etc/sudoers.d/session_log.j2 delete mode 100644 templates/AlmaLinux/8/9/etc/dnf/protected.d/sudo.conf delete mode 100644 templates/AlmaLinux/8/9/etc/pam.d/sudo delete mode 100644 templates/AlmaLinux/8/9/etc/pam.d/sudo-i delete mode 100644 templates/AlmaLinux/8/9/etc/sudo.conf delete mode 100644 templates/AlmaLinux/8/9/etc/sudoers delete mode 100644 templates/AlmaLinux/8/9/etc/sudoers.d/session_log.j2 delete mode 100644 templates/AlmaLinux/9/9/etc/dnf/protected.d/sudo.conf delete mode 100644 templates/AlmaLinux/9/9/etc/pam.d/sudo delete mode 100644 templates/AlmaLinux/9/9/etc/pam.d/sudo-i delete mode 100644 templates/AlmaLinux/9/9/etc/sudo.conf delete mode 100644 templates/AlmaLinux/9/9/etc/sudoers delete mode 100644 templates/AlmaLinux/9/9/etc/sudoers.d/session_log.j2 diff --git a/templates/AlmaLinux/10/9/etc/dnf/protected.d/sudo.conf b/templates/AlmaLinux/10/9/etc/dnf/protected.d/sudo.conf deleted file mode 100644 index 7864d0d..0000000 --- a/templates/AlmaLinux/10/9/etc/dnf/protected.d/sudo.conf +++ /dev/null @@ -1 +0,0 @@ -sudo diff --git a/templates/AlmaLinux/10/9/etc/pam.d/sudo b/templates/AlmaLinux/10/9/etc/pam.d/sudo deleted file mode 100644 index fcb7a46..0000000 --- a/templates/AlmaLinux/10/9/etc/pam.d/sudo +++ /dev/null @@ -1,5 +0,0 @@ -#%PAM-1.0 -auth include system-auth -account include system-auth -password include system-auth -session include system-auth diff --git a/templates/AlmaLinux/10/9/etc/pam.d/sudo-i b/templates/AlmaLinux/10/9/etc/pam.d/sudo-i deleted file mode 100644 index 3c63733..0000000 --- a/templates/AlmaLinux/10/9/etc/pam.d/sudo-i +++ /dev/null @@ -1,6 +0,0 @@ -#%PAM-1.0 -auth include sudo -account include sudo -password include sudo -session optional pam_keyinit.so force revoke -session include sudo diff --git a/templates/AlmaLinux/10/9/etc/sudo.conf b/templates/AlmaLinux/10/9/etc/sudo.conf deleted file mode 100644 index 27ccc72..0000000 --- a/templates/AlmaLinux/10/9/etc/sudo.conf +++ /dev/null @@ -1,124 +0,0 @@ -# -# Default /etc/sudo.conf file -# -# Sudo plugins: -# Plugin plugin_name plugin_path plugin_options ... -# -# The plugin_path is relative to /usr/libexec/sudo unless -# fully qualified. -# The plugin_name corresponds to a global symbol in the plugin -# that contains the plugin interface structure. -# The plugin_options are optional. -# -# The sudoers plugin is used by default if no Plugin lines are present. -Plugin sudoers_policy sudoers.so -Plugin sudoers_io sudoers.so -Plugin sudoers_audit sudoers.so - -# -# Sudo askpass: -# Path askpass /path/to/askpass -# -# An askpass helper program may be specified to provide a graphical -# password prompt for "sudo -A" support. Sudo does not ship with its -# own askpass program but can use the OpenSSH askpass. -# -# Use the OpenSSH askpass -#Path askpass /usr/X11R6/bin/ssh-askpass -# -# Use the Gnome OpenSSH askpass -#Path askpass /usr/libexec/openssh/gnome-ssh-askpass - -# -# Sudo device search path: -# Path devsearch /dev/path1:/dev/path2:/dev -# -# A colon-separated list of paths to check when searching for a user's -# terminal device. -# -#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev - -# -# Sudo noexec: -# Path noexec /path/to/sudo_noexec.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that just return an error. -# This is used to implement the "noexec" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_noexec.so file. -# -#Path noexec /usr/libexec/sudo/sudo_noexec.so - -# -# Sudo plugin directory: -# Path plugin_dir /path/to/plugins -# -# The default directory to use when searching for plugins that are -# specified without a fully qualified path name. -# -#Path plugin_dir /usr/libexec/sudo - -# -# Sudo developer mode: -# Set developer_mode true|false -# -# Allow loading of plugins that are owned by non-root or are writable -# by "group" or "other". Should only be used during plugin development. -#Set developer_mode true - -# -# Core dumps: -# Set disable_coredump true|false -# -# By default, sudo disables core dumps while it is executing (they -# are re-enabled for the command that is run). -# To aid in debugging sudo problems, you may wish to enable core -# dumps by setting "disable_coredump" to false. -# -Set disable_coredump false - -# -# User groups: -# Set group_source static|dynamic|adaptive -# -# Sudo passes the user's group list to the policy plugin. -# If the user is a member of the maximum number of groups (usually 16), -# sudo will query the group database directly to be sure to include -# the full list of groups. -# -# On some systems, this can be expensive so the behavior is configurable. -# The "group_source" setting has three possible values: -# static - use the user's list of groups returned by the kernel. -# dynamic - query the group database to find the list of groups. -# adaptive - if user is in less than the maximum number of groups. -# use the kernel list, else query the group database. -# -#Set group_source static - -# -# Sudo interface probing: -# Set probe_interfaces true|false -# -# By default, sudo will probe the system's network interfaces and -# pass the IP address of each enabled interface to the policy plugin. -# On systems with a large number of virtual interfaces this may take -# a noticeable amount of time. -# -#Set probe_interfaces false - -# -# Sudo debug files: -# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] -# -# Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay or visudo. -# -# Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace or debug. -# Multiple subsystem@priority may be specified, separated by a comma. -# -#Debug sudo /var/log/sudo_debug all@debug -#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/AlmaLinux/10/9/etc/sudoers b/templates/AlmaLinux/10/9/etc/sudoers deleted file mode 100644 index 93e02ba..0000000 --- a/templates/AlmaLinux/10/9/etc/sudoers +++ /dev/null @@ -1,120 +0,0 @@ -## Sudoers allows particular users to run various commands as -## the root user, without needing the root password. -## -## Examples are provided at the bottom of the file for collections -## of related commands, which can then be delegated out to particular -## users or groups. -## -## This file must be edited with the 'visudo' command. - -## Host Aliases -## Groups of machines. You may prefer to use hostnames (perhaps using -## wildcards for entire domains) or IP addresses instead. -# Host_Alias FILESERVERS = fs1, fs2 -# Host_Alias MAILSERVERS = smtp, smtp2 - -## User Aliases -## These aren't often necessary, as you can use regular groups -## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname -## rather than USERALIAS -# User_Alias ADMINS = jsmith, mikem - - -## Command Aliases -## These are groups of related commands... - -## Networking -# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool - -## Installation and management of software -# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum - -## Services -# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable - -## Updating the locate database -# Cmnd_Alias LOCATE = /usr/bin/updatedb - -## Storage -# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount - -## Delegating permissions -# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp - -## Processes -# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall - -## Drivers -# Cmnd_Alias DRIVERS = /sbin/modprobe - -# Defaults specification - -# -# Refuse to run if unable to disable echo on the tty. -# -Defaults !visiblepw - -# -# Preserving HOME has security implications since many programs -# use it when searching for configuration files. Note that HOME -# is already set when the the env_reset option is enabled, so -# this option is only effective for configurations where either -# env_reset is disabled or HOME is present in the env_keep list. -# -Defaults always_set_home -Defaults match_group_by_gid - -# Prior to version 1.8.15, groups listed in sudoers that were not -# found in the system group database were passed to the group -# plugin, if any. Starting with 1.8.15, only groups of the form -# %:group are resolved via the group plugin by default. -# We enable always_query_group_plugin to restore old behavior. -# Disable this option for new behavior. -Defaults always_query_group_plugin - -Defaults env_reset -Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" -Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" -Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" -Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" - -# -# Adding HOME to env_keep may enable a user to run unrestricted -# commands via sudo. -# -# Defaults env_keep += "HOME" - -Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin - -## Next comes the main part: which users can run what software on -## which machines (the sudoers file can be shared between multiple -## systems). -## Syntax: -## -## user MACHINE=COMMANDS -## -## The COMMANDS section may have other options added to it. -## -## Allow root to run any commands anywhere -root ALL=(ALL) ALL - -## Allows members of the 'sys' group to run networking, software, -## service management apps and more. -# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS - -## Allows people in group wheel to run all commands -%wheel ALL=(ALL) ALL - -## Same thing without a password -# %wheel ALL=(ALL) NOPASSWD: ALL - -## Allows members of the users group to mount and unmount the -## cdrom as root -# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom - -## Allows members of the users group to shutdown this system -# %users localhost=/sbin/shutdown -h now - -## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) -#includedir /etc/sudoers.d diff --git a/templates/AlmaLinux/10/9/etc/sudoers.d/session_log.j2 b/templates/AlmaLinux/10/9/etc/sudoers.d/session_log.j2 deleted file mode 100644 index 1b6d27d..0000000 --- a/templates/AlmaLinux/10/9/etc/sudoers.d/session_log.j2 +++ /dev/null @@ -1,6 +0,0 @@ -# -# {{ ansible_managed }} -# -Defaults log_input -Defaults log_output - diff --git a/templates/AlmaLinux/10/etc/pam.d/sudo b/templates/AlmaLinux/10/etc/pam.d/sudo index 284b050..fcb7a46 100644 --- a/templates/AlmaLinux/10/etc/pam.d/sudo +++ b/templates/AlmaLinux/10/etc/pam.d/sudo @@ -2,6 +2,4 @@ auth include system-auth account include system-auth password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so session include system-auth diff --git a/templates/AlmaLinux/10/etc/sudo.conf b/templates/AlmaLinux/10/etc/sudo.conf index 1c499a7..27ccc72 100644 --- a/templates/AlmaLinux/10/etc/sudo.conf +++ b/templates/AlmaLinux/10/etc/sudo.conf @@ -11,9 +11,9 @@ # The plugin_options are optional. # # The sudoers plugin is used by default if no Plugin lines are present. -#Plugin sudoers_policy sudoers.so -#Plugin sudoers_io sudoers.so -#Plugin sudoers_audit sudoers.so +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so # # Sudo askpass: @@ -38,21 +38,6 @@ # #Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev -# -# Sudo command interception: -# Path intercept /path/to/sudo_intercept.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_intercept.so file. -# -#Path intercept disabled - # # Sudo noexec: # Path noexec /path/to/sudo_noexec.so @@ -76,6 +61,14 @@ # #Path plugin_dir /usr/libexec/sudo +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + # # Core dumps: # Set disable_coredump true|false @@ -85,7 +78,7 @@ # To aid in debugging sudo problems, you may wish to enable core # dumps by setting "disable_coredump" to false. # -#Set disable_coredump false +Set disable_coredump false # # User groups: @@ -121,10 +114,10 @@ # Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] # # Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. # # Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. # Multiple subsystem@priority may be specified, separated by a comma. # #Debug sudo /var/log/sudo_debug all@debug diff --git a/templates/AlmaLinux/10/etc/sudoers b/templates/AlmaLinux/10/etc/sudoers index 5f621a8..93e02ba 100644 --- a/templates/AlmaLinux/10/etc/sudoers +++ b/templates/AlmaLinux/10/etc/sudoers @@ -74,7 +74,7 @@ Defaults always_query_group_plugin Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" @@ -85,7 +85,7 @@ Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY # # Defaults env_keep += "HOME" -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple diff --git a/templates/AlmaLinux/8/9/etc/dnf/protected.d/sudo.conf b/templates/AlmaLinux/8/9/etc/dnf/protected.d/sudo.conf deleted file mode 100644 index 7864d0d..0000000 --- a/templates/AlmaLinux/8/9/etc/dnf/protected.d/sudo.conf +++ /dev/null @@ -1 +0,0 @@ -sudo diff --git a/templates/AlmaLinux/8/9/etc/pam.d/sudo b/templates/AlmaLinux/8/9/etc/pam.d/sudo deleted file mode 100644 index fcb7a46..0000000 --- a/templates/AlmaLinux/8/9/etc/pam.d/sudo +++ /dev/null @@ -1,5 +0,0 @@ -#%PAM-1.0 -auth include system-auth -account include system-auth -password include system-auth -session include system-auth diff --git a/templates/AlmaLinux/8/9/etc/pam.d/sudo-i b/templates/AlmaLinux/8/9/etc/pam.d/sudo-i deleted file mode 100644 index 3c63733..0000000 --- a/templates/AlmaLinux/8/9/etc/pam.d/sudo-i +++ /dev/null @@ -1,6 +0,0 @@ -#%PAM-1.0 -auth include sudo -account include sudo -password include sudo -session optional pam_keyinit.so force revoke -session include sudo diff --git a/templates/AlmaLinux/8/9/etc/sudo.conf b/templates/AlmaLinux/8/9/etc/sudo.conf deleted file mode 100644 index 27ccc72..0000000 --- a/templates/AlmaLinux/8/9/etc/sudo.conf +++ /dev/null @@ -1,124 +0,0 @@ -# -# Default /etc/sudo.conf file -# -# Sudo plugins: -# Plugin plugin_name plugin_path plugin_options ... -# -# The plugin_path is relative to /usr/libexec/sudo unless -# fully qualified. -# The plugin_name corresponds to a global symbol in the plugin -# that contains the plugin interface structure. -# The plugin_options are optional. -# -# The sudoers plugin is used by default if no Plugin lines are present. -Plugin sudoers_policy sudoers.so -Plugin sudoers_io sudoers.so -Plugin sudoers_audit sudoers.so - -# -# Sudo askpass: -# Path askpass /path/to/askpass -# -# An askpass helper program may be specified to provide a graphical -# password prompt for "sudo -A" support. Sudo does not ship with its -# own askpass program but can use the OpenSSH askpass. -# -# Use the OpenSSH askpass -#Path askpass /usr/X11R6/bin/ssh-askpass -# -# Use the Gnome OpenSSH askpass -#Path askpass /usr/libexec/openssh/gnome-ssh-askpass - -# -# Sudo device search path: -# Path devsearch /dev/path1:/dev/path2:/dev -# -# A colon-separated list of paths to check when searching for a user's -# terminal device. -# -#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev - -# -# Sudo noexec: -# Path noexec /path/to/sudo_noexec.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that just return an error. -# This is used to implement the "noexec" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_noexec.so file. -# -#Path noexec /usr/libexec/sudo/sudo_noexec.so - -# -# Sudo plugin directory: -# Path plugin_dir /path/to/plugins -# -# The default directory to use when searching for plugins that are -# specified without a fully qualified path name. -# -#Path plugin_dir /usr/libexec/sudo - -# -# Sudo developer mode: -# Set developer_mode true|false -# -# Allow loading of plugins that are owned by non-root or are writable -# by "group" or "other". Should only be used during plugin development. -#Set developer_mode true - -# -# Core dumps: -# Set disable_coredump true|false -# -# By default, sudo disables core dumps while it is executing (they -# are re-enabled for the command that is run). -# To aid in debugging sudo problems, you may wish to enable core -# dumps by setting "disable_coredump" to false. -# -Set disable_coredump false - -# -# User groups: -# Set group_source static|dynamic|adaptive -# -# Sudo passes the user's group list to the policy plugin. -# If the user is a member of the maximum number of groups (usually 16), -# sudo will query the group database directly to be sure to include -# the full list of groups. -# -# On some systems, this can be expensive so the behavior is configurable. -# The "group_source" setting has three possible values: -# static - use the user's list of groups returned by the kernel. -# dynamic - query the group database to find the list of groups. -# adaptive - if user is in less than the maximum number of groups. -# use the kernel list, else query the group database. -# -#Set group_source static - -# -# Sudo interface probing: -# Set probe_interfaces true|false -# -# By default, sudo will probe the system's network interfaces and -# pass the IP address of each enabled interface to the policy plugin. -# On systems with a large number of virtual interfaces this may take -# a noticeable amount of time. -# -#Set probe_interfaces false - -# -# Sudo debug files: -# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] -# -# Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay or visudo. -# -# Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace or debug. -# Multiple subsystem@priority may be specified, separated by a comma. -# -#Debug sudo /var/log/sudo_debug all@debug -#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/AlmaLinux/8/9/etc/sudoers b/templates/AlmaLinux/8/9/etc/sudoers deleted file mode 100644 index 93e02ba..0000000 --- a/templates/AlmaLinux/8/9/etc/sudoers +++ /dev/null @@ -1,120 +0,0 @@ -## Sudoers allows particular users to run various commands as -## the root user, without needing the root password. -## -## Examples are provided at the bottom of the file for collections -## of related commands, which can then be delegated out to particular -## users or groups. -## -## This file must be edited with the 'visudo' command. - -## Host Aliases -## Groups of machines. You may prefer to use hostnames (perhaps using -## wildcards for entire domains) or IP addresses instead. -# Host_Alias FILESERVERS = fs1, fs2 -# Host_Alias MAILSERVERS = smtp, smtp2 - -## User Aliases -## These aren't often necessary, as you can use regular groups -## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname -## rather than USERALIAS -# User_Alias ADMINS = jsmith, mikem - - -## Command Aliases -## These are groups of related commands... - -## Networking -# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool - -## Installation and management of software -# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum - -## Services -# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable - -## Updating the locate database -# Cmnd_Alias LOCATE = /usr/bin/updatedb - -## Storage -# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount - -## Delegating permissions -# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp - -## Processes -# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall - -## Drivers -# Cmnd_Alias DRIVERS = /sbin/modprobe - -# Defaults specification - -# -# Refuse to run if unable to disable echo on the tty. -# -Defaults !visiblepw - -# -# Preserving HOME has security implications since many programs -# use it when searching for configuration files. Note that HOME -# is already set when the the env_reset option is enabled, so -# this option is only effective for configurations where either -# env_reset is disabled or HOME is present in the env_keep list. -# -Defaults always_set_home -Defaults match_group_by_gid - -# Prior to version 1.8.15, groups listed in sudoers that were not -# found in the system group database were passed to the group -# plugin, if any. Starting with 1.8.15, only groups of the form -# %:group are resolved via the group plugin by default. -# We enable always_query_group_plugin to restore old behavior. -# Disable this option for new behavior. -Defaults always_query_group_plugin - -Defaults env_reset -Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" -Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" -Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" -Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" - -# -# Adding HOME to env_keep may enable a user to run unrestricted -# commands via sudo. -# -# Defaults env_keep += "HOME" - -Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin - -## Next comes the main part: which users can run what software on -## which machines (the sudoers file can be shared between multiple -## systems). -## Syntax: -## -## user MACHINE=COMMANDS -## -## The COMMANDS section may have other options added to it. -## -## Allow root to run any commands anywhere -root ALL=(ALL) ALL - -## Allows members of the 'sys' group to run networking, software, -## service management apps and more. -# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS - -## Allows people in group wheel to run all commands -%wheel ALL=(ALL) ALL - -## Same thing without a password -# %wheel ALL=(ALL) NOPASSWD: ALL - -## Allows members of the users group to mount and unmount the -## cdrom as root -# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom - -## Allows members of the users group to shutdown this system -# %users localhost=/sbin/shutdown -h now - -## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) -#includedir /etc/sudoers.d diff --git a/templates/AlmaLinux/8/9/etc/sudoers.d/session_log.j2 b/templates/AlmaLinux/8/9/etc/sudoers.d/session_log.j2 deleted file mode 100644 index 1b6d27d..0000000 --- a/templates/AlmaLinux/8/9/etc/sudoers.d/session_log.j2 +++ /dev/null @@ -1,6 +0,0 @@ -# -# {{ ansible_managed }} -# -Defaults log_input -Defaults log_output - diff --git a/templates/AlmaLinux/8/etc/pam.d/sudo b/templates/AlmaLinux/8/etc/pam.d/sudo index 284b050..fcb7a46 100644 --- a/templates/AlmaLinux/8/etc/pam.d/sudo +++ b/templates/AlmaLinux/8/etc/pam.d/sudo @@ -2,6 +2,4 @@ auth include system-auth account include system-auth password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so session include system-auth diff --git a/templates/AlmaLinux/8/etc/sudo.conf b/templates/AlmaLinux/8/etc/sudo.conf index 1c499a7..27ccc72 100644 --- a/templates/AlmaLinux/8/etc/sudo.conf +++ b/templates/AlmaLinux/8/etc/sudo.conf @@ -11,9 +11,9 @@ # The plugin_options are optional. # # The sudoers plugin is used by default if no Plugin lines are present. -#Plugin sudoers_policy sudoers.so -#Plugin sudoers_io sudoers.so -#Plugin sudoers_audit sudoers.so +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so # # Sudo askpass: @@ -38,21 +38,6 @@ # #Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev -# -# Sudo command interception: -# Path intercept /path/to/sudo_intercept.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_intercept.so file. -# -#Path intercept disabled - # # Sudo noexec: # Path noexec /path/to/sudo_noexec.so @@ -76,6 +61,14 @@ # #Path plugin_dir /usr/libexec/sudo +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + # # Core dumps: # Set disable_coredump true|false @@ -85,7 +78,7 @@ # To aid in debugging sudo problems, you may wish to enable core # dumps by setting "disable_coredump" to false. # -#Set disable_coredump false +Set disable_coredump false # # User groups: @@ -121,10 +114,10 @@ # Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] # # Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. # # Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. # Multiple subsystem@priority may be specified, separated by a comma. # #Debug sudo /var/log/sudo_debug all@debug diff --git a/templates/AlmaLinux/8/etc/sudoers b/templates/AlmaLinux/8/etc/sudoers index 5f621a8..93e02ba 100644 --- a/templates/AlmaLinux/8/etc/sudoers +++ b/templates/AlmaLinux/8/etc/sudoers @@ -74,7 +74,7 @@ Defaults always_query_group_plugin Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" @@ -85,7 +85,7 @@ Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY # # Defaults env_keep += "HOME" -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple diff --git a/templates/AlmaLinux/9/9/etc/dnf/protected.d/sudo.conf b/templates/AlmaLinux/9/9/etc/dnf/protected.d/sudo.conf deleted file mode 100644 index 7864d0d..0000000 --- a/templates/AlmaLinux/9/9/etc/dnf/protected.d/sudo.conf +++ /dev/null @@ -1 +0,0 @@ -sudo diff --git a/templates/AlmaLinux/9/9/etc/pam.d/sudo b/templates/AlmaLinux/9/9/etc/pam.d/sudo deleted file mode 100644 index fcb7a46..0000000 --- a/templates/AlmaLinux/9/9/etc/pam.d/sudo +++ /dev/null @@ -1,5 +0,0 @@ -#%PAM-1.0 -auth include system-auth -account include system-auth -password include system-auth -session include system-auth diff --git a/templates/AlmaLinux/9/9/etc/pam.d/sudo-i b/templates/AlmaLinux/9/9/etc/pam.d/sudo-i deleted file mode 100644 index 3c63733..0000000 --- a/templates/AlmaLinux/9/9/etc/pam.d/sudo-i +++ /dev/null @@ -1,6 +0,0 @@ -#%PAM-1.0 -auth include sudo -account include sudo -password include sudo -session optional pam_keyinit.so force revoke -session include sudo diff --git a/templates/AlmaLinux/9/9/etc/sudo.conf b/templates/AlmaLinux/9/9/etc/sudo.conf deleted file mode 100644 index 27ccc72..0000000 --- a/templates/AlmaLinux/9/9/etc/sudo.conf +++ /dev/null @@ -1,124 +0,0 @@ -# -# Default /etc/sudo.conf file -# -# Sudo plugins: -# Plugin plugin_name plugin_path plugin_options ... -# -# The plugin_path is relative to /usr/libexec/sudo unless -# fully qualified. -# The plugin_name corresponds to a global symbol in the plugin -# that contains the plugin interface structure. -# The plugin_options are optional. -# -# The sudoers plugin is used by default if no Plugin lines are present. -Plugin sudoers_policy sudoers.so -Plugin sudoers_io sudoers.so -Plugin sudoers_audit sudoers.so - -# -# Sudo askpass: -# Path askpass /path/to/askpass -# -# An askpass helper program may be specified to provide a graphical -# password prompt for "sudo -A" support. Sudo does not ship with its -# own askpass program but can use the OpenSSH askpass. -# -# Use the OpenSSH askpass -#Path askpass /usr/X11R6/bin/ssh-askpass -# -# Use the Gnome OpenSSH askpass -#Path askpass /usr/libexec/openssh/gnome-ssh-askpass - -# -# Sudo device search path: -# Path devsearch /dev/path1:/dev/path2:/dev -# -# A colon-separated list of paths to check when searching for a user's -# terminal device. -# -#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev - -# -# Sudo noexec: -# Path noexec /path/to/sudo_noexec.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that just return an error. -# This is used to implement the "noexec" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_noexec.so file. -# -#Path noexec /usr/libexec/sudo/sudo_noexec.so - -# -# Sudo plugin directory: -# Path plugin_dir /path/to/plugins -# -# The default directory to use when searching for plugins that are -# specified without a fully qualified path name. -# -#Path plugin_dir /usr/libexec/sudo - -# -# Sudo developer mode: -# Set developer_mode true|false -# -# Allow loading of plugins that are owned by non-root or are writable -# by "group" or "other". Should only be used during plugin development. -#Set developer_mode true - -# -# Core dumps: -# Set disable_coredump true|false -# -# By default, sudo disables core dumps while it is executing (they -# are re-enabled for the command that is run). -# To aid in debugging sudo problems, you may wish to enable core -# dumps by setting "disable_coredump" to false. -# -Set disable_coredump false - -# -# User groups: -# Set group_source static|dynamic|adaptive -# -# Sudo passes the user's group list to the policy plugin. -# If the user is a member of the maximum number of groups (usually 16), -# sudo will query the group database directly to be sure to include -# the full list of groups. -# -# On some systems, this can be expensive so the behavior is configurable. -# The "group_source" setting has three possible values: -# static - use the user's list of groups returned by the kernel. -# dynamic - query the group database to find the list of groups. -# adaptive - if user is in less than the maximum number of groups. -# use the kernel list, else query the group database. -# -#Set group_source static - -# -# Sudo interface probing: -# Set probe_interfaces true|false -# -# By default, sudo will probe the system's network interfaces and -# pass the IP address of each enabled interface to the policy plugin. -# On systems with a large number of virtual interfaces this may take -# a noticeable amount of time. -# -#Set probe_interfaces false - -# -# Sudo debug files: -# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] -# -# Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay or visudo. -# -# Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace or debug. -# Multiple subsystem@priority may be specified, separated by a comma. -# -#Debug sudo /var/log/sudo_debug all@debug -#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/AlmaLinux/9/9/etc/sudoers b/templates/AlmaLinux/9/9/etc/sudoers deleted file mode 100644 index 93e02ba..0000000 --- a/templates/AlmaLinux/9/9/etc/sudoers +++ /dev/null @@ -1,120 +0,0 @@ -## Sudoers allows particular users to run various commands as -## the root user, without needing the root password. -## -## Examples are provided at the bottom of the file for collections -## of related commands, which can then be delegated out to particular -## users or groups. -## -## This file must be edited with the 'visudo' command. - -## Host Aliases -## Groups of machines. You may prefer to use hostnames (perhaps using -## wildcards for entire domains) or IP addresses instead. -# Host_Alias FILESERVERS = fs1, fs2 -# Host_Alias MAILSERVERS = smtp, smtp2 - -## User Aliases -## These aren't often necessary, as you can use regular groups -## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname -## rather than USERALIAS -# User_Alias ADMINS = jsmith, mikem - - -## Command Aliases -## These are groups of related commands... - -## Networking -# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool - -## Installation and management of software -# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum - -## Services -# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable - -## Updating the locate database -# Cmnd_Alias LOCATE = /usr/bin/updatedb - -## Storage -# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount - -## Delegating permissions -# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp - -## Processes -# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall - -## Drivers -# Cmnd_Alias DRIVERS = /sbin/modprobe - -# Defaults specification - -# -# Refuse to run if unable to disable echo on the tty. -# -Defaults !visiblepw - -# -# Preserving HOME has security implications since many programs -# use it when searching for configuration files. Note that HOME -# is already set when the the env_reset option is enabled, so -# this option is only effective for configurations where either -# env_reset is disabled or HOME is present in the env_keep list. -# -Defaults always_set_home -Defaults match_group_by_gid - -# Prior to version 1.8.15, groups listed in sudoers that were not -# found in the system group database were passed to the group -# plugin, if any. Starting with 1.8.15, only groups of the form -# %:group are resolved via the group plugin by default. -# We enable always_query_group_plugin to restore old behavior. -# Disable this option for new behavior. -Defaults always_query_group_plugin - -Defaults env_reset -Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" -Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" -Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" -Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" - -# -# Adding HOME to env_keep may enable a user to run unrestricted -# commands via sudo. -# -# Defaults env_keep += "HOME" - -Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin - -## Next comes the main part: which users can run what software on -## which machines (the sudoers file can be shared between multiple -## systems). -## Syntax: -## -## user MACHINE=COMMANDS -## -## The COMMANDS section may have other options added to it. -## -## Allow root to run any commands anywhere -root ALL=(ALL) ALL - -## Allows members of the 'sys' group to run networking, software, -## service management apps and more. -# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS - -## Allows people in group wheel to run all commands -%wheel ALL=(ALL) ALL - -## Same thing without a password -# %wheel ALL=(ALL) NOPASSWD: ALL - -## Allows members of the users group to mount and unmount the -## cdrom as root -# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom - -## Allows members of the users group to shutdown this system -# %users localhost=/sbin/shutdown -h now - -## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) -#includedir /etc/sudoers.d diff --git a/templates/AlmaLinux/9/9/etc/sudoers.d/session_log.j2 b/templates/AlmaLinux/9/9/etc/sudoers.d/session_log.j2 deleted file mode 100644 index 1b6d27d..0000000 --- a/templates/AlmaLinux/9/9/etc/sudoers.d/session_log.j2 +++ /dev/null @@ -1,6 +0,0 @@ -# -# {{ ansible_managed }} -# -Defaults log_input -Defaults log_output - diff --git a/templates/AlmaLinux/9/etc/pam.d/sudo b/templates/AlmaLinux/9/etc/pam.d/sudo index 284b050..fcb7a46 100644 --- a/templates/AlmaLinux/9/etc/pam.d/sudo +++ b/templates/AlmaLinux/9/etc/pam.d/sudo @@ -2,6 +2,4 @@ auth include system-auth account include system-auth password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so session include system-auth diff --git a/templates/AlmaLinux/9/etc/sudo.conf b/templates/AlmaLinux/9/etc/sudo.conf index 1c499a7..27ccc72 100644 --- a/templates/AlmaLinux/9/etc/sudo.conf +++ b/templates/AlmaLinux/9/etc/sudo.conf @@ -11,9 +11,9 @@ # The plugin_options are optional. # # The sudoers plugin is used by default if no Plugin lines are present. -#Plugin sudoers_policy sudoers.so -#Plugin sudoers_io sudoers.so -#Plugin sudoers_audit sudoers.so +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so # # Sudo askpass: @@ -38,21 +38,6 @@ # #Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev -# -# Sudo command interception: -# Path intercept /path/to/sudo_intercept.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_intercept.so file. -# -#Path intercept disabled - # # Sudo noexec: # Path noexec /path/to/sudo_noexec.so @@ -76,6 +61,14 @@ # #Path plugin_dir /usr/libexec/sudo +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + # # Core dumps: # Set disable_coredump true|false @@ -85,7 +78,7 @@ # To aid in debugging sudo problems, you may wish to enable core # dumps by setting "disable_coredump" to false. # -#Set disable_coredump false +Set disable_coredump false # # User groups: @@ -121,10 +114,10 @@ # Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] # # Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. # # Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. # Multiple subsystem@priority may be specified, separated by a comma. # #Debug sudo /var/log/sudo_debug all@debug diff --git a/templates/AlmaLinux/9/etc/sudoers b/templates/AlmaLinux/9/etc/sudoers index 5f621a8..93e02ba 100644 --- a/templates/AlmaLinux/9/etc/sudoers +++ b/templates/AlmaLinux/9/etc/sudoers @@ -74,7 +74,7 @@ Defaults always_query_group_plugin Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" @@ -85,7 +85,7 @@ Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY # # Defaults env_keep += "HOME" -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple diff --git a/templates/OracleLinux/10/etc/pam.d/sudo b/templates/OracleLinux/10/etc/pam.d/sudo index 284b050..fcb7a46 100644 --- a/templates/OracleLinux/10/etc/pam.d/sudo +++ b/templates/OracleLinux/10/etc/pam.d/sudo @@ -2,6 +2,4 @@ auth include system-auth account include system-auth password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so session include system-auth diff --git a/templates/OracleLinux/10/etc/sudo.conf b/templates/OracleLinux/10/etc/sudo.conf index 1c499a7..27ccc72 100644 --- a/templates/OracleLinux/10/etc/sudo.conf +++ b/templates/OracleLinux/10/etc/sudo.conf @@ -11,9 +11,9 @@ # The plugin_options are optional. # # The sudoers plugin is used by default if no Plugin lines are present. -#Plugin sudoers_policy sudoers.so -#Plugin sudoers_io sudoers.so -#Plugin sudoers_audit sudoers.so +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so # # Sudo askpass: @@ -38,21 +38,6 @@ # #Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev -# -# Sudo command interception: -# Path intercept /path/to/sudo_intercept.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_intercept.so file. -# -#Path intercept disabled - # # Sudo noexec: # Path noexec /path/to/sudo_noexec.so @@ -76,6 +61,14 @@ # #Path plugin_dir /usr/libexec/sudo +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + # # Core dumps: # Set disable_coredump true|false @@ -85,7 +78,7 @@ # To aid in debugging sudo problems, you may wish to enable core # dumps by setting "disable_coredump" to false. # -#Set disable_coredump false +Set disable_coredump false # # User groups: @@ -121,10 +114,10 @@ # Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] # # Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. # # Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. # Multiple subsystem@priority may be specified, separated by a comma. # #Debug sudo /var/log/sudo_debug all@debug diff --git a/templates/OracleLinux/10/etc/sudoers b/templates/OracleLinux/10/etc/sudoers index 5f621a8..93e02ba 100644 --- a/templates/OracleLinux/10/etc/sudoers +++ b/templates/OracleLinux/10/etc/sudoers @@ -74,7 +74,7 @@ Defaults always_query_group_plugin Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" @@ -85,7 +85,7 @@ Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY # # Defaults env_keep += "HOME" -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple diff --git a/templates/OracleLinux/8/etc/pam.d/sudo b/templates/OracleLinux/8/etc/pam.d/sudo index 284b050..fcb7a46 100644 --- a/templates/OracleLinux/8/etc/pam.d/sudo +++ b/templates/OracleLinux/8/etc/pam.d/sudo @@ -2,6 +2,4 @@ auth include system-auth account include system-auth password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so session include system-auth diff --git a/templates/OracleLinux/8/etc/sudo.conf b/templates/OracleLinux/8/etc/sudo.conf index 1c499a7..27ccc72 100644 --- a/templates/OracleLinux/8/etc/sudo.conf +++ b/templates/OracleLinux/8/etc/sudo.conf @@ -11,9 +11,9 @@ # The plugin_options are optional. # # The sudoers plugin is used by default if no Plugin lines are present. -#Plugin sudoers_policy sudoers.so -#Plugin sudoers_io sudoers.so -#Plugin sudoers_audit sudoers.so +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so # # Sudo askpass: @@ -38,21 +38,6 @@ # #Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev -# -# Sudo command interception: -# Path intercept /path/to/sudo_intercept.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_intercept.so file. -# -#Path intercept disabled - # # Sudo noexec: # Path noexec /path/to/sudo_noexec.so @@ -76,6 +61,14 @@ # #Path plugin_dir /usr/libexec/sudo +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + # # Core dumps: # Set disable_coredump true|false @@ -85,7 +78,7 @@ # To aid in debugging sudo problems, you may wish to enable core # dumps by setting "disable_coredump" to false. # -#Set disable_coredump false +Set disable_coredump false # # User groups: @@ -121,10 +114,10 @@ # Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] # # Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. # # Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. # Multiple subsystem@priority may be specified, separated by a comma. # #Debug sudo /var/log/sudo_debug all@debug diff --git a/templates/OracleLinux/8/etc/sudoers b/templates/OracleLinux/8/etc/sudoers index 5f621a8..93e02ba 100644 --- a/templates/OracleLinux/8/etc/sudoers +++ b/templates/OracleLinux/8/etc/sudoers @@ -74,7 +74,7 @@ Defaults always_query_group_plugin Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" @@ -85,7 +85,7 @@ Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY # # Defaults env_keep += "HOME" -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple diff --git a/templates/OracleLinux/9/etc/pam.d/sudo b/templates/OracleLinux/9/etc/pam.d/sudo index 284b050..fcb7a46 100644 --- a/templates/OracleLinux/9/etc/pam.d/sudo +++ b/templates/OracleLinux/9/etc/pam.d/sudo @@ -2,6 +2,4 @@ auth include system-auth account include system-auth password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so session include system-auth diff --git a/templates/OracleLinux/9/etc/sudo.conf b/templates/OracleLinux/9/etc/sudo.conf index 1c499a7..27ccc72 100644 --- a/templates/OracleLinux/9/etc/sudo.conf +++ b/templates/OracleLinux/9/etc/sudo.conf @@ -11,9 +11,9 @@ # The plugin_options are optional. # # The sudoers plugin is used by default if no Plugin lines are present. -#Plugin sudoers_policy sudoers.so -#Plugin sudoers_io sudoers.so -#Plugin sudoers_audit sudoers.so +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so # # Sudo askpass: @@ -38,21 +38,6 @@ # #Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev -# -# Sudo command interception: -# Path intercept /path/to/sudo_intercept.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_intercept.so file. -# -#Path intercept disabled - # # Sudo noexec: # Path noexec /path/to/sudo_noexec.so @@ -76,6 +61,14 @@ # #Path plugin_dir /usr/libexec/sudo +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + # # Core dumps: # Set disable_coredump true|false @@ -85,7 +78,7 @@ # To aid in debugging sudo problems, you may wish to enable core # dumps by setting "disable_coredump" to false. # -#Set disable_coredump false +Set disable_coredump false # # User groups: @@ -121,10 +114,10 @@ # Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] # # Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. # # Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. # Multiple subsystem@priority may be specified, separated by a comma. # #Debug sudo /var/log/sudo_debug all@debug diff --git a/templates/OracleLinux/9/etc/sudoers b/templates/OracleLinux/9/etc/sudoers index 5f621a8..93e02ba 100644 --- a/templates/OracleLinux/9/etc/sudoers +++ b/templates/OracleLinux/9/etc/sudoers @@ -74,7 +74,7 @@ Defaults always_query_group_plugin Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" @@ -85,7 +85,7 @@ Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY # # Defaults env_keep += "HOME" -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple diff --git a/templates/Rocky/10/etc/pam.d/sudo b/templates/Rocky/10/etc/pam.d/sudo index 284b050..fcb7a46 100644 --- a/templates/Rocky/10/etc/pam.d/sudo +++ b/templates/Rocky/10/etc/pam.d/sudo @@ -2,6 +2,4 @@ auth include system-auth account include system-auth password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so session include system-auth diff --git a/templates/Rocky/10/etc/sudo.conf b/templates/Rocky/10/etc/sudo.conf index 1c499a7..27ccc72 100644 --- a/templates/Rocky/10/etc/sudo.conf +++ b/templates/Rocky/10/etc/sudo.conf @@ -11,9 +11,9 @@ # The plugin_options are optional. # # The sudoers plugin is used by default if no Plugin lines are present. -#Plugin sudoers_policy sudoers.so -#Plugin sudoers_io sudoers.so -#Plugin sudoers_audit sudoers.so +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so # # Sudo askpass: @@ -38,21 +38,6 @@ # #Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev -# -# Sudo command interception: -# Path intercept /path/to/sudo_intercept.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_intercept.so file. -# -#Path intercept disabled - # # Sudo noexec: # Path noexec /path/to/sudo_noexec.so @@ -76,6 +61,14 @@ # #Path plugin_dir /usr/libexec/sudo +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + # # Core dumps: # Set disable_coredump true|false @@ -85,7 +78,7 @@ # To aid in debugging sudo problems, you may wish to enable core # dumps by setting "disable_coredump" to false. # -#Set disable_coredump false +Set disable_coredump false # # User groups: @@ -121,10 +114,10 @@ # Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] # # Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. # # Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. # Multiple subsystem@priority may be specified, separated by a comma. # #Debug sudo /var/log/sudo_debug all@debug diff --git a/templates/Rocky/10/etc/sudoers b/templates/Rocky/10/etc/sudoers index 5f621a8..93e02ba 100644 --- a/templates/Rocky/10/etc/sudoers +++ b/templates/Rocky/10/etc/sudoers @@ -74,7 +74,7 @@ Defaults always_query_group_plugin Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" @@ -85,7 +85,7 @@ Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY # # Defaults env_keep += "HOME" -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple diff --git a/templates/Rocky/8/etc/pam.d/sudo b/templates/Rocky/8/etc/pam.d/sudo index 284b050..fcb7a46 100644 --- a/templates/Rocky/8/etc/pam.d/sudo +++ b/templates/Rocky/8/etc/pam.d/sudo @@ -2,6 +2,4 @@ auth include system-auth account include system-auth password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so session include system-auth diff --git a/templates/Rocky/8/etc/sudo.conf b/templates/Rocky/8/etc/sudo.conf index 1c499a7..27ccc72 100644 --- a/templates/Rocky/8/etc/sudo.conf +++ b/templates/Rocky/8/etc/sudo.conf @@ -11,9 +11,9 @@ # The plugin_options are optional. # # The sudoers plugin is used by default if no Plugin lines are present. -#Plugin sudoers_policy sudoers.so -#Plugin sudoers_io sudoers.so -#Plugin sudoers_audit sudoers.so +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so # # Sudo askpass: @@ -38,21 +38,6 @@ # #Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev -# -# Sudo command interception: -# Path intercept /path/to/sudo_intercept.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_intercept.so file. -# -#Path intercept disabled - # # Sudo noexec: # Path noexec /path/to/sudo_noexec.so @@ -76,6 +61,14 @@ # #Path plugin_dir /usr/libexec/sudo +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + # # Core dumps: # Set disable_coredump true|false @@ -85,7 +78,7 @@ # To aid in debugging sudo problems, you may wish to enable core # dumps by setting "disable_coredump" to false. # -#Set disable_coredump false +Set disable_coredump false # # User groups: @@ -121,10 +114,10 @@ # Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] # # Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. # # Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. # Multiple subsystem@priority may be specified, separated by a comma. # #Debug sudo /var/log/sudo_debug all@debug diff --git a/templates/Rocky/8/etc/sudoers b/templates/Rocky/8/etc/sudoers index 5f621a8..93e02ba 100644 --- a/templates/Rocky/8/etc/sudoers +++ b/templates/Rocky/8/etc/sudoers @@ -74,7 +74,7 @@ Defaults always_query_group_plugin Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" @@ -85,7 +85,7 @@ Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY # # Defaults env_keep += "HOME" -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple diff --git a/templates/Rocky/9/etc/pam.d/sudo b/templates/Rocky/9/etc/pam.d/sudo index 284b050..fcb7a46 100644 --- a/templates/Rocky/9/etc/pam.d/sudo +++ b/templates/Rocky/9/etc/pam.d/sudo @@ -2,6 +2,4 @@ auth include system-auth account include system-auth password include system-auth -session optional pam_keyinit.so revoke -session required pam_limits.so session include system-auth diff --git a/templates/Rocky/9/etc/sudo.conf b/templates/Rocky/9/etc/sudo.conf index 1c499a7..27ccc72 100644 --- a/templates/Rocky/9/etc/sudo.conf +++ b/templates/Rocky/9/etc/sudo.conf @@ -11,9 +11,9 @@ # The plugin_options are optional. # # The sudoers plugin is used by default if no Plugin lines are present. -#Plugin sudoers_policy sudoers.so -#Plugin sudoers_io sudoers.so -#Plugin sudoers_audit sudoers.so +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so +Plugin sudoers_audit sudoers.so # # Sudo askpass: @@ -38,21 +38,6 @@ # #Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev -# -# Sudo command interception: -# Path intercept /path/to/sudo_intercept.so -# -# Path to a shared library containing replacements for the execv(), -# execve() and fexecve() library functions that perform a policy check -# to verify the command is allowed and simply return an error if not. -# This is used to implement the "intercept" functionality on systems that -# support LD_PRELOAD or its equivalent. -# -# The compiled-in value is usually sufficient and should only be changed -# if you rename or move the sudo_intercept.so file. -# -#Path intercept disabled - # # Sudo noexec: # Path noexec /path/to/sudo_noexec.so @@ -76,6 +61,14 @@ # #Path plugin_dir /usr/libexec/sudo +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + # # Core dumps: # Set disable_coredump true|false @@ -85,7 +78,7 @@ # To aid in debugging sudo problems, you may wish to enable core # dumps by setting "disable_coredump" to false. # -#Set disable_coredump false +Set disable_coredump false # # User groups: @@ -121,10 +114,10 @@ # Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] # # Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay, or visudo. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. # # Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace, or debug. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. # Multiple subsystem@priority may be specified, separated by a comma. # #Debug sudo /var/log/sudo_debug all@debug diff --git a/templates/Rocky/9/etc/sudoers b/templates/Rocky/9/etc/sudoers index 5f621a8..93e02ba 100644 --- a/templates/Rocky/9/etc/sudoers +++ b/templates/Rocky/9/etc/sudoers @@ -74,7 +74,7 @@ Defaults always_query_group_plugin Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" -Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" @@ -85,7 +85,7 @@ Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY # # Defaults env_keep += "HOME" -Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple From 50a7fc890b6096327610c65d40a9e53d60374711 Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Wed, 6 May 2026 00:03:26 -0500 Subject: [PATCH 40/40] Fixes for EL10 Signed-off-by: Jason Rothstein --- templates/AlmaLinux/10/etc/sudo.conf | 29 ++++++++++++++++---------- templates/CentOS/10/etc/sudo.conf | 29 ++++++++++++++++---------- templates/OracleLinux/10/etc/sudo.conf | 29 ++++++++++++++++---------- templates/Rocky/10/etc/sudo.conf | 29 ++++++++++++++++---------- 4 files changed, 72 insertions(+), 44 deletions(-) diff --git a/templates/AlmaLinux/10/etc/sudo.conf b/templates/AlmaLinux/10/etc/sudo.conf index 27ccc72..5349d7c 100644 --- a/templates/AlmaLinux/10/etc/sudo.conf +++ b/templates/AlmaLinux/10/etc/sudo.conf @@ -38,6 +38,21 @@ Plugin sudoers_audit sudoers.so # #Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev +# +# Sudo command interception: +# Path intercept /path/to/sudo_intercept.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions, which perform a policy +# check to verify whether the command is allowed and simply return +# an error if it is not. This is used to implement the "intercept" +# functionality on systems that support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_intercept.so file. +# +#Path intercept /usr/libexec/sudo/sudo_intercept.so + # # Sudo noexec: # Path noexec /path/to/sudo_noexec.so @@ -57,18 +72,10 @@ Plugin sudoers_audit sudoers.so # Path plugin_dir /path/to/plugins # # The default directory to use when searching for plugins that are -# specified without a fully qualified path name. +# specified without a fully-qualified path name. # #Path plugin_dir /usr/libexec/sudo -# -# Sudo developer mode: -# Set developer_mode true|false -# -# Allow loading of plugins that are owned by non-root or are writable -# by "group" or "other". Should only be used during plugin development. -#Set developer_mode true - # # Core dumps: # Set disable_coredump true|false @@ -114,10 +121,10 @@ Set disable_coredump false # Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] # # Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay or visudo. +# The program is typically sudo, sudoers.so, sudoreplay, or visudo. # # Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace or debug. +# Priority may be crit, err, warn, notice, diag, info, trace, or debug. # Multiple subsystem@priority may be specified, separated by a comma. # #Debug sudo /var/log/sudo_debug all@debug diff --git a/templates/CentOS/10/etc/sudo.conf b/templates/CentOS/10/etc/sudo.conf index 27ccc72..5349d7c 100644 --- a/templates/CentOS/10/etc/sudo.conf +++ b/templates/CentOS/10/etc/sudo.conf @@ -38,6 +38,21 @@ Plugin sudoers_audit sudoers.so # #Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev +# +# Sudo command interception: +# Path intercept /path/to/sudo_intercept.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions, which perform a policy +# check to verify whether the command is allowed and simply return +# an error if it is not. This is used to implement the "intercept" +# functionality on systems that support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_intercept.so file. +# +#Path intercept /usr/libexec/sudo/sudo_intercept.so + # # Sudo noexec: # Path noexec /path/to/sudo_noexec.so @@ -57,18 +72,10 @@ Plugin sudoers_audit sudoers.so # Path plugin_dir /path/to/plugins # # The default directory to use when searching for plugins that are -# specified without a fully qualified path name. +# specified without a fully-qualified path name. # #Path plugin_dir /usr/libexec/sudo -# -# Sudo developer mode: -# Set developer_mode true|false -# -# Allow loading of plugins that are owned by non-root or are writable -# by "group" or "other". Should only be used during plugin development. -#Set developer_mode true - # # Core dumps: # Set disable_coredump true|false @@ -114,10 +121,10 @@ Set disable_coredump false # Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] # # Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay or visudo. +# The program is typically sudo, sudoers.so, sudoreplay, or visudo. # # Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace or debug. +# Priority may be crit, err, warn, notice, diag, info, trace, or debug. # Multiple subsystem@priority may be specified, separated by a comma. # #Debug sudo /var/log/sudo_debug all@debug diff --git a/templates/OracleLinux/10/etc/sudo.conf b/templates/OracleLinux/10/etc/sudo.conf index 27ccc72..5349d7c 100644 --- a/templates/OracleLinux/10/etc/sudo.conf +++ b/templates/OracleLinux/10/etc/sudo.conf @@ -38,6 +38,21 @@ Plugin sudoers_audit sudoers.so # #Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev +# +# Sudo command interception: +# Path intercept /path/to/sudo_intercept.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions, which perform a policy +# check to verify whether the command is allowed and simply return +# an error if it is not. This is used to implement the "intercept" +# functionality on systems that support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_intercept.so file. +# +#Path intercept /usr/libexec/sudo/sudo_intercept.so + # # Sudo noexec: # Path noexec /path/to/sudo_noexec.so @@ -57,18 +72,10 @@ Plugin sudoers_audit sudoers.so # Path plugin_dir /path/to/plugins # # The default directory to use when searching for plugins that are -# specified without a fully qualified path name. +# specified without a fully-qualified path name. # #Path plugin_dir /usr/libexec/sudo -# -# Sudo developer mode: -# Set developer_mode true|false -# -# Allow loading of plugins that are owned by non-root or are writable -# by "group" or "other". Should only be used during plugin development. -#Set developer_mode true - # # Core dumps: # Set disable_coredump true|false @@ -114,10 +121,10 @@ Set disable_coredump false # Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] # # Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay or visudo. +# The program is typically sudo, sudoers.so, sudoreplay, or visudo. # # Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace or debug. +# Priority may be crit, err, warn, notice, diag, info, trace, or debug. # Multiple subsystem@priority may be specified, separated by a comma. # #Debug sudo /var/log/sudo_debug all@debug diff --git a/templates/Rocky/10/etc/sudo.conf b/templates/Rocky/10/etc/sudo.conf index 27ccc72..5349d7c 100644 --- a/templates/Rocky/10/etc/sudo.conf +++ b/templates/Rocky/10/etc/sudo.conf @@ -38,6 +38,21 @@ Plugin sudoers_audit sudoers.so # #Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev +# +# Sudo command interception: +# Path intercept /path/to/sudo_intercept.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions, which perform a policy +# check to verify whether the command is allowed and simply return +# an error if it is not. This is used to implement the "intercept" +# functionality on systems that support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_intercept.so file. +# +#Path intercept /usr/libexec/sudo/sudo_intercept.so + # # Sudo noexec: # Path noexec /path/to/sudo_noexec.so @@ -57,18 +72,10 @@ Plugin sudoers_audit sudoers.so # Path plugin_dir /path/to/plugins # # The default directory to use when searching for plugins that are -# specified without a fully qualified path name. +# specified without a fully-qualified path name. # #Path plugin_dir /usr/libexec/sudo -# -# Sudo developer mode: -# Set developer_mode true|false -# -# Allow loading of plugins that are owned by non-root or are writable -# by "group" or "other". Should only be used during plugin development. -#Set developer_mode true - # # Core dumps: # Set disable_coredump true|false @@ -114,10 +121,10 @@ Set disable_coredump false # Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] # # Sudo and related programs support logging debug information to a file. -# The program is typically sudo, sudoers.so, sudoreplay or visudo. +# The program is typically sudo, sudoers.so, sudoreplay, or visudo. # # Subsystems vary based on the program; "all" matches all subsystems. -# Priority may be crit, err, warn, notice, diag, info, trace or debug. +# Priority may be crit, err, warn, notice, diag, info, trace, or debug. # Multiple subsystem@priority may be specified, separated by a comma. # #Debug sudo /var/log/sudo_debug all@debug