Adding some more config options, cleanup of docs, implement current best-practices. Add some debugs. Fixes #28.
Andrew J Huffman committed Dec 31, 2018
1 parent 5628f56 commit afac185
Showing 8 changed files with 215 additions and 195 deletions.
220 changes: 107 additions & 113 deletions README.md
@@ -1,5 +1,5 @@
# wtcross.sudoers
An Ansible role for configuring the /etc/sudoers file and /etc/sudoers.d files.
An Ansible role for configuring the `/etc/sudoers` file and `/etc/sudoers.d` files.

This role makes it possible to completely define your sudoers configuration with Ansible. All of the following are configurable:
- defaults
@@ -12,101 +12,20 @@ This role makes it possible to completely define your sudoers configuration with

*Tip:* Here's a [great document about sudoers configuration](https://help.ubuntu.com/community/Sudoers)

Role Tunables
--------------
## Role Variables

By default this role configures and manages all sudo specs. These are various
variables that can be set to adjust how the role will affect existing sudo
configurations.

| Variable name | Variable type | Description | Default Value |
| --- | --- | --- | --- |
| `sudoer_rewrite_sudoers_file` | boolean | Use role default or user defined `default_specs` replacing distro supplied `/etc/sudoers` file. | True |
| `sudoer_remove_unauthorized_specs` | boolean | Each sudoer spec not generated by role will be removed. ***Very Dangerous***. | True |
| `sudoer_separate_specs` | boolean | Each sudoer spec will be placed in a separate file within the `/etc/sudoers.d/` directory. | True |

## About and Usage
The top level `/etc/sudoers` file can be kept as light as possible by specifying sudoer_separate_specs: True in either the defaults or your playbook. sudoer_separate_specs is set to True by default.

***Warning, this role will clean out /etc/sudoers.d/ if sudoer_separate_specs is set to false. You will lose any files stored there even if not generated by this role.***

If sudoer_separate_specs is set to true, it will include all defaults and aliases in /etc/sudoers rather than breaking the specs out into their own files in /etc/sudoers.d/.

All sudoer specifications will each be placed in their own file within the `/etc/sudoers.d/` directory. A specification consists of the following:
- `name`: the name of the specification (file name in `/etc/sudoers.d/`)
- `users`: user list or user alias
- `hosts`: host list or host alias
- `operators`: operator list or runas alias
- `commands`: command list or

The following properties are optional:
- `tags`: list of tags (ex: NOPASSWD)
- `comment`: A comment you'd like to add to your spec for clarity

Valid sudoer tags are: NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT.

User/Group specific defaults can be added to the defaults list by a preceding ':' followed by the user/group whitespace then the option. For example:
| Variable Name | Description | Default Value | Variable Type |
| --- | --- | :---: | :---: |
| sudoer_rewrite_sudoers_file | Use role default or user defined `default_specs` replacing distro supplied `/etc/sudoers` file. | True | boolean |
| sudoer_remove_unauthorized_specs | Each existing sudoer spec on the filesystem not generated by this role's values will be removed. ***Very Dangerous***. | False | boolean |
| sudoer_separate_specs | Each sudoer spec will be placed in a separate file within the `/etc/sudoers.d/` directory. | True | boolean |
| sudoer_separate_specs_cleanup | Remove any remaining files in `/etc/sudoers.d` if `sudoer_separate_specs` is set to `False`. If this value is set to `False`, the existing files from a previous configuration will be untouched. Set to `True` if you want this role's configuration to be your source of truth and remove old files. | False | boolean |
| sudoer_backup | Whether or not to create a backup of a changed /etc/sudoers file (does not pertain to files to be removed or individual spec files). Backup of individual spec files could create problematic configurations, as they will exist as a separate spec. in the /etc/sudoers.d directory.| True | boolean |

```yaml
---
sudoer_defaults:
- :MONITOR_USER !logfile
```
This will generate a line:
```
Defaults:MONITOR_USER !logfile
```


## Example Playbook
```yaml
- hosts: all
vars:
sudoer_aliases:
user:
- name: ADMINS
comment: Group of admin users
users:
- "%admin"
runas:
- name: ROOT
comment: Root stuff
users:
- '#0'
host:
- name: SERVERS
comment: XYZ servers
hosts:
- 192.168.0.1
- 192.168.0.2
command:
- name: ADMIN_CMNDS
comment: Stuff admins need
commands:
- /usr/sbin/passwd
- /usr/sbin/useradd
- /usr/sbin/userdel
- /usr/sbin/usermod
- /usr/sbin/visudo

sudoer_specs:
- name: administrators
comment: Stuff for admins
users: ADMIN
hosts: SERVERS
operators: ROOT
tags: NOPASSWD
commands: ADMIN_CMNDS
defaults:
- '!requiretty'

roles:
- wtcross.sudoers
```
## Defaults:
## Role Default Variables
```yaml
sudoer_aliases: {}
sudoer_specs: []
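Review bot: the `sudoer_backup` row of the new table has a stray period in "as a separate spec. in the /etc/sudoers.d directory", and the sentence reads as a feature description when it is really the reason spec files are excluded from backup; reword it so the exclusion is stated first, e.g. `Individual spec files are never backed up; a backup copy under /etc/sudoers.d would exist as a separate spec.` In the same hunk the old bold warning that the role "will clean out /etc/sudoers.d/" is dropped and that behaviour moves behind the new opt-in `sudoer_separate_specs_cleanup`, while the documented default of `sudoer_remove_unauthorized_specs` flips from `True` to `False`; a sentence under the table saying plainly that both destructive switches are now off by default would help readers of the previous README, who were told the opposite.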
@@ -149,19 +68,11 @@ sudoer_defaults:
- secure_path: /sbin:/bin:/usr/sbin:/usr/bin
sudoer_separate_specs: True
sudoer_rewrite_sudoers_file: True
sudoer_remove_unauthorized_specs: True
sudoer_remove_unauthorized_specs: False
sudoer_separate_specs_cleanup: False
sudoer_backup: True
```
## Requirements
The host operating system must be a member of one of the following OS families:
- Debian
- RedHat
- SUSE
## Dependencies
None
## Variable Schemas
```yaml
# host alias
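Review bot: this hunk removes the `## Dependencies` / `None` section together with `## Requirements`, but only `## Requirements` is re-added in the later hunk of this file, so the README loses its Dependencies section entirely; Galaxy-style READMEs normally keep it, so restore `## Dependencies` with `None` beside the new Requirements section. The default values shown here now agree with `defaults/main.yml` in this commit (`sudoer_remove_unauthorized_specs: False`, `sudoer_separate_specs_cleanup: False`, `sudoer_backup: True`), which is good.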
@@ -193,20 +104,103 @@ tags: string|[string]
comment: string #procedes the alias with a comment
defaults: string|[string]

## Role Variables
- `sudoer_aliases`: a dictionary that specifies which aliases to configure
- `sudoer_aliases.host`: a list of host alias descriptions
- `sudoer_aliases.user`: a list of user or group alias descriptions
- `sudoer_aliases.runas`: a list of runas alias descriptions
- `sudoer_aliases.command`: a list of command alias descriptions
- `sudoer_specs`: a list of sudoer specifications
- `sudoer_defaults`: a list of default settings
## Other Variables
- sudoer_aliases: a dictionary that specifies which aliases to configure
- sudoer_aliases.host: a list of host alias descriptions
- sudoer_aliases.user: a list of user or group alias descriptions
- sudoer_aliases.runas: a list of runas alias descriptions
- sudoer_aliases.command: a list of command alias descriptions
- sudoer_specs: a list of sudoer specifications
- sudoer_defaults: a list of default settings
- can be any of the following types
- `string`
- `string: string`
- `string: [string]`
- string
- string: string
- string: [string]
```
## About and Usage
The top level `/etc/sudoers` file can be kept as light as possible by specifying `sudoer_separate_specs: True` in either the role's `defaults/main.yml` or your playbook's variables. Please be aware that `sudoer_separate_specs` is set to `True` by default, and therefore your changes will be expected in `/etc/sudoers.d` unless set to `False`.

If sudoer_separate_specs is set to `False`, it will include all defaults and aliases in /etc/sudoers rather than breaking the specs out into their own files in /etc/sudoers.d/.

All sudoer specifications will each be placed in their own file within the `/etc/sudoers.d/` directory. A specification consists of the following:
- `name`: the name of the specification (file name in `/etc/sudoers.d/`)
- `users`: user list or user alias
- `hosts`: host list or host alias
- `operators`: operator list or runas alias
- `commands`: command list or

The following properties are optional:
- `tags`: list of tags (ex: NOPASSWD)
- `comment`: A comment you'd like to add to your spec for clarity

Valid sudoer tags are: NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT.

User/Group specific defaults can be added to the defaults list by a preceding ':' followed by the user/group whitespace then the option. For example:

```yaml
---
sudoer_defaults:
- :MONITOR_USER !logfile
```

This will generate a line:

```
Defaults:MONITOR_USER !logfile
```


## Example Playbook
```yaml
- hosts: "all"
roles:
- role: "wtcross.sudoers"
sudoer_aliases:
user:
- name: "ADMINS"
comment: "Group of admin users"
users:
- "%admin"
runas:
- name: "ROOT"
comment: "Root stuff"
users:
- "#0"
host:
- name: "SERVERS"
comment: "XYZ servers"
hosts:
- "192.168.0.1"
- "192.168.0.2"
command:
- name: "ADMIN_CMNDS"
comment: "Stuff admins need"
commands:
- "/usr/sbin/passwd"
- "/usr/sbin/useradd"
- "/usr/sbin/userdel"
- "/usr/sbin/usermod"
- "/usr/sbin/visudo"
sudoer_specs:
- name: "administrators"
comment: "Stuff for admins"
users: "ADMIN"
hosts: "SERVERS"
operators: "ROOT"
tags: "NOPASSWD"
commands: "ADMIN_CMNDS"
defaults:
- '!requiretty'
```

## Requirements
The host operating system must be a member of one of the following OS families:

- Debian
- RedHat
- SUSE

## License
[MIT](LICENSE)

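Review bot: the example playbook defines the user alias as `name: "ADMINS"` but the spec references `users: "ADMIN"`; with the alias undefined, sudo falls back to treating `ADMIN` as a plain user name rather than the `%admin` group alias, so the example as written grants nothing to the intended group. Make the two names identical. Two smaller points in the same hunk: the `## Other Variables` heading and its list are placed before the closing ``` of the `## Variable Schemas` block, so they render as YAML code instead of a heading and bullets (move the closing fence above the heading); and the `commands` bullet under About and Usage still ends with `command list or`, with the alternative missing.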
4 changes: 3 additions & 1 deletion defaults/main.yml
@@ -39,5 +39,7 @@ sudoer_defaults:
- XAUTHORITY
- secure_path: /sbin:/bin:/usr/sbin:/usr/bin
sudoer_separate_specs: True
sudoer_separate_specs_cleanup: False
sudoer_rewrite_sudoers_file: True
sudoer_remove_unauthorized_specs: True
sudoer_remove_unauthorized_specs: False
sudoer_backup: True
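Review bot: flipping `sudoer_remove_unauthorized_specs` from `True` to `False` is the right safe default, but it is a behaviour change for anyone who relied on the old default to prune stray files from `/etc/sudoers.d`; the commit message only says "some more config options", so call the change out there or in a changelog entry. Style: the new keys use `True`/`False` like the existing ones, which is consistent within this file, though yamllint's truthy rule (pulled in by ansible-lint) prefers lowercase `true`/`false`.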
4 changes: 2 additions & 2 deletions meta/main.yml
@@ -2,10 +2,11 @@ galaxy_info:
author:
- Tyler Cross
- Andrew J. Huffman
company: "Red Hat"
description: Controls the configuration of the sudoers file and /etc/sudoers.d/ files
issue_tracker_url: https://github.com/wtcross/ansible-sudoers/issues
license: MIT
min_ansible_version: 2.0
min_ansible_version: 2.3
#github_branch: master
platforms:
- name: EL
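Review bot: `min_ansible_version` is raised from `2.0` to `2.3` here, but the README's `## Requirements` section in this same commit still lists only the supported OS families; add the Ansible version requirement there so the two places agree. Minor style point: `company: "Red Hat"` is the only quoted scalar in this block while the neighbouring values are bare; either form is fine, but keep it consistent.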
@@ -33,7 +34,6 @@ galaxy_info:
galaxy_tags:
- sudo
- sudoers
- sudoers.d
- admin
- system

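Review bot: dropping the `sudoers.d` tag is correct, since Galaxy tags may only contain lowercase letters and digits and a dot in a tag is rejected on import; a short mention in the commit message would explain the removal, which otherwise looks unrelated to "cleanup of docs".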