
sudo

Notice: This module is still a work in progress. I do not recommend production use until this notice is removed.

Table of Contents

  1. Module Description
  2. Setup
  3. Usage
  4. Reference
  5. Limitations

Module Description

Sudo is a powerful tool used to manage the extension of user privileges. This module is intended to offer extended customizability of the sudo configuration in order to fully leverage its use.

Setup

What sudo affects

  • The sudo package.
  • The main sudo configuration file (/etc/sudoers).
  • Potentially the rkhunter database if the rkhunter package is installed.

Beginning with sudo

To install sudo with a basic configuration:

include sudo

Usage

Providing custom configuration

The sudo class is the main class of the module and is where all configuration is done.

class { 'sudo':
  defaults_content     => 'Defaults	editor=/usr/bin/vim, env_reset, mail_badpass, noexec',
  host_aliases_content => 'Host_Alias	SANS = backup1, backup2',
  user_aliases_content => 'User_Alias	PEONS = jim, joe, jack',
  cmnd_aliases_content => 'Cmnd_Alias	BACKUP = /bin/tar, /bin/cpio, /bin/mount',
  runas_spec_content   => 'PEONS	SANS = (admin) EXEC: BACKUP',
}

Of course, if you need to add more complex content, you can pass in the output of a file or template function.

If the content of the generated policy contains invalid syntax, the module removes the configuration file instead of installing a broken sudoers policy.

Including your own custom files

If passing content to the main sudoers policy is not flexible enough to achieve the desired configuration, you can directly manage the configuration files and just include them in the main policy.

file { '/home/me/my_policies/policy1':
  ensure  => file,
  content => template('/path/to/templates/policy1'),
}

file { '/home/me/my_policies/policy2':
  ensure  => file,
  content => template('/path/to/templates/policy2'),
}

class { 'sudo':
  include => ['/home/me/my_policies/policy1', '/home/me/my_policies/policy2'],
}

Configuring with Hiera

The sudo class was designed with the intent that Hiera would be used to define its parameters. If merging is enabled, even more specific policies can be generated. Given a hierarchy like the following, defined in hiera.yaml:

---
:backends:
  - yaml
:hierarchy:
  - "role/%{::role}"
  - common
:yaml:
   :datadir: /etc/puppet/hieradata
:merge_behavior: deeper

A base configuration can be established in common.yaml:

# common.yaml
---
sudo::defaults_content: 'Defaults	editor=/usr/bin/vim, env_reset, mail_badpass, noexec'
sudo::host_aliases_content: 'Host_Alias	SANS = backup1, backup2'
sudo::user_aliases_content: 'User_Alias	PEONS = jim, joe, jack'
sudo::cmnd_aliases_content: 'Cmnd_Alias	BACKUP = /bin/tar, /bin/cpio, /bin/mount'
sudo::runas_spec_content: 'PEONS	SANS = (admin) EXEC: BACKUP'

Now, if you want the new guy, Albert, to be able to work only on the demo servers:

# role/demo.yaml
---
sudo::user_aliases_content: 'User_Alias	PEONS = jim, joe, jack, albert'
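The following is an added example, not part of the module's code: it assembles the five content sections in the order the module is assumed to write them, applies a Hiera-style role override (the role's string replaces the one from common.yaml), and lints the alias subset of the sudoers grammar shown above. It catches the case the module guards against, a runas spec that references an alias the override no longer defines. The real authority on syntax is visudo; this check only covers alias definitions and references.

```python
import re

# Alias definition "Kind_Alias NAME = members"; sudoers alias names are upper-case.
ALIAS_RE = re.compile(r"^(User|Host|Cmnd|Runas)_Alias\s+([A-Z][A-Z0-9_]*)\s*=\s*(.+)$")
NAME_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")
# Upper-case words that are sudoers keywords, not aliases: the ALL wildcard and tags.
KEYWORDS = {"ALL", "EXEC", "NOEXEC", "PASSWD", "NOPASSWD", "SETENV", "NOSETENV",
            "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT", "MAIL", "NOMAIL"}
# Assumed order in which the module writes its five content sections into sudoers.
SECTION_ORDER = ("defaults_content", "host_aliases_content", "user_aliases_content",
                 "cmnd_aliases_content", "runas_spec_content")
def render_policy(sections):
    """Join the sections (dict keyed like the Hiera keys, minus the sudo:: prefix)."""
    return "\n".join(sections[k] for k in SECTION_ORDER if sections.get(k))

def lint_policy(text):
    """Return problems found: alias names defined twice, lines that are neither an
    alias nor a user specification, and references to aliases never defined."""
    defined, bodies, problems = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and #include directives
        if not line or line.startswith("Defaults"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            kind, name, members = m.groups()
            if name in defined:
                problems.append(f"line {lineno}: alias {name} defined twice")
            defined[name] = kind
            bodies.append((lineno, members))
        elif "=" in line:   # user specification: users hosts = (runas) TAG: commands
            bodies.append((lineno, line))
        else:
            problems.append(f"line {lineno}: neither an alias nor a user specification")
    for lineno, body in bodies:   # every upper-case non-keyword word must be a known alias
        for word in re.split(r"[\s,():=]+", body):
            if NAME_RE.match(word) and word not in KEYWORDS and word not in defined:
                problems.append(f"line {lineno}: undefined alias {word}")
    return problems
# Constructed inputs mirroring the README's common.yaml and role/demo.yaml values.
COMMON = {
    "defaults_content": "Defaults\teditor=/usr/bin/vim, env_reset, mail_badpass, noexec",
    "host_aliases_content": "Host_Alias\tSANS = backup1, backup2",
    "user_aliases_content": "User_Alias\tPEONS = jim, joe, jack",
    "cmnd_aliases_content": "Cmnd_Alias\tBACKUP = /bin/tar, /bin/cpio, /bin/mount",
    "runas_spec_content": "PEONS\tSANS = (admin) EXEC: BACKUP",
}
# Role overrides: DEMO replaces PEONS like role/demo.yaml; BROKEN renames the alias.
DEMO = dict(COMMON, user_aliases_content="User_Alias\tPEONS = jim, joe, jack, albert")
BROKEN = dict(COMMON, user_aliases_content="User_Alias\tDEMO_USERS = albert")
```

`lint_policy(render_policy(BROKEN))` reports the dangling PEONS reference on the runas spec line, which is the kind of policy the module would refuse to install.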

Integration with rkhunter

Rkhunter is a great tool to help monitor system security. It will, however, report an error if you update the sudoers policy without notifying it of the change. This module does that for you if you tell it to:

class { 'sudo':
  runas_spec_content => '%sudo	ALL = (ALL:ALL) ALL',
  update_rkhunter    => true,
}

Reference

Classes

sudo

Manages the Sudo package and its authorization capabilities.

sudo::package_name

(String) Name of the sudo package the module will install.

Default value: 'sudo'

sudo::sudoers_file

(Absolute Path) Location of the main sudoers configuration file.

Default value: '/etc/sudoers'

sudo::include

(Array) File paths to include in the sudoers policy.

Default value: []

sudo::include_dir

(String) Absolute path to directory for system package policies.

This ensures the directory is specified in the main policy as the place where the system package manager can drop sudoers rules as part of package installation.

Default value: '/etc/sudoers.d'

sudo::include_dirs

(Array) Directories to include in the main sudoers file.

All additional files found in these directories are treated as sudo configuration files.

Default value: ['/etc/sudoers.d']

sudo::defaults_content

(String) Content of the defaults section of the sudoers file.

sudo::host_aliases_content

(String) Content of the host_aliases section of the sudoers file.

sudo::user_aliases_content

(String) Content of the user_aliases section of the sudoers file.

sudo::cmnd_aliases_content

(String) Content of the cmnd_aliases section of the sudoers file.

sudo::runas_spec_content

(String) Content of the runas_spec section of the sudoers file.

sudo::update_rkhunter

(Boolean) Specify if rkhunter should be updated after any change is made.

Any change to the sudoers policy will cause rkhunter to report an error. This provides a convenient way to automatically notify rkhunter of changes to the sudoers policy.

Default value: false

Limitations

This module has received limited testing on Debian based operating systems and CentOS 7.0.
