-
Notifications
You must be signed in to change notification settings - Fork 9
/
sudoers.j2
108 lines (102 loc) · 4.67 KB
/
sudoers.j2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
## sudoers file.
##
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.
##
## See the sudoers man page for the details on how to write a sudoers file.
##
##
## Cmnd alias specification
##
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less, /usr/bin/pager
{% if not sudo_ids %}
Cmnd_Alias SHELLS = /bin/sh "", /bin/bash "", /bin/dash "", /bin/zsh "", /bin/csh "", /bin/tcsh ""
{% endif %}
{% if ansible_distribution == "Debian" or ansible_distribution == "Kali" %}
Cmnd_Alias APT_GET = /usr/bin/apt-get update, /usr/bin/apt-get upgrade, /usr/bin/apt-get dist-upgrade, /usr/bin/apt-get autoremove, /usr/bin/apt-get clean, /usr/bin/apt-get autoclean, /usr/bin/apt-file update
{% endif %}
## These should be enough. You can do "sudo cat | grep" etc. tail is for following.
Cmnd_Alias READ_FILES = /bin/ls, /bin/tail, /bin/cat
Cmnd_Alias LOGIN_RECORD_VIEWERS = /usr/bin/lastlog, /usr/bin/lastb, /usr/bin/last, /usr/bin/who
Cmnd_Alias ANSIBLE = \
/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ;\ \ /home/{{ ansible_user_id }}/.ansible/tmp/ansible-tmp-??????????.*-*/*, \
/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; /usr/bin/python3 /home/{{ ansible_user_id }}/.ansible/tmp/ansible-tmp-??????????.*-*-*/AnsiballZ_*.py, \
/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; ANSIBLE_ASYNC_DIR='~/.ansible_async' /usr/bin/python3 /home/{{ ansible_user_id }}/.ansible/tmp/ansible-tmp-??????????.*-*-*/async_wrapper.py * * /home/{{ ansible_user_id }}/.ansible/tmp/ansible-tmp-??????????.*-*-*/AnsiballZ_*.py _, \
/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; cat /proc/sys/kernel/random/boot_id, \
/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; /sbin/shutdown -r 0 "Reboot initiated by Ansible", \
/bin/sh -c echo BECOME-SUCCESS-???????????????????????????????? ; whoami
Cmnd_Alias NOIOLOG = /usr/bin/sudoreplay
##
## Defaults specification
##
Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
Defaults mail_badpass, mail_no_host, mail_no_perms, mail_no_user
Defaults env_reset
{% if ansible_distribution == "Slackware" %}
Defaults syslog=auth, syslog_pid
{% else %}
Defaults syslog=auth
{% endif %}
# Defaults log_year, log_host, logfile=/var/log/sudo.log
Defaults noexec
Defaults listpw=always
Defaults timestamp_timeout=0
Defaults requiretty
Defaults !visiblepw
Defaults !pwfeedback
Defaults verifypw=always
Defaults always_set_home
Defaults passwd_tries=2, passwd_timeout=1
# Defaults rootpw
Defaults sudoedit_checkdir, !sudoedit_follow
Defaults ignore_dot
Defaults env_file=/etc/sudo_env
Defaults use_pty
Defaults timestamp_type=tty
Defaults!NOIOLOG !log_output
{% if sudo_iolog %}
Defaults log_output
{% endif %}
## For pam_ssh_agent_auth
# Defaults env_keep += "SSH_AUTH_SOCK"
##
## User privilege specification
##
root {{ ansible_hostname }}=(ALL:ALL) EXEC: ALL
{{ ansible_user_id }} {{ ansible_hostname }}=(root) PASSWD:EXEC: ANSIBLE
## wheel group
{% if ansible_distribution == "Slackware" or ansible_os_family == "RedHat" %}
{% if not sudo_ids %}
%wheel {{ ansible_hostname }}=(root) TIMEOUT={{ session_timeout }}m PASSWD:EXEC: SHELLS
{% endif %}
%wheel {{ ansible_hostname }}=(root) TIMEOUT={{ session_timeout }}m PASSWD:NOEXEC: sudoedit
%wheel {{ ansible_hostname }}=(root) TIMEOUT=1m PASSWD:NOEXEC: /bin/dmesg
%wheel {{ ansible_hostname }}=(:adm) PASSWD:NOEXEC: READ_FILES
%wheel {{ ansible_hostname }}=(:adm) PASSWD:NOEXEC: LOGIN_RECORD_VIEWERS
{% if ansible_os_family == "RedHat" %}
%wheel {{ ansible_hostname }}=(root) PASSWD:EXEC: /bin/yum update
{% endif %}
{% if sudo_iolog %}
%wheel {{ ansible_hostname }}=(root) PASSWD:NOEXEC: /usr/bin/sudoreplay
{% endif %}
{% endif %}
## sudo group (Debian)
{% if ansible_distribution == "Debian" or ansible_distribution == "Kali" %}
{% if not sudo_ids %}
%sudo {{ ansible_hostname }}=(root) TIMEOUT={{ session_timeout }}m PASSWD:EXEC: SHELLS
{% endif %}
%sudo {{ ansible_hostname }}=(:systemd-journal) PASSWD:EXEC: /bin/journalctl
%sudo {{ ansible_hostname }}=(root) TIMEOUT=1m PASSWD:NOEXEC: /bin/dmesg
%sudo {{ ansible_hostname }}=(:adm) PASSWD:NOEXEC: READ_FILES
%sudo {{ ansible_hostname }}=(root) PASSWD:EXEC: APT_GET
%sudo {{ ansible_hostname }}=(root) TIMEOUT={{ session_timeout }}m PASSWD:NOEXEC: sudoedit
%sudo {{ ansible_hostname }}=(logcheck) TIMEOUT=1m PASSWD:EXEC: /usr/sbin/logcheck
%sudo {{ ansible_hostname }}=(:debian-tor) PASSWD:NOEXEC: /usr/bin/nyx ""
{% if sudo_iolog %}
%sudo {{ ansible_hostname }}=(root) PASSWD:NOEXEC: /usr/bin/sudoreplay
{% endif %}
{% endif %}
## Read drop-in files from /etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /etc/sudoers.d