diff --git a/sudoers/defaults.yaml b/sudoers/defaults.yaml
new file mode 100644
index 0000000..6115c5b
--- /dev/null
+++ b/sudoers/defaults.yaml
@@ -0,0 +1,11 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+sudoers:
+ pkg: sudo
+ manage_main_config: true
+ configpath: /etc
+ group: root
+ execprefix: /usr/sbin
+ includedir: /etc/sudoers.d
+ included_files: {}
diff --git a/sudoers/included.sls b/sudoers/included.sls
index c9df483..1b6490c 100644
--- a/sudoers/included.sls
+++ b/sudoers/included.sls
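Review bot: The new defaults.yaml documents none of its keys, and `group` and `execprefix` only make sense through the states that consume them. A short header comment would help, e.g. `# group: owning group of the managed sudoers files; execprefix: directory holding the visudo binary used by check_cmd`, followed by a line noting that these values are overridden per osarch/os_family/os/osfinger by the sibling map files and finally by the `sudoers` config/pillar key, as wired up in map.jinja in this commit. `included_files: {}` is the only structured default; a comment stating its shape (`<file name or absolute path>: <dict passed as the sudoers context>`, which is how included.sls iterates `.items()` and renders `spec`) would save a reader a trip to included.sls.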
@@ -1,31 +1,35 @@ -{% from "sudoers/map.jinja" import sudoers with context %} +# -*- coding: utf-8 -*- +# vim: ft=sls + +{#- Get the `tplroot` from `tpldir` #} +{%- set tplroot = tpldir.split('/')[0] %} +{%- set sls_config_file = tplroot ~ '.config.file' %} +{%- from tplroot ~ "/map.jinja" import sudoers with context %} include: - sudoers -{% do sudoers.update(pillar.get('sudoers', {})) %} -{% set includedir = sudoers.get('includedir', '/etc/sudoers.d') %} -{% set included_files = sudoers.get('included_files', {}) %} -{% for included_file,spec in included_files.items() -%} +{% set included_files = sudoers.included_files %} +{% for included_file, spec in included_files.items() -%} sudoers include {{ included_file }}: file.managed: {% if '/' in included_file %} - name: {{ included_file }} {% else %} - - name: {{ includedir }}/{{ included_file }} + - name: {{ sudoers.includedir }}/{{ included_file }} {% endif %} - user: root - - group: {{ sudoers.get('group', 'root') }} + - group: {{ sudoers.group }} - mode: 440 - makedirs: True - template: jinja - source: salt://sudoers/files/sudoers - - check_cmd: {{ sudoers.get('execprefix', '/usr/sbin') }}/visudo -c -f + - check_cmd: {{ sudoers.execprefix }}/visudo -c -f - context: included: True sudoers: {{ spec|json }} - {% if salt['pillar.get']('sudoers:manage_main_config', True) %} + {% if sudoers.manage_main_config %} - require: - - file: {{ sudoers.get('configpath', '/etc') }}/sudoers + - file: {{ sudoers.configpath }}/sudoers {% endif %} {% endfor %} diff --git a/sudoers/init.sls b/sudoers/init.sls index 0a964f0..362b3e8 100644 --- a/sudoers/init.sls +++ b/sudoers/init.sls 
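Review bot: `{%- set sls_config_file = tplroot ~ '.config.file' %}` is assigned but never referenced in included.sls, and the same unused assignment is added to init.sls in this commit; it is template-formula boilerplate for a `config.file` state this formula does not have, so drop the line in both files (or keep it only if a state is going to require it). A documentation point on the `{% if '/' in included_file %}` branch: a key containing a slash is written to that absolute path with `makedirs: True` instead of under `sudoers.includedir`, which presumably means sudo only reads it if the main sudoers file includes it; a comment above the `{% if %}` stating that expectation, e.g. `{# absolute keys bypass includedir; the caller is responsible for including them #}`, would help.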
@@ -1,19 +1,25 @@ -{% from "sudoers/map.jinja" import sudoers with context %} +# -*- coding: utf-8 -*- +# vim: ft=sls + +{#- Get the `tplroot` from `tpldir` #} +{%- set tplroot = tpldir.split('/')[0] %} +{%- set sls_config_file = tplroot ~ '.config.file' %} +{%- from tplroot ~ "/map.jinja" import sudoers with context %} sudo: pkg.installed: - name: {{ sudoers.pkg }} -{% if salt['pillar.get']('sudoers:manage_main_config', True) %} +{% if sudoers.manage_main_config %} -{{ sudoers.get('configpath', '/etc') }}/sudoers: +{{ sudoers.configpath }}/sudoers: file.managed: - user: root - - group: {{ sudoers.get('group', 'root') }} + - group: {{ sudoers.group }} - mode: 440 - template: jinja - source: salt://sudoers/files/sudoers - - check_cmd: {{ sudoers.get('execprefix', '/usr/sbin') }}/visudo -c -f + - check_cmd: {{ sudoers.execprefix }}/visudo -c -f - context: included: False - require: @@ -21,7 +27,7 @@ sudo: {% else %} -{{ sudoers.get('configpath', '/etc') }}/sudoers: +{{ sudoers.configpath }}/sudoers: test.show_notification: - name: Skipping management of main sudoers file - text: Pillar manage_main_config is False diff --git a/sudoers/map.jinja b/sudoers/map.jinja index 281a4fb..d90456d 100644 --- a/sudoers/map.jinja +++ b/sudoers/map.jinja 
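Review bot: In the second hunk the `test.show_notification` fallback keeps the text `Pillar manage_main_config is False`, but the new condition `{% if sudoers.manage_main_config %}` is resolved through map.jinja, i.e. from `salt['config.get']` (minion config as well as pillar) and defaults.yaml, so the message now names only one of the possible sources. Consider `- text: sudoers:manage_main_config is False` or similar wording. The first hunk ends inside the `require:` list, so its remainder is outside this view.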
@@ -1,17 +1,55 @@
-{% set sudoers = salt['grains.filter_by']({
- 'Debian': {'pkg': 'sudo'},
- 'Ubuntu': {'pkg': 'sudo'},
- 'CentOS': {'pkg': 'sudo'},
- 'Fedora': {'pkg': 'sudo'},
- 'RedHat': {'pkg': 'sudo'},
- 'Amazon': {'pkg': 'sudo'},
- 'Gentoo': {'pkg': 'app-admin/sudo'},
- 'Mint': {'pkg': 'sudo'},
- 'Arch': {'pkg': 'sudo'},
- 'Suse': {'pkg': 'sudo'},
- 'FreeBSD': {'pkg': 'sudo',
- 'configpath': '/usr/local/etc',
- 'includedir': '/usr/local/etc/sudoers.d',
- 'execprefix': '/usr/local/sbin',
- 'group': 'wheel'},
-}, merge=salt['pillar.get']('sudoers:lookup')) %}
+# -*- coding: utf-8 -*-
+# vim: ft=jinja
+
+{#- Get the `tplroot` from `tpldir` #}
+{%- set tplroot = tpldir.split('/')[0] %}
+{#- Start imports as #}
+{%- import_yaml tplroot ~ "/defaults.yaml" as default_settings %}
+{%- import_yaml tplroot ~ "/osarchmap.yaml" as osarchmap %}
+{%- import_yaml tplroot ~ "/osfamilymap.yaml" as osfamilymap %}
+{%- import_yaml tplroot ~ "/osmap.yaml" as osmap %}
+{%- import_yaml tplroot ~ "/osfingermap.yaml" as osfingermap %}
+
+{#- Retrieve the config dict only once #}
+{%- set _config = salt['config.get'](tplroot, default={}) %}
+
+{%- set defaults = salt['grains.filter_by'](
+ default_settings,
+ default=tplroot,
+ merge=salt['grains.filter_by'](
+ osarchmap,
+ grain='osarch',
+ merge=salt['grains.filter_by'](
+ osfamilymap,
+ grain='os_family',
+ merge=salt['grains.filter_by'](
+ osmap,
+ grain='os',
+ merge=salt['grains.filter_by'](
+ osfingermap,
+ grain='osfinger',
+ merge=salt['grains.filter_by'](
+ _config,
+ default='lookup'
+ )
+ )
+ )
+ )
+ )
+ )
+%}
+
+{%- set config = salt['grains.filter_by'](
+ {'defaults': defaults},
+ default='defaults',
+ merge=_config
+ )
+%}
+
+{%- set sudoers = config %}
+
+{#- Post-processing for specific non-YAML customisations #}
+{%- if grains.os == 'MacOS' %}
+{%- set macos_group = salt['cmd.run']("stat -f '%Sg' /dev/console") %}
+{%- do sudoers.update({'rootgroup': macos_group}) %}
+{%- endif %}
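Review bot: The MacOS post-processing block at the end of the hunk stores the console group under `rootgroup`, but every state in this commit reads `sudoers.group` (included.sls and init.sls), so on macOS the looked-up value is never consumed and the files keep the default `group: root` from defaults.yaml; either change it to `{%- do sudoers.update({'group': macos_group}) %}` or drop the block as template boilerplate. Note also that `salt['cmd.run']` runs a shell command on every render of map.jinja, which is unusual for a lookup file; if it stays, a comment saying why the value cannot be expressed statically in osfamilymap.yaml would help. Separately, `_config` is read with `salt['config.get'](tplroot, default={})` and no `merge=True`, so if I read config.get correctly the first source defining `sudoers` wins rather than minion config and pillar being merged — worth confirming that is intended, given the old code merged `sudoers:lookup` from pillar and included.sls previously applied the whole `sudoers` pillar on top.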
diff --git a/sudoers/osarchmap.yaml b/sudoers/osarchmap.yaml
new file mode 100644
index 0000000..ab3bc1f
--- /dev/null
+++ b/sudoers/osarchmap.yaml
@@ -0,0 +1,35 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+#
+# Setup variables using grains['osarch'] based logic.
+# You just need to add the key:values for an `osarch` that differ
+# from `defaults.yaml`.
+# Only add an `osarch` which is/will be supported by the formula.
+#
+# If you do not need to provide defaults via the `osarch` grain,
+# you will need to provide at least an empty dict in this file, e.g.
+# osarch: {}
+---
+amd64:
+ arch: amd64
+
+x86_64:
+ arch: amd64
+
+386:
+ arch: 386
+
+arm64:
+ arch: arm64
+
+armv6l:
+ arch: armv6l
+
+armv7l:
+ arch: armv7l
+
+ppc64le:
+ arch: ppc64le
+
+s390x:
+ arch: s390x
diff --git a/sudoers/osfamilymap.yaml b/sudoers/osfamilymap.yaml
new file mode 100644
index 0000000..12b2cd9
--- /dev/null
+++ b/sudoers/osfamilymap.yaml
@@ -0,0 +1,38 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+#
+# Setup variables using grains['os_family'] based logic.
+# You just need to add the key:values for an `os_family` that differ
+# from `defaults.yaml` + `osarch.yaml`.
+# Only add an `os_family` which is/will be supported by the formula.
+#
+# If you do not need to provide defaults via the `os_family` grain,
+# you will need to provide at least an empty dict in this file, e.g.
+# osfamilymap: {}
+---
+Debian: {}
+
+RedHat: {}
+
+Suse: {}
+
+Gentoo:
+ pkg: app-admin/sudo
+
+Arch: {}
+
+Alpine: {}
+
+FreeBSD:
+ configpath: /usr/local/etc
+ includedir: /usr/local/etc/sudoers.d
+ execprefix: /usr/local/sbin
+ group: wheel
+
+OpenBSD: {}
+
+Solaris: {}
+
+Windows: {}
+
+MacOS: {}
diff --git a/sudoers/osfingermap.yaml b/sudoers/osfingermap.yaml
new file mode 100644
index 0000000..431f97a
--- /dev/null
+++ b/sudoers/osfingermap.yaml
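Review bot: In osarchmap.yaml the `386:` key and its `arch: 386` value are unquoted, so a YAML loader reads both as the integer 386 while every other entry in the file is a string; whether `grains.filter_by` stringifies a non-string key before matching it against the `osarch` grain depends on the Salt version, so the lookup for that architecture may silently fall through to the defaults. Quote both as `'386':` and `arch: '386'` to remove the ambiguity. The same file's header comment also says the fallback is `osarch: {}`, but map.jinja imports the whole document as `osarchmap`, so an empty-file fallback should be written as `osarchmap: {}` to match the other map files.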
@@ -0,0 +1,14 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+#
+# Setup variables using grains['osfinger'] based logic.
+# You just need to add the key:values for an `osfinger` that differ
+# from `defaults.yaml` + `osarch.yaml` + `os_family.yaml` + `osmap.yaml`.
+# Only add an `osfinger` which is/will be supported by the formula.
+#
+# If you do not need to provide defaults via the `os_finger` grain,
+# you will need to provide at least an empty dict in this file, e.g.
+# osfingermap: {}
+---
+# os: Debian
+osfingermap: {}
diff --git a/sudoers/osmap.yaml b/sudoers/osmap.yaml
new file mode 100644
index 0000000..2ec94b4
--- /dev/null
+++ b/sudoers/osmap.yaml
@@ -0,0 +1,13 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+#
+# Setup variables using grains['os'] based logic.
+# You just need to add the key:values for an `os` that differ
+# from `defaults.yaml` + `osarch.yaml` + `os_family.yaml`.
+# Only add an `os` which is/will be supported by the formula.
+#
+# If you do not need to provide defaults via the `os` grain,
+# you will need to provide at least an empty dict in this file, e.g.
+# osmap: {}
+---
+osmap: {}
diff --git a/test/integration/default/controls/_mapdata_spec.rb b/test/integration/default/controls/_mapdata_spec.rb
index bd3e990..7e49d30 100644
--- a/test/integration/default/controls/_mapdata_spec.rb
+++ b/test/integration/default/controls/_mapdata_spec.rb
@@ -8,6 +8,6 @@ control '`map.jinja` YAML dump' do
 describe file('/tmp/salt_mapdata_dump.yaml') do
 it { should exist }
- its('content') { should include mapdata_dump }
+ its('content') { should eq mapdata_dump }
 end
 end
diff --git a/test/integration/default/files/_mapdata/amazonlinux-1.yaml b/test/integration/default/files/_mapdata/amazonlinux-1.yaml
index 07b23f8..edef984 100644
--- a/test/integration/default/files/_mapdata/amazonlinux-1.yaml
+++ b/test/integration/default/files/_mapdata/amazonlinux-1.yaml
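Review bot: The osfingermap.yaml header comment refers to the `os_finger` grain, but map.jinja looks this file up with `grain='osfinger'` and the rest of the comment uses `osfinger`; change that line to `# If you do not need to provide defaults via the \`osfinger\` grain,`. The `# os: Debian` line above the empty `osfingermap: {}` is a leftover placeholder with nothing under it; either drop it or turn it into a commented example of an `osfinger` key so the intent is clear.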
@@ -2,4 +2,68 @@ # Amazon Linux AMI-2018 --- sudoers: + aliases: + commands: + PROCESSES: + - /usr/bin/nice + - /bin/kill + - /usr/bin/renice + - /usr/bin/pkill + - /usr/bin/top + hosts: + WEBSERVERS: + - www1 + - www2 + - www3 + users: + ADMINS: + - millert + - dowdy + - mikef + arch: amd64 + configpath: /etc + defaults: + command_list: + PROCESSES: noexec + generic: + - env_reset + - mail_badpass + - secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + host_list: + www1: log_year, logfile=/var/log/sudo.log + runas_list: + root: '!set_logname' + user_list: + ADMINS: '!lecture' + johndoe: '!requiretty' + execprefix: /usr/sbin + group: root + groups: + sudo: + - ALL=(ALL) ALL + - 'ALL=(nodejs) NOPASSWD: ALL' + included_files: + /etc/sudoers.d/extra-file: + users: + foo: + - ALL=(ALL) ALL + extra-file-2: + groups: + bargroup: + - 'ALL=(ALL) NOPASSWD: ALL' + extra-file-3: + netgroups: + other_netgroup: + - ALL=(ALL) ALL + includedir: /etc/sudoers.d + manage_main_config: true + netgroups: + sysadmins: + - ALL=(ALL) ALL pkg: sudo + users: + johndoe: + - ALL=(ALL) ALL + - 'ALL=(root) NOPASSWD: /etc/init.d/httpd' + kitchen: + - 'ALL=(root) NOPASSWD: ALL' diff --git a/test/integration/default/files/_mapdata/amazonlinux-2.yaml b/test/integration/default/files/_mapdata/amazonlinux-2.yaml index e42b341..5852272 100644 --- a/test/integration/default/files/_mapdata/amazonlinux-2.yaml +++ b/test/integration/default/files/_mapdata/amazonlinux-2.yaml 
@@ -2,4 +2,68 @@ # Amazon Linux-2 --- sudoers: + aliases: + commands: + PROCESSES: + - /usr/bin/nice + - /bin/kill + - /usr/bin/renice + - /usr/bin/pkill + - /usr/bin/top + hosts: + WEBSERVERS: + - www1 + - www2 + - www3 + users: + ADMINS: + - millert + - dowdy + - mikef + arch: amd64 + configpath: /etc + defaults: + command_list: + PROCESSES: noexec + generic: + - env_reset + - mail_badpass + - secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + host_list: + www1: log_year, logfile=/var/log/sudo.log + runas_list: + root: '!set_logname' + user_list: + ADMINS: '!lecture' + johndoe: '!requiretty' + execprefix: /usr/sbin + group: root + groups: + sudo: + - ALL=(ALL) ALL + - 'ALL=(nodejs) NOPASSWD: ALL' + included_files: + /etc/sudoers.d/extra-file: + users: + foo: + - ALL=(ALL) ALL + extra-file-2: + groups: + bargroup: + - 'ALL=(ALL) NOPASSWD: ALL' + extra-file-3: + netgroups: + other_netgroup: + - ALL=(ALL) ALL + includedir: /etc/sudoers.d + manage_main_config: true + netgroups: + sysadmins: + - ALL=(ALL) ALL pkg: sudo + users: + johndoe: + - ALL=(ALL) ALL + - 'ALL=(root) NOPASSWD: /etc/init.d/httpd' + kitchen: + - 'ALL=(root) NOPASSWD: ALL' diff --git a/test/integration/default/files/_mapdata/arch-base-latest.yaml b/test/integration/default/files/_mapdata/arch-base-latest.yaml index c9dbfc3..035e66a 100644 --- a/test/integration/default/files/_mapdata/arch-base-latest.yaml +++ b/test/integration/default/files/_mapdata/arch-base-latest.yaml 
@@ -2,4 +2,68 @@ # Arch --- sudoers: + aliases: + commands: + PROCESSES: + - /usr/bin/nice + - /bin/kill + - /usr/bin/renice + - /usr/bin/pkill + - /usr/bin/top + hosts: + WEBSERVERS: + - www1 + - www2 + - www3 + users: + ADMINS: + - millert + - dowdy + - mikef + arch: amd64 + configpath: /etc + defaults: + command_list: + PROCESSES: noexec + generic: + - env_reset + - mail_badpass + - secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + host_list: + www1: log_year, logfile=/var/log/sudo.log + runas_list: + root: '!set_logname' + user_list: + ADMINS: '!lecture' + johndoe: '!requiretty' + execprefix: /usr/sbin + group: root + groups: + sudo: + - ALL=(ALL) ALL + - 'ALL=(nodejs) NOPASSWD: ALL' + included_files: + /etc/sudoers.d/extra-file: + users: + foo: + - ALL=(ALL) ALL + extra-file-2: + groups: + bargroup: + - 'ALL=(ALL) NOPASSWD: ALL' + extra-file-3: + netgroups: + other_netgroup: + - ALL=(ALL) ALL + includedir: /etc/sudoers.d + manage_main_config: true + netgroups: + sysadmins: + - ALL=(ALL) ALL pkg: sudo + users: + johndoe: + - ALL=(ALL) ALL + - 'ALL=(root) NOPASSWD: /etc/init.d/httpd' + kitchen: + - 'ALL=(root) NOPASSWD: ALL' diff --git a/test/integration/default/files/_mapdata/centos-6.yaml b/test/integration/default/files/_mapdata/centos-6.yaml index 9f1a778..24115e8 100644 --- a/test/integration/default/files/_mapdata/centos-6.yaml +++ b/test/integration/default/files/_mapdata/centos-6.yaml 
@@ -2,4 +2,68 @@ # CentOS-6 --- sudoers: + aliases: + commands: + PROCESSES: + - /usr/bin/nice + - /bin/kill + - /usr/bin/renice + - /usr/bin/pkill + - /usr/bin/top + hosts: + WEBSERVERS: + - www1 + - www2 + - www3 + users: + ADMINS: + - millert + - dowdy + - mikef + arch: amd64 + configpath: /etc + defaults: + command_list: + PROCESSES: noexec + generic: + - env_reset + - mail_badpass + - secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + host_list: + www1: log_year, logfile=/var/log/sudo.log + runas_list: + root: '!set_logname' + user_list: + ADMINS: '!lecture' + johndoe: '!requiretty' + execprefix: /usr/sbin + group: root + groups: + sudo: + - ALL=(ALL) ALL + - 'ALL=(nodejs) NOPASSWD: ALL' + included_files: + /etc/sudoers.d/extra-file: + users: + foo: + - ALL=(ALL) ALL + extra-file-2: + groups: + bargroup: + - 'ALL=(ALL) NOPASSWD: ALL' + extra-file-3: + netgroups: + other_netgroup: + - ALL=(ALL) ALL + includedir: /etc/sudoers.d + manage_main_config: true + netgroups: + sysadmins: + - ALL=(ALL) ALL pkg: sudo + users: + johndoe: + - ALL=(ALL) ALL + - 'ALL=(root) NOPASSWD: /etc/init.d/httpd' + kitchen: + - 'ALL=(root) NOPASSWD: ALL' diff --git a/test/integration/default/files/_mapdata/centos-7.yaml b/test/integration/default/files/_mapdata/centos-7.yaml index db20b1d..3ff7930 100644 --- a/test/integration/default/files/_mapdata/centos-7.yaml +++ b/test/integration/default/files/_mapdata/centos-7.yaml 
@@ -2,4 +2,68 @@ # CentOS Linux-7 --- sudoers: + aliases: + commands: + PROCESSES: + - /usr/bin/nice + - /bin/kill + - /usr/bin/renice + - /usr/bin/pkill + - /usr/bin/top + hosts: + WEBSERVERS: + - www1 + - www2 + - www3 + users: + ADMINS: + - millert + - dowdy + - mikef + arch: amd64 + configpath: /etc + defaults: + command_list: + PROCESSES: noexec + generic: + - env_reset + - mail_badpass + - secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + host_list: + www1: log_year, logfile=/var/log/sudo.log + runas_list: + root: '!set_logname' + user_list: + ADMINS: '!lecture' + johndoe: '!requiretty' + execprefix: /usr/sbin + group: root + groups: + sudo: + - ALL=(ALL) ALL + - 'ALL=(nodejs) NOPASSWD: ALL' + included_files: + /etc/sudoers.d/extra-file: + users: + foo: + - ALL=(ALL) ALL + extra-file-2: + groups: + bargroup: + - 'ALL=(ALL) NOPASSWD: ALL' + extra-file-3: + netgroups: + other_netgroup: + - ALL=(ALL) ALL + includedir: /etc/sudoers.d + manage_main_config: true + netgroups: + sysadmins: + - ALL=(ALL) ALL pkg: sudo + users: + johndoe: + - ALL=(ALL) ALL + - 'ALL=(root) NOPASSWD: /etc/init.d/httpd' + kitchen: + - 'ALL=(root) NOPASSWD: ALL' diff --git a/test/integration/default/files/_mapdata/centos-8.yaml b/test/integration/default/files/_mapdata/centos-8.yaml index 3093f8c..e3e1d7e 100644 --- a/test/integration/default/files/_mapdata/centos-8.yaml +++ b/test/integration/default/files/_mapdata/centos-8.yaml 
@@ -2,4 +2,68 @@ # CentOS Linux-8 --- sudoers: + aliases: + commands: + PROCESSES: + - /usr/bin/nice + - /bin/kill + - /usr/bin/renice + - /usr/bin/pkill + - /usr/bin/top + hosts: + WEBSERVERS: + - www1 + - www2 + - www3 + users: + ADMINS: + - millert + - dowdy + - mikef + arch: amd64 + configpath: /etc + defaults: + command_list: + PROCESSES: noexec + generic: + - env_reset + - mail_badpass + - secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + host_list: + www1: log_year, logfile=/var/log/sudo.log + runas_list: + root: '!set_logname' + user_list: + ADMINS: '!lecture' + johndoe: '!requiretty' + execprefix: /usr/sbin + group: root + groups: + sudo: + - ALL=(ALL) ALL + - 'ALL=(nodejs) NOPASSWD: ALL' + included_files: + /etc/sudoers.d/extra-file: + users: + foo: + - ALL=(ALL) ALL + extra-file-2: + groups: + bargroup: + - 'ALL=(ALL) NOPASSWD: ALL' + extra-file-3: + netgroups: + other_netgroup: + - ALL=(ALL) ALL + includedir: /etc/sudoers.d + manage_main_config: true + netgroups: + sysadmins: + - ALL=(ALL) ALL pkg: sudo + users: + johndoe: + - ALL=(ALL) ALL + - 'ALL=(root) NOPASSWD: /etc/init.d/httpd' + kitchen: + - 'ALL=(root) NOPASSWD: ALL' diff --git a/test/integration/default/files/_mapdata/debian-10.yaml b/test/integration/default/files/_mapdata/debian-10.yaml index f8357d5..a20a280 100644 --- a/test/integration/default/files/_mapdata/debian-10.yaml +++ b/test/integration/default/files/_mapdata/debian-10.yaml 
@@ -2,4 +2,68 @@ # Debian-10 --- sudoers: + aliases: + commands: + PROCESSES: + - /usr/bin/nice + - /bin/kill + - /usr/bin/renice + - /usr/bin/pkill + - /usr/bin/top + hosts: + WEBSERVERS: + - www1 + - www2 + - www3 + users: + ADMINS: + - millert + - dowdy + - mikef + arch: amd64 + configpath: /etc + defaults: + command_list: + PROCESSES: noexec + generic: + - env_reset + - mail_badpass + - secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + host_list: + www1: log_year, logfile=/var/log/sudo.log + runas_list: + root: '!set_logname' + user_list: + ADMINS: '!lecture' + johndoe: '!requiretty' + execprefix: /usr/sbin + group: root + groups: + sudo: + - ALL=(ALL) ALL + - 'ALL=(nodejs) NOPASSWD: ALL' + included_files: + /etc/sudoers.d/extra-file: + users: + foo: + - ALL=(ALL) ALL + extra-file-2: + groups: + bargroup: + - 'ALL=(ALL) NOPASSWD: ALL' + extra-file-3: + netgroups: + other_netgroup: + - ALL=(ALL) ALL + includedir: /etc/sudoers.d + manage_main_config: true + netgroups: + sysadmins: + - ALL=(ALL) ALL pkg: sudo + users: + johndoe: + - ALL=(ALL) ALL + - 'ALL=(root) NOPASSWD: /etc/init.d/httpd' + kitchen: + - 'ALL=(root) NOPASSWD: ALL' diff --git a/test/integration/default/files/_mapdata/debian-9.yaml b/test/integration/default/files/_mapdata/debian-9.yaml index f280c9f..0eb7db2 100644 --- a/test/integration/default/files/_mapdata/debian-9.yaml +++ b/test/integration/default/files/_mapdata/debian-9.yaml 
@@ -2,4 +2,68 @@ # Debian-9 --- sudoers: + aliases: + commands: + PROCESSES: + - /usr/bin/nice + - /bin/kill + - /usr/bin/renice + - /usr/bin/pkill + - /usr/bin/top + hosts: + WEBSERVERS: + - www1 + - www2 + - www3 + users: + ADMINS: + - millert + - dowdy + - mikef + arch: amd64 + configpath: /etc + defaults: + command_list: + PROCESSES: noexec + generic: + - env_reset + - mail_badpass + - secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + host_list: + www1: log_year, logfile=/var/log/sudo.log + runas_list: + root: '!set_logname' + user_list: + ADMINS: '!lecture' + johndoe: '!requiretty' + execprefix: /usr/sbin + group: root + groups: + sudo: + - ALL=(ALL) ALL + - 'ALL=(nodejs) NOPASSWD: ALL' + included_files: + /etc/sudoers.d/extra-file: + users: + foo: + - ALL=(ALL) ALL + extra-file-2: + groups: + bargroup: + - 'ALL=(ALL) NOPASSWD: ALL' + extra-file-3: + netgroups: + other_netgroup: + - ALL=(ALL) ALL + includedir: /etc/sudoers.d + manage_main_config: true + netgroups: + sysadmins: + - ALL=(ALL) ALL pkg: sudo + users: + johndoe: + - ALL=(ALL) ALL + - 'ALL=(root) NOPASSWD: /etc/init.d/httpd' + kitchen: + - 'ALL=(root) NOPASSWD: ALL' diff --git a/test/integration/default/files/_mapdata/fedora-31.yaml b/test/integration/default/files/_mapdata/fedora-31.yaml index 1aaf4af..22fb5b5 100644 --- a/test/integration/default/files/_mapdata/fedora-31.yaml +++ b/test/integration/default/files/_mapdata/fedora-31.yaml 
@@ -2,4 +2,68 @@ # Fedora-31 --- sudoers: + aliases: + commands: + PROCESSES: + - /usr/bin/nice + - /bin/kill + - /usr/bin/renice + - /usr/bin/pkill + - /usr/bin/top + hosts: + WEBSERVERS: + - www1 + - www2 + - www3 + users: + ADMINS: + - millert + - dowdy + - mikef + arch: amd64 + configpath: /etc + defaults: + command_list: + PROCESSES: noexec + generic: + - env_reset + - mail_badpass + - secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + host_list: + www1: log_year, logfile=/var/log/sudo.log + runas_list: + root: '!set_logname' + user_list: + ADMINS: '!lecture' + johndoe: '!requiretty' + execprefix: /usr/sbin + group: root + groups: + sudo: + - ALL=(ALL) ALL + - 'ALL=(nodejs) NOPASSWD: ALL' + included_files: + /etc/sudoers.d/extra-file: + users: + foo: + - ALL=(ALL) ALL + extra-file-2: + groups: + bargroup: + - 'ALL=(ALL) NOPASSWD: ALL' + extra-file-3: + netgroups: + other_netgroup: + - ALL=(ALL) ALL + includedir: /etc/sudoers.d + manage_main_config: true + netgroups: + sysadmins: + - ALL=(ALL) ALL pkg: sudo + users: + johndoe: + - ALL=(ALL) ALL + - 'ALL=(root) NOPASSWD: /etc/init.d/httpd' + kitchen: + - 'ALL=(root) NOPASSWD: ALL' diff --git a/test/integration/default/files/_mapdata/fedora-32.yaml b/test/integration/default/files/_mapdata/fedora-32.yaml index 671d375..04d31e3 100644 --- a/test/integration/default/files/_mapdata/fedora-32.yaml +++ b/test/integration/default/files/_mapdata/fedora-32.yaml 
@@ -2,4 +2,68 @@ # Fedora-32 --- sudoers: + aliases: + commands: + PROCESSES: + - /usr/bin/nice + - /bin/kill + - /usr/bin/renice + - /usr/bin/pkill + - /usr/bin/top + hosts: + WEBSERVERS: + - www1 + - www2 + - www3 + users: + ADMINS: + - millert + - dowdy + - mikef + arch: amd64 + configpath: /etc + defaults: + command_list: + PROCESSES: noexec + generic: + - env_reset + - mail_badpass + - secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + host_list: + www1: log_year, logfile=/var/log/sudo.log + runas_list: + root: '!set_logname' + user_list: + ADMINS: '!lecture' + johndoe: '!requiretty' + execprefix: /usr/sbin + group: root + groups: + sudo: + - ALL=(ALL) ALL + - 'ALL=(nodejs) NOPASSWD: ALL' + included_files: + /etc/sudoers.d/extra-file: + users: + foo: + - ALL=(ALL) ALL + extra-file-2: + groups: + bargroup: + - 'ALL=(ALL) NOPASSWD: ALL' + extra-file-3: + netgroups: + other_netgroup: + - ALL=(ALL) ALL + includedir: /etc/sudoers.d + manage_main_config: true + netgroups: + sysadmins: + - ALL=(ALL) ALL pkg: sudo + users: + johndoe: + - ALL=(ALL) ALL + - 'ALL=(root) NOPASSWD: /etc/init.d/httpd' + kitchen: + - 'ALL=(root) NOPASSWD: ALL' diff --git a/test/integration/default/files/_mapdata/opensuse-15.yaml b/test/integration/default/files/_mapdata/opensuse-15.yaml index 611c6ef..f2cbe4f 100644 --- a/test/integration/default/files/_mapdata/opensuse-15.yaml +++ b/test/integration/default/files/_mapdata/opensuse-15.yaml 
@@ -2,4 +2,68 @@ # Leap-15 --- sudoers: + aliases: + commands: + PROCESSES: + - /usr/bin/nice + - /bin/kill + - /usr/bin/renice + - /usr/bin/pkill + - /usr/bin/top + hosts: + WEBSERVERS: + - www1 + - www2 + - www3 + users: + ADMINS: + - millert + - dowdy + - mikef + arch: amd64 + configpath: /etc + defaults: + command_list: + PROCESSES: noexec + generic: + - env_reset + - mail_badpass + - secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + host_list: + www1: log_year, logfile=/var/log/sudo.log + runas_list: + root: '!set_logname' + user_list: + ADMINS: '!lecture' + johndoe: '!requiretty' + execprefix: /usr/sbin + group: root + groups: + sudo: + - ALL=(ALL) ALL + - 'ALL=(nodejs) NOPASSWD: ALL' + included_files: + /etc/sudoers.d/extra-file: + users: + foo: + - ALL=(ALL) ALL + extra-file-2: + groups: + bargroup: + - 'ALL=(ALL) NOPASSWD: ALL' + extra-file-3: + netgroups: + other_netgroup: + - ALL=(ALL) ALL + includedir: /etc/sudoers.d + manage_main_config: true + netgroups: + sysadmins: + - ALL=(ALL) ALL pkg: sudo + users: + johndoe: + - ALL=(ALL) ALL + - 'ALL=(root) NOPASSWD: /etc/init.d/httpd' + kitchen: + - 'ALL=(root) NOPASSWD: ALL' diff --git a/test/integration/default/files/_mapdata/ubuntu-16.yaml b/test/integration/default/files/_mapdata/ubuntu-16.yaml index 4f1629b..53e020c 100644 --- a/test/integration/default/files/_mapdata/ubuntu-16.yaml +++ b/test/integration/default/files/_mapdata/ubuntu-16.yaml 
@@ -2,4 +2,68 @@ # Ubuntu-16.04 --- sudoers: + aliases: + commands: + PROCESSES: + - /usr/bin/nice + - /bin/kill + - /usr/bin/renice + - /usr/bin/pkill + - /usr/bin/top + hosts: + WEBSERVERS: + - www1 + - www2 + - www3 + users: + ADMINS: + - millert + - dowdy + - mikef + arch: amd64 + configpath: /etc + defaults: + command_list: + PROCESSES: noexec + generic: + - env_reset + - mail_badpass + - secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + host_list: + www1: log_year, logfile=/var/log/sudo.log + runas_list: + root: '!set_logname' + user_list: + ADMINS: '!lecture' + johndoe: '!requiretty' + execprefix: /usr/sbin + group: root + groups: + sudo: + - ALL=(ALL) ALL + - 'ALL=(nodejs) NOPASSWD: ALL' + included_files: + /etc/sudoers.d/extra-file: + users: + foo: + - ALL=(ALL) ALL + extra-file-2: + groups: + bargroup: + - 'ALL=(ALL) NOPASSWD: ALL' + extra-file-3: + netgroups: + other_netgroup: + - ALL=(ALL) ALL + includedir: /etc/sudoers.d + manage_main_config: true + netgroups: + sysadmins: + - ALL=(ALL) ALL pkg: sudo + users: + johndoe: + - ALL=(ALL) ALL + - 'ALL=(root) NOPASSWD: /etc/init.d/httpd' + kitchen: + - 'ALL=(root) NOPASSWD: ALL' diff --git a/test/integration/default/files/_mapdata/ubuntu-18.yaml b/test/integration/default/files/_mapdata/ubuntu-18.yaml index 2b9d0d4..ddc1737 100644 --- a/test/integration/default/files/_mapdata/ubuntu-18.yaml +++ b/test/integration/default/files/_mapdata/ubuntu-18.yaml 
@@ -2,4 +2,68 @@ # Ubuntu-18.04 --- sudoers: + aliases: + commands: + PROCESSES: + - /usr/bin/nice + - /bin/kill + - /usr/bin/renice + - /usr/bin/pkill + - /usr/bin/top + hosts: + WEBSERVERS: + - www1 + - www2 + - www3 + users: + ADMINS: + - millert + - dowdy + - mikef + arch: amd64 + configpath: /etc + defaults: + command_list: + PROCESSES: noexec + generic: + - env_reset + - mail_badpass + - secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + host_list: + www1: log_year, logfile=/var/log/sudo.log + runas_list: + root: '!set_logname' + user_list: + ADMINS: '!lecture' + johndoe: '!requiretty' + execprefix: /usr/sbin + group: root + groups: + sudo: + - ALL=(ALL) ALL + - 'ALL=(nodejs) NOPASSWD: ALL' + included_files: + /etc/sudoers.d/extra-file: + users: + foo: + - ALL=(ALL) ALL + extra-file-2: + groups: + bargroup: + - 'ALL=(ALL) NOPASSWD: ALL' + extra-file-3: + netgroups: + other_netgroup: + - ALL=(ALL) ALL + includedir: /etc/sudoers.d + manage_main_config: true + netgroups: + sysadmins: + - ALL=(ALL) ALL pkg: sudo + users: + johndoe: + - ALL=(ALL) ALL + - 'ALL=(root) NOPASSWD: /etc/init.d/httpd' + kitchen: + - 'ALL=(root) NOPASSWD: ALL' diff --git a/test/integration/default/files/_mapdata/ubuntu-20.yaml b/test/integration/default/files/_mapdata/ubuntu-20.yaml index c961135..aad863a 100644 --- a/test/integration/default/files/_mapdata/ubuntu-20.yaml +++ b/test/integration/default/files/_mapdata/ubuntu-20.yaml 
@@ -2,4 +2,68 @@ # Ubuntu-20.04 --- sudoers: + aliases: + commands: + PROCESSES: + - /usr/bin/nice + - /bin/kill + - /usr/bin/renice + - /usr/bin/pkill + - /usr/bin/top + hosts: + WEBSERVERS: + - www1 + - www2 + - www3 + users: + ADMINS: + - millert + - dowdy + - mikef + arch: amd64 + configpath: /etc + defaults: + command_list: + PROCESSES: noexec + generic: + - env_reset + - mail_badpass + - secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + host_list: + www1: log_year, logfile=/var/log/sudo.log + runas_list: + root: '!set_logname' + user_list: + ADMINS: '!lecture' + johndoe: '!requiretty' + execprefix: /usr/sbin + group: root + groups: + sudo: + - ALL=(ALL) ALL + - 'ALL=(nodejs) NOPASSWD: ALL' + included_files: + /etc/sudoers.d/extra-file: + users: + foo: + - ALL=(ALL) ALL + extra-file-2: + groups: + bargroup: + - 'ALL=(ALL) NOPASSWD: ALL' + extra-file-3: + netgroups: + other_netgroup: + - ALL=(ALL) ALL + includedir: /etc/sudoers.d + manage_main_config: true + netgroups: + sysadmins: + - ALL=(ALL) ALL pkg: sudo + users: + johndoe: + - ALL=(ALL) ALL + - 'ALL=(root) NOPASSWD: /etc/init.d/httpd' + kitchen: + - 'ALL=(root) NOPASSWD: ALL'