From 0a788d5c4e40ceceed2018ee66bef70734686215 Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Sun, 23 Apr 2023 16:46:02 -0500 Subject: [PATCH] Add Fedora 38 --- .../Fedora/38/etc/dnf/protected.d/sudo.conf | 1 + templates/Fedora/38/etc/pam.d/sudo | 7 + templates/Fedora/38/etc/pam.d/sudo-i | 6 + templates/Fedora/38/etc/sudo.conf | 139 ++++++++++++++++++ templates/Fedora/38/etc/sudoers | 120 +++++++++++++++ .../Fedora/38/etc/sudoers.d/session_log.j2 | 6 + vars/Fedora-38-default.yml | 38 +++++ 7 files changed, 317 insertions(+) create mode 100644 templates/Fedora/38/etc/dnf/protected.d/sudo.conf create mode 100644 templates/Fedora/38/etc/pam.d/sudo create mode 100644 templates/Fedora/38/etc/pam.d/sudo-i create mode 100644 templates/Fedora/38/etc/sudo.conf create mode 100644 templates/Fedora/38/etc/sudoers create mode 100644 templates/Fedora/38/etc/sudoers.d/session_log.j2 create mode 100644 vars/Fedora-38-default.yml diff --git a/templates/Fedora/38/etc/dnf/protected.d/sudo.conf b/templates/Fedora/38/etc/dnf/protected.d/sudo.conf new file mode 100644 index 0000000..7864d0d --- /dev/null +++ b/templates/Fedora/38/etc/dnf/protected.d/sudo.conf @@ -0,0 +1 @@ +sudo diff --git a/templates/Fedora/38/etc/pam.d/sudo b/templates/Fedora/38/etc/pam.d/sudo new file mode 100644 index 0000000..284b050 --- /dev/null +++ b/templates/Fedora/38/etc/pam.d/sudo @@ -0,0 +1,7 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session optional pam_keyinit.so revoke +session required pam_limits.so +session include system-auth diff --git a/templates/Fedora/38/etc/pam.d/sudo-i b/templates/Fedora/38/etc/pam.d/sudo-i new file mode 100644 index 0000000..3c63733 --- /dev/null +++ b/templates/Fedora/38/etc/pam.d/sudo-i @@ -0,0 +1,6 @@ +#%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo diff --git a/templates/Fedora/38/etc/sudo.conf b/templates/Fedora/38/etc/sudo.conf new file mode 100644 index 0000000..773a0e0 --- /dev/null +++ b/templates/Fedora/38/etc/sudo.conf @@ -0,0 +1,139 @@ +# +# Default /etc/sudo.conf file +# +# Sudo plugins: +# Plugin plugin_name plugin_path plugin_options ... +# +# The plugin_path is relative to /usr/libexec/sudo unless +# fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +#Plugin sudoers_policy sudoers.so +#Plugin sudoers_io sudoers.so +#Plugin sudoers_audit sudoers.so + +# +# Sudo askpass: +# Path askpass /path/to/askpass +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own askpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo device search path: +# Path devsearch /dev/path1:/dev/path2:/dev +# +# A colon-separated list of paths to check when searching for a user's +# terminal device. +# +#Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev + +# +# Sudo command interception: +# Path intercept /path/to/sudo_intercept.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that perform a policy check +# to verify the command is allowed and simply return an error if not. +# This is used to implement the "intercept" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_intercept.so file. +# +#Path intercept /usr/libexec/sudo/sudo_intercept.so + +# +# Sudo noexec: +# Path noexec /path/to/sudo_noexec.so +# +# Path to a shared library containing replacements for the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support LD_PRELOAD or its equivalent. +# +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo/sudo_noexec.so + +# +# Sudo plugin directory: +# Path plugin_dir /path/to/plugins +# +# The default directory to use when searching for plugins that are +# specified without a fully qualified path name. +# +#Path plugin_dir /usr/libexec/sudo + +# +# Sudo developer mode: +# Set developer_mode true|false +# +# Allow loading of plugins that are owned by non-root or are writable +# by "group" or "other". Should only be used during plugin development. +#Set developer_mode true + +# +# Core dumps: +# Set disable_coredump true|false +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +#Set disable_coredump false + +# +# User groups: +# Set group_source static|dynamic|adaptive +# +# Sudo passes the user's group list to the policy plugin. +# If the user is a member of the maximum number of groups (usually 16), +# sudo will query the group database directly to be sure to include +# the full list of groups. +# +# On some systems, this can be expensive so the behavior is configurable. +# The "group_source" setting has three possible values: +# static - use the user's list of groups returned by the kernel. +# dynamic - query the group database to find the list of groups. +# adaptive - if user is in less than the maximum number of groups. +# use the kernel list, else query the group database. +# +#Set group_source static + +# +# Sudo interface probing: +# Set probe_interfaces true|false +# +# By default, sudo will probe the system's network interfaces and +# pass the IP address of each enabled interface to the policy plugin. +# On systems with a large number of virtual interfaces this may take +# a noticeable amount of time. +# +#Set probe_interfaces false + +# +# Sudo debug files: +# Debug program /path/to/debug_log subsystem@priority[,subsyste@priority] +# +# Sudo and related programs support logging debug information to a file. +# The program is typically sudo, sudoers.so, sudoreplay or visudo. +# +# Subsystems vary based on the program; "all" matches all subsystems. +# Priority may be crit, err, warn, notice, diag, info, trace or debug. +# Multiple subsystem@priority may be specified, separated by a comma. +# +#Debug sudo /var/log/sudo_debug all@debug +#Debug sudoers.so /var/log/sudoers_debug all@debug diff --git a/templates/Fedora/38/etc/sudoers b/templates/Fedora/38/etc/sudoers new file mode 100644 index 0000000..5f621a8 --- /dev/null +++ b/templates/Fedora/38/etc/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/templates/Fedora/38/etc/sudoers.d/session_log.j2 b/templates/Fedora/38/etc/sudoers.d/session_log.j2 new file mode 100644 index 0000000..1b6d27d --- /dev/null +++ b/templates/Fedora/38/etc/sudoers.d/session_log.j2 @@ -0,0 +1,6 @@ +# +# {{ ansible_managed }} +# +Defaults log_input +Defaults log_output + diff --git a/vars/Fedora-38-default.yml b/vars/Fedora-38-default.yml new file mode 100644 index 0000000..1e839dc --- /dev/null +++ b/vars/Fedora-38-default.yml @@ -0,0 +1,38 @@ +--- +# vars file for ensure_sudo +package_list: + - name: 'libsss_sudo' + state: 'present' + - name: 'sudo' + state: 'present' +template_list: + - dest: '/etc/dnf/protected.d/sudo.conf' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf' + - dest: '/etc/pam.d/sudo' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo' + - dest: '/etc/pam.d/sudo-i' + group: 'root' + mode: '0644' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i' + - dest: '/etc/sudo.conf' + group: 'root' + mode: '0640' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf' + - dest: '/etc/sudoers' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers' + - dest: '/etc/sudoers.d/session_log' + group: 'root' + mode: '0440' + owner: 'root' + src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2'