Add Fedora 37

2022-12-06 21:40:03 -06:00
parent 8de48b63e3
commit de222f0b71
7 changed files with 317 additions and 0 deletions
--- a/templates/Fedora/37/etc/dnf/protected.d/sudo.conf
+++ b/templates/Fedora/37/etc/dnf/protected.d/sudo.conf
@@ -0,0 +1 @@
 sudo
--- a/templates/Fedora/37/etc/pam.d/sudo
+++ b/templates/Fedora/37/etc/pam.d/sudo
@@ -0,0 +1,7 @@
 #%PAM-1.0
 auth       include      system-auth
 account    include      system-auth
 password   include      system-auth
 session    optional     pam_keyinit.so revoke
 session    required     pam_limits.so
 session    include      system-auth
--- a/templates/Fedora/37/etc/pam.d/sudo-i
+++ b/templates/Fedora/37/etc/pam.d/sudo-i
@@ -0,0 +1,6 @@
 #%PAM-1.0
 auth       include      sudo
 account    include      sudo
 password   include      sudo
 session    optional     pam_keyinit.so force revoke
 session    include      sudo
--- a/templates/Fedora/37/etc/sudo.conf
+++ b/templates/Fedora/37/etc/sudo.conf
@@ -0,0 +1,139 @@
 #
 # Default /etc/sudo.conf file
 #
 # Sudo plugins:
 #   Plugin plugin_name plugin_path plugin_options ...
 #
 # The plugin_path is relative to /usr/libexec/sudo unless
 #   fully qualified.
 # The plugin_name corresponds to a global symbol in the plugin
 #   that contains the plugin interface structure.
 # The plugin_options are optional.
 #
 # The sudoers plugin is used by default if no Plugin lines are present.
 #Plugin sudoers_policy sudoers.so
 #Plugin sudoers_io sudoers.so
 #Plugin sudoers_audit sudoers.so
 #
 # Sudo askpass:
 #   Path askpass /path/to/askpass
 #
 # An askpass helper program may be specified to provide a graphical
 # password prompt for "sudo -A" support.  Sudo does not ship with its
 # own askpass program but can use the OpenSSH askpass.
 #
 # Use the OpenSSH askpass
 #Path askpass /usr/X11R6/bin/ssh-askpass
 #
 # Use the Gnome OpenSSH askpass
 #Path askpass /usr/libexec/openssh/gnome-ssh-askpass
 #
 # Sudo device search path:
 #   Path devsearch /dev/path1:/dev/path2:/dev
 #
 # A colon-separated list of paths to check when searching for a user's
 # terminal device.
 #
 #Path devsearch /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
 #
 # Sudo command interception:
 #   Path intercept /path/to/sudo_intercept.so
 #
 # Path to a shared library containing replacements for the execv(),
 # execve() and fexecve() library functions that perform a policy check
 # to verify the command is allowed and simply return an error if not.
 # This is used to implement the "intercept" functionality on systems that
 # support LD_PRELOAD or its equivalent.
 #
 # The compiled-in value is usually sufficient and should only be changed
 # if you rename or move the sudo_intercept.so file.
 #
 #Path intercept /usr/libexec/sudo/sudo_intercept.so
 #
 # Sudo noexec:
 #   Path noexec /path/to/sudo_noexec.so
 #
 # Path to a shared library containing replacements for the execv(),
 # execve() and fexecve() library functions that just return an error.
 # This is used to implement the "noexec" functionality on systems that
 # support LD_PRELOAD or its equivalent.
 #
 # The compiled-in value is usually sufficient and should only be changed
 # if you rename or move the sudo_noexec.so file.
 #
 #Path noexec /usr/libexec/sudo/sudo_noexec.so
 #
 # Sudo plugin directory:
 #   Path plugin_dir /path/to/plugins
 #
 # The default directory to use when searching for plugins that are
 # specified without a fully qualified path name.
 #
 #Path plugin_dir /usr/libexec/sudo
 #
 # Sudo developer mode:
 #   Set developer_mode true|false
 #
 # Allow loading of plugins that are owned by non-root or are writable
 # by "group" or "other".  Should only be used during plugin development.
 #Set developer_mode true
 #
 # Core dumps:
 #   Set disable_coredump true|false
 #
 # By default, sudo disables core dumps while it is executing (they
 # are re-enabled for the command that is run).
 # To aid in debugging sudo problems, you may wish to enable core
 # dumps by setting "disable_coredump" to false.
 #
 #Set disable_coredump false
 #
 # User groups:
 #   Set group_source static|dynamic|adaptive
 #
 # Sudo passes the user's group list to the policy plugin.
 # If the user is a member of the maximum number of groups (usually 16),
 # sudo will query the group database directly to be sure to include
 # the full list of groups.
 #
 # On some systems, this can be expensive so the behavior is configurable.
 # The "group_source" setting has three possible values:
 #   static   - use the user's list of groups returned by the kernel.
 #   dynamic  - query the group database to find the list of groups.
 #   adaptive - if user is in less than the maximum number of groups.
 #	       use the kernel list, else query the group database.
 #
 #Set group_source static
 #
 # Sudo interface probing:
 #   Set probe_interfaces true|false
 #
 # By default, sudo will probe the system's network interfaces and
 # pass the IP address of each enabled interface to the policy plugin.
 # On systems with a large number of virtual interfaces this may take
 # a noticeable amount of time.
 #
 #Set probe_interfaces false
 #
 # Sudo debug files:
 #   Debug program /path/to/debug_log subsystem@priority[,subsyste@priority]
 #
 # Sudo and related programs support logging debug information to a file.
 # The program is typically sudo, sudoers.so, sudoreplay, or visudo.
 #
 # Subsystems vary based on the program; "all" matches all subsystems.
 # Priority may be crit, err, warn, notice, diag, info, trace, or debug.
 # Multiple subsystem@priority may be specified, separated by a comma.
 #
 #Debug sudo /var/log/sudo_debug all@debug
 #Debug sudoers.so /var/log/sudoers_debug all@debug
--- a/templates/Fedora/37/etc/sudoers
+++ b/templates/Fedora/37/etc/sudoers
@@ -0,0 +1,120 @@
 ## Sudoers allows particular users to run various commands as
 ## the root user, without needing the root password.
 ##
 ## Examples are provided at the bottom of the file for collections
 ## of related commands, which can then be delegated out to particular
 ## users or groups.
 ## 
 ## This file must be edited with the 'visudo' command.
 ## Host Aliases
 ## Groups of machines. You may prefer to use hostnames (perhaps using 
 ## wildcards for entire domains) or IP addresses instead.
 # Host_Alias     FILESERVERS = fs1, fs2
 # Host_Alias     MAILSERVERS = smtp, smtp2
 ## User Aliases
 ## These aren't often necessary, as you can use regular groups
 ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname 
 ## rather than USERALIAS
 # User_Alias ADMINS = jsmith, mikem
 ## Command Aliases
 ## These are groups of related commands...
 ## Networking
 # Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
 ## Installation and management of software
 # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
 ## Services
 # Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
 ## Updating the locate database
 # Cmnd_Alias LOCATE = /usr/bin/updatedb
 ## Storage
 # Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
 ## Delegating permissions
 # Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp 
 ## Processes
 # Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
 ## Drivers
 # Cmnd_Alias DRIVERS = /sbin/modprobe
 # Defaults specification
 #
 # Refuse to run if unable to disable echo on the tty.
 #
 Defaults   !visiblepw
 #
 # Preserving HOME has security implications since many programs
 # use it when searching for configuration files. Note that HOME
 # is already set when the the env_reset option is enabled, so
 # this option is only effective for configurations where either
 # env_reset is disabled or HOME is present in the env_keep list.
 #
 Defaults    always_set_home
 Defaults    match_group_by_gid
 # Prior to version 1.8.15, groups listed in sudoers that were not
 # found in the system group database were passed to the group
 # plugin, if any. Starting with 1.8.15, only groups of the form
 # %:group are resolved via the group plugin by default.
 # We enable always_query_group_plugin to restore old behavior.
 # Disable this option for new behavior.
 Defaults    always_query_group_plugin
 Defaults    env_reset
 Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
 Defaults    env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
 Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
 Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
 Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
 #
 # Adding HOME to env_keep may enable a user to run unrestricted
 # commands via sudo.
 #
 # Defaults   env_keep += "HOME"
 Defaults    secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin
 ## Next comes the main part: which users can run what software on 
 ## which machines (the sudoers file can be shared between multiple
 ## systems).
 ## Syntax:
 ##
 ## 	user	MACHINE=COMMANDS
 ##
 ## The COMMANDS section may have other options added to it.
 ##
 ## Allow root to run any commands anywhere 
 root	ALL=(ALL) 	ALL
 ## Allows members of the 'sys' group to run networking, software, 
 ## service management apps and more.
 # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
 ## Allows people in group wheel to run all commands
 %wheel	ALL=(ALL)	ALL
 ## Same thing without a password
 # %wheel	ALL=(ALL)	NOPASSWD: ALL
 ## Allows members of the users group to mount and unmount the 
 ## cdrom as root
 # %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
 ## Allows members of the users group to shutdown this system
 # %users  localhost=/sbin/shutdown -h now
 ## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
 #includedir /etc/sudoers.d
--- a/templates/Fedora/37/etc/sudoers.d/session_log.j2
+++ b/templates/Fedora/37/etc/sudoers.d/session_log.j2
@@ -0,0 +1,6 @@
 #
 # {{ ansible_managed }}
 #
 Defaults log_input
 Defaults log_output
--- a/vars/Fedora-37-default.yml
+++ b/vars/Fedora-37-default.yml
@@ -0,0 +1,38 @@
 ---
 # vars file for ensure_sudo
 package_list:
  - name: 'libsss_sudo'
    state: 'present'
  - name: 'sudo'
    state: 'present'
 template_list:
  - dest: '/etc/dnf/protected.d/sudo.conf'
    group: 'root'
    mode: '0644'
    owner: 'root'
    src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/dnf/protected.d/sudo.conf'
  - dest: '/etc/pam.d/sudo'
    group: 'root'
    mode: '0644'
    owner: 'root'
    src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo'
  - dest: '/etc/pam.d/sudo-i'
    group: 'root'
    mode: '0644'
    owner: 'root'
    src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/pam.d/sudo-i'
  - dest: '/etc/sudo.conf'
    group: 'root'
    mode: '0640'
    owner: 'root'
    src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudo.conf'
  - dest: '/etc/sudoers'
    group: 'root'
    mode: '0440'
    owner: 'root'
    src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers'
  - dest: '/etc/sudoers.d/session_log'
    group: 'root'
    mode: '0440'
    owner: 'root'
    src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/sudoers.d/session_log.j2'