From 745b48a21d7316c285e0c8a9cb791cdcc12a061a Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Wed, 29 Nov 2023 13:22:22 -0600
Subject: [PATCH 1/3] Fix wrong_value test in sudo_require_authentication
!authenticate is not valid in group line in sudoers
---
 .../sudo/sudo_require_authentication/tests/wrong_value.fail.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/wrong_value.fail.sh b/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/wrong_value.fail.sh
index 1c2d98e824a..3c661e2902e 100644
--- a/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/wrong_value.fail.sh
+++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/wrong_value.fail.sh
@@ -5,6 +5,6 @@ echo "Defaults !authenticate" >> /etc/sudoers
 chmod 440 /etc/sudoers
 mkdir -p /etc/sudoers.d
-echo "%wheel ALL=(ALL) !authenticate ALL" >> /etc/sudoers.d/sudoers
+echo "%wheel ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers.d/sudoers
 echo "Defaults !authenticate" >> /etc/sudoers.d/sudoers
 chmod 440 /etc/sudoers.d/sudoers
From c8fd18201bd88ad6a3cdf9c50aa3b95e1776a516 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Wed, 29 Nov 2023 13:23:16 -0600
Subject: [PATCH 2/3] Add docs for ansible_sudo_remove_config
---
 shared/macros/10-ansible.jinja | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
index 84bddf54633..987f0bd6232 100644
--- a/shared/macros/10-ansible.jinja
+++ b/shared/macros/10-ansible.jinja
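Review bot: The lines appended to /etc/sudoers.d/sudoers on the new side are never syntax-checked, so a malformed entry — the exact problem this commit fixes — would make sudo refuse the file instead of exercising the intended wrong value, and nothing in the fixture would reveal that. After the `chmod 440 /etc/sudoers.d/sudoers` line, add `visudo -cf /etc/sudoers.d/sudoers` (and the same for /etc/sudoers after its chmod) so the scenario aborts when the fixture itself is invalid. Whether the rule's checker still reports a failure on an unparsable drop-in is not visible here, so the fail outcome of this scenario currently rests on an unverified assumption. The script's first four lines are outside the hunk.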
@@ -721,7 +721,15 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
 mode: 0644
 {{%- endmacro %}}
+{{#
+ This macro comments out a given line of the sudoers and then validates it before saving.
+
+:param parameter: The parameter to remove
+:type parameter: str
+:param pattern: The pattern to remove
+:type pattern: str
+#}}
 {{%- macro ansible_sudo_remove_config(parameter, pattern) -%}}
 - name: Find /etc/sudoers.d/ files
From 722e6d6733be2f8d0f6aa2f0cfc8f4f838fd6aec Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Wed, 29 Nov 2023 13:23:39 -0600
Subject: [PATCH 3/3] Move ansible_sudo_remove_config to FQCN
---
 shared/macros/10-ansible.jinja | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja
index 987f0bd6232..d72ff21b634 100644
--- a/shared/macros/10-ansible.jinja
+++ b/shared/macros/10-ansible.jinja
@@ -733,13 +733,13 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul
 {{%- macro ansible_sudo_remove_config(parameter, pattern) -%}}
 - name: Find /etc/sudoers.d/ files
- find:
+ ansible.builtin.find:
 paths:
 - /etc/sudoers.d/
 register: sudoers
 - name: "Remove lines containing {{{ parameter }}} from sudoers files"
- replace:
+ ansible.builtin.replace:
 regexp: '(^(?!#).*[\s]+{{{ pattern }}}.*$)'
 replace: '# \g<1>'
 path: "{{ item.path }}"
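Review bot: The new docstring describes `parameter` and `pattern` almost identically ("The parameter to remove" / "The pattern to remove"), yet in the macro body shown in the following hunk `parameter` only appears in the task title while `pattern` is interpolated unescaped into `regexp:`, so callers must know it is a regular-expression fragment; suggest `:param parameter: Human-readable name of the sudoers option, used only in the task title` and `:param pattern: Regular-expression fragment matched against each sudoers line; matching uncommented lines are commented out (escape regex metacharacters)`. The opening sentence also states the macro "validates it before saving", but no `validate:` option is visible on the replace task in either hunk of this series — if the part of the macro outside the hunk does not pass one, that claim should be dropped or the option added. The macro body continues past the end of this hunk.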