Add more secure sudo configuration

Also update the sudo cookbook
2017-06-09 16:08:36 +02:00
parent 0acc4e65e9
commit afc07c3192
6 changed files with 21 additions and 5 deletions
--- a/site-cookbooks/kosmos-base/recipes/default.rb
+++ b/site-cookbooks/kosmos-base/recipes/default.rb
@@ -28,6 +28,14 @@ users_manage 'sysadmin' do
  action [:remove, :create]
 end

+node.override['authorization']['sudo']['sudoers_defaults'] = [
+  # not default on Ubuntu, explicitely enable. Uses a minimal white list of
+  # environment variables
+  'env_reset',
+  # Send emails on unauthorized attempts
+  'mail_badpass',
+  'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"',
+]
 node.override['authorization']['sudo']['passwordless'] = true
 include_recipe 'sudo'