Add more secure sudo configuration

Also update the sudo cookbook
This commit is contained in:
Greg Karékinian 2017-06-09 16:08:36 +02:00
parent 0acc4e65e9
commit afc07c3192
6 changed files with 21 additions and 5 deletions

Batali

@ -20,7 +20,7 @@ Batali.define do
cookbook 'application_ruby', '~> 4.1.0' cookbook 'application_ruby', '~> 4.1.0'
cookbook 'application_git', '~> 1.1.0' # 1.2.0 doesn't work with knife-solo cookbook 'application_git', '~> 1.1.0' # 1.2.0 doesn't work with knife-solo
cookbook 'users', '~> 5.0.0' cookbook 'users', '~> 5.0.0'
cookbook 'sudo', '~> 3.4.0' cookbook 'sudo', '~> 3.5.0'
cookbook 'hostname' cookbook 'hostname'
cookbook 'redis', cookbook 'redis',
git: 'https://github.com/phlipper/chef-redis.git', git: 'https://github.com/phlipper/chef-redis.git',


@ -912,11 +912,11 @@
"dependencies": [ "dependencies": [
], ],
"version": "3.4.0", "version": "3.5.0",
"source": { "source": {
"type": "Batali::Source::Site", "type": "Batali::Source::Site",
"url": "https://supermarket.chef.io:443/api/v1/cookbooks/sudo/versions/3.4.0/download", "url": "https://supermarket.chef.io:443/api/v1/cookbooks/sudo/versions/3.5.0/download",
"version": "3.4.0" "version": "3.5.0"
} }
}, },
{ {


@ -2,6 +2,10 @@
This file is used to list changes made in each version of the sudo cookbook. This file is used to list changes made in each version of the sudo cookbook.
## 3.5.0 (2017-05-16)
- Add sudo package management to resource
## 3.4.0 (2017-04-26) ## 3.4.0 (2017-04-26)
- Add lwrp support for only env_keep add/subtract - Add lwrp support for only env_keep add/subtract



@ -113,6 +113,10 @@ end
action :install do action :install do
target = "#{node['authorization']['sudo']['prefix']}/sudoers.d/" target = "#{node['authorization']['sudo']['prefix']}/sudoers.d/"
package 'sudo' do
not_if 'which sudo'
end
unless ::File.exist?(target) unless ::File.exist?(target)
sudoers_dir = directory target sudoers_dir = directory target
sudoers_dir.run_action(:create) sudoers_dir.run_action(:create)


@ -28,6 +28,14 @@ users_manage 'sysadmin' do
action [:remove, :create] action [:remove, :create]
end end
node.override['authorization']['sudo']['sudoers_defaults'] = [
# not default on Ubuntu, explicitely enable. Uses a minimal white list of
# environment variables
'env_reset',
# Send emails on unauthorized attempts
'mail_badpass',
'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"',
]
node.override['authorization']['sudo']['passwordless'] = true node.override['authorization']['sudo']['passwordless'] = true
include_recipe 'sudo' include_recipe 'sudo'
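Review bot: Setting `node.override['authorization']['sudo']['sudoers_defaults']` to a new array replaces the whole list, so any entries the sudo cookbook's own attributes file puts in that list by default (tty_tickets and the like, if present in the 3.5.0 version pinned here) are silently dropped from the rendered `Defaults` line; check `attributes/default.rb` in the vendored cookbook and either restate those entries or build the array from the existing attribute value. `mail_badpass` only produces a report if sudo on the host has a working mail path and recipient, so it is worth confirming the nodes actually deliver root mail somewhere; otherwise the comment on the line above promises something that never happens. The comment on the `env_reset` entry has a typo, `# not default on Ubuntu, explicitly enable. Uses a minimal white list of`. Note that the context line keeps `passwordless` set to true, so the hardening applies to the environment and logging of sudo, not to authentication.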