Add more secure sudo configuration

Also update the sudo cookbook

Batali

@@ -20,7 +20,7 @@ Batali.define do
   cookbook 'application_ruby',      '~> 4.1.0'
   cookbook 'application_git',       '~> 1.1.0' # 1.2.0 doesn't work with knife-solo
   cookbook 'users',                 '~> 5.0.0'
-  cookbook 'sudo',                  '~> 3.4.0'
+  cookbook 'sudo',                  '~> 3.5.0'
   cookbook 'hostname'
   cookbook 'redis',
            git: 'https://github.com/phlipper/chef-redis.git',

batali.manifest

@@ -912,11 +912,11 @@
       "dependencies": [
 
       ],
-      "version": "3.4.0",
+      "version": "3.5.0",
       "source": {
         "type": "Batali::Source::Site",
-        "url": "https://supermarket.chef.io:443/api/v1/cookbooks/sudo/versions/3.4.0/download",
-        "version": "3.4.0"
+        "url": "https://supermarket.chef.io:443/api/v1/cookbooks/sudo/versions/3.5.0/download",
+        "version": "3.5.0"
       }
     },
     {

cookbooks/sudo/CHANGELOG.md

@@ -2,6 +2,10 @@
 
 This file is used to list changes made in each version of the sudo cookbook.
 
+## 3.5.0 (2017-05-16)
+
+- Add sudo package management to resource 
+
 ## 3.4.0 (2017-04-26)
 
 - Add lwrp support for only env_keep add/subtract

cookbooks/sudo/providers/default.rb

@@ -113,6 +113,10 @@ end
 action :install do
   target = "#{node['authorization']['sudo']['prefix']}/sudoers.d/"
 
+  package 'sudo' do
+    not_if 'which sudo'
+  end
+
   unless ::File.exist?(target)
     sudoers_dir = directory target
     sudoers_dir.run_action(:create)

site-cookbooks/kosmos-base/recipes/default.rb

@@ -28,6 +28,14 @@ users_manage 'sysadmin' do
   action [:remove, :create]
 end
 
+node.override['authorization']['sudo']['sudoers_defaults'] = [
+  # not default on Ubuntu, explicitely enable. Uses a minimal white list of
+  # environment variables
+  'env_reset',
+  # Send emails on unauthorized attempts
+  'mail_badpass',
+  'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"',
+]
 node.override['authorization']['sudo']['passwordless'] = true
 include_recipe 'sudo'