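---
# Sudo Configuration (CIS 5.3.x)
#
# Every sudoers change goes through `validate: '/usr/sbin/visudo -cf %s'`,
# so a syntactically broken fragment is rejected before it is installed
# and cannot lock administrators out of sudo.
#
# Each lineinfile task carries a `regexp` so that changing a variable
# (sudo_timeout, sudo_nopasswd) REPLACES the managed line instead of
# appending a second one and leaving the stale value in place.
#
# Role variables:
#   sudo_timeout  - value for `Defaults timestamp_timeout` (minutes).
#   sudo_nopasswd - when true, drops the password requirement for the
#                   sudo group and sets `Defaults !authenticate`; this
#                   intentionally violates CIS 5.3.4 and should stay false
#                   on hardened hosts.

- name: Ensure sudo is installed
  ansible.builtin.apt:
    name: sudo
    state: present
    update_cache: true

# sudo ignores sudoers.d fragments that are not root-owned and mode 0440,
# so owner/group/mode are set explicitly on every fragment below.
- name: Configure sudo to use pty (CIS 5.3.2)
  ansible.builtin.lineinfile:
    path: /etc/sudoers.d/cis-hardening
    regexp: '^Defaults\s+use_pty'
    line: "Defaults use_pty"
    create: true
    owner: root
    group: root
    mode: '0440'
    validate: '/usr/sbin/visudo -cf %s'

- name: Configure sudo logfile (CIS 5.3.3)
  ansible.builtin.lineinfile:
    path: /etc/sudoers.d/cis-hardening
    regexp: '^Defaults\s+logfile='
    line: "Defaults logfile=\"/var/log/sudo.log\""
    create: true
    owner: root
    group: root
    mode: '0440'
    validate: '/usr/sbin/visudo -cf %s'

# The regexp makes a changed sudo_timeout overwrite the previous value;
# without it the old `timestamp_timeout=` line would remain in the file.
# NOTE(review): CIS expects this timeout to be 15 minutes or less —
# confirm sudo_timeout against the benchmark version in use.
- name: Configure sudo timeout
  ansible.builtin.lineinfile:
    path: /etc/sudoers.d/cis-hardening
    regexp: '^Defaults\s+timestamp_timeout='
    line: "Defaults timestamp_timeout={{ sudo_timeout }}"
    create: true
    owner: root
    group: root
    mode: '0440'
    validate: '/usr/sbin/visudo -cf %s'

# `Defaults !authenticate` disables password prompting for all sudo users.
# It is only written when sudo_nopasswd is true; otherwise the task
# removes it, which is what CIS 5.3.4 requires.
- name: Configure sudo password requirement (CIS 5.3.4)
  ansible.builtin.lineinfile:
    path: /etc/sudoers.d/cis-hardening
    regexp: '^Defaults\s+!authenticate'
    line: "Defaults !authenticate"
    state: "{{ 'present' if sudo_nopasswd else 'absent' }}"
    create: true
    owner: root
    group: root
    mode: '0440'
    validate: '/usr/sbin/visudo -cf %s'

# The regexp is what makes toggling sudo_nopasswd back to false actually
# remove the NOPASSWD grant: it replaces any existing `%sudo ALL=` line
# instead of leaving the password-less one behind.
- name: Allow sudo group to use sudo
  ansible.builtin.lineinfile:
    path: /etc/sudoers.d/sudo-group
    regexp: '^%sudo\s+ALL='
    line: "%sudo ALL=(ALL:ALL) {{ 'NOPASSWD:' if sudo_nopasswd else '' }}ALL"
    create: true
    owner: root
    group: root
    mode: '0440'
    validate: '/usr/sbin/visudo -cf %s'

# Root-only log file so sudo activity cannot be read or tampered with by
# unprivileged users; preserve timestamps so the task stays idempotent.
- name: Create sudo log file
  ansible.builtin.file:
    path: /var/log/sudo.log
    state: touch
    owner: root
    group: root
    mode: '0600'
    modification_time: preserve
    access_time: preserve

# logrotate recreates the file with the same 0600 root:root permissions.
- name: Configure sudo log rotation
  ansible.builtin.copy:
    dest: /etc/logrotate.d/sudo
    content: |
      /var/log/sudo.log {
          weekly
          rotate 4
          compress
          delaycompress
          missingok
          notifempty
          create 0600 root root
      }
    owner: root
    group: root
    mode: '0644'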