sudo module for Puppet

Manage sudo configuration via Puppet

Supported OS

Some family and some specific os are supported by this module

• debian osfamily (debian, ubuntu, kali, ...)
• redhat osfamily (redhat, centos, fedora, ...)
• suse osfamily (suse, opensuse, ...)
• solaris osfamily (Solaris, OmniOS, SmartOS, ...)
• freebsd osfamily
• openbsd osfamily
• aix osfamily
• darwin osfamily
• gentoo operating system
• archlinux operating system
• amazon operating system

Usage

WARNING

This module will purge your current sudo config

If this is not what you're expecting, set purge and/or config_file_replace to false

Install sudo with default sudoers

Purge current sudo config

    class { 'sudo': }

Purge sudoers.d directory, but leave sudoers file as it is

    class { 'sudo':
      config_file_replace => false,
    }

Leave current sudo config as it is

    class { 'sudo':
      purge               => false,
      config_file_replace => false,
    }

Use LDAP along with sudo

Sudo do not always include by default the support for LDAP. On Debian and Ubuntu a special package sudo-ldap will be used. On Gentoo there is also the needing to include puppet portage module by Gentoo. If not present, only a notification will be shown.

    class { 'sudo':
      ldap_enable => true,
    }

Adding sudoers configuration

Using Code

    class { 'sudo': }
    sudo::conf { 'web':
      source => 'puppet:///files/etc/sudoers.d/web',
    }
    sudo::conf { 'admins':
      priority => 10,
      content  => '%admins ALL=(ALL) NOPASSWD: ALL',
    }
    sudo::conf { 'joe':
      priority => 60,
      source   => 'puppet:///files/etc/sudoers.d/users/joe',
    }

Using Hiera

A hiera hash may be used to assemble the sudoers configuration. Hash merging is also enabled, which supports layering the configuration settings.

Examples using:

• YAML backend
• an environment called production
• a /etc/puppet/hiera.yaml hierarchy configuration:

:hierarchy:
  - "%{environment}"
  - "defaults"

Load module

Load the module via Puppet Code or your ENC.

    include sudo

Configure Hiera YAML (defaults.yaml)

These defaults will apply to all systems.

sudo::configs:
    'web':
        'source'    : 'puppet:///files/etc/sudoers.d/web'
    'admins':
        'content'   : '%admins ALL=(ALL) NOPASSWD: ALL'
        'priority'  : 10
    'joe':
        'priority'  : 60
        'source'    : 'puppet:///files/etc/sudoers.d/users/joe'

Configure Hiera YAML (production.yaml)

This will only apply to the production environment. In this example we are:

• inheriting/preserving the web configuration
• overriding the admins configuration
• removing the joe configuration
• adding the bill template

lookup_options:
  sudo::configs:
    merge:
      strategy: deep
      merge_hash_arrays: true

sudo::configs:
    'admins':
        'content'   : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
        'priority'  : 10
    'joe':
        'ensure'    : 'absent'
        'source'    : 'puppet:///files/etc/sudoers.d/users/joe'
    'bill':
        'template'  : "mymodule/bill.erb"

In this example we are:

• inheriting/preserving the web configuration
• overriding the admins:content setting
• inheriting/preserving the admins:priority setting
• inheriting/preserving the joe:source and joe:priority settings
• removing the joe configuration
• adding the bill template

lookup_options:
  sudo::configs:
    merge:
      strategy: deep
      merge_hash_arrays: true

sudo::configs:
    'admins':
        'content'   : "%prodadmins ALL=(ALL) NOPASSWD: ALL"
    'joe':
        'ensure'    : 'absent'
    'bill':
        'template'  : "mymodule/bill.erb"

Override sudoers defaults

You can modify Default_Entry lines by passing a Hash to sudo::defaults, where the key is Defaults parameter name (see man 5 sudoers for more details):

sudo::defaults:
    lecture:
      value: always
    badpass_message:
      value: "Password is wrong, please try again"
    passwd_tries:
      value: 5
    insults:
    mailto:
      value: root@example.com

Set a custom name for the sudoers file

In some edge cases, the automatically generated sudoers file name is insufficient. For example, when an application generates a sudoers file with a fixed file name, using this class with the purge option enabled will always delete the custom file and adding it manually will generate a file with the right content, but the wrong name. To solve this, you can use the sudo_file_name option to manually set the desired file name.

sudo::conf { "foreman-proxy":
    ensure          => "present",
    source          => "puppet:///modules/sudo/foreman-proxy",
    sudo_file_name  => "foreman-proxy",
}

sudo::conf / sudo::configs notes

• One of content or source must be set.
• Content may be an array, string will be added with return carriage after each element.
• In order to properly pass a template() use template instead of content, as hiera would run template function otherwise.

sudo class parameters

See REFERENCE.md

sudo::conf class / sudo::configs hash parameters

See REFERENCE.md