openstack/ansible-hardening
Code Issues Proposed changes

Merge "V-58901: sudo requires auth"

Browse Source
This commit is contained in:
Jenkins 2015-10-23 16:15:29 +00:00 committed by Gerrit Code Review
commit ae3a2cf28b
2 changed files with 32 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
doc/source/developer-notes/V-58901.rst Normal file
View File

@ -0,0 +1,3 @@
The Ansible tasks will search for ``NOPASSWD`` and ``!authenticate`` in the
sudo configuration. If either is found, the playbook will fail and an error
message will be printed.

29
tasks/auth.yml
View File

@ -329,3 +329,32 @@
- auth - auth
- cat3 - cat3
- V-38683 - V-38683
- name: Checking for NOPASSWD in sudoers (for V-58901)
shell: "egrep '^[^#]*NOPASSWD' /etc/sudoers /etc/sudoers.d/*"
register: v58901_nopasswd_result
changed_when: False
failed_when: v58901_nopasswd_result.rc > 1
tags:
- auth
- cat2
- V-58901
- name: Checking for !authenticate in sudoers (for V-58901)
shell: "egrep '^[^#]*!authenticate' /etc/sudoers /etc/sudoers.d/*"
register: v58901_authenticate_result
changed_when: False
failed_when: v58901_authenticate_result.rc > 1
tags:
- auth
- cat2
- V-58901
- name: V-58901 - The sudo command must require authentication
fail:
msg: "FAILED: NOPASSWD or !authenticate found in sudo configuration"
when: v58901_nopasswd_result.rc == 0 or v58901_authenticate_result.rc == 0
tags:
- auth
- cat2
- V-58901