File: shared.yml

# platform = multi_platform_all
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

# Triple-brace macro call, as opposed to the double-brace Ansible expressions
# used in the tasks below. Presumably expanded by the content build system
# into a task that defines var_sudo_timestamp_timeout - confirm against the
# macro definition, since every later task interpolates that variable.
{{{ ansible_instantiate_variables("var_sudo_timestamp_timeout") }}}

# Collect the files directly under /etc/sudoers.d that contain a Defaults
# line assigning timestamp_timeout. The result is registered so the next
# task can iterate over the matching paths.
- name: "{{{ rule_title }}} - Find /etc/sudoers.d/* files containing 'Defaults timestamp_timeout'"
  register: sudoers_d_defaults_timestamp_timeout
  ansible.builtin.find:
    path: /etc/sudoers.d
    patterns: '*'
    # Regex applied to file content; a file is returned when a line matches.
    contains: '^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=.*'

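# Delete every Defaults line that assigns timestamp_timeout from the drop-in
# files found by the previous task, presumably so that the value managed in
# /etc/sudoers is the only one left.
# NOTE(review): the whole matching line is removed, so any other options that
# share a Defaults line with timestamp_timeout are dropped too - confirm that
# this is intended.
- name: "{{{ rule_title }}} - Remove 'Defaults timestamp_timeout' from /etc/sudoers.d/* files"
  ansible.builtin.lineinfile:
    path: "{{ item.path }}"
    regexp: '^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=.*'
    state: absent
    # Syntax-check the edited copy before it replaces the drop-in, as the
    # /etc/sudoers tasks in this file already do. A removal that would leave
    # the file unparsable (for example a dangling continuation line) is
    # rejected instead of being written, which avoids breaking sudo.
    validate: /usr/sbin/visudo -cf %s
  with_items: "{{ sudoers_d_defaults_timestamp_timeout.files }}"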

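# Rewrite an existing timestamp_timeout assignment in /etc/sudoers in place,
# keeping the other options on the same Defaults line (groups 1 and 2).
# With backrefs enabled the file is left untouched when the regexp does not
# match, so the registered result reports no change and the next task runs.
# The value pattern also consumes a fractional part (sudoers accepts values
# such as 2.5). Matching only the leading digits would push the fraction into
# group 2 and write it back after the new value, e.g. 0 followed by .5.
# NOTE(review): a negative var_sudo_timestamp_timeout would be written as-is,
# and sudo treats a negative timeout as never expiring - confirm the
# variable's allowed values exclude it.
- name: "{{{ rule_title }}} - Ensure timestamp_timeout has the appropriate value in /etc/sudoers"
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    regexp: '^[\s]*Defaults\s(.*)\btimestamp_timeout[\s]*=[\s]*[-]?[\w.]+(.*)$'
    line: 'Defaults \1timestamp_timeout={{ var_sudo_timestamp_timeout }}\2'
    validate: /usr/sbin/visudo -cf %s
    backrefs: true
  register: edit_sudoers_timestamp_timeout_option

# Append the option when the previous task changed nothing. That covers both
# "no timestamp_timeout line present" and "line already correct"; in the
# second case lineinfile adds the line only if this exact text is missing.
- name: "{{{ rule_title }}} - Enable timestamp_timeout option with correct value in /etc/sudoers"
  ansible.builtin.lineinfile: # noqa 503
    path: /etc/sudoers
    line: 'Defaults timestamp_timeout={{ var_sudo_timestamp_timeout }}'
    validate: /usr/sbin/visudo -cf %s
  when: >
    edit_sudoers_timestamp_timeout_option is defined and
    not edit_sudoers_timestamp_timeout_option.changed

# Remove any remaining Defaults line whose timestamp_timeout differs from the
# required value. The negative lookahead spares a line only when the required
# value is not followed by a further word character or dot, so with a
# required value of 0 a leftover 0.5 still counts as wrong and is removed.
# The line break in the scalar sits inside the Jinja expression on purpose:
# YAML folds it to a single space, which must not land in the regex itself.
# NOTE(review): the variable is interpolated into the regex unescaped;
# presumably it is always a plain integer - verify.
- name: "{{{ rule_title }}} - Remove timestamp_timeout wrong values in /etc/sudoers"
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    regexp: '^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=[\s]*(?!{{
            var_sudo_timestamp_timeout }}(?![\w.]))[-]?[\w.]+.*$'
    state: absent
    validate: /usr/sbin/visudo -cf %s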