1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40
|
# platform = multi_platform_all
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low
{{% if VARIABLE_NAME %}}
{{{ bash_instantiate_variables(VARIABLE_NAME) }}}
{{% endif %}}
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
if ! grep -P '^[\s]*Defaults[\s]*\b{{{ OPTION_REGEX }}}\b.*$' /etc/sudoers; then
# sudoers file doesn't define Option {{{ OPTION }}}
echo "Defaults {{{ OPTION_VALUE }}}" >> /etc/sudoers
{{%- if not VARIABLE_NAME %}}
fi
{{% else %}}
else
# sudoers file defines Option {{{ OPTION }}}, remediate if appropriate value is not set
if ! grep -P "^[\s]*Defaults.*\b{{{ OPTION_VALUE }}}\b.*$" /etc/sudoers; then
{{% if '/' in OPTION %}}
{{{ raise("OPTION (" + OPTION + ") uses sed path separator (/) in " + rule_id) }}}
{{% endif %}}
escaped_variable={{{ "${" ~ VARIABLE_NAME ~ "//$'/'/$'\/'}" }}}
sed -Ei "s/(^[\s]*Defaults.*\b{{{ OPTION }}}=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers
fi
fi
{{% endif %}}
# Check validity of sudoers and cleanup bak
if /usr/sbin/visudo -qcf /etc/sudoers; then
rm -f /etc/sudoers.bak
else
echo "Fail to validate remediated /etc/sudoers, reverting to original file."
mv /etc/sudoers.bak /etc/sudoers
false
fi
else
echo "Skipping remediation, /etc/sudoers failed to validate"
false
fi
|