1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
# platform = multi_platform_all
# reboot = false
# strategy = configure
# complexity = low
# disruption = low
{{{ ansible_only_lineinfile(msg='Ensure sudo only has the default includedir', line_regex='^#includedir.*$', insensitive=false, path='/etc/sudoers', new_line='#includedir /etc/sudoers.d', rule_title=rule_title) }}}
{{{ ansible_lineinfile(msg='Ensure sudoers doesn\'t include other non-default file', regex='^[#@]include[\s]+.*$', insensitive=false, path='/etc/sudoers', state='absent', rule_title=rule_title) }}}
{{{ ansible_lineinfile(msg='Ensure sudoers doesn\'t have non-default includedir', regex='^@includedir[\s]+.*$', insensitive=false, path='/etc/sudoers', state='absent', rule_title=rule_title) }}}
- name: "Find out if /etc/sudoers.d/* files contain file or directory includes"
ansible.builtin.find:
path: "/etc/sudoers.d"
patterns: "*"
contains: '^[#@]include(dir)?\s.*$'
register: sudoers_d_includes
- name: "Remove found occurrences of file and directory includes from /etc/sudoers.d/* files"
ansible.builtin.lineinfile:
path: "{{ item.path }}"
regexp: '^[#@]include(dir)?\s.*$'
state: absent
with_items: "{{ sudoers_d_includes.files }}"
|
