Sudoers include defined as file

2024-06-15 08:50:16 +00:00 · 2020-12-12 03:28:20 +01:00 · 2020-12-12 03:28:20 +01:00 · af0b20f7a8
commit af0b20f7a8
parent 458d5db418
2 changed files with 11 additions and 10 deletions
--- a/ansible/playbooks/files/etc/sudoers.d/cis
+++ b/ansible/playbooks/files/etc/sudoers.d/cis
@ -0,0 +1,2 @@
+Defaults use_pty
+Defaults logfile="/var/log/sudo.log"
--- a/ansible/playbooks/tasks/harden.yml
+++ b/ansible/playbooks/tasks/harden.yml
@ -7,15 +7,15 @@
        sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
      when: sysctl_overwrite | default()

-    - name: sysctl
+    - name: Kernel parameters
      sysctl:
-        name: '{{ item.key }}'
-        value: '{{ item.value }}'
+        name: "{{ item.key }}"
+        value: "{{ item.value }}"
        state: present
        ignoreerrors: true
        sysctl_set: true
        sysctl_file: /etc/sysctl.d/99-ansible.conf
-      with_dict: '{{ sysctl_config }}'
+      with_dict: "{{ sysctl_config }}"
      tags:
        - harden
        - kernel
@ -103,6 +103,7 @@
      tags:
        - harden

+# TODO: Use pamd module to establish password policy
    - name: pwquality - minlen
      lineinfile:
        line: "minlen = 14"
@ -188,7 +189,7 @@
    name: "{{ item }}"
    enabled: false
    state: stopped
-  with_items: "{{ disable_svc }}"
+  loop: "{{ disable_svc }}"
  register: service_check
  failed_when: service_check is failed and not 'Could not find the requested service' in service_check.msg
  tags:
@ -230,15 +231,13 @@
  tags:
    - harden

- name: cis sudoers configuration
+- name: CIS sudoers configuration
  copy:
-    dest: /etc/sudoers.d/cis
+    src: "etc/sudoers.d/cis"
+    dest: "/etc/sudoers.d/cis"
    owner: root
    group: root
    mode: '0440'
-    content: |
-      Defaults use_pty
-      Defaults logfile="/var/log/sudo.log"
  tags:
    - harden