# Installs sudo and, optionally, enables Duo for sudo.

# $duo: enable pam_duo for sudo. Defaults to false.
#
# $duo_sudoers: A list of users that are allowed to call sudo.
# Defaults to the empty array.  Only used when $duo is set to true.
#
# $duo_fail_secure: A boolean, normally false.  If set to false, a Duo 
# timeout will cause the Duo step to be skipped.  If set to true, a Duo timeout 
# will cause the Duo step to fail (which means sudo will be blocked).  Only 
# used when $duo is set to true.
#
# $duo_gecos: A boolean, normally true.  If false, then Duo will use the
# user's username.  If true, then Duo will use the contents of the user's GECOS
# field as their username.  This is important if you are using an alternate
# account.
#
# $timeout: how long (in minutes) between requiring a new Duo re-auth.
# Default: 30
#
# $debuild: set this true if you need to set up a debuild environment.
# Default: false
#
# Example.
# To install sudo with no Duo support:
#
#   include base::sudo
#
# Example.
# To install sudo WITH Duo support
#
#   class { 'base::sudo':
#     duo         => true,
#     duo_sudoers => ['adamhl', 'yuelu'],
#   }
#
# Example.
# To install sudo WITH Duo support and require Duo auths
# after 4 minutes.
#
#   class { 'base::sudo':
#     duo         => true,
#     duo_sudoers => ['adamhl', 'yuelu'],
#     timeout     => 4,
#   }

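class base::sudo(
  $duo             = false,
  $duo_sudoers     = [],
  $duo_fail_secure = false,
  $duo_gecos       = true,
  $timeout         = 30,
  $debuild         = false,
){
  # NOTE: $debuild is accepted as a parameter but is not referenced anywhere
  # in this class; it is kept so existing declarations keep compiling.

  # Validate the inputs up front so a bad value fails at catalog compile time
  # rather than being written into /etc/sudoers.  The file_line resources
  # below edit /etc/sudoers directly (no visudo syntax check), so an
  # unparseable line there locks sudo out entirely.  In Puppet 3 the *string*
  # 'false' is truthy, so a quoted boolean would silently enable Duo;
  # is_bool() catches that.
  if !is_bool($duo) {
    fail('base::sudo::duo must be true or false')
  }
  if !is_integer($timeout) {
    fail('base::sudo::timeout must be an integer number of minutes')
  }

  # Install the sudo package.  Every edit of /etc/sudoers below depends on
  # this, because file_line cannot create the file it edits.
  package { 'sudo':
    ensure => installed,
  }

  # Configure sudo's credential cache lifetime (timestamp_timeout, minutes).
  # This is applied whether or not $duo is enabled.
  file_line { 'Set sudo timeout':
    ensure  => present,
    path    => '/etc/sudoers',
    line    => "Defaults  timestamp_timeout = ${timeout}",
    match   => '^Defaults\ +timestamp_timeout',
    require => Package['sudo'],
  }

  # If duo is enabled, require base::duo and set up the sudoers file.
  if ($duo) {
    # Validate $duo_fail_secure, $duo_gecos and $duo_sudoers here as well as
    # in base::duo::config, so that a bad value is reported against the class
    # the caller actually declared.
    if !is_bool($duo_fail_secure) {
      fail('base::sudo::duo_fail_secure must be true or false')
    }
    if !is_bool($duo_gecos) {
      fail('base::sudo::duo_gecos must be true or false')
    }
    if !is_array($duo_sudoers) {
      fail('base::sudo::duo_sudoers must be an array of usernames')
    }

    # Install the Duo config, passing the GECOS and fail-secure settings through
    base::duo::config { '/etc/security/pam_duo_su.conf':
      ensure      => present,
      use_gecos   => $duo_gecos,
      fail_secure => $duo_fail_secure,
    }

    # Install the pam.d configuration that requires Duo on sudo.
    # The template lives outside this file; presumably it points pam_duo at
    # /etc/security/pam_duo_su.conf above -- confirm if either path changes.
    file { '/etc/pam.d/sudo':
      ensure  => present,
      owner   => 'root',
      group   => 'root',
      mode    => '0644',
      content => template('base/sudo/etc/pam.d/sudo.erb'),
      require => Package['sudo'],
    }

    # Make sure that the sudoers.d directory exists and is root-only.
    # Most OSes ship it already, but not all.
    file { '/etc/sudoers.d':
      ensure  => directory,
      owner   => 'root',
      group   => 'root',
      mode    => '0750',
      require => Package['sudo'],
    }
    file_line { 'Add sudoers.d includedir':
      ensure  => present,
      path    => '/etc/sudoers',
      line    => '#includedir /etc/sudoers.d',
      require => File['/etc/sudoers.d'],
    }

    # Install the sudoers file.  This takes the array $duo_sudoers
    # and puts it into /etc/sudoers.d/duo.
    # sudo(8) expects sudoers fragments to be root-owned and mode 0440 and
    # rejects fragments with wider permissions, so set them explicitly
    # instead of relying on the agent's umask.
    file { '/etc/sudoers.d/duo':
      ensure  => present,
      owner   => 'root',
      group   => 'root',
      mode    => '0440',
      content => template('base/sudo/etc/sudoers.d/duo.erb'),
      require => File_line['Add sudoers.d includedir'],
    }
  }

  # If we're not using Duo, we still might need to update the sudoers file
  else {
    # Debian's config is fine, but we need to enable wheel on RHEL systems.
    # The match pattern targets the commented-out stock line so it is
    # replaced in place rather than duplicated.
    if $::osfamily == 'RedHat' {
      file_line { 'Enable wheel sudoers':
        ensure  => present,
        path    => '/etc/sudoers',
        line    => '%wheel        ALL=(ALL)       ALL',
        match   => '# %wheel        ALL=(ALL)       ALL',
        require => Package['sudo'],
      }
    }
  }
}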