sudo-enforce-allowed-users

Ensures the following lines 'ALL ALL=(ALL) ALL' and 'ALL ALL=(ALL:ALL) ALL' are not present in the /etc/sudoers.conf file.
Repository Report issue

Maintainer

Nick Anderson

Module stats

Total Downloads: 506
Updated: Feb 7, 2022

Installation version

Version
0.0.2
0.0.1
0.0.2
Released on Feb 7, 2022

Tags

Installation

                    
cfbs add sudo-enforce-allowed-users
Description
Dependencies
Discussion

If the sudoers file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.

This module ensures the following lines are not present in /etc/sudoers.conf. By default this module operates with an action policy of warn which will simply warn when it would remove the lines. Change the behavior of the policy to automatically removing the lines by setting default:sudo_enforce_allowed_users.action_policy.

  • ALL ALL=(ALL) ALL
  • ALL ALL=(ALL:ALL) ALL

Note: This module does not currently attempt to manage configuration from included files, e.g. (/etc/sudoers.d/). https://raw.githubusercontent.com/nickanderson/cfengine-security-hardening/master/sudo-enforce-allowed-users/changes-sudoers-repaired.png

Configuration

default:sudo_enforce_allowed_users.action_policy
When defined the policy will only warn about lines that would be deleted instead of actually deleting them. Valid range ( warn | fix | nop ), default warn. https://raw.githubusercontent.com/nickanderson/cfengine-security-hardening/master/sudo-enforce-allowed-users/host-info-set-action-policy.png

Dependencies

This module has no dependencies

Find related thread in GitHub discussions or Start a new discussion