sudo-enforce-allowed-users

This module ensures the following lines 'ALL ALL=(ALL) ALL' and 'ALL ALL=(ALL:ALL) ALL' are not present in /etc/sudoers.conf

Maintainer

Nick Anderson

Module stats

Total Downloads: 347
Updated: Dec 23, 2021

Installation version

Version
Released on Feb 7, 2022

Tags

Installation

                    
cfbs add sudo-enforce-allowed-users
Description
Dependencies
Comments

If the sudoers file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.

This module ensures the following lines are not present in /etc/sudoers.conf. By default this module operates with an action policy of warn which will simply warn when it would remove the lines. Change the behavior of the policy to automatically removing the lines by setting default:sudo_enforce_allowed_users.action_policy.

  • ALL ALL=(ALL) ALL

  • ALL ALL=(ALL:ALL) ALL

Note: This module does not currently attempt to manage configuration from included files, e.g. (/etc/sudoers.d/). https://raw.githubusercontent.com/nickanderson/cfengine-security-hardening/master/sudo-enforce-allowed-users/changes-sudoers-repaired.png

Configuration

default:sudo_enforce_allowed_users.action_policy

When defined the policy will only warn about lines that would be deleted instead of actually deleting them. Valid range ( warn | fix | nop ), default warn.

https://raw.githubusercontent.com/nickanderson/cfengine-security-hardening/master/sudo-enforce-allowed-users/host-info-set-action-policy.png

Dependencies

This module has no dependencies

comments powered by Disqus