Create Sudoers Role
The `create_sudoers` role creates a single file in the `/etc/sudoers.d` directory, named with the username and a Service Request id for audit purposes. It then schedules an `at` job that revokes the access by deleting that file after the number of days set by the `time_limit` variable (default: 1 day). Revocation depends entirely on that `at` job running, so the role installs `at` and makes sure `atd` is running and enabled on the host.
The `--tags create_sudoers` option is required when running the play that uses this role.
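---
# tasks file for create_sudoers
#
# The README states that `--tags create_sudoers` is required to run this role.
# A plain tag does not enforce that: tagged tasks still run on an untagged
# play. The `never` tag makes Ansible skip these tasks unless `create_sudoers`
# is requested explicitly, so an unrelated run of a play that includes this
# role cannot grant root access by accident.
- import_tasks:
    file: create_sudoers.yml
  tags: [never, create_sudoers]

- import_tasks:
    file: set_timelimit.yml
  tags: [never, create_sudoers]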
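---
# Create a /etc/sudoers.d drop-in granting temporary root access.
#
# Role vars used: username, svcrqst. Both are embedded in a sudoers.d file
# name, in the rendered sudoers rule and (by set_timelimit.yml) in the
# scheduled removal command, so they are validated before anything is written.

- name: "Validate username and Service Request id"
  assert:
    that:
      - "username is defined"
      - "svcrqst is defined"
      # sudo skips sudoers.d entries whose file name contains a '.' or ends
      # in '~', so such a grant would silently never apply. The allow-list
      # also keeps whitespace, quotes and sudoers/shell metacharacters out of
      # the rule and out of the at job. Extend the pattern deliberately if
      # your account names need other characters.
      - "(username | lower) is match('^[a-z0-9_][a-z0-9_@-]*$')"
      - "(svcrqst | string) is match('^[A-Za-z0-9_-]+$')"
    fail_msg: >-
      username may only contain letters, digits, '_', '-' and '@'; svcrqst only
      letters, digits, '_' and '-'. Note that sudo ignores sudoers.d files whose
      name contains a '.'.

# Exact-path stat instead of find + stat: find interprets its pattern as a
# glob, and the file name is fully known here.
- name: "Check for an existing sudoers file for {{ username | lower }}"
  stat:
    path: "/etc/sudoers.d/{{ username | lower }}_{{ svcrqst }}"
  register: sudoers_file

- name: "Fail if sudoers for {{ username | lower }} is already setup"
  fail:
    msg: "{{ ansible_hostname }} already has a sudoers file for {{ username | lower }}. Please cleanup first."
  when: sudoers_file.stat.exists

- name: "Create sudoers file for {{ username | lower }}"
  template:
    src: sudoers.d.j2
    dest: "/etc/sudoers.d/{{ username | lower }}_{{ svcrqst }}"
    owner: root
    group: root
    mode: "0440"
    # Check the rendered file with visudo before it is installed: a syntax
    # error in sudoers.d breaks sudo for every user on the host.
    validate: "/usr/sbin/visudo -cf %s"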
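#
# File dropped off by Ansible for {{ ansible_hostname }} via [ {{ ansible_play_name }} ].
# Service Request: {{ svcrqst }}
# Scheduled for removal by an at job after {{ time_limit | default(1) }} day(s).
#
# Temporary Root Access.
{{ username }} ALL=(ALL) ALL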
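---
# Schedule removal of the temporary sudoers.d file through atd.
#
# This at job is the only thing that revokes the grant: if it is never queued,
# or atd is not running when it comes due, the access persists until someone
# removes the file by hand.

- name: "Validate time_limit (days)"
  assert:
    that:
      # `| int` turns a non-numeric value into 0, so this also rejects garbage.
      - "(time_limit | default(1) | int) > 0"
    fail_msg: "time_limit must be a positive number of days, got '{{ time_limit | default(1) }}'"

- name: Verify at is installed
  package:
    name: at
    state: present

- name: Verify atd is running
  service:
    name: atd
    state: started
    enabled: true  # the queued job must still be serviced after a reboot

# The at module hands the command to `at` directly, so there is no
# Ansible-side shell pipeline to inject into. The path must match what
# create_sudoers.yml wrote, which lowercases username; without `| lower`
# a mixed-case username would leave the grant in place forever.
- name: "Use at service to remove {{ username | lower }} root access after {{ time_limit | default(1) }} day(s)"
  at:
    command: "rm -f /etc/sudoers.d/{{ username | lower }}_{{ svcrqst }}"
    count: "{{ time_limit | default(1) | int }}"
    units: days
    unique: true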