ec50013f55
This patch takes two commonly failing tasks and configures them to be fixed if a variable is toggled on. This is needed for gate checks to pass for ansible-functional runs. Closes-bug: 1521233 Change-Id: I4f54ef7af30d530f781d60ce232cc6aacda81ce4
23 lines
984 B
ReStructuredText
23 lines
984 B
ReStructuredText
This STIG requires that ``NOPASSWD`` and ``!authenticate`` are not used within
|
|
the sudoers configuration files. Using these directives reduces the security
|
|
of the system.
|
|
|
|
``NOPASSWD`` allows users to run commands as root without providing a password
|
|
first. Using ``!authenticate`` with the ``Defaults`` directive will disable
|
|
password usage for any users which use ``sudo``.
|
|
|
|
There are two configuration options for handling these changes. By default,
|
|
both of these options are set to ``no``, which means that the sudoers
|
|
configuration files will not be altered:
|
|
|
|
.. code-block:: yaml
|
|
|
|
sudoers_remove_nopasswd: no
|
|
sudoers_remove_authenticate: no
|
|
|
|
Setting ``sudoers_remove_nopasswd`` to ``yes`` will cause the Ansible tasks to
|
|
search for any lines containing ``NOPASSWD`` and comment them out of the
|
|
configuration. Setting ``sudoers_remove_authenticate`` will do the same
|
|
actions on lines containing ``!authenticate``. Lines that are already
|
|
commented will be left unaltered.
|