Control sudo privileges
Add sudo capabilities to your nodes and control sudo permissions using a module from the Forge in conjunction with a simple module you write.
Sudo overview
Sudo is a program that allows users to work using elevated privileges of another user, usually called a superuser.
With sudo, you can more easily protect information or configurations that are most vulnerable to security exploitations by only allowing sudo users with elevated privileges to access them. Only those who can log in as a sudo user can make changes to or see this information. Use PE to manage sudo privileges across your nodes and ensure the correct users have elevated privileges for the right systems.
- Install a module
- Write a module
- Create a node group
- Classify nodes
About module directories
By default, Puppet keeps modules in /etc/puppetlabs/code/environments/production/modules
.
This includes modules that you download from the Forge and those you write
yourself.
PE also creates two other module directories: /opt/puppetlabs/puppet/modules
and /etc/puppetlabs/staging-code/modules
. For this
guide, don't modify or add anything to either of these directories.
There are some resources about modules and the creation of modules that you can reference.
Install the saz-sudo module
To start managing sudo configuration with Puppet Enterprise, install the saz-sudo
module.
puppet module install saz-sudo
.
You should see output similar to the following:
Preparing to install into /etc/puppetlabs/code/environments/production/modules ... Notice: Downloading from http://forgeapi.puppetlabs.com ... Notice: Installing -- do not interrupt ... /etc/puppetlabs/code/environments/production/modules └── saz-sudo (v2.3.6) └── puppetlabs-stdlib (3.2.2) [/opt/puppetlabs/puppet/modules]
That's it! You've just
installed the saz-sudo
module. Wait
a short time for the Puppet server to refresh before
the classes are available to add to your agents.
Write the privileges module
Manage sudo privileges with Puppet Enterprise, by writing a
privileges
module.
The privileges
module contains the following files:
-
privileges/ (the module name)
-
manifests/
-
init.pp (contains the privileges class)
-
-
That's it! You've written a module that contains a class that, when
applied, ensures that your agent nodes have the correct sudo privileges set for the root
user and the "admin" and "wheel" groups. You add this class at the same time you add the
saz-sudo
module.
To learn more about what the resources in this class do, see the
related topic about the resources in the privileges
class.
About the resources in the privileges class
The privileges
module you wrote for managing sudo privileges in your deployment
contains just one class, but several resources. Each resource has a specific
job.
The privileges
module contains the following resources:
user 'root'
: This resource ensures that the root user has a centrally defined password and shell. Puppet enforces this configuration and report on and remediate any drift detected, such as if a rogue admin logs in and changes the password on an agent node.sudo::conf 'admins'
: Create a sudoers rule to ensure that members of the admin group have the ability to run any command using sudo. This resource creates configuration fragment file to define this rule in/etc/sudoers.d/
. It is usually called something like10_admins
.sudo::conf 'wheel'
: Create a sudoers rule to ensure that members of the wheel group have the ability to run any command using sudo. This resource creates a configuration fragment to define this rule in/etc/sudoers.d/
. It is usually called something like10_wheel
.
Create the Sudo node group
To specify which nodes you want to manage sudo on, set up a designated node group.
This group, called Sudo, contains all of your nodes. Depending on your needs or infrastructure, your group might be different.
This rule "dynamically" pins all nodes to the Sudo group. Note that this rule is for testing purposes and that decisions about pinning nodes to groups in a production environment vary. To learn more, see the related topic about dynamically pinning nodes.
Related topics: Adding nodes "dynamically"
Add the privileges and sudo classes
To manage sudo configuration and privileges for the nodes
in your Sudo group, add the privileges
and
sudo
classes to your node
group.
The privileges
module you wrote has only one class (privileges
), but the saz-sudo
module contains several classes. If you don't want to add these
classes to all of your nodes, you can pin the nodes "statically" or write a different
rule to add them "dynamically", depending on your needs. See the related topics about
adding nodes dynamically or statically for more information.
This configures the nodes using the newly-assigned classes. Wait one or two minutes.
Congratulations! You’ve just created the privileges
class that you can use to define and enforce a
sudoers configuration across your PE-managed infrastructure.
Learn more about sudo
Learn more about the sudo module in the Puppet blog.