Question

I have Puppet 6.7 with 1 Linux agent. I am using puppet to manage the sudo previlages of my nodes. I have installed the saz-sudo module from puppet forge for managing those previlages.

puppet module install saz-sudo
Preparing to install into /etc/puppetlabs/code/environments/production/modules …
Notice: Downloading from http://forgeapi.puppetlabs.com ...
    Notice: Installing -- do not interrupt ...
    /etc/puppetlabs/puppet/modules
    └── saz-sudo (v2.3.6)
          └── puppetlabs-stdlib (3.2.2) [/opt/puppet/share/puppet/modules]

How should I use this saz-sudo module to manage the sudo previlages of my nodes?  What more needs to be done?

Answer 1

Now that you have installed saz-sudo module from pupper forge the next thing you should probably do is to 

Step 1: create a module that will contain the previlages class.

You'll have to create the privileges module directory, its manifests subdirectory, and an init.pp manifest file that contains the privileges class.

• From the command line on the master, navigate to the modules directory :

cd /etc/puppetlabs/code/environments/production/modules

• Create the module directory and its manifests directory:

mkdir -p privileges/manifests

• In the manifests directory, use your text editor to create the init.pp file, and edit it so it contains the following Puppet code:

class privileges { 
sudo::conf { 'admins': 
ensure => present, 
content => '%admin ALL=(ALL) ALL', 
} 
}

The sudo::conf 'admins' line creates a sudoers rule that ensures that members of the admins group have the ability to run any command using sudo. This resource creates a configuration fragment file to define this rule in /etc/sudoers.d/. It's called something like 10_admins.

• Save and exit the file.

• That’s it! You’ve created a module that contains a class that, after it's applied, ensures that your agents have the correct sudo privileges set for the root user and the admins and wheel groups.

Step 2: Next, add the privileges and sudo classes to default nodes.

• From the command line on the master, navigate to the main manifest: 

cd /etc/puppetlabs/code/environments/production/manifests

• Open site.pp with your text editor and add the following Puppet code to the default node:

class { 'sudo': }
sudo::conf { 'web': 
content => "web ALL=(ALL) NOPASSWD: ALL", 
} 
class { 'privileges': } 
sudo::conf { 'jargyle': 
priority => 60, 
content => "jargyle ALL=(ALL) NOPASSWD: ALL",
}

The sudo::conf ‘web’ line creates a sudoers rule to ensure that members of the web group can run any command using sudo. This resource creates a configuration fragment file to define this rule in /etc/sudoers.d/.

The sudo::conf ‘jargyle’ line creates a sudoers rule to ensure that the user jargyle can run any command using sudo. This resource creates a configuration fragment to define this rule in /etc/sudoers.d/. It's called something like 60_jargyle.

• Save and exit the file.

• On your master, ensure that there are no errors:

puppet parser validate site.pp

• The parser returns nothing if there are no errors.

• From the command line on your agent, run 

Puppet: puppet agent -t

• That’s it! You have successfully applied sudo and privileges classes to nodes.

• To confirm it worked, run the following command on an agent:

sudo -l -U jargyle 

• The results should resemble the following:

Matching Defaults entries for jargyle on this host: !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/usr/local/bin\:/sbin\:/bin\:/usr/sbin\:/usr/bin User jargyle may run the following commands on this host: (ALL) NOPASSWD: ALL

For more information on using puppet to manage sudo users you could have a look at: https://puppet.com/blog/module-of-week-saz-sudo-manage-sudo-configuration