Removes nagios sudo privilege definition from evolix-users

The nagios-nrpe role will define those privileges instead.
Move nagios sudo privileges from evolix-users to nagios-nrpe role
2019-05-28 23:06:40 +02:00 · 2019-05-28 22:57:58 +02:00
4 changed files with 15 additions and 12 deletions
--- a/evolinux-users/templates/sudoers_jessie.j2
+++ b/evolinux-users/templates/sudoers_jessie.j2
@ -3,11 +3,5 @@ Defaults        umask=0077
 Cmnd_Alias      MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts/listupgrade.sh, /usr/bin/apt, /bin/mount
 User_Alias      ADMINS = {{ user.name }}

-nagios          ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
-nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
-nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats
-nagios          ALL = NOPASSWD: /usr/sbin/bkctld check
-nagios          ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
-
 ADMINS          ALL = (ALL:ALL) ALL
 ADMINS          ALL = NOPASSWD: MAINT
--- a/evolinux-users/templates/sudoers_stretch.j2
+++ b/evolinux-users/templates/sudoers_stretch.j2
@ -2,11 +2,5 @@ Defaults        umask=0077

 Cmnd_Alias      MAINT = /usr/share/scripts/evomaintenance.sh, /usr/share/scripts/listupgrade.sh, /usr/bin/apt, /bin/mount

-nagios          ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
-nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
-nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats
-nagios          ALL = NOPASSWD: /usr/sbin/bkctld check
-nagios          ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
-
 %{{ evolinux_sudo_group }}  ALL=(ALL:ALL) ALL
 %{{ evolinux_sudo_group }}  ALL = NOPASSWD: MAINT
--- a/nagios-nrpe/files/nagios_sudoers
+++ b/nagios-nrpe/files/nagios_sudoers
@ -0,0 +1,5 @@
+nagios          ALL = NOPASSWD: /usr/lib/nagios/plugins/check_procs
+nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_minifirewall
+nagios          ALL = NOPASSWD: /usr/local/lib/nagios/plugins/check_haproxy_stats
+nagios          ALL = NOPASSWD: /usr/sbin/bkctld check
+nagios          ALL = (clamav) NOPASSWD: /usr/bin/clamscan /tmp/safe.txt
--- a/nagios-nrpe/tasks/main.yml
+++ b/nagios-nrpe/tasks/main.yml
@ -72,3 +72,13 @@
  notify: restart nagios-nrpe-server
  tags:
    - nagios-nrpe
+
+- name: Nagios user has proper sudo privileges
+  copy:
+    src: nagios_sudoers
+    dest: /etc/sudoers.d/nagios
+    mode: "0440"
+    validate: '/usr/sbin/visudo -cf %s'
+  tags:
+  - nagios-nrpe
+  - nagios-plugins