Jérémy Dubois
2bf8a7e872
Fix #34 We now use a unique evobsd_group (evolix by default). Each user has 2 groups : evobsd_group and user.name. Only evobsd_group can ssh to server and use doas. I also added a password restrictions block for IPs/group. And we make sure the home folder is only readable by owner.
# {{ ansible_managed }}
# Members of the evobsd_group group may run any command as any user: no "as"
# or "cmd" clause narrows the rule, so membership is equivalent to root.
# There is no "nopass" option, so doas authenticates the caller, and no
# "persist", so it does so on every invocation. HOME and ENV are pinned to
# root's values; SSH_AUTH_SOCK, SSH_TTY and PKG_PATH are kept from the
# caller's environment.
permit setenv {SSH_AUTH_SOCK SSH_TTY PKG_PATH HOME=/root ENV=/root/.profile} :{{ evobsd_group }}
# root may run any command as any user without being asked for a password.
permit nopass root
# Members of the evobsd_group group may run evomaintenance.sh as root without
# a password. doas applies the last matching rule, so this rule has to stay
# below any broader rule for the same group to take effect for this command.
# ENV, PS1, SSH_AUTH_SOCK and SSH_TTY are passed through from the caller and
# no "args" clause limits the arguments, so this script is a password-free
# path to root for everyone in the group.
# NOTE(review): confirm the script and its parent directories are writable by
# root only, and that the script treats ENV and PS1 as untrusted input.
permit setenv {ENV PS1 SSH_AUTH_SOCK SSH_TTY} nopass :{{ evobsd_group }} as root cmd /usr/share/scripts/evomaintenance.sh
# The _collectd account may run bgpctl as root without a password. There is
# no "args" clause, so every bgpctl subcommand is allowed, including those
# that change daemon state rather than only display it.
# NOTE(review): consider pinning the arguments collectd actually uses.
permit nopass _collectd as root cmd /usr/sbin/bgpctl
# The _nrpe account may run exactly "bioctl sd2" as root without a password.
# The "args" clause pins the argument list, so any other bioctl invocation
# does not match this rule.
permit nopass _nrpe as root cmd /sbin/bioctl args sd2
# The _nrpe account may run check_mailq as root without a password. No "args"
# clause is given, so any arguments are accepted.
# NOTE(review): if NRPE is configured to accept command arguments from the
# monitoring server, those arguments reach a root process; pin them with
# "args" where the check is always called the same way.
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_mailq
# The _nrpe account may run check_dhcp as root without a password; with no
# "args" clause, any arguments are accepted.
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/check_dhcp
# The _nrpe account may run check_ipsecctl.sh as root without a password,
# with any arguments.
# NOTE(review): this is a shell script executed as root; confirm it is owned
# by root and not writable by _nrpe or any other account.
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ipsecctl.sh
# The _nrpe account may run check_ospfd_simple as root without a password;
# with no "args" clause, any arguments are accepted.
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd_simple
# The _nrpe account may run check_ospfd as root without a password; with no
# "args" clause, any arguments are accepted.
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospfd
# The _nrpe account may run check_ospf6d as root without a password; with no
# "args" clause, any arguments are accepted.
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_ospf6d
# The _nrpe account may run check_openbgpd as root without a password; with
# no "args" clause, any arguments are accepted.
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_openbgpd
# The _nrpe account may run check_pf_states as root without a password; with
# no "args" clause, any arguments are accepted.
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_pf_states
# The _nrpe account may run check_connections_state.sh as root without a
# password, with any arguments.
# NOTE(review): this is a shell script executed as root; confirm it is owned
# by root and not writable by _nrpe or any other account.
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_connections_state.sh
# The _nrpe account may run check_packetfilter.sh as root without a password,
# with any arguments.
# NOTE(review): this is a shell script executed as root; confirm it is owned
# by root and not writable by _nrpe or any other account.
permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_packetfilter.sh