Add sudo state, salt-managed aliases, users, groups
- apply review comments
- add visudo check cmd
diff --git a/tests/pillar/system.sls b/tests/pillar/system.sls
index 30968e2..f4bbdfd 100644
--- a/tests/pillar/system.sls
+++ b/tests/pillar/system.sls
@@ -2,10 +2,11 @@
system:
enabled: true
cluster: default
- name: test01
+ name: linux
timezone: Europe/Prague
domain: local
environment: prd
+ hostname: system.pillar.local
apparmor:
enabled: false
haveged:
@@ -18,7 +19,7 @@
rate: 115200
term: xterm
prompt:
- default: "test01.local$"
+ default: "linux.ci.local$"
kernel:
sriov: True
isolcpu: 1,2,3,4
@@ -55,12 +56,43 @@
uid: 9999
full_name: Test User
home: /home/test
+ groups:
+ - root
+ salt_user1:
+ enabled: true
+ name: saltuser1
+ sudo: false
+ uid: 9991
+ full_name: Salt User1
+ home: /home/saltuser1
+ salt_user2:
+ enabled: true
+ name: saltuser2
+ sudo: false
+ uid: 9992
+ full_name: Salt Sudo User2
+ home: /home/saltuser2
group:
test:
enabled: true
name: test
gid: 9999
system: true
+ db-ops:
+ enabled: true
+ name: testgroup
+ salt-ops:
+ enabled: true
+ name: sudogroup0
+ sudogroup1:
+ enabled: true
+ name: sudogroup1
+ sudogroup2:
+ enabled: true
+ name: sudogroup2
+ sudogroup3:
+ enabled: false
+ name: sudogroup3
job:
test:
enabled: true
@@ -88,3 +120,103 @@
enabled: true
autoupdates:
enabled: true
+ sudo:
+ enabled: true
+ alias:
+ runas:
+ DBA:
+ - postgres
+ - mysql
+ SALT:
+ - root
+ host:
+ LOCAL:
+ - localhost
+ PRODUCTION:
+ - db1
+ - db2
+ command:
+ SUDO_RESTRICTED_SU:
+ - /bin/vi /etc/sudoers
+ - /bin/su - root
+ - /bin/su -
+ - /bin/su
+ - /usr/sbin/visudo
+ SUDO_SHELLS:
+ - /bin/sh
+ - /bin/ksh
+ - /bin/bash
+ - /bin/rbash
+ - /bin/dash
+ - /bin/zsh
+ - /bin/csh
+ - /bin/fish
+ - /bin/tcsh
+ - /usr/bin/login
+ - /usr/bin/su
+ - /usr/su
+ SUDO_SALT_SAFE:
+ - /usr/bin/salt state*
+ - /usr/bin/salt service*
+ - /usr/bin/salt pillar*
+ - /usr/bin/salt grains*
+ - /usr/bin/salt saltutil*
+ - /usr/bin/salt-call state*
+ - /usr/bin/salt-call service*
+ - /usr/bin/salt-call pillar*
+ - /usr/bin/salt-call grains*
+ - /usr/bin/salt-call saltutil*
+ SUDO_SALT_TRUSTED:
+ - /usr/bin/salt*
+ users:
+ saltuser1: {}
+ saltuser2:
+ hosts:
+ - LOCAL
+ # User Alias:
+ DBA:
+ hosts:
+ - ALL
+ commands:
+ - SUDO_SALT_SAFE
+ groups:
+ db-ops:
+ hosts:
+ - ALL
+ - '!PRODUCTION'
+ runas:
+ - DBA
+ commands:
+ - /bin/cat *
+ - /bin/less *
+ - /bin/ls *
+ - SUDO_SALT_SAFE
+ - '!SUDO_SHELLS'
+ - '!SUDO_RESTRICTED_SU'
+ salt-ops:
+ hosts:
+ - 'ALL'
+ runas:
+ - SALT
+ commands:
+ - SUDO_SALT_TRUSTED
+ salt-ops2:
+ name: salt-ops
+ runas:
+ - DBA
+ commands:
+ - SUDO_SHELLS
+ sudogroup1:
+ commands:
+ - ALL
+ sudogroup2:
+ commands:
+ - ALL
+ hosts:
+ - localhost
+ users:
+ - test
+ nopasswd: false
+ sudogroup3:
+ commands:
+ - ALL
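Review bot: The command aliases `SUDO_SALT_SAFE` and `SUDO_SALT_TRUSTED` rely on `*` wildcards, and in sudoers a `*` in the argument position also matches whitespace, so `/usr/bin/salt state*` admits any further arguments after `state`, while `/usr/bin/salt*` in the command position matches every executable in `/usr/bin` whose name begins with `salt` (including `salt-call`, listed separately in this hunk). Since this is a test pillar, that may be intended as coverage of wildcard rendering rather than a model policy; if so, a comment above `command:` such as `# wildcards are intentionally broad; this pillar only exercises rendering, do not copy as policy` would keep it from being reused as real pillar data. The `# User Alias:` comment under `users:` introduces a `DBA` key that shares its name with the `DBA` runas alias above; sudoers keeps User_Alias and Runas_Alias in separate namespaces, but a note that the two entries are unrelated would help. Quoting is also inconsistent: `- 'ALL'` under `salt-ops` versus bare `ALL` elsewhere.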