From 5b94916469edfb9c0276271d3860199e67fb7a60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o=20-=20Le=20Filament?= <theo@le-filament.com>
Date: Mon, 15 May 2023 15:49:16 +0200
Subject: [PATCH] fix: no log nagios authentifications mistakes

---
 {templates => files}/pam-sudo | 0
 tasks/main.yml                | 8 ++++++++
 templates/sudoers.j2          | 8 ++++----
 3 files changed, 12 insertions(+), 4 deletions(-)
 rename {templates => files}/pam-sudo (100%)

diff --git a/templates/pam-sudo b/files/pam-sudo
similarity index 100%
rename from templates/pam-sudo
rename to files/pam-sudo
diff --git a/tasks/main.yml b/tasks/main.yml
index 7e94fae..d512d45 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -202,6 +202,14 @@
     validate: /usr/sbin/visudo -cf %s
   tags: sudoers
 
+- name: quiet nagios authentification
+  ansible.builtin.copy:
+    src: 'pam-sudo'
+    dest: '/etc/pam.d/sudo'
+    owner: root
+    group: root
+    mode: '0644'
+
 - name: add public key to authorized keys for {{ host_user }}
   authorized_key:
     key: "{{ default_ssh_public_keys }}"
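Review bot: The copy to `dest: '/etc/pam.d/sudo'` replaces the entire PAM stack for sudo on every host, so whatever logging suppression `files/pam-sudo` applies affects every sudo user, not only nagios; the file is only renamed in this patch, so I cannot confirm from here that it is scoped to the nagios account (e.g. via a user match), and that is worth checking before merge, since silencing failed sudo authentications globally removes a signal detections rely on. Unlike the sudoers task just above, this write has no validation or safety net, and a broken /etc/pam.d/sudo locks everyone out of sudo; at minimum add `backup: true` so the previous file is recoverable. The preceding task carries `tags: sudoers` while this one has none, so a `--tags sudoers` run would apply the sudoers change but skip the PAM change; consider adding `tags: sudoers` here as well. The task name should also read `- name: quiet nagios authentication`, and a comment above it such as `# Replaces the distro /etc/pam.d/sudo to stop nagios sudo auth noise; applies to all sudo users` would document the intent and its scope.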
diff --git a/templates/sudoers.j2 b/templates/sudoers.j2
index 1b08686..c8ba703 100644
--- a/templates/sudoers.j2
+++ b/templates/sudoers.j2
@@ -12,15 +12,15 @@ root    ALL=(ALL:ALL) ALL
 {% if host_user2 is defined %}{{ host_user2 }} ALL=(ALL) ALL{% endif %}
 
 Cmnd_Alias NAGIOS_FAIL2BAN = /usr/bin/fail2ban-client ping, /usr/bin/fail2ban-client banned       
-Defaults!NAGIOS_FAIL2BAN !syslog
+Defaults!NAGIOS_FAIL2BAN !log_allowed
 nagios ALL = (root) NOPASSWD: NAGIOS_FAIL2BAN
 
-Cmnd_Alias NAGIOS_DOCKER = /usr/bin/docker ps --format {{.Names}} --filter name=* --no-trunc --quiet --all, /usr/bin/docker ps --format {{.Names}} --filter name=* --no-trunc --quiet, /usr/bin>
-Defaults!NAGIOS_DOCKER !syslog
+Cmnd_Alias NAGIOS_DOCKER = /usr/bin/docker ps --format {{ '{{' }}.Names{{ '}}' }} --filter name=* --no-trunc --quiet --all, /usr/bin/docker ps --format {{ '{{' }}.Names{{ '}}' }} --filter name=* --no-trunc --quiet, /usr/bin/docker stats --format {{ '{{' }}.Name{{ '}}' }}\:{{ '{{' }}.CPUPerc{{ '}}' }}\:{{ '{{' }}.MemPerc{{ '}}' }} --no-stream
+Defaults!NAGIOS_DOCKER !log_allowed
 nagios ALL = (root) NOPASSWD: NAGIOS_DOCKER
 
 {% if inventory_hostname in groups.gitlab %}
 Cmnd_Alias NAGIOS_GITLAB = /opt/gitlab/bin/gitlab-ctl status
-Defaults!NAGIOS_GITLAB !syslog
+Defaults!NAGIOS_GITLAB !log_allowed
 nagios ALL = (root) NOPASSWD: NAGIOS_GITLAB
 {% endif %}
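Review bot: `!log_allowed` is a relatively recent sudoers flag (introduced in the 1.8.29 series, if I recall correctly), so on hosts whose sudo predates it the `visudo -cf` validation in the preceding sudoers task will reject the rendered file and the play fails; the role's minimum sudo version should be stated in the README or in a comment in this template. The change itself is good for detection: `!syslog` suppressed all syslog output for these aliases, whereas `!log_allowed` only drops records of permitted runs, so denied attempts are still logged, and a comment above the first Defaults line, `# !log_allowed rather than !syslog: only silence the allowed monitoring commands, denied attempts still reach syslog`, would keep that reasoning for the next maintainer. On the new `NAGIOS_DOCKER` line, the sudoers manual warns that wildcards in command arguments match the concatenated argument string across word boundaries, so `--filter name=*` is looser than it reads; if the monitored container names are known, listing them explicitly narrows the grant. The repeated `{{ '{{' }}…{{ '}}' }}` escaping on that line is correct but hard to read; wrapping the alias in `{% raw %}`/`{% endraw %}` would emit the literal Go-template braces more clearly.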
-- 
GitLab