From 91ee7273818e79810da2dd3edeb3571aab824422 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o=20-=20Le=20Filament?= <theo@le-filament.com>
Date: Mon, 15 May 2023 15:04:46 +0200
Subject: [PATCH] change: no log nagios authentifications
---
templates/pam-sudo | 12 ++++++++++++
templates/sudoers.j2 | 19 +++++++++++++------
2 files changed, 25 insertions(+), 6 deletions(-)
create mode 100644 templates/pam-sudo
diff --git a/templates/pam-sudo b/templates/pam-sudo
new file mode 100644
index 0000000..1baa5c8
--- /dev/null
+++ b/templates/pam-sudo
@@ -0,0 +1,12 @@
+#%PAM-1.0
+
+# Set up user limits from /etc/security/limits.conf.
+session required pam_limits.so
+
+session required pam_env.so readenv=1 user_readenv=0
+session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
+session [success=done default=ignore] pam_succeed_if.so quiet uid = 0 ruser = nagios
+
+@include common-auth
+@include common-account
+@include common-session-noninteractive
diff --git a/templates/sudoers.j2 b/templates/sudoers.j2
index 802f0ee..1b08686 100644
--- a/templates/sudoers.j2
+++ b/templates/sudoers.j2
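Review bot: The `[success=done default=ignore]` control on the `pam_succeed_if` line ends the session stack for every nagios→root sudo session, so all modules behind the three `@include` lines are skipped for those sessions, not only the logging one; whether the log line actually disappears depends on the distro's session logging living in `common-session-noninteractive`, which the patch does not verify. Those root sessions then leave no PAM trace at all, so any alerting built on `session opened for user root` in auth.log will no longer see them and should key on the sudoers side instead. Nothing in the diff installs this template as /etc/pam.d/sudo, so I assume a task outside the patch does that. The file has no comment on the intent; I would add above the line: `# nagios -> root sudo sessions: stop the session stack here (uid = target uid 0, ruser = invoking user) so monitoring checks do not log a session open/close.`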
@@ -11,9 +11,16 @@ root ALL=(ALL:ALL) ALL {{ host_user }} ALL=(ALL) ALL {% if host_user2 is defined %}{{ host_user2 }} ALL=(ALL) ALL{% endif %}
-nagios ALL=NOPASSWD: /usr/bin/fail2ban-client banned
-nagios ALL=NOPASSWD: /usr/bin/fail2ban-client ping
-nagios ALL=NOPASSWD: /usr/bin/docker ps --format {{ '{{' }}.Names{{ '}}' }} --filter name=* --no-trunc --quiet --all
-nagios ALL=NOPASSWD: /usr/bin/docker ps --format {{ '{{' }}.Names{{ '}}' }} --filter name=* --no-trunc --quiet
-nagios ALL=NOPASSWD: /usr/bin/docker stats --format {{ '{{' }}.Name{{ '}}' }}\:{{ '{{' }}.CPUPerc{{ '}}' }}\:{{ '{{' }}.MemPerc{{ '}}' }} --no-stream
-{% if inventory_hostname in groups.gitlab %}nagios ALL=NOPASSWD: /opt/gitlab/bin/gitlab-ctl status{% endif %}
+Cmnd_Alias NAGIOS_FAIL2BAN = /usr/bin/fail2ban-client ping, /usr/bin/fail2ban-client banned
+Defaults!NAGIOS_FAIL2BAN !syslog
+nagios ALL = (root) NOPASSWD: NAGIOS_FAIL2BAN
+
+Cmnd_Alias NAGIOS_DOCKER = /usr/bin/docker ps --format {{.Names}} --filter name=* --no-trunc --quiet --all, /usr/bin/docker ps --format {{.Names}} --filter name=* --no-trunc --quiet, /usr/bin>
+Defaults!NAGIOS_DOCKER !syslog
+nagios ALL = (root) NOPASSWD: NAGIOS_DOCKER
+
+{% if inventory_hostname in groups.gitlab %}
+Cmnd_Alias NAGIOS_GITLAB = /opt/gitlab/bin/gitlab-ctl status
+Defaults!NAGIOS_GITLAB !syslog
+nagios ALL = (root) NOPASSWD: NAGIOS_GITLAB
+{% endif %}
-- GitLab
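Review bot: The new `Cmnd_Alias NAGIOS_DOCKER` line writes the Go template `{{.Names}}` verbatim into a Jinja2 template, where `{{` opens an expression and `.Names` is not valid Jinja syntax, so rendering sudoers.j2 will fail; the removed lines escaped the braces as `{{ '{{' }}.Names{{ '}}' }}` and that escaping must be kept on every docker command in the alias (the `docker stats` entry is cut off at `/usr/bin>` in this view, so I cannot check it). Separately, `Defaults!NAGIOS_FAIL2BAN !syslog` (and the same for NAGIOS_DOCKER and NAGIOS_GITLAB) removes sudo's only record of root commands run from the nagios account unless a `logfile` default is set elsewhere in the file, which is outside the hunk. If the aim is only to keep the noise out of the main syslog, `Defaults!NAGIOS_DOCKER !syslog, logfile=<placeholder: dedicated sudo log path>` keeps a trail that incident response can still consult.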