iiab/roles/iiab-admin/tasks/sudo-prereqs.yml

# roles/2-common/tasks/packages.yml also installed sudo, but that's too late
- name: 'Install package: sudo'
  package:
    name: sudo

- name: Temporarily make file /etc/sudoers editable (0640)
  file:
    path: /etc/sudoers
    mode: 0640

- name: '/etc/sudoers: Have sudo log all commands to /var/log/sudo.log -- in addition to the lengthier /var/log/auth.log'
  lineinfile:
    path: /etc/sudoers
    regexp: logfile
    line: "Defaults     logfile = /var/log/sudo.log"

# Not nec (heavyhanded removal of customizations+comments) given sudo defaults.
#- name: Remove all lines that contain 'requiretty'
#  lineinfile:
#    path: /etc/sudoers
#    regexp: requiretty
#    state: absent

- name: End editing file /etc/sudoers -- protect it again (0440)
  file:
    path: /etc/sudoers
    mode: 0440
Refine iiab-admin role for Admin Console etc 2020-10-16 18:00:30 +00:00			`# roles/2-common/tasks/packages.yml also installed sudo, but that's too late`
			`- name: 'Install package: sudo'`
			`package:`
			`name: sudo`

			`- name: Temporarily make file /etc/sudoers editable (0640)`
			`file:`
			`path: /etc/sudoers`
			`mode: 0640`

			`- name: '/etc/sudoers: Have sudo log all commands to /var/log/sudo.log -- in addition to the lengthier /var/log/auth.log'`
			`lineinfile:`
			`path: /etc/sudoers`
			`regexp: logfile`
			`line: "Defaults logfile = /var/log/sudo.log"`

			`# Not nec (heavyhanded removal of customizations+comments) given sudo defaults.`
			`#- name: Remove all lines that contain 'requiretty'`
			`# lineinfile:`
			`# path: /etc/sudoers`
			`# regexp: requiretty`
			`# state: absent`

			`- name: End editing file /etc/sudoers -- protect it again (0440)`
			`file:`
			`path: /etc/sudoers`
			`mode: 0440`