Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
- Puppet >= 7.0.0 < 9.0.0
Start using this module
Add this module to your Puppetfile:
mod 'simp-sudosh', '6.5.0'
Learn more about managing modules with a Puppetfile
Documentation
sudosh
Table of Contents
- Module Description - What the module does and why it is useful
- Setup - The basics of getting started with sudosh
- Usage - Configuration options and additional functionality
- Reference
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
- Acceptance Tests
Module Description
This class installs sudosh and configures rsyslog and logrotate to support it.
Sudosh supports keystroke logging for users with root privilege. By running sudo sudosh, a user will be escalated to root, but the sudosh shell will log that user's keystrokes and output it to /var/log/sudosh/log. The command sudosh-replay is used to replay the keystrokes of a session.
Setup
What sudosh affects
The module installs sudosh, and optionally configures rsyslog for sudosh logging and logrotate for the sudosh user data.
Setup Requirements
To enable the rsyslog and logrotate features, set simp_options::syslog and simp_options::logrotate to true in your Hiera data. For example:
---
simp_options::syslog: true
simp_options::logrotate: true
Beginning with sudosh
This module can be used by simply including the sudosh class.
Usage
I want to ensure that my admins use sudosh specifically
To ensure that admins use sudosh, so that their actions are logged, use the simp/sudo module to create a sudo rule that ONLY allows admins to run sudosh.
Example:
sudo::user_specification { 'global_admin':
  user_list => '%administrators',
  host_list => 'ALL',
  runas     => 'ALL',
  cmnd      => '/usr/bin/sudosh',
  passwd    => 'false'
}
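One way to check the result on a managed node, as an added example that is not part of the module or its documentation: the Python sketch below reads sudoers text and lists every command, other than /usr/bin/sudosh, granted to the given principals. The sample sudoers lines are constructed, the function names are hypothetical, and the parser is simplified (one user or group per rule, no alias expansion, '#' always treated as a comment).

```python
import re

SUDOSH = "/usr/bin/sudosh"               # command path from the page's sudo rule
RUNAS = re.compile(r"\([^)]*\)")         # runas spec such as (ALL) or (root)
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # leading tags such as NOPASSWD:

# Constructed sudoers text for illustration; not output of the module.
SAMPLE = r"""
# constructed sample
Defaults requiretty
%administrators ALL=(ALL) NOPASSWD: /usr/bin/sudosh
%wheel ALL=(ALL) ALL
%administrators ALL=(root) /usr/bin/sudosh, \
    /bin/bash
"""

def logical_lines(text):
    """Join backslash-continued lines, then drop comments and blank lines."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()  # simplification: '#' always starts a comment
        if line:
            yield line

def extra_commands(sudoers_text, principals=("%administrators",)):
    """Return every granted command other than sudosh; an empty list means compliant."""
    extra = []
    for line in logical_lines(sudoers_text):
        fields = line.split(None, 1)
        if len(fields) < 2 or fields[0] not in principals or "=" not in fields[1]:
            continue  # Defaults, alias definitions, rules for other principals
        cmnds = RUNAS.sub("", fields[1].split("=", 1)[1])
        for cmnd in cmnds.split(","):
            cmnd = TAGS.sub("", cmnd.strip())
            # Aliases are not expanded, so an alias name or ALL is reported as-is.
            if cmnd != SUDOSH:
                extra.append(cmnd)
    return extra

if __name__ == "__main__":
    # Audit the admin group plus %wheel, another group an admin might belong to.
    for cmnd in extra_commands(SAMPLE, ("%administrators", "%wheel")):
        print("grants more than sudosh:", cmnd)
```

Any non-empty result means the listed principals can reach root without going through the logged sudosh shell.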
Reference
Classes
Public Classes
sudosh
Class: sudosh
This class has no parameters or options
Limitations
SIMP Puppet modules are generally intended to be used on a Red Hat Enterprise Linux-compatible distribution.
Development
Please read our Contribution Guide.
If you find any issues, they can be submitted to our JIRA.
Acceptance tests
To run the system tests, you need Vagrant installed.
You can then run the following to execute the acceptance tests:
bundle exec rake beaker:suites
Some environment variables may be useful:
BEAKER_debug=true
BEAKER_provision=no
BEAKER_destroy=no
BEAKER_use_fixtures_dir_for_modules=yes
- BEAKER_debug: show the commands being run on the SUT and their output.
- BEAKER_destroy=no: prevent the machine destruction after the tests finish so you can inspect the state.
- BEAKER_provision=no: prevent the machine from being recreated. This can save a lot of time while you're writing the tests.
- BEAKER_use_fixtures_dir_for_modules=yes: cause all module dependencies to be loaded from the spec/fixtures/modules directory, based on the contents of .fixtures.yml. The contents of this directory are usually populated by bundle exec rake spec_prep. This can be used to run acceptance tests on isolated networks.
Reference
Table of Contents
Classes
- sudosh: sudosh class. This class installs sudosh and optionally configures rsyslog and logrotate.
Classes
sudosh
sudosh class
This class installs sudosh and optionally configures rsyslog and logrotate.
Examples
Ensuring all sudo operations are run with sudosh
Insert the following code in an appropriate manifest (e.g.,
/etc/puppet/manifests/nodes/default_classes/base_config.pp).
sudo::user_specification { 'global_admin':
  user_list => '%administrators',
  host_list => 'ALL',
  runas     => 'ALL',
  cmnd      => '/usr/bin/sudosh',
  passwd    => 'false'
}
Parameters
The following parameters are available in the sudosh class:
syslog
Data type: Boolean
Whether to include SIMP's ::rsyslog class and use it to create a specific log file for sudosh (/var/log/sudosh.log)
Default value: simplib::lookup('simp_options::syslog', { 'default_value' => false })
logrotate
Data type: Boolean
Whether to include SIMP's logrotate class and to use it to create a log rotate rule for the sudosh log file.
Default value: simplib::lookup('simp_options::logrotate', { 'default_value' => false })
package_ensure
Data type: String
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
- Wed Oct 11 2023 Steven Pritchard steve@sicura.us - 6.5.0
- [puppetsync] Updates for Puppet 8
  - These updates may include the following:
    - Update Gemfile
    - Add support for Puppet 8
    - Drop support for Puppet 6
    - Update module dependencies
- Mon Jun 12 2023 Chris Tessmer chris.tessmer@onyxpoint.com - 6.4.0
- Add RockyLinux 8 support
- Thu Jun 17 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 6.3.0
- Removed support for Puppet 5
- Ensured support for Puppet 7 in requirements and stdlib
- Wed Feb 03 2021 Liz Nemsick lnemsick.simp@gmail.com - 6.2.2
- Expanded simp/rsyslog dependency range to < 9.0.0.
- Sat Dec 19 2020 Chris Tessmer chris.tessmer@onyxpoint.com - 6.2.2
- Removed EL6 support
- Thu Jul 23 2020 jeannegreulich@onyxpoint.com - 6.2.1-0
- Update the upper bounds for simplib in metadata
- Fri Aug 02 2019 Robert Vincent pillarsdotnet@gmail.com - 6.2.0-0
- Drop Puppet 4 support
- Add Puppet 6 support
- Add puppetlabs-stdlib 6 support
- Thu Mar 07 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.1.1-0
- Update the upper bound of stdlib to < 6.0.0
- Update a URL in the README.md
- Fri Oct 12 2018 Nick Miller nick.miller@onyxpoint.com - 6.1.0-0
- Added $package_ensure parameter
- Changed the package from 'latest' to 'installed'
- It will also respect simp_options::package_ensure
- Update badges and contribution guide URL in README.md
- Fri Sep 07 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.1.0-0
- Drop Hiera 4 support
- Fri Aug 24 2018 Adam Yohrling adam.yohrling@onyxpoint.com - 6.1.0-0
- Add support for Puppet 5
- Add support for Oracle Linux
- Add basic acceptance testing
- Wed Apr 19 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.1-0
- Updated logrotate to use new lastaction API
- Update puppet requirement and remove OBE pe requirement in metadata.json
- Mon Jan 23 2017 Nick Miller nick.miller@onyxpoint.com - 6.0.0
- Updated rsyslog rule to remove logic
- Wed Dec 14 2016 Liz Nemsick lnemsick.simp@gmail.com - 6.0.0-0
- Use simp_options module for global catalysts
- Use strong typed parameters
- Thu Dec 01 2016 Nicholas Hughes, Nick Markowski nmarkowski@keywcorp.com - 5.0.1-0
- Prevent log duplication and log where intended.
- Changed naming to XX or YY to come before the default Z_default.conf for local rules, but after the numbered configs used by the log_server class.
- Tue Nov 22 2016 Jeanne Greulich jgreulich@onyxpoint.com - 5.0.0-0
- Major version bump for SIMP 6
- Mon Nov 21 2016 Chris Tessmer chris.tessmer@onypoint.com - 4.1.3-0
- Compliance map removal and general housekeeping
- Mon Jul 11 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.1-0
- Migration to semantic versioning and fix of the build system
- Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 4.1.0-4
- migration to simplib and simpcat (lib/ only)
- Fri Jul 31 2015 Kendall Moore kmoore@keywcorp.com - 4.1.0-3
- Updated to use the new rsyslog module.
- Fri Feb 27 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-2
- Updated to use the new 'simp' environment.
- Changed calls directly to /etc/init.d/rsyslog to '/sbin/service rsyslog' so that both RHEL6 and RHEL7 are properly supported.
- Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-1
- Changed puppet-server requirement to puppet
- Fri Jan 10 2014 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-0
- Updated module for puppet3/hiera compatibility, and optimized code for lint tests, and puppet-rspec.
- Fri Jan 18 2013 Maintenance 4.0.0-5
- Create a Cucumber test that adds a user to the admin group and verifies that sudosh and sudosh-replay works.
- Tue Oct 23 2012 Maintenance 4.0.0-4
- Updated the rsyslog rule to be more concise.
- Wed Apr 11 2012 Maintenance 4.0.0-3
- Moved mit-tests to /usr/share/simp...
- Updated pp files to better meet Puppet's recommended style guide.
- Fri Mar 02 2012 Maintenance 4.0.0-2
- Improved test stubs.
- Mon Dec 26 2011 Maintenance 4.0.0-1
- Updated the spec file to not require a separate file list.
- Mon Nov 07 2011 Maintenance 4.0.0-0
- Fixed call to rsyslog restart for RHEL6.
- Tue Jan 11 2011 Maintenance 2.0.0-0
- Refactored for SIMP-2.0.0-alpha release
- Tue Oct 26 2010 Maintenance - 1-1
- Converting all spec files to check for directories prior to copy.
- Thu Aug 19 2010 Maintenance 1.0-0
- Initial creation
Dependencies
- simp/simplib (>= 4.9.0 < 5.0.0)
- simp/logrotate (>= 6.5.0 < 7.0.0)
- simp/rsyslog (>= 7.6.0 < 9.0.0)
- puppetlabs/stdlib (>= 8.0.0 < 10.0.0)
pupmod-simp-sudosh - A Puppet Module for managing Sudosh2

Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.