ansible-collection-hardening
Configure sudo
CIS Benchmark has a section for configuring sudo. I think that the suggestions in that section make sense, so I have created a playbook to fix that. I think that the os_hardening role could use these changes as well.
This is how I solved it for me:
- name: copy /etc/sudoers.d/cis to configure sudo - CIS 1.3
  copy:
    src: etc/sudoers.d/cis
    dest: /etc/sudoers.d/cis
    owner: root
    group: root
    mode: '0600'
$ sudo cat /etc/sudoers.d/cis
# CIS 1.3.2 Ensure sudo commands use pty (Scored)
# sudo can be run only from a pseudo-pty.
# Rationale:
# Attackers can run a malicious program using sudo which would fork a background process
# that remains even when the main program has finished executing.
Defaults use_pty
# CIS 1.3.3 Ensure sudo log file exists (Scored)
# A separate sudo log file simplifies auditing of sudo commands.
Defaults logfile="/var/log/sudo.log"
What do you think?
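An added example, not part of this issue or of the os_hardening role: the same drop-in delivered as one task, with the sudoers content inline and `validate` pointed at `visudo -csf` so that a syntax error is rejected before the file is written and sudo cannot be broken for everyone. The `ansible.builtin.copy` module name, the `validate` option and the `-csf` flags are documented Ansible and sudo behaviour; the task name and file content are constructed for this example.

```yaml
# Added example (not the issue author's or the project's task).
# visudo -c  : check-only mode, exits non-zero on a syntax error
# visudo -s  : strict, also rejects unknown aliases and similar mistakes
# visudo -f  : check the temporary file Ansible hands in as %s
- name: Configure sudo per CIS 1.3.2 / 1.3.3 (use_pty, dedicated log file)
  become: true
  ansible.builtin.copy:
    dest: /etc/sudoers.d/cis
    owner: root
    group: root
    mode: '0440'   # the mode visudo expects for sudoers fragments
    validate: '/usr/sbin/visudo -csf %s'
    content: |
      # CIS 1.3.2 Ensure sudo commands use pty
      Defaults use_pty
      # CIS 1.3.3 Ensure sudo log file exists
      Defaults logfile="/var/log/sudo.log"
```

Two caveats that apply to any sudoers fragment: sudo silently ignores files under /etc/sudoers.d whose name ends in `~` or contains a `.`, so a name like `cis` is safe but `cis.conf` would never be read; and a fragment that fails validation is never written, so a failed play leaves the previous working sudo configuration in place, which is the behaviour you want on a host you may only be able to reach through sudo.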