#########################################################################
#
# linux_sudoers.cf - Watch sudoers file for changes, overwrite with master if it changes
#
#
#
#
#########################################################################
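bundle agent linux_sudoers {
# Keep /etc/sudoers identical to a master copy held on the policy hub, but
# never install anything that has not passed "visudo -c" on this host.
#
# Flow per agent run (CFEngine normal ordering evaluates classes, then files,
# then commands, then reports; the bundle is evaluated in several passes, so
# a class raised by commands in pass 1 gates files promises in pass 2):
#   1. /etc/sudoers.proposed  <- master copy from the hub; a class is raised
#                                only when this copy actually changed
#   2. visudo -c              <- runs only when step 1 changed the file
#   3. /etc/sudoers.validated <- copy of the proposed file, only after visudo
#                                accepted it in this run
#   4. /etc/sudoers           <- converged to /etc/sudoers.validated on EVERY
#                                run once a validated copy exists
#
# Step 4 is the reason for the intermediate validated copy: gating the final
# copy on a class that is only raised in runs where the master changed would
# leave a local edit of /etc/sudoers in place until the next master change.
# With a persistent validated copy on disk, local drift is reverted on the
# next run, and /etc/sudoers still only ever receives content that passed
# visudo.

  classes:
    linux::
      # Re-evaluated every pass, so it becomes true in the pass after step 3
      # first creates the validated copy.
      "have_validated_sudoers"
        expression => fileexists("/etc/sudoers.validated"),
        comment    => "A visudo-validated copy of the master sudoers exists on this host";

  files:
    linux::
      # Step 1: cache the master file locally so its syntax can be checked
      # here before it is installed. The encrypted copy is compared by digest,
      # so the class is raised only when the content really changed.
      "/etc/sudoers.proposed"
        create     => "true",
        copy_from  => secure_cp("$(sys.workdir)/masterfiles/linux/etc/mastersudoers", "$(sys.policy_hub)"),
        classes    => if_repaired("proposed_sudoers_needs_syntax_validated"),
        perms      => mog("0440", "root", "root"),
        comment    => "Cache the master sudoers file from the policy hub so its syntax can be
validated locally before it is installed. Raise a class to trigger syntax
validation when the cached copy was repaired (updated from master).";

      # Step 3: promote the proposed file only in a run where visudo accepted
      # it (class raised by the commands promise below). No create => "true"
      # here on purpose: the validated copy must only ever appear as a complete
      # copy, never as an empty placeholder that step 4 could install.
      "/etc/sudoers.validated"
        copy_from  => local_dcp("/etc/sudoers.proposed"),
        ifvarclass => "proposed_sudoers_syntax_validated",
        perms      => mog("0440", "root", "root"),
        comment    => "Keep a copy of the last proposed sudoers that passed visudo -c, so the
real sudoers file can be converged to known-good content on every run.";

      # Step 4: the real file tracks the validated copy on every run (not only
      # when the master changed), so local modifications are reverted.
      "/etc/sudoers"
        create     => "true",
        copy_from  => local_dcp("/etc/sudoers.validated"),
        ifvarclass => "have_validated_sudoers",
        perms      => mog("0440", "root", "root"),
        comment    => "Ensure the real sudoers file matches the validated copy.";

  commands:
    linux::
      # Step 2: only fork visudo when the proposed file was repaired this run;
      # an unchanged proposed file was already checked when it arrived.
      # Exit status 0 raises proposed_sudoers_syntax_validated, non-zero raises
      # proposed_sudoers_syntax_invalid (see the classes body below).
      "/usr/sbin/visudo"
        args       => "-c -f /etc/sudoers.proposed",
        classes    => linux_sudoers_visudo_outcome,
        ifvarclass => "proposed_sudoers_needs_syntax_validated",
        comment    => "Validate the proposed sudoers from masterfiles when it has been
repaired; if it is well-formed raise a class so it can be promoted.";

  reports:
    # Make a rejected master copy visible instead of silently leaving
    # /etc/sudoers at its previous content.
    proposed_sudoers_syntax_invalid::
      "/etc/sudoers.proposed failed visudo -c; /etc/sudoers was NOT updated. Fix the master sudoers on the policy hub.";
}

# Outcome classes for the visudo check: a command promise is "repaired" when
# the command exits 0 and "repair_failed" when it exits non-zero.
body classes linux_sudoers_visudo_outcome
{
  promise_repaired => { "proposed_sudoers_syntax_validated" };
  repair_failed    => { "proposed_sudoers_syntax_invalid" };
}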