# * DO NOT EDIT THIS FILE * DO NOT EDIT THIS FILE * DO NOT EDIT THIS FILE * DO NOT EDIT THIS FILE *
#         ________
#        /        \     ____   ___    _   _  ___ _____   _____ ____ ___ _____   _
#       /_ ___ _  _\   |  _ \ / _ \  | \ | |/ _ \_   _| | ____|  _ \_ _|_   _| | |
#      |(_` | / \|_)|  | | | | | | | |  \| | | | || |   |  _| | | | | |  | |   | |
#      |._) | \_/|  |  | |_| | |_| | | |\  | |_| || |   | |___| |_| | |  | |   |_|
#       \          /   |____/ \___/  |_| \_|\___/ |_|   |_____|____/___| |_|   (_)
#        \________/
#            ||
#            ||
#            ||
#            ||
#            ||
#
#          Do not edit this file: it is managed by system configuration and any changes will be
#          overwritten during updates. If you need to override settings, create a new file of
#          the form /etc/sudoers.d/<name> instead, which sorts alphabetically after this file, and
#          place the necessary overrides in that file.
#
# * DO NOT EDIT THIS FILE * DO NOT EDIT THIS FILE * DO NOT EDIT THIS FILE * DO NOT EDIT THIS FILE *


###################################################################################################
# sudo rules from op-server-config
###################################################################################################

# README:
# Any changes to this file should ALSO be made to the OP Administrators sudoers groups in the Noggin Active Directory
# The vast majority of servers will be using the AD configuration instead of this file
# adimitriadis - 20200903
#

# General Admins + OP Admins + support groups can act as any 'op' group member.
# Runas list (%op) = any user who is a member of group 'op'; command list ALL = any command.
# No NOPASSWD tag here, so sudo's normal authentication applies unless a Defaults entry
# elsewhere changes it.
# NOTE(review): the reach of these rules is decided entirely by who belongs to group 'op'.
# Keep that group limited to the intended accounts and audit its membership; a privileged
# account added to 'op' would become reachable through these three rules.
%op-admins  ALL=(%op) ALL
%admins     ALL=(%op) ALL
%support    ALL=(%op) ALL

# Scripts provided by the op-server-config package
# Can be run with or without arguments
# In sudoers a command path listed without arguments already matches any argument list, so
# the bare entries below permit arguments on their own; the "*" variants only make that explicit.
# NOTE(review): this alias is granted as root further down, so both scripts receive
# caller-chosen arguments with root privileges. Presumably they validate their arguments and
# are writable by root only - verify in the op-server-config package.
Cmnd_Alias OP_RUN_SCRIPTS = 	       \
        /usr/bin/op-create-account,    \
        /usr/bin/op-create-account *,  \
        /usr/bin/op-setperms-secure,   \
        /usr/bin/op-setperms-secure *

# OP Admins can view httpd logs
# Intent: read-only access to files under /var/log/httpd/ using ls, cat, grep, less and zcat.
# NOTE(review): sudoers matches the command-line arguments as one concatenated string, and a
# "*" there also matches spaces and "/". These entries therefore only require the argument
# string to contain the /var/log/httpd/ prefix in the right place; they do not confine the
# command to files inside that directory. Treat this alias as root read access in general.
# NOTE(review): less is an interactive pager that can start other programs; when granted as
# root it should carry the NOEXEC tag or be replaced by a non-interactive viewer.
# Safer alternatives: give the group read access to the logs (group ownership or ACLs) so no
# sudo rule is needed, or expose a fixed wrapper script that validates the requested path.
Cmnd_Alias OP_VIEW_LOGS =               \
        /bin/ls  /var/log/httpd/*,      \
        /bin/ls * /var/log/httpd/*,     \
        /bin/cat /var/log/httpd/*,      \
        /bin/grep /var/log/httpd/*,     \
        /bin/grep * /var/log/httpd/*,   \
        /bin/less /var/log/httpd/*,     \
        /bin/less * /var/log/httpd/*,   \
        /bin/zcat /var/log/httpd/*

# OP Admins can run ng-journalctl as root
# The trailing "*" accepts any argument string. Neither rule in this group has a NOPASSWD tag,
# so sudo's normal authentication applies unless a Defaults entry elsewhere changes it.
# NOTE(review): ng-journalctl is not defined in this file. Presumably it is a wrapper that
# restricts what is passed on to journalctl - confirm that it validates its arguments and does
# not hand output to an interactive pager while running as root.
%op-admins ALL=(root) /usr/bin/ng-journalctl *
# OP Admins can run scripts provided by the op-server-config package and view httpd logs
# Both aliases are defined above in this file and are granted here as root.
%op-admins ALL=(root) OP_RUN_SCRIPTS, OP_VIEW_LOGS

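# Allow users to run the instance banner as root without a password.
# Exactly two invocations are permitted: no arguments ("") and the single option --detail.
# A bare command path in sudoers matches any argument list, which would make the --detail
# entry redundant and let this NOPASSWD root rule accept arbitrary arguments; the "" keeps
# the rule limited to the forms listed. Add any further option as its own explicit entry.
%op-admins ALL=(root) NOPASSWD: /usr/bin/op-instance-banner "", /usr/bin/op-instance-banner --detail
%admins    ALL=(root) NOPASSWD: /usr/bin/op-instance-banner "", /usr/bin/op-instance-banner --detail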

