Add subsection with recommendations for using sudo

[daobrien]

In an attempt to standardize how we use sudo across all courses, we've come up with the following (so far):

Using sudo in Training Courses

Need a useful intro here.

Assumptions

1. Although security is important, it is more important to not have unnecessary classroom security distract from the immediate topic being taught.

General Recommendations

NOTE: These are recommendations, not rules. As with most things, consistency is important. Don't swap between different approaches without reason. Choose which approach works best for your situation and stick to it.

1. In all cases, use the minimum privilege level required to achieve the task.
2. In exercises, use sudo and sudo -i and set this up to work throughout all relevant systems in the classroom. Do not use su - without good cause.
3. When there are a scattered minority of privileged commands in a mostly unprivileged exercise, use sudo on a per-command basis.
4. When the exercise is majority privileged, or has a significant number of privileged commands, use sudo -i either at the beginning of the exercise, or at an appropriate step where the privileged commands begin.
5. In the narrative, do not show the use of su or sudo, but always show privileged commands with the correct prompt.

Exceptions

1. Some courses are specifically designed to teach sudo and its variations, the use of the related files, such as /etc/sudoers and so on. For these courses, use the required variation for the topic being taught.

Ansible Courses

1. Ansible courses typically use a devops user with passwordless sudo ALL=ALL(ALL) access on managed nodes to enable the use of become without a become password as root to do anything.
2. As much as possible, leave the system-wide default as become: false or become: no and if a single task needs privileges, set become: true or become: yes on that task.
3. If most tasks in a play needs privileges, set the entire play to become: true or become: yes and possibly selectively set individual tasks to become: false or become: no.

[mweetman-redhat]

"In all cases, use the minimum privilege level required to achieve the task."
I don't think this is reasonable in a classroom environment, we could spend hours customising the classroom so that only the specific commands the student needs to run are available. But this may prevent any kind of learning exploration not specifically covered in the material, and this level of effort seems unwarranted for a non-production environment.

[daobrien]

"In all cases, use the minimum privilege level required to achieve the task."
I don't think this is reasonable in a classroom environment, we could spend hours customising the classroom so that only the specific commands the student needs to run are available. But this may prevent any kind of learning exploration not specifically covered in the material, and this level of effort seems unwarranted for a non-production environment.

If I understand what you're getting at here, you mean customizing the sudoers file so that only the required commands are available via sudo? That's not what we're proposing. If you mean something different then let me know.

This proposal is about not using root privs unnecessarily. I'm not the person to make the decision, obviously; everything above has come from arch feedback. I just want to make sure we get consensus and then document it.

[bonnevil]

@mweetman-redhat my understanding is the proposal is simply

• if you're running one command as root mixed with a bunch of unprivileged commands, sudo command assuming the user is in group wheel and therefore has ALL=ALL(ALL) set.
• if you're running a string of commands, possibly across several steps, then sudo -i or sudo su - ($PATH might be set differently between the two) and run the commands, exiting when you can go unprivileged.
• if sudo isn't available, then log in as root or su -.

We're not talking about setting additional individual sudo rules here in advance for each lab. Especially since those wouldn't be set in a real world default configuration.

[daobrien]

@nmuller66 @sffrench Looking for suggestions on where this might fit in the Style Guide. Nothing leaps out at me right now. Possibly near 3.4.3. Documenting Command Terminology and Syntax ?

[sffrench]

I wouldn't be nearly as familiar with the guide as you are David, I think where you have suggested would be appropriate.