[image]: prevent password related command into syslog (#1450)

* [image]: prevent password related command into syslog
2018-03-02 21:21:25 -08:00 · 2018-03-02 21:21:25 -08:00 · a9d2e13627
commit a9d2e13627
parent c689253b3f
1 changed files with 5 additions and 0 deletions
--- a/files/image_config/sudoers/sudoers
+++ b/files/image_config/sudoers/sudoers
@ -31,12 +31,17 @@ Cmnd_Alias      READ_ONLY_CMDS = /usr/bin/decode-syseeprom, \
                                 /bin/cat /var/log/syslog, \
                                 /usr/bin/tail -f /var/log/syslog

+Cmnd_Alias      PASSWD_CMDS = /usr/bin/config tacacs passkey *, \
+                              /usr/sbin/chpasswd *
+
 # User privilege specification
 root    ALL=(ALL:ALL) ALL

 # Allow members of group sudo to execute any command
 %sudo   ALL=(ALL:ALL) NOPASSWD: ALL

+# Prevent password related command into syslog
+Defaults!PASSWD_CMDS !syslog

 # See sudoers(5) for more information on "#include" directives: