f166b991a7
[image]: Prevent radius passkey and snmp community string into syslog. (#9727) #### Why I did it Prevent radius passkey and snmp community string into syslog. #### How I did it Add radius and snmp config command to PASSWD_CMDS #### How to verify it Run and pass all UTs. #### Which release branch to backport (provide reason below if selected) <!-- - Note we only backport fixes to a release branch, *not* features! - Please also provide a reason for the backporting below. - e.g. - [x] 202006 --> - [ ] 201811 - [ ] 201911 - [ ] 202006 - [ ] 202012 - [ ] 202106 #### Description for the changelog Add radius and snmp config command to PASSWD_CMDS to prevent radius passkey and snmp community string into syslog. #### A picture of a cute animal (not mandatory but encouraged)
71 lines
3.1 KiB
Plaintext
71 lines
3.1 KiB
Plaintext
#
|
|
# This file MUST be edited with the 'visudo' command as root.
|
|
#
|
|
# Please consider adding local content in /etc/sudoers.d/ instead of
|
|
# directly modifying this file.
|
|
#
|
|
# See the man page for details on how to write a sudoers file.
|
|
#
|
|
Defaults env_reset
|
|
#Defaults mail_badpass
|
|
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
|
Defaults env_keep += "SONIC_CLI_IFACE_MODE"
|
|
Defaults env_keep += "VTYSH_PAGER"
|
|
Defaults lecture_file = /etc/sudoers.lecture
|
|
|
|
# Host alias specification
|
|
|
|
# User alias specification
|
|
|
|
# Cmnd alias specification
|
|
# Note: bcmcmd is dangerous for users in read only netgroups because it may operate ASIC
|
|
Cmnd_Alias READ_ONLY_CMDS = /bin/cat /var/log/syslog*, \
|
|
/bin/ip netns identify [0-9]*, \
|
|
/sbin/brctl show, \
|
|
/usr/bin/docker exec snmp cat /etc/snmp/snmpd.conf, \
|
|
/usr/bin/docker exec bgp cat /etc/quagga/bgpd.conf, \
|
|
/usr/bin/docker images *, \
|
|
/usr/bin/docker ps *, \
|
|
/usr/bin/docker ps, \
|
|
/usr/bin/lldpctl, \
|
|
/usr/bin/sensors, \
|
|
/usr/bin/tail -F /var/log/syslog, \
|
|
/usr/bin/rvtysh *, \
|
|
/usr/bin/vtysh -c show version, \
|
|
/usr/bin/vtysh -c show bgp ipv[46] summary json, \
|
|
/usr/bin/vtysh -n [0-9] -c show version, \
|
|
/usr/bin/vtysh -n [0-9] -c show bgp ipv[46] summary json, \
|
|
/usr/local/bin/decode-syseeprom, \
|
|
/usr/local/bin/generate_dump, \
|
|
/usr/local/bin/ipintutil, \
|
|
/usr/local/bin/lldpshow, \
|
|
/usr/local/bin/pcieutil *, \
|
|
/usr/local/bin/psuutil *, \
|
|
/usr/local/bin/sonic-installer list, \
|
|
/usr/local/bin/sfputil show *
|
|
|
|
|
|
Cmnd_Alias PASSWD_CMDS = /usr/local/bin/config tacacs passkey *, \
|
|
/usr/local/bin/config radius passkey *, \
|
|
/usr/local/bin/config snmp community add *, \
|
|
/usr/local/bin/config snmp community del *, \
|
|
/usr/local/bin/config snmp community replace * *, \
|
|
/usr/sbin/chpasswd *
|
|
|
|
# User privilege specification
|
|
root ALL=(ALL:ALL) ALL
|
|
|
|
# Allow all users to execute read only commands
|
|
ALL ALL=NOPASSWD: READ_ONLY_CMDS
|
|
|
|
# Allow members of group sudo to execute any command
|
|
%sudo ALL=(ALL:ALL) NOPASSWD: ALL
|
|
|
|
# Prevent password related command into syslog
|
|
Defaults!PASSWD_CMDS !syslog
|
|
|
|
# See sudoers(5) for more information on "#include" directives:
|
|
|
|
#includedir /etc/sudoers.d
|
|
|