sudoers权限管理

该 /etc/sudoers 文件的权限管理很完善，覆盖了 Linux 中的各种命令、各种 shell 和编辑器等，在此留存以备日后参考。

# This file MUST be edited with the 'visudo' command as root.
#
# Modification History
# 09-30-2014 CH10258614 Global Compliance changes with new Include lists
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Defaults specification

#Sets up the sudo log file.
#>> This isn't required, per documentation 'default' is to log via syslog
#>> which is certainly fine. This item was left in, as much as anything,
#>> to serve as a reminder that some 'per account' customization is
#>> permitted, and may even be very important based on customer requirements.
# NOTE(review): logfile adds a local file log in addition to syslog (syslog
# stays on unless disabled separately); both records need to be retained and
# protected, since they hold every privileged command line.
Defaults logfile=/var/log/sudo.log

#>> The 'NA sudoers standard template' below content comes from
#>> https://ibm.biz/NAsudoTemplates
#>> entry: 201_NArevStandAliases_NA
#>> with customizations of:
#>> Eliminating change control information (most comments 'may' be removed,
#>> but do NOT eliminate the Begin / End comments).
#>> Eliminated 'sample' #include lines, which cause syntax errors.
#>> Commented out: # Defaults!IBM_SHELLESCAPE_ALL noexec
#>> as, for this example, the commercial customer has not approved
#>> this entry. Note: IBM Internal customers must accept this entry.
#>>
# Begin NA sudoers standard template Ver 8.1NA Date 2014-07-09 * Master * Refer NA14211028 Begin #
# Description Standard sudoers template
#
# Version control
# [ deleted version control data for conciseness, for details see pRAM ]
#------------------------------------------------------------------------------
# Sudo implementation team instruction:
# This special template is NOT to be # included. Instead, this template
# has content which must, for functional purposes, be 'spread over' the
# entire span of the /etc/sudoers file. For instance, the
# Defaults env_file=/etc/sudo.env
# line should be 'early' in the file, while the line:
# ALL ALL=!SUDOSUDO
# needs to be after the last 'additive' sudo entry to ensure all sudo entries
# are appropriately protected.
#
#------------------------------------------------------------------------------
# Defaults
#------------------------------------------------------------------------------
#
# The following entries are required if you allow users to run
# smit / smitty on AIX:
#
# For sudo 1.7.0 and up, include the following entries in the
# /etc/sudo.env file:
# SMIT_SHELL=n
# SMIT_SEMI_COLON=n
# SMIT_QUOTE=n
# and define the sudo environment file within /etc/sudoers (or an included
# file) via the 'Defaults env_file' line below.
# Note: if you are using a sudo level older than 1.7.0 on AIX,
# contact 'Sudo Deployment AG/Hartford/IBM,' for guidance.
#
# NOTE(review): env_file makes /etc/sudo.env part of the trusted configuration:
# its contents are injected into the environment of every command run through
# sudo, so the file must be root-owned and not writable by the accounts that
# are granted sudo. Per sudoers(5) the variables it sets are still subject to
# env_keep / env_check filtering -- confirm ownership and mode on the host.
Defaults env_file=/etc/sudo.env # Includes the sudo environment file
#
#
#-----------------------------------------------------------------------------
#
# The following entry is only required if you are using a secondary logging
# method which cannot capture commands issued in shell outs.
# This will help ensure that commands with shell outs are
# appropriately controlled:
#
# NOTE(review): this Defaults line is ACTIVE as written, yet the 'Account
# notes' just below it (and the customization list near the top of this file)
# say it was commented out because the customer has not approved it. One of
# the two is wrong: either restore the leading '#' or remove the notes, since
# visudo applies the line exactly as it stands. Also, per sudoers(5), noexec
# only constrains dynamically linked programs, so it is a hardening measure
# rather than a complete control.
Defaults!IBM_SHELLESCAPE_ALL noexec
### Account notes: This commercial customer has not approved this entry, and
### thus this entry has been commented out.
# CAUTION: This affects all entries; ensure your customer is aware this is being
# added on first implementation, and appropriate testing is done.
#
#-----------------------------------------------------------------------------
# User Aliases
#-----------------------------------------------------------------------------
# Add ant 'in line' User_Alias here.
#
#-----------------------------------------------------------------------------
# Host Aliases
#-----------------------------------------------------------------------------
# Add any 'in line' Host_Alias here.
#
#
#-----------------------------------------------------------------------------
# Required Command Aliases
#-----------------------------------------------------------------------------
#
# sudo
#
# NOTE(review): referenced by the closing 'ALL ALL=!SUDOSUDO' rule. A negation
# matches only the exact paths listed, so this stops nested sudo through these
# three binaries but is not a general boundary for users who already hold ALL
# (sudoers(5) cautions that subtracting commands from ALL is not reliable).
# Keep it, but do not treat it as the sole control.
Cmnd_Alias SUDOSUDO = /usr/local/bin/sudo, /usr/bin/sudo, /bin/sudo
#
# Fully qualified commands not present on the server are not required to be in this list.
# Commands on this list that do not exist on the servers have no impact.
# Add any local paths.
#
# Forbidden commands: Commands only system admin might be permitted.
#
# NOTE(review): this alias is defined but no user specification in this copy
# of the file names it (nothing uses '!IBM_NONE_ALL'); a negation alias only
# takes effect when it is listed on a rule. The entries below cover exactly
# the edits this file cares about (sudoers, passwd/shadow/group, chmod/chown
# under /etc and /root), so consider appending ', !IBM_NONE_ALL' to the broad
# grants near the end of the file.
Cmnd_Alias IBM_NONE_ALL = /usr/bin/su * , /bin/su *, \
/bin/bash2bug, /usr/bin/bash2bug, \
/usr/bin/chuser *root*, /usr/bin/mkuser, \
/usr/bin/chgroup, /usr/bin/chgrpmem -*, /usr/bin/smit*, \
/usr/sbin/visudo, /usr/bin/vi *sudo*, /usr/bin/more *sudo*, \
/usr/bin/view *sudo*, /usr/bin/cp *sudo*, /usr/bin/mv *sudo*, \
/usr/bin/rm *sudo*, /usr/bin/view /etc/passwd*, /usr/bin/vi /etc/passwd*, \
/usr/bin/view /etc/security/passwd*, /usr/bin/vim /etc/security/passwd*, \
/usr/bin/vi /etc/security/passwd*, \
/bin/view /etc/security/passwd*, /bin/vim /etc/security/passwd*, \
/bin/vi /etc/security/passwd*, \
/bin/view /etc/shadow*, /usr/bin/vim /etc/shadow*, /bin/vi /etc/shadow*, \
/usr/sbin/sam, \
/usr/bin/view /etc/group*, /usr/bin/vi /etc/group*, /usr/bin/command, \
/usr/bin/hostname, /usr/sbin/chdev *hostname*, \
/usr/local/sbin/visudo, /bin/chmod * /etc/*, /bin/chmod * /etc/security/*, \
/bin/chmod * /root/*, /bin/chmod * /*, \
/bin/chown * /etc/*, /bin/chown * /etc/security/*, \
/bin/chown * /root/*, /bin/chmod * /usr/local/sbin/visudo, \
/bin/chown * /usr/local/sbin/visudo, \
/bin/time *, /usr/bin/time *
# If you remove anything you need to provide documentation, rationale and
# secondary controls if required; if an alternative -technical- control
# is in place, document.
# Commands not present on the server are not required to be in this list.
# Commands on this list that do not exist on the servers have no impact.
# It is permissible to hard code these to the exact directory structure where
# the commands are present on the system if installed in a different location.
#
# su commands
#
# NOTE(review): per sudoers(5), a command listed without arguments matches any
# arguments, so '/usr/bin/su' already covers '/usr/bin/su root' (and 'su -');
# the explicit 'root' entries are harmless but redundant. Not referenced by
# any rule in this copy of the file; the second copy below subtracts it from
# an ALL grant as '!IBM_NONE_SA'.
Cmnd_Alias IBM_NONE_SA = /usr/bin/su, /usr/bin/su root, \
/bin/su, /bin/su root
# if you remove anything you need to provide documentation, rationale and
# secondary controls if required; if an alternative -technical- control is
# in place, document.
# Commands not present on the server are not required to be in this list.
# Commands on this list that do not exist on the servers have no impact.
#
# Shells
#
# NOTE(review): intended to be subtracted from broad grants ('!IBM_SHELLS_ALL').
# Negation is by path, so it only covers the listed locations; sudoers(5)
# documents that subtracting shells from ALL is not a reliable boundary. Not
# referenced by any rule in this copy of the file.
Cmnd_Alias IBM_SHELLS_ALL = /bin/ash, /usr/bin/ash, \
/bin/bash, /usr/bin/bash, /opt/freeware/bin/bash, /usr/opt/freeware/bin/bash, \
/bin/bash1, /usr/bin/bash1, /bin/bash2, /usr/bin/bash2 , \
/bin/bsh, /usr/bin/bsh, /bin/ch, /usr/bin/ch, /bin/csh, /usr/bin/csh , \
/bin/jsh, /usr/bin/jsh, /bin/ksh, /usr/bin/ksh, /bin/ksh93, /usr/bin/ksh93, \
/bin/pfcsh, /usr/bin/pfcsh , \
/bin/pfksh, /usr/bin/pfksh, /bin/pfsh, /usr/bin/pfsh, /bin/psh, /usr/bin/psh, \
/bin/recsh, /usr/bin/recsh, /bin/rksh, /usr/bin/rksh, \
/bin/rsh, /usr/bin/rsh, /usr/ucb/rsh, \
/bin/sh, /usr/bin/sh, /usr/samples/tcpip/sendmail/sh , \
/usr/shell, /usr/bin/shell, \
/bin/tclsh, /usr/bin/tclsh, /opt/freeware/bin/tclsh, /usr/opt/freeware/bin/tclsh, \
/bin/tclsh8.4, /usr/bin/tclsh8.4, /opt/freeware/bin/tclsh8.4, \
/usr/opt/freeware/bin/tclsh8.4, \
/bin/tcsh, /usr/bin/tcsh, /bin/tsh, /usr/bin/tsh , \
/bin/wish, /usr/bin/wish, /opt/freeware/bin/wish, /usr/opt/freeware/bin/wish, \
/bin/wish8.4, /usr/bin/wish8.4, /opt/freeware/bin/wish8.4, \
/usr/opt/freeware/bin/wish8.4, \
/bin/wishx, /usr/bin/wishx, \
/bin/zsh, /usr/bin/zsh
# Shells not present on the server are not required to be in this list.
# Shells on this list that do not exist on the servers have no impact.
# Add any local shells.
#
# Shell Escapes
#
# NOTE(review): programs that can start a subprocess (editors, pagers, ftp,
# find with -exec/-ok). The list exists to be paired with the noexec Defaults
# or a 'NOEXEC:' tag, not to be granted on its own. '/bin/ex' and '/usr/bin/ex'
# appear twice below; the duplicates are harmless.
Cmnd_Alias IBM_SHELLESCAPE_ALL = /usr/bin/ed, \
/usr/bin/bash2bug, /usr/bin/bashbug, \
/usr/bin/find * -exec *, /usr/bin/find * -ok *, \
/bin/find * -exec *, /bin/find * -ok *, \
/usr/bin/find * -execdir *, /usr/bin/find * -okdir *, \
/bin/find * -execdir *, /bin/find * -okdir *, \
/bin/ftp, /usr/bin/ftp, \
/bin/ex, /usr/bin/ex, /usr/bin/less, /usr/bin/more, /bin/pg, /usr/bin/pg, \
/usr/bin/vi, /bin/vi, /bin/ex, /bin/view, /bin/gvim, /bin/gview, /bin/evim, \
/bin/eview, /bin/vimdiff, /bin/vim, /usr/bin/vim, /usr/bin/ex, \
/usr/bin/view, /usr/bin/gvim, \
/usr/bin/gview, /usr/bin/evim, /usr/bin/eview, /usr/bin/vimdiff, \
/bin/more
# Commands not present on the server are not required to be in this list.
# Commands on this list that do not exist on the servers have no impact.
# Add any local commands.
#
#
# Disallowed editors
#
# NOTE(review): defined but not referenced by any rule in either copy of the
# file on this page; it only has an effect once some rule lists
# '!IBM_NONE_EDITOR'.
Cmnd_Alias IBM_NONE_EDITOR = /bin/vi, /bin/tvi, /bin/vim, /bin/rvim, /bin/gvim, \
/bin/evim, /bin/emacs, /bin/ed, /usr/bin/vi, /usr/bin/tvi, /usr/bin/vim, \
/usr/bin/rvim, /usr/bin/gvim, /usr/bin/evim, /usr/bin/emacs, /usr/bin/ed, \
/bin/view, /usr/bin/view, /bin/rvi, /usr/bin/rvi
#
# Commands not present on the server are not required to be in this list.
# Commands on this list that do not exist on the servers have no impact.
# Add any local commands.
#--------------------------------------------------------------------------------
#
# IBM SA command Aliases
#
# NOTE(review): defined but not referenced by any rule in either copy of the
# file on this page; the lnxadm rule in the second copy writes '/usr/bin/su -'
# literally instead of using this alias. Prefer the alias so the 'secondary
# logging' precondition stated below stays attached to the grant.
Cmnd_Alias IBM_UNIX_SA_CMDS = /usr/bin/su -, /bin/su -, /usr/bin/su - root, \
/bin/su - root
# This Cmnd_Alias can only be used if secondary logging is in place on the server.
#
#
## END 'top' part of 201_NArevStandAliases_NA

#>> The 'NA System Admin' below content comes from
#>> https://ibm.biz/NAsudoTemplates
#>> entry: 201_SystemAdmin_NA
#>> with the only customization being to set to the 'local' group used by the
#>> SA team:
#>> User_Alias IBM_SA_BAU = %uss
#>>
## Begin NA System Admin Ver 1.2.2 Date 2014-07-15 * Master * Refer NA1001415501 Begin #
# Description
# Software products and versions
# Supported OS platforms : All Unix/Linux variants.
# This sudo profile is the 'typical' system admin sudo entry
# where secondary logging is in use. This entry is only to
# be used where secondary logging 'like' the methods
# documented on: https://ibm.biz/NAsudo2log
# are in use. Implementing team is responsible to ensure
# logging methodology works in their environment. If secondary
# logging is not in use, then the SA team must request an
# 'account-level'override exception.
#
# Self serve access considerations are 'Not applicable' for this template
#
#
# Use of this IBM approved standard template must follow NA
# Sudo deployment requirements.
# Local adjustments, excepting the Host_Alias (For any needed
# segregation of hosts) and User_Alias (to identify the local
# group name in use) for specific customer environments
# must be approved by 'Sudo Deployment AG/Hartford/IBM'
#
#
# Version control
# V1.0 - highc@us.ibm.com - new template
# V1.1 - highc - add IBM_SA_AIXSMIT materials to allow for system
# system admins to use smit with appropriate logging.
# V1.2 - highc - based on v7.1 of standard aliases https://ibm.biz/GsudoStdAlias
# being released,remove 'EXEC: smit' type lines.
# Be certain to include the SMIT_SHELL=n materials from
# v7.1 of the standard aliases on AIX systems.
# V1.2.1 - highc- fix syntax/line continuation error.
# V1.2.2 - highc- adjust user alias to better conform to global standard.
#
# BEGIN the Middleware templates relevant for the server
# NOTE(review): despite the leading '#', '#include' is a sudoers directive, not
# a comment. Every file named here must exist and parse on the target host: a
# missing or malformed include is reported as a sudoers parse error, after
# which sudo refuses every request until it is fixed (the header note about
# 'sample' include lines causing syntax errors describes the same failure).
# Run 'visudo -c' after deployment to confirm the whole set parses.
#include /etc/sudoers.d/010_STD_NEG_GLB
#include /etc/sudoers.d/010_STD_SA_GLB
#include /etc/sudoers.d/102_AWS_GLB
#include /etc/sudoers.d/108_ORACLE_GLB
#include /etc/sudoers.d/113_TEM_GLB
#include /etc/sudoers.d/118_TSM_GLB
#include /etc/sudoers.d/120_WAS_GLB
#include /etc/sudoers.d/123_AE_GLB
#include /etc/sudoers.d/205_ITIMEPAIGANA_LINUX_NA
#include /etc/sudoers.d/217_TADDMDISC_NA
#include /etc/sudoers.d/228_DGNAE_NA
#include /etc/sudoers.d/237_DB2_NA
#include /etc/sudoers.d/402_AWS_NA_IGA_AHE_CPE_ADJ
#include /etc/sudoers.d/402_AWS_NA_IGA_AHE_EPRICER_ADJ
#include /etc/sudoers.d/413_TEM_NA_IGA_AHE_ADJ
#include /etc/sudoers.d/420_WAS_NA_IGA_AHE_CPE_ADJ
#include /etc/sudoers.d/420_WAS_NA_IGA_AHE_EPRICER_ADJ
#include /etc/sudoers.d/460_SAMETIME_NA_IGA_LCL
#include /etc/sudoers.d/461_NUS_W_SSLINUX_NA_IGA_LCL
#include /etc/sudoers.d/461_ODCSISS_NA_IGA_LCL
#include /etc/sudoers.d/462_MKT_NA_IGA_LCL
#include /etc/sudoers.d/476_LDAP_DB2_IGA_NA_LCL
#include /etc/sudoers.d/481_NESSUS_NA_IGA_LCL
#include /etc/sudoers.d/489_AvocentDSView_NA_IGA_AHE_LCL
# END the Middleware templates relevant for the server
# NOTE(review): this include sits outside the BEGIN/END block above; confirm it
# is intentional rather than a leftover, and move it inside the block if it
# belongs to the same template set.
#include /etc/sudoers.d/241_CHANGEMANAE_NA


# Start of CUSTOMER SECTION -------------------------------------------------
####
#>> Customer specific items have been removed from sample, but
#>> this would be any of your current content which are sudo entries
#>> for your customers.
####
# End of CUSTOMER SECTION -----------------------------------------------------
## Start of 'bottom' part of 201_NArevStandAliases_NA
#------------------------------------------------------------------------------
#
#
# NOTE(review): several of these commands are root-equivalent when their
# arguments are unrestricted -- /bin/cp, /bin/chmod, /usr/bin/passwd and
# /usr/sbin/usermod accept any arguments here, and the rule is NOPASSWD. This
# file already enumerates the dangerous argument forms in IBM_NONE_ALL
# (chmod/chown under /etc and /root, copying or editing sudoers); appending
# ', !IBM_NONE_ALL' to the rule applies the subset that matches these paths.
# The sudoers(5) pattern '!/usr/bin/passwd root' is the usual extra guard.
User_Alias ITIMADM5 = %itimadm
ITIMADM5 ALL=NOPASSWD: /bin/cat, /bin/chmod, /bin/cp, /bin/kill, /bin/ls, \
/usr/bin/chage, /bin/ed, /usr/bin/ed, /usr/bin/faillog, /usr/bin/groups, \
/usr/bin/passwd, /usr/bin/tee, /usr/sbin/groupadd, /usr/sbin/groupdel, \
/usr/sbin/groupmod, /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod


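# NOTE(review): the original wrapped the hostname in backticks, which are not
# valid sudoers syntax (visudo rejects the line); a bare hostname is correct.
Host_Alias LINUX101TO199HOSTLIST = bhusprv024.bhprod.ibm.com

# Numeric GIDs 101-199 ('%#gid' form). The original listed %#103, %#113, ...,
# %#193 twice each; duplicate members are harmless to sudo and were dropped.
User_Alias LINUXV6GRPS = %#101,%#102,%#103,%#104,%#105,%#106,%#107,%#108,%#109, \
%#110,%#111,%#112,%#113,%#114,%#115,%#116,%#117,%#118,%#119, \
%#120,%#121,%#122,%#123,%#124,%#125,%#126,%#127,%#128,%#129, \
%#130,%#131,%#132,%#133,%#134,%#135,%#136,%#137,%#138,%#139, \
%#140,%#141,%#142,%#143,%#144,%#145,%#146,%#147,%#148,%#149, \
%#150,%#151,%#152,%#153,%#154,%#155,%#156,%#157,%#158,%#159, \
%#160,%#161,%#162,%#163,%#164,%#165,%#166,%#167,%#168,%#169, \
%#170,%#171,%#172,%#173,%#174,%#175,%#176,%#177,%#178,%#179, \
%#180,%#181,%#182,%#183,%#184,%#185,%#186,%#187,%#188,%#189, \
%#190,%#191,%#192,%#193,%#194,%#195,%#196,%#197,%#198,%#199

# Members of the GIDs above may run df (any arguments) as user 'nobody' on the
# host above; the explicit '(nobody)' runas keeps this away from root.
LINUXV6GRPS LINUX101TO199HOSTLIST = (nobody) /bin/df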

#
#Temp sudo access
# NOTE(review): both lines grant unrestricted root (ALL, as any user) on every
# host this file reaches, and dfcosta0 additionally gets NOPASSWD, so that
# account's credentials alone equal root. 'Temp' carries no expiry: record the
# ticket reference and removal date here, and prefer keeping such entries in
# a separate, dated included file so they are easy to find and revoke.
ghkong ALL=(ALL) ALL
dfcosta0 ALL=(ALL) NOPASSWD:ALL
# The following line must be after the last 'additive' line in this file, only
# 'negations' and comments should follow this:
#
# NOTE(review): see the SUDOSUDO alias -- this blocks only the three listed
# sudo paths and is not a substitute for limiting the grants above.
ALL ALL=!SUDOSUDO
#
# End NA sudoers standard template Ver 8.1NA Date 2014-07-09 * Master * Refer NA14211028 End #
old
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem


## Command Aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Refuse to run if unable to disable echo on the tty.
#
Defaults   !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults    always_set_home
Defaults    match_group_by_gid

# Prior to version 1.8.15, groups listed in sudoers that were not
# found in the system group database were passed to the group
# plugin, if any. Starting with 1.8.15, only groups of the form
# %:group are resolved via the group plugin by default.
# We enable always_query_group_plugin to restore old behavior.
# Disable this option for new behavior.
Defaults    always_query_group_plugin

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults   env_keep += "HOME"

# NOTE(review): search order matters for the path-specific negations later in
# this file. A bare command name is resolved against this list, so '/sbin' and
# '/bin' win over '/usr/sbin' and '/usr/bin' on hosts where they are distinct
# directories; any negation that names only one of the two paths must be
# checked against this order.
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
## NOTE(review): this is full root for every wheel member (password required).
## Any narrower rule for wheel later in the file (IBM_SA_BAU = %wheel below)
## adds nothing on top of it; keep wheel membership minimal and audited.
%wheel  ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

## Allows members of the users group to mount and unmount the
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
## NOTE(review): per sudoers(5), drop-ins are read in lexical order and files
## whose names contain '.' or end in '~' are skipped; a syntax error in any
## drop-in disables sudo for everyone, so validate them with 'visudo -c' and
## keep the directory and its files root-owned and mode 0440.
#includedir /etc/sudoers.d
# NOTE(review): /etc/sudo.env feeds the environment of every sudo'd command;
# it must be root-owned and not writable by the accounts granted sudo.
Defaults env_file=/etc/sudo.env  # Includes the sudo environment file
# NOTE(review): '!requiretty' here is global, which makes the per-user
# 'Defaults:tdiuser' / 'Defaults:uatagnt' lines below (and the later
# 'Defaults:%uatgroup !requiretty') redundant. If requiretty is meant to stay
# on in general, drop the '!' here and keep the per-user exceptions.
Defaults        !requiretty,authenticate,set_home
# tty_tickets: credential cache is per tty; timestamp_timeout=5: re-prompt
# after 5 minutes; umask=0077: files created by sudo'd commands are private.
# Per sudoers(5), disabling root_sudo adds no real security beyond SUDOSUDO.
Defaults        tty_tickets,!root_sudo,umask=0077,ignore_dot,timestamp_timeout=5
# Log both to syslog (auth facility) and to a local file.
Defaults        syslog=auth
Defaults        logfile=/var/log/sudo.log
Defaults:tdiuser !requiretty
Defaults:uatagnt !requiretty

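# NOTE(review): the original introduced this alias with the keyword 'alias',
# which is not sudoers syntax (visudo rejects it, and the closing
# 'ALL ALL=!SUDOSUDO' rule then refers to an undefined alias). Corrected to
# Cmnd_Alias, matching the first copy of this template.
Cmnd_Alias SUDOSUDO = /usr/local/bin/sudo, /usr/bin/sudo, /bin/sudo
# Forbidden commands (sudoers/passwd/shadow edits, chmod/chown under /etc).
# Only effective once a rule lists '!IBM_NONE_ALL'; no rule in this copy does.
Cmnd_Alias IBM_NONE_ALL = /usr/bin/su * , /bin/su *,   /bin/bash2bug, /usr/bin/bash2bug,   /usr/bin/chuser *root*, /usr/bin/mkuser, \
  /usr/bin/chgroup, /usr/bin/chgrpmem -*, /usr/bin/smit*,   /usr/sbin/visudo, /usr/bin/vi *sudo*, /usr/bin/more *sudo*,   /usr/bin/view *sudo*, \
  /usr/bin/cp *sudo*, /usr/bin/mv *sudo*,   /usr/bin/rm *sudo*, /usr/bin/view /etc/passwd*, /usr/bin/vi /etc/passwd*,  \
  /usr/bin/view /etc/security/passwd*, /usr/bin/vim /etc/security/passwd*,   /usr/bin/vi /etc/security/passwd*, \
  /bin/view /etc/security/passwd*,   /bin/vim /etc/security/passwd*,  /bin/vi /etc/security/passwd*, \
  /bin/view /etc/shadow*, /usr/bin/vim /etc/shadow*, /bin/vi /etc/shadow*, \
  /usr/sbin/sam,   /usr/bin/view /etc/group*, /usr/bin/vi /etc/group*, /usr/bin/command,   /usr/bin/hostname, /usr/sbin/chdev *hostname*, \
  /usr/local/sbin/visudo, /bin/chmod * /etc/*, /bin/chmod * /etc/security/*,   /bin/chmod * /root/*, /bin/chmod * /*,   /bin/chown * /etc/*, \
  /bin/chown * /etc/security/*,   /bin/chown * /root/*, /bin/chmod * /usr/local/sbin/visudo,   /bin/chown * /usr/local/sbin/visudo,   \
  /bin/time *, /usr/bin/time *

# su in any form: a path with no arguments matches all arguments (sudoers(5)).
Cmnd_Alias IBM_NONE_SA = /usr/bin/su, /usr/bin/su root, /bin/su, /bin/su root

# Root login shell via su; only for teams with secondary logging in place.
Cmnd_Alias  IBM_UNIX_SA_CMDS = /usr/bin/su -, /bin/su -, /usr/bin/su - root,    /bin/su - root

# Interactive shells, to be subtracted from broad grants ('!IBM_SHELLS_ALL').
Cmnd_Alias IBM_SHELLS_ALL = /bin/ash, /usr/bin/ash,   /bin/bash, /usr/bin/bash, /opt/freeware/bin/bash, /usr/opt/freeware/bin/bash,  \
  /bin/bash1, /usr/bin/bash1, /bin/bash2, /usr/bin/bash2 ,   /bin/bsh, /usr/bin/bsh, /bin/ch, /usr/bin/ch, /bin/csh, /usr/bin/csh ,   \
  /bin/jsh, /usr/bin/jsh, /bin/ksh, /usr/bin/ksh, /bin/ksh93, /usr/bin/ksh93,  /bin/pfcsh, /usr/bin/pfcsh ,   /bin/pfksh, /usr/bin/pfksh, \
  /bin/pfsh, /usr/bin/pfsh, /bin/psh, /usr/bin/psh,   /bin/recsh, /usr/bin/recsh, /bin/rksh, /usr/bin/rksh,   /bin/rsh, /usr/bin/rsh, /usr/ucb/rsh,\
  /bin/sh, /usr/bin/sh, /usr/samples/tcpip/sendmail/sh ,   /usr/shell, /usr/bin/shell,   /bin/tclsh, /usr/bin/tclsh, /opt/freeware/bin/tclsh, \
  /usr/opt/freeware/bin/tclsh,   /bin/tclsh8.4, /usr/bin/tclsh8.4, /opt/freeware/bin/tclsh8.4,   /usr/opt/freeware/bin/tclsh8.4,   /bin/tcsh, \
  /usr/bin/tcsh, /bin/tsh, /usr/bin/tsh ,   /bin/wish, /usr/bin/wish, /opt/freeware/bin/wish, /usr/opt/freeware/bin/wish,   /bin/wish8.4, \
  /usr/bin/wish8.4, /opt/freeware/bin/wish8.4,  /usr/opt/freeware/bin/wish8.4,   /bin/wishx, /usr/bin/wishx,   /bin/zsh, /usr/bin/zsh

# Programs that can spawn a subprocess; paired with noexec / NOEXEC: below.
# This copy adds /usr/sbin/format, which the first copy does not list.
Cmnd_Alias IBM_SHELLESCAPE_ALL = /usr/bin/ed,   /usr/bin/bash2bug, /usr/bin/bashbug, \
  /usr/bin/find * -exec *,  /usr/bin/find * -ok *,   /bin/find * -exec *,      /bin/find * -ok *,   /usr/bin/find * -execdir *, /usr/bin/find * -okdir *, \
  /bin/find * -execdir *,     /bin/find * -okdir *,   /usr/bin/ftp, /bin/ftp,    /usr/bin/ex, /bin/ex,  /usr/bin/less, \
  /usr/bin/more, /bin/more, /usr/bin/pg, /bin/pg,   /usr/bin/vi, /bin/vi, /bin/view, /usr/bin/view,    /usr/bin/gview, /bin/gview, /usr/bin/eview, \
  /bin/eview,   /usr/bin/evim, /bin/evim, /usr/bin/gvim, /bin/gvim,   /usr/bin/vimdiff, /bin/vimdiff,    /usr/bin/vim, /bin/vim,    /usr/sbin/format

# Editors; defined but not referenced by any rule in this copy.
Cmnd_Alias IBM_NONE_EDITOR = /bin/vi, /bin/tvi,   /bin/vim, /bin/rvim, /bin/gvim, /bin/evim, /bin/emacs, /bin/ed,   /usr/bin/vi, /usr/bin/tvi,   \
  /usr/bin/vim, /usr/bin/rvim, /usr/bin/gvim, /usr/bin/evim, /usr/bin/emacs,   /usr/bin/ed, /bin/view, /usr/bin/view, /bin/rvi, /usr/bin/rvi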

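# NOTE(review): the original read 'Defaults: !IBM_SHELLESCAPE_ALL noexec'.
# 'Defaults:' introduces a per-user default, so '!IBM_SHELLESCAPE_ALL' was
# parsed as a (negated) user list rather than a command list -- the noexec
# default never attached to the shell-escape commands (visudo either rejects
# the undefined User_Alias or the line is silently inert). The command-specific
# form is 'Defaults!Cmnd_List', as used in the first copy of this template.
# Per sudoers(5), noexec constrains dynamically linked programs only.
Defaults!IBM_SHELLESCAPE_ALL noexec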

# Per-command negation aliases. Each one blocks the argument shapes that reach
# outside an intended directory: an absolute path ('/* *', '* /* *'), a
# parent-directory hop ('*..*') and a relative hop ('*./*'). Per sudoers(5) a
# '*' in arguments also matches spaces, which is why the multi-argument forms
# are spelled out separately.
# NOTE(review): every alias here names exactly one path for its command
# (IBM_FIND_NEG only /usr/bin/find, IBM_RM_NEG only /bin/rm, IBM_CHMOD_NEG
# only /bin/chmod, and so on), while the positive grants later in this file
# list both the /bin and /usr/bin variants. On hosts where those are distinct
# files, or where secure_path resolves a bare name to the other directory, the
# un-negated variant is not covered. Add the sibling path to each alias, or
# grant only the path the alias negates.
Cmnd_Alias   IBM_CAT_NEG  =     !/bin/cat /* *,!/bin/cat * /* *,!/bin/cat *..*,  !/bin/cat *./*
Cmnd_Alias   IBM_CHGRP_NEG =     !/bin/chgrp * /* *,!/bin/chgrp *..*,!/bin/chgrp *./*
Cmnd_Alias   IBM_CHMOD_NEG =      !/bin/chmod * /* *, !/bin/chmod *..*,!/bin/chmod *./*
Cmnd_Alias   IBM_CHOWN_NEG =     !/bin/chown * /* *,!/bin/chown *..*, !/bin/chown *./*
Cmnd_Alias   IBM_COMPRESS_NEG =     !/usr/bin/compress /* *,!/usr/bin/compress * /* *,!/usr/bin/compress *..*, !/usr/bin/compress *./*
Cmnd_Alias   IBM_CP_NEG =     !/bin/cp /* /* *, !/bin/cp * /* /* *, !/bin/cp *..*, !/bin/cp *./*
Cmnd_Alias   IBM_DIFF_NEG =     !/usr/bin/diff /* /* *,!/usr/bin/diff * /* /* *, !/usr/bin/diff *..*, !/usr/bin/diff *./*
Cmnd_Alias   IBM_FIND_NEG =     !/usr/bin/find * -exec *, !/usr/bin/find * -ok *, !/usr/bin/find *..*,     !/usr/bin/find * -execdir *, !/usr/bin/find * -okdir *
Cmnd_Alias   IBM_GUNZIP_NEG =     !/usr/bin/gunzip /* *,!/usr/bin/gunzip -* /* *,!/usr/bin/gunzip *..*, !/usr/bin/gunzip *./*
Cmnd_Alias   IBM_GZIP_NEG =     !/usr/bin/gzip /* *,!/usr/bin/gzip -* /* *,!/usr/bin/gzip *..*, !/usr/bin/gzip *./*
Cmnd_Alias   IBM_HEAD_NEG = !/usr/bin/head  /* *,!/usr/bin/head * /* *,!/usr/bin/head *..*, !/usr/bin/head *./*
        # Authorization of head is discouraged.  Instead, authorize
        # the team to 'cat'; the team can then run 'sudo cat /tmp/specified file | head {any flags they need}'
        # While discouraged, negation is effective when head is authorized
Cmnd_Alias   IBM_LN_NEG =     !/bin/ln /* /* *, !/bin/ln -* /* /* *, !/bin/ln *..*, !/bin/ln *./*
Cmnd_Alias   IBM_LS_NEG =             !/bin/ls /* *, !/bin/ls -* /* *, !/bin/ls *..*, !/bin/ls *./*
Cmnd_Alias   IBM_MKDIR_NEG =     !/bin/mkdir /* *,!/bin/mkdir * /* *, !/bin/mkdir *..*, !/bin/mkdir *./*
Cmnd_Alias   IBM_MOUNT_NEG =     !/bin/mount /* *,!/bin/mount * /* *,!/bin/mount *..*, !/bin/mount *./* , !/usr/sbin/mount /* *, \
  !/usr/sbin/mount * /* *,!/usr/sbin/mount *..*, !/usr/sbin/mount *./*
    # Caution:  we have only coded a negation for the 'single directory/device' version of the mount command;
    #           if you need to 'permit' the 'two directory/device' version of the command, it will have to be
    #           with a different negation, and if this negation is used, it must be specified AFTER use of
    #           this negation or of IBM_ALL_NEG, as this negation will block the two * version.
Cmnd_Alias   IBM_MV_NEG =     !/bin/mv /* /* *,!/bin/mv * /* /* *, !/bin/mv *..*, !/bin/mv *./*
Cmnd_Alias   IBM_RM_NEG =     !/bin/rm /* *,!/bin/rm * /* *, !/bin/rm *..*, !/bin/rm *./*
Cmnd_Alias   IBM_RMDIR_NEG =     !/bin/rmdir /* *,!/bin/rmdir * /* *,!/bin/rmdir *..*,!/bin/rmdir *./*
Cmnd_Alias   IBM_TAIL_NEG =     !/usr/bin/tail /* *,!/usr/bin/tail -* /* *,!/usr/bin/tail *..*,  !/usr/bin/tail *./*
        # authorization of tail 'except for' tail -f is discouraged.  Instead, authorize
        # the team to 'cat'; the team can then run 'sudo cat /tmp/specified file | tail {any flags they need}'
        # While discouraged, negation is effective for when tail is authorized to be issued with no flags.
Cmnd_Alias   IBM_TAR_NEG =     !/bin/tar /* /* *,!/bin/tar * /* /* *, !/bin/tar *..*, !/bin/tar *./*
Cmnd_Alias   IBM_TOUCH_NEG =    !/bin/touch /* *, !/bin/touch * /* *, !/bin/touch *..*, !/bin/touch *./* # will block some complex parms such as "-r"
        #Note: PO will need to create custom negation if flags such as -r must be 'allowed for'.
Cmnd_Alias   IBM_UMOUNT_NEG =     !/bin/umount  /* *,!/bin/umount * /* *,!/bin/umount *..*, !/bin/umount *./*, !/usr/sbin/umount /* *, \
  !/usr/sbin/umount * /* *,!/usr/sbin/umount *..*, !/usr/sbin/umount *./*
Cmnd_Alias   IBM_UNCOMPRESS_NEG =     !/usr/bin/uncompress /* *,!/usr/bin/uncompress * /* *,!/usr/bin/uncompress *..*, !/usr/bin/uncompress *./*
Cmnd_Alias   IBM_ZCAT_NEG =     !/bin/zcat /* *, !/bin/zcat *..*, !/bin/zcat *./*
# Convenience bundle of every negation above; append ', IBM_ALL_NEG' to a
# grant (after the positive entries, since the last match wins).
Cmnd_Alias   IBM_ALL_NEG =     IBM_CAT_NEG, IBM_CHGRP_NEG, IBM_CHMOD_NEG, IBM_CHOWN_NEG, IBM_COMPRESS_NEG, IBM_CP_NEG, IBM_DIFF_NEG, IBM_FIND_NEG, \
  IBM_GUNZIP_NEG, IBM_GZIP_NEG, IBM_HEAD_NEG, IBM_LS_NEG, IBM_LN_NEG, IBM_MKDIR_NEG,     IBM_MOUNT_NEG, IBM_MV_NEG, IBM_RM_NEG, IBM_RMDIR_NEG, \
  IBM_TAIL_NEG,     IBM_TAR_NEG, IBM_TOUCH_NEG, IBM_UMOUNT_NEG, IBM_UNCOMPRESS_NEG,IBM_ZCAT_NEG

# System-admin team, mapped to the local 'wheel' group.
# NOTE(review): with no '(runas)' part the grant is root only (sudoers(5)
# runas_default), and wheel already holds 'ALL=(ALL) ALL' earlier in this
# file, so this rule is currently subsumed by that one. If the intent is to
# scope admins through this template, narrow or remove the earlier wheel rule.
User_Alias      IBM_SA_BAU = %wheel
Host_Alias      IBM_SA_HOSTS = ALL # Use ALL or indicate
IBM_SA_BAU  IBM_SA_HOSTS = ALL



# User-administration tooling group: may inspect sudoers/shadow/auth logs,
# manage accounts and clean up home directories as root, without a password.
User_Alias IBM_LIN_UAT_TOOL_BAU = %uatgroup

Host_Alias IBM_LIN_UAT_HOSTS = ALL

# NOTE(review): '/usr/bin/find, /bin/find' are listed with no argument
# restriction, and the IBM_FIND_NEG applied on the rule below negates
# '/usr/bin/find' only, so the '-exec'/'-ok' forms of /bin/find stay
# permitted -- add '!/bin/find * -exec *' (and -ok/-execdir/-okdir) or drop
# the /bin/find entry. Likewise the rule applies IBM_RM_NEG (/bin/rm only)
# and IBM_CHMOD_NEG (/bin/chmod only) while both /usr/bin variants are
# granted here; per sudoers(5) a '*' in '/home/*' also matches spaces, which
# is exactly what those negations exist to catch. /usr/bin/passwd,
# /usr/sbin/chpasswd and /usr/sbin/usermod accept any arguments (the usual
# guard is '!/usr/bin/passwd root'); reading /etc/shadow is presumably
# intended for this tool -- confirm.
Cmnd_Alias IBM_LIN_UAT_BAU_CMDS = /bin/cat /etc/local/etc/sudoers, /bin/cat /etc/local/sudoers, /bin/cat /etc/shadow, \
  /bin/cat /etc/ssh/sshd_config, /bin/cat /etc/sudoers, /bin/cat /syslocal/config/common/sudo/etc/sudoers, \
  /bin/cat /var/log/messages, /bin/cat /var/log/sudo.log, /bin/cat /var/log/secure, /usr/bin/cat /etc/local/etc/sudoers, /usr/bin/cat /etc/local/sudoers, \
  /usr/bin/cat /etc/shadow, /usr/bin/cat /etc/ssh/sshd_config, /usr/bin/cat /etc/sudoers, /usr/bin/cat /syslocal/config/common/sudo/etc/sudoers, \
  /usr/bin/cat /var/log/messages, /usr/bin/cat /var/log/sudo.log, /usr/bin/cat /var/log/secure, /usr/bin/who, \
  /bin/who, /usr/bin/chage, /usr/bin/chmod [0-7][0-7][0145] /home/*, /bin/chmod [0-7][0-7][0145] /home/*, !/bin/chmod [1-7][0-7][0-7][0-7] /home/*, \
  !/usr/bin/chmod [1-7][0-7][0-7][0-7] /home/*, /usr/bin/faillog, /usr/bin/gpasswd, /usr/bin/ls, \
  /bin/ls, /usr/bin/passwd, /usr/sbin/chpasswd, /usr/sbin/faillog, /usr/sbin/groupadd, /usr/sbin/groupdel, /usr/sbin/groupmod, /sbin/groupmod, \
  /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/rm -rf /home/*, \
  /bin/rm -rf /home/*, /usr/bin/rm -r /home/*, /bin/rm -r /home/*, /usr/bin/rm /home/*, \
  /bin/rm /home/*, /usr/local/bin/uatscripts/uatoracle.sh, /usr/local/bin/uatscripts/uatdb2.sh, \
  /usr/local/bin/uatscripts/uatsap.sh, /usr/local/bin/uatscripts/uathyperion.sh, /usr/bin/find, /bin/find

# Negations are listed after the grant on purpose: the last matching entry wins.
IBM_LIN_UAT_TOOL_BAU IBM_LIN_UAT_HOSTS = (root) NOPASSWD: IBM_LIN_UAT_BAU_CMDS,IBM_CHMOD_NEG, IBM_FIND_NEG,IBM_RM_NEG
# Redundant while the global 'Defaults !requiretty' above is in effect.
Defaults:%uatgroup !requiretty


# Account-lifecycle group, passwordless, runs as root.
# NOTE(review): 'usermod *', 'passwd *' and 'gpasswd *' are unrestricted, so
# this group can change root's password or alter privileged group membership;
# the sudoers(5) pattern is to add negations such as '!/usr/bin/passwd root'
# (this file's IBM_NONE_ALL uses the same idea with 'chuser *root*').
%aseanuid ALL = NOPASSWD:\
        /usr/sbin/useradd *, /usr/sbin/userdel *, /usr/sbin/usermod *, \
        /usr/bin/chage *, /usr/bin/passwd *, /usr/bin/gpasswd *, /sbin/pam_tally2 *, \
        /usr/bin/faillog *

# Health-check group: read-only style commands as root, passwordless.
# NOTE(review): 'cat *', 'zcat *', 'tail *', 'head *' and 'grep *' as root read
# any file on the host (credential files included), so this is effectively a
# read-everything grant; scope the arguments or apply the IBM_*_NEG aliases
# defined above. The NOEXEC tag applies only to the IBM_SHELLESCAPE_ALL
# entries (it is the last matching entry for those commands); the other
# wildcard entries run with exec allowed.
%hc ALL = NOPASSWD:\
        /bin/cat *, /bin/zcat *, /usr/bin/tail *, /usr/bin/head *, /bin/grep *, \
        /usr/bin/last *, /usr/bin/who *, /bin/ls *, /usr/bin/find *,/usr/bin/ssh-keygen *, /bin/tar *,\
        /bin/more *, /usr/bin/less * , NOEXEC:IBM_SHELLESCAPE_ALL

# Linux admins: ALL minus su and shells, then 'su -' re-granted (since
# '/usr/bin/su' in IBM_NONE_SA matches any arguments, '!IBM_NONE_SA' removes
# 'su -' too, and the later literal entry restores exactly that form -- last
# match wins). Per sudoers(5), subtracting commands from ALL is not a reliable
# restriction; treat this as a convenience grant with root-equivalent reach,
# and prefer the IBM_UNIX_SA_CMDS alias over the literal 'su -' path.
%lnxadm ALL=ALL,!IBM_NONE_SA,!IBM_SHELLS_ALL,/usr/bin/su -, NOEXEC: IBM_SHELLESCAPE_ALL


# Must remain the last additive-or-negating line. Note that SUDOSUDO is
# introduced above with the keyword 'alias', which sudoers does not recognise;
# until that line reads 'Cmnd_Alias SUDOSUDO = ...' this rule refers to an
# undefined alias and visudo will reject the file.
ALL ALL=!SUDOSUDO
new

refer:https://support.nagios.com/forum/viewtopic.php?f=6&t=43772&start=10
