debian-cis/cisharden.sudoers at master · ovh/debian-cis · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
Cmnd_Alias SCL_CMD =    /bin/grep ,\
                        /bin/zgrep,\
                        /bin/cat,\
                        /usr/bin/stat,\
                        /usr/bin/getent,\
                        /usr/bin/[,\
                        /usr/bin/test,\
                        /bin/ls,\
                        /usr/bin/find,\
                        ! /usr/bin/find *-exec*, \
                        ! /usr/bin/find *-delete*,\
                        /usr/bin/apt-get update -y,\
                        /usr/bin/apt-get upgrade -s,\
                        /usr/bin/cut,\
                        /sbin/iptables -nL,\
                        /sbin/iptables -nL *,\
                        /sbin/iptables -S *,\
                        /sbin/sysctl net.*,\
                        /sbin/sysctl fs.*,\
                        /sbin/sysctl kernel.*,\
                        /sbin/sysctl -a,\
                        /bin/dmesg "",\
                        /bin/netstat,\
                        /usr/sbin/lsmod,\
                        /sbin/lsmod,\
                        /sbin/modprobe,\
                        /usr/sbin/modprobe -n -v*,\
                        /usr/sbin/apparmor_status,\
                        /usr/bin/ss *,\
                        /bin/ss *,\
                        /usr/bin/pgrep *,\
                        /usr/sbin/nft list *,\
                        /usr/sbin/ufw status *,\
                        /usr/sbin/augenrules --check,\
                        /sbin/augenrules --check,\
                        /usr/sbin/auditctl -s,\
                        /sbin/auditctl -s

cisharden ALL = (root) NOPASSWD: SCL_CMD