• sudoers权限管理


    该/etc/sudoers文件的权限管理很完善,覆盖了linux中的各种命令,各种shell、编辑器等等,在此留作以后作为参考。

    # This file MUST be edited with the 'visudo' command as root.
    #
    # Modification History
    # 09-30-2014 CH10258614 Global Compliance changes with new Include lists
    # This file MUST be edited with the 'visudo' command as root.
    #
    # See the sudoers man page for the details on how to write a sudoers file.
    #
    # Defaults specification
    
    # Sets up the sudo log file. 'logfile=' adds a local log; syslog logging
    # is not replaced by it (it stays on unless '!syslog' is set).
    #>> This isn't required, per documentation 'default' is to log via syslog
    #>> which is certainly fine. This item was left in, as much as anything,
    #>> to serve as a reminder that some 'per account' customization is
    #>> permitted, and may even be very important based on customer requirements.
    # NOTE(review): sudo writes this file as root. Keep it root-owned and not
    # world-readable, and forward it off-host so the audit trail does not rely
    # on a file that the host's own administrators can edit.
    Defaults logfile=/var/log/sudo.log
    
    #>> The 'NA sudoers standard template' below content comes from
    #>> https://ibm.biz/NAsudoTemplates
    #>> entry: 201_NArevStandAliases_NA
    #>> with customizations of:
    #>> Eliminating change control information (most comments 'may' be removed,
    #>> but do NOT eliminate the Begin / End comments).
    #>> Eliminated 'sample' #include lines, which cause syntax errors.
    #>> Commented out: # Defaults!IBM_SHELLESCAPE_ALL noexec
    #>> as, for this example, the commercial customer has not approved
    #>> this entry. Note: IBM Internal customers must accept this entry.
    #>>
    # Begin NA sudoers standard template Ver 8.1NA Date 2014-07-09 * Master * Refer NA14211028 Begin #
    # Description Standard sudoers template
    #
    # Version control
    # [ deleted version control data for conciseness, for details see pRAM ]
    #------------------------------------------------------------------------------
    # Sudo implementation team instruction:
    # This special template is NOT to be # included. Instead, this template
    # has content which must, for functional purposes, be 'spread over' the
    # entire span of the /etc/sudoers file. For instance, the
    # Defaults env_file=/etc/sudo.env
    # line should be 'early' in the file, while the line:
    # ALL ALL=!SUDOSUDO
    # needs to be after the last 'additive' sudo entry to ensure all sudo entries
    # are appropriately protected.
    #
    #------------------------------------------------------------------------------
    # Defaults
    #------------------------------------------------------------------------------
    #
    # The following entries are required if you allow users to run
    # smit / smitty on AIX:
    #
    # For sudo 1.7.0 and up, include the following entries in the
    # /etc/sudo.env file:
    # SMIT_SHELL=n
    # SMIT_SEMI_COLON=n
    # SMIT_QUOTE=n
    # and define the sudo environment file within /etc/sudoers (or an included
    # file) via the Defaults line below.
    # Note: if you are using a sudo level older than 1.7.0 on AIX,
    # contact 'Sudo Deployment AG/Hartford/IBM,' for guidance.
    #
    # Variables in env_file are placed in the environment of every command run
    # through sudo (per sudoers(5) they remain subject to env_keep/env_check).
    # NOTE(review): protect /etc/sudo.env like sudoers itself -- root-owned and
    # not writable by group or other -- since its contents reach every
    # privileged command.
    Defaults env_file=/etc/sudo.env # Includes the sudo environment file
    #
    #
    #-----------------------------------------------------------------------------
    #
    # The following entry is only required if you are using a secondary logging
    # method which cannot capture commands issued in shell outs.
    # This will help ensure that commands with shell outs are
    # appropriately controlled:
    #
    # NOTE(review): the preamble above ('Commented out: # Defaults!IBM_SHELLESCAPE_ALL
    # noexec') and the 'Account notes' just below both say this entry was commented
    # out for this customer, yet the line is active here. Reconcile the comment and
    # the line so the effective policy is unambiguous. Per sudoers(5), noexec works by
    # preloading a library that intercepts the exec family, so it does not cover
    # statically linked programs.
    Defaults!IBM_SHELLESCAPE_ALL noexec
    ### Account notes: This commercial customer has not approved this entry, and
    ### thus this entry has been commented out.
    # CAUTION: This affects all entries; ensure your customer is aware this is being
    # added on first implementation, and appropriate testing is done.
    #
    #-----------------------------------------------------------------------------
    # User Aliases
    #-----------------------------------------------------------------------------
    # Add ant 'in line' User_Alias here.
    #
    #-----------------------------------------------------------------------------
    # Host Aliases
    #-----------------------------------------------------------------------------
    # Add any 'in line' Host_Alias here.
    #
    #
    #-----------------------------------------------------------------------------
    # Required Command Aliases
    #-----------------------------------------------------------------------------
    #
    # sudo
    #
    # Paths of the sudo binary itself. The alias is negated by the final
    # 'ALL ALL=!SUDOSUDO' rule so that sudo is not used to run sudo. Only these
    # three locations are covered; add any other installed path.
    Cmnd_Alias SUDOSUDO = /usr/local/bin/sudo, /usr/bin/sudo, /bin/sudo
    #
    # Fully qualified commands not present on the server are not required to be in this list.
    # Commands on this list that do not exist on the servers have no impact.
    # Add any local paths.
    #
    # Forbidden commands: Commands only system admin might be permitted.
    #
    # An alias is only a list; it denies nothing until a rule references it
    # with '!'. No rule in this listing references IBM_NONE_ALL (visudo
    # normally warns about an unused alias).
    # NOTE(review): sudoers continues a line only when it ends in a backslash.
    # The continuation lines of this and the other multi-line aliases below
    # carry none as shown here (they may have been dropped when the page was
    # rendered); as shown, visudo would reject the definition. Confirm against
    # the real file.
    Cmnd_Alias IBM_NONE_ALL = /usr/bin/su * , /bin/su *, 
    /bin/bash2bug, /usr/bin/bash2bug, 
    /usr/bin/chuser *root*, /usr/bin/mkuser, 
    /usr/bin/chgroup, /usr/bin/chgrpmem -*, /usr/bin/smit*, 
    /usr/sbin/visudo, /usr/bin/vi *sudo*, /usr/bin/more *sudo*, 
    /usr/bin/view *sudo*, /usr/bin/cp *sudo*, /usr/bin/mv *sudo*, 
    /usr/bin/rm *sudo*, /usr/bin/view /etc/passwd*, /usr/bin/vi /etc/passwd*, 
    /usr/bin/view /etc/security/passwd*, /usr/bin/vim /etc/security/passwd*, 
    /usr/bin/vi /etc/security/passwd*, 
    /bin/view /etc/security/passwd*, /bin/vim /etc/security/passwd*, 
    /bin/vi /etc/security/passwd*, 
    /bin/view /etc/shadow*, /usr/bin/vim /etc/shadow*, /bin/vi /etc/shadow*, 
    /usr/sbin/sam, 
    /usr/bin/view /etc/group*, /usr/bin/vi /etc/group*, /usr/bin/command, 
    /usr/bin/hostname, /usr/sbin/chdev *hostname*, 
    /usr/local/sbin/visudo, /bin/chmod * /etc/*, /bin/chmod * /etc/security/*, 
    /bin/chmod * /root/*, /bin/chmod * /*, 
    /bin/chown * /etc/*, /bin/chown * /etc/security/*, 
    /bin/chown * /root/*, /bin/chmod * /usr/local/sbin/visudo, 
    /bin/chown * /usr/local/sbin/visudo, 
    /bin/time *, /usr/bin/time *
    # If you remove anything you need to provide documentation,rationale and
    # secondary controls if required; if an alternative -technical- control
    # is in place, document.
    # Commands not present on the server are not required to be in this list.
    # Commands on this list that do not exist on the servers have no impact.
    # It is permissible to hard code these to the exact directory structure where
    # the commands are present on the system if installed in a different location.
    #
    # su commands
    #
    # Per sudoers(5) a command listed without arguments matches that command
    # run with any arguments, so '/usr/bin/su' already covers '/usr/bin/su
    # root'; the 'su root' entries are redundant but harmless.
    # NOTE(review): continuation lines need a trailing backslash to be valid
    # sudoers (none shown here).
    Cmnd_Alias IBM_NONE_SA = /usr/bin/su, /usr/bin/su root, 
    /bin/su, /bin/su root
    # if you remove anything you need to provide documentation,rationale and
    # secondary controls if required; if an alternative -technical- control is
    # in place, document.
    # Commands not present on the server are not required to be in this list.
    # Commands on this list that do not exist on the servers have no impact.
    #
    # Shells
    #
    # Interactive shells, referenced by rules as '!IBM_SHELLS_ALL'. Per
    # sudoers(5), subtracting commands from ALL with '!' is not an effective
    # restriction; the alias is most useful for excluding shells from an
    # explicit allow-list.
    # NOTE(review): continuation lines need a trailing backslash to be valid
    # sudoers (none shown here).
    Cmnd_Alias IBM_SHELLS_ALL = /bin/ash, /usr/bin/ash, 
    /bin/bash, /usr/bin/bash, /opt/freeware/bin/bash, /usr/opt/freeware/bin/bash, 
    /bin/bash1, /usr/bin/bash1, /bin/bash2, /usr/bin/bash2 , 
    /bin/bsh, /usr/bin/bsh, /bin/ch, /usr/bin/ch, /bin/csh, /usr/bin/csh , 
    /bin/jsh, /usr/bin/jsh, /bin/ksh, /usr/bin/ksh, /bin/ksh93, /usr/bin/ksh93, 
    /bin/pfcsh, /usr/bin/pfcsh , 
    /bin/pfksh, /usr/bin/pfksh, /bin/pfsh, /usr/bin/pfsh, /bin/psh, /usr/bin/psh, 
    /bin/recsh, /usr/bin/recsh, /bin/rksh, /usr/bin/rksh, 
    /bin/rsh, /usr/bin/rsh, /usr/ucb/rsh, 
    /bin/sh, /usr/bin/sh, /usr/samples/tcpip/sendmail/sh , 
    /usr/shell, /usr/bin/shell, 
    /bin/tclsh, /usr/bin/tclsh, /opt/freeware/bin/tclsh, /usr/opt/freeware/bin/tclsh, 
    /bin/tclsh8.4, /usr/bin/tclsh8.4, /opt/freeware/bin/tclsh8.4, 
    /usr/opt/freeware/bin/tclsh8.4, 
    /bin/tcsh, /usr/bin/tcsh, /bin/tsh, /usr/bin/tsh , 
    /bin/wish, /usr/bin/wish, /opt/freeware/bin/wish, /usr/opt/freeware/bin/wish, 
    /bin/wish8.4, /usr/bin/wish8.4, /opt/freeware/bin/wish8.4, 
    /usr/opt/freeware/bin/wish8.4, 
    /bin/wishx, /usr/bin/wishx, 
    /bin/zsh, /usr/bin/zsh
    # Shells not present on the server are not required to be in this list.
    # Shells on this list that do not exist on the servers have no impact.
    # Add any local shells.
    #
    # Shell Escapes
    #
    # Programs that can start a subprocess (editors, pagers, find -exec, ftp).
    # This alias is what 'Defaults!IBM_SHELLESCAPE_ALL noexec' applies to, so a
    # path missing here is a path that noexec never reaches.
    # NOTE(review): /bin/ed and /bin/less are absent although /usr/bin/ed and
    # /usr/bin/less are listed; the ITIMADM5 rule below grants /bin/ed.
    # NOTE(review): continuation lines need a trailing backslash to be valid
    # sudoers (none shown here).
    Cmnd_Alias IBM_SHELLESCAPE_ALL = /usr/bin/ed, 
    /usr/bin/bash2bug, /usr/bin/bashbug, 
    /usr/bin/find * -exec *, /usr/bin/find * -ok *, 
    /bin/find * -exec *, /bin/find * -ok *, 
    /usr/bin/find * -execdir *, /usr/bin/find * -okdir *, 
    /bin/find * -execdir *, /bin/find * -okdir *, 
    /bin/ftp, /usr/bin/ftp, 
    /bin/ex, /usr/bin/ex, /usr/bin/less, /usr/bin/more, /bin/pg, /usr/bin/pg, 
    /usr/bin/vi, /bin/vi, /bin/ex, /bin/view, /bin/gvim, /bin/gview, /bin/evim, 
    /bin/eview, /bin/vimdiff, /bin/vim, /usr/bin/vim, /usr/bin/ex, 
    /usr/bin/view, /usr/bin/gvim, 
    /usr/bin/gview, /usr/bin/evim, /usr/bin/eview, /usr/bin/vimdiff, 
    /bin/more
    # Commands not present on the server are not required to be in this list.
    # Commands on this list that do not exist on the servers have no impact.
    # Add any local commands.
    #
    #
    # Disallowed editors
    #
    # Editors to exclude from allow-lists via '!IBM_NONE_EDITOR'. Not referenced
    # by any rule in this listing.
    # NOTE(review): continuation lines need a trailing backslash to be valid
    # sudoers (none shown here).
    Cmnd_Alias IBM_NONE_EDITOR = /bin/vi, /bin/tvi, /bin/vim, /bin/rvim, /bin/gvim, 
    /bin/evim, /bin/emacs, /bin/ed, /usr/bin/vi, /usr/bin/tvi, /usr/bin/vim, 
    /usr/bin/rvim, /usr/bin/gvim, /usr/bin/evim, /usr/bin/emacs, /usr/bin/ed, 
    /bin/view, /usr/bin/view, /bin/rvi, /usr/bin/rvi
    #
    # Commands not present on the server are not required to be in this list.
    # Commands on this list that do not exist on the servers have no impact.
    # Add any local commands.
    #--------------------------------------------------------------------------------
    #
    # IBM SA command Aliases
    #
    # Login-shell 'su -' forms, i.e. a full root session; intended for admin
    # rules only, and (per the note below) only where secondary logging
    # records what happens inside that session.
    # NOTE(review): continuation lines need a trailing backslash to be valid
    # sudoers (none shown here).
    Cmnd_Alias IBM_UNIX_SA_CMDS = /usr/bin/su -, /bin/su -, /usr/bin/su - root, 
    /bin/su - root
    # This Cmnd_Alias can only be used if secondary logging is in place on the server.
    #
    #
    ## END 'top' part of 201_NArevStandAliases_NA
    
    #>> The 'NA System Admin' below content comes from
    #>> https://ibm.biz/NAsudoTemplates
    #>> entry: 201_SystemAdmin_NA
    #>> with the only customization being to set to the 'local' group used by the
    #>> SA team:
    #>> User_Alias IBM_SA_BAU = %uss
    #>>
    ## Begin NA System Admin Ver 1.2.2 Date 2014-07-15 * Master * Refer NA1001415501 Begin #
    # Description
    # Software products and versions
    # Supported OS platforms : All Unix/Linux variants.
    # This sudo profile is the 'typical' system admin sudo entry
    # where secondary logging is in use. This entry is only to
    # be used where secondary logging 'like' the methods
    # documented on: https://ibm.biz/NAsudo2log
    # are in use. Implementing team is responsible to ensure
    # logging methodology works in their environment. If secondary
    # logging is not in use, then the SA team must request an
    # 'account-level'override exception.
    #
    # Self serve access considerations are 'Not applicable' for this template
    #
    #
    # Use of this IBM approved standard template must follow NA
    # Sudo deployment requirements.
    # Local adjustments, excepting the Host_Alias (For any needed
    # segregation of hosts) and User_Alias (to identify the local
    # group name in use) for specific customer environments
    # must be approved by 'Sudo Deployment AG/Hartford/IBM'
    #
    #
    # Version control
    # V1.0 - highc@us.ibm.com - new template
    # V1.1 - highc - add IBM_SA_AIXSMIT materials to allow for system
    # system admins to use smit with appropriate logging.
    # V1.2 - highc - based on v7.1 of standard aliases https://ibm.biz/GsudoStdAlias
    # being released,remove 'EXEC: smit' type lines.
    # Be certain to include the SMIT_SHELL=n materials from
    # v7.1 of the standard aliases on AIX systems.
    # V1.2.1 - highc- fix syntax/line continuation error.
    # V1.2.2 - highc- adjust user alias to better conform to global standard.
    #
    # BEGIN the Middleware templates relevant for the server
    # Each '#include' below is a directive, not a comment: the named file is
    # parsed at this point, so its rules precede everything that follows in
    # this file (including the final 'ALL ALL=!SUDOSUDO'). visudo reports an
    # error for an included file that cannot be read.
    #include /etc/sudoers.d/010_STD_NEG_GLB
    #include /etc/sudoers.d/010_STD_SA_GLB
    #include /etc/sudoers.d/102_AWS_GLB
    #include /etc/sudoers.d/108_ORACLE_GLB
    #include /etc/sudoers.d/113_TEM_GLB
    #include /etc/sudoers.d/118_TSM_GLB
    #include /etc/sudoers.d/120_WAS_GLB
    #include /etc/sudoers.d/123_AE_GLB
    #include /etc/sudoers.d/205_ITIMEPAIGANA_LINUX_NA
    #include /etc/sudoers.d/217_TADDMDISC_NA
    #include /etc/sudoers.d/228_DGNAE_NA
    #include /etc/sudoers.d/237_DB2_NA
    #include /etc/sudoers.d/402_AWS_NA_IGA_AHE_CPE_ADJ
    #include /etc/sudoers.d/402_AWS_NA_IGA_AHE_EPRICER_ADJ
    #include /etc/sudoers.d/413_TEM_NA_IGA_AHE_ADJ
    #include /etc/sudoers.d/420_WAS_NA_IGA_AHE_CPE_ADJ
    #include /etc/sudoers.d/420_WAS_NA_IGA_AHE_EPRICER_ADJ
    #include /etc/sudoers.d/460_SAMETIME_NA_IGA_LCL
    #include /etc/sudoers.d/461_NUS_W_SSLINUX_NA_IGA_LCL
    #include /etc/sudoers.d/461_ODCSISS_NA_IGA_LCL
    #include /etc/sudoers.d/462_MKT_NA_IGA_LCL
    #include /etc/sudoers.d/476_LDAP_DB2_IGA_NA_LCL
    #include /etc/sudoers.d/481_NESSUS_NA_IGA_LCL
    #include /etc/sudoers.d/489_AvocentDSView_NA_IGA_AHE_LCL
    # END the Middleware templates relevant for the server
    # NOTE(review): this include sits outside the BEGIN/END markers; confirm it
    # is meant to be separate from the middleware set.
    #include /etc/sudoers.d/241_CHANGEMANAE_NA
    
    
    # Start of CUSTOMER SECTION -------------------------------------------------
    ####
    #>> Customer specific items have been removed from sample, but
    #>> this would be any of your current content which are sudo entries
    #>> for your customers.
    ####
    # End of CUSTOMER SECTION -----------------------------------------------------
    ## Start of 'bottom' part of 201_NArevStandAliases_NA
    #------------------------------------------------------------------------------
    #
    #
    # Identity-management group: account/group maintenance as root, no password.
    # NOTE(review): /bin/chmod, /bin/cp, /usr/bin/tee, /bin/kill and
    # /usr/bin/passwd carry no argument restriction, so each matches any
    # arguments -- cp/tee/chmod then amount to root write access to arbitrary
    # files, and passwd also covers the root account. If that is wider than the
    # tool needs, pin the arguments; sudoers(5) shows the pattern
    # '/usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root'.
    # NOTE(review): /bin/ed is an editor with shell escapes but is not in
    # IBM_SHELLESCAPE_ALL above, so the noexec default does not reach it.
    # NOTE(review): continuation lines need a trailing backslash to be valid
    # sudoers (none shown here).
    User_Alias ITIMADM5 = %itimadm
    ITIMADM5 ALL=NOPASSWD: /bin/cat, /bin/chmod, /bin/cp, /bin/kill, /bin/ls, 
    /usr/bin/chage, /bin/ed, /usr/bin/ed, /usr/bin/faillog, /usr/bin/groups, 
    /usr/bin/passwd, /usr/bin/tee, /usr/sbin/groupadd, /usr/sbin/groupdel, 
    /usr/sbin/groupmod, /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod
    
    
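    # Host list for the LINUXV6GRPS rule below. A host name in a Host_Alias is
    # a bare word; the backticks that surrounded it are not sudoers syntax and
    # visudo would reject the alias as written (they may have been a markup
    # artifact of the original page).
    # NOTE(review): despite the '101TO199' in the name, a single host is listed;
    # presumably the name refers to the gid range of LINUXV6GRPS -- confirm.
    Host_Alias LINUX101TO199HOSTLIST = bhusprv024.bhprod.ibm.com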
    
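    # Members of the local groups with gids 101..199, one %#gid entry each.
    # The original list repeated the fourth gid on every line (%#103,%#103,
    # %#113,%#113, ...); the duplicates are dropped -- membership is a set, so
    # the matched users are unchanged. Lines are continued with a trailing
    # backslash, which sudoers requires for a multi-line entry.
    User_Alias LINUXV6GRPS = %#101,%#102,%#103,%#104,%#105,%#106,%#107,%#108,%#109, \
    %#110,%#111,%#112,%#113,%#114,%#115,%#116,%#117,%#118,%#119, \
    %#120,%#121,%#122,%#123,%#124,%#125,%#126,%#127,%#128,%#129, \
    %#130,%#131,%#132,%#133,%#134,%#135,%#136,%#137,%#138,%#139, \
    %#140,%#141,%#142,%#143,%#144,%#145,%#146,%#147,%#148,%#149, \
    %#150,%#151,%#152,%#153,%#154,%#155,%#156,%#157,%#158,%#159, \
    %#160,%#161,%#162,%#163,%#164,%#165,%#166,%#167,%#168,%#169, \
    %#170,%#171,%#172,%#173,%#174,%#175,%#176,%#177,%#178,%#179, \
    %#180,%#181,%#182,%#183,%#184,%#185,%#186,%#187,%#188,%#189, \
    %#190,%#191,%#192,%#193,%#194,%#195,%#196,%#197,%#198,%#199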
    
    # Members of LINUXV6GRPS may run df on the listed host, as user 'nobody'
    # (not root) and with a password (no NOPASSWD tag).
    LINUXV6GRPS LINUX101TO199HOSTLIST = (nobody) /bin/df
    
    #
    # Temp sudo access
    # NOTE(review): both lines grant unrestricted root on every host; the second
    # one without a password. A 'temporary' grant needs an owner, an expiry
    # date and the ticket that authorised it recorded here, and a reminder to
    # remove it -- otherwise it outlives the need. Because these lines precede
    # the final 'ALL ALL=!SUDOSUDO', that negation still applies to them.
    ghkong ALL=(ALL) ALL
    dfcosta0 ALL=(ALL) NOPASSWD:ALL
    # The following line must be after the last 'additive' line in this file, only
    # 'negations' and comments should follow this:
    #
    # sudoers uses last-match semantics, so any additive rule placed after this
    # line (including rules pulled in by a later #include/#includedir) would
    # re-allow running sudo via sudo. Per sudoers(5), '!' subtraction is not a
    # strong control on its own; treat this line as hygiene, not as a boundary.
    ALL ALL=!SUDOSUDO
    #
    # End NA sudoers standard template Ver 8.1NA Date 2014-07-09 * Master * Refer NA14211028 End #
    old
    ## Sudoers allows particular users to run various commands as
    ## the root user, without needing the root password.
    ##
    ## Examples are provided at the bottom of the file for collections
    ## of related commands, which can then be delegated out to particular
    ## users or groups.
    ##
    ## This file must be edited with the 'visudo' command.
    
    ## Host Aliases
    ## Groups of machines. You may prefer to use hostnames (perhaps using
    ## wildcards for entire domains) or IP addresses instead.
    # Host_Alias     FILESERVERS = fs1, fs2
    # Host_Alias     MAILSERVERS = smtp, smtp2
    
    ## User Aliases
    ## These aren't often necessary, as you can use regular groups
    ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
    ## rather than USERALIAS
    # User_Alias ADMINS = jsmith, mikem
    
    
    ## Command Aliases
    ## These are groups of related commands...
    
    ## Networking
    # Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
    
    ## Installation and management of software
    # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
    
    ## Services
    # Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
    
    ## Updating the locate database
    # Cmnd_Alias LOCATE = /usr/bin/updatedb
    
    ## Storage
    # Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
    
    ## Delegating permissions
    # Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
    
    ## Processes
    # Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
    
    ## Drivers
    # Cmnd_Alias DRIVERS = /sbin/modprobe
    
    # Defaults specification
    
    #
    # Refuse to run if unable to disable echo on the tty, so a typed password
    # is never echoed back (e.g. when sudo is run without a proper terminal).
    #
    Defaults   !visiblepw
    
    #
    # Preserving HOME has security implications since many programs
    # use it when searching for configuration files. Note that HOME
    # is already set when the env_reset option is enabled, so
    # this option is only effective for configurations where either
    # env_reset is disabled or HOME is present in the env_keep list.
    #
    Defaults    always_set_home
    # Compare %group entries by gid rather than by name (sudoers(5)).
    Defaults    match_group_by_gid
    
    # Prior to version 1.8.15, groups listed in sudoers that were not
    # found in the system group database were passed to the group
    # plugin, if any. Starting with 1.8.15, only groups of the form
    # %:group are resolved via the group plugin by default.
    # We enable always_query_group_plugin to restore the old behavior.
    # Disable this option for the new behavior.
    Defaults    always_query_group_plugin
    
    # Start each command from a minimal environment; env_keep lists the
    # variables carried over from the invoking user. HOME is deliberately
    # absent (see the note below).
    Defaults    env_reset
    Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
    Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
    Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
    Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
    Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
    
    #
    # Adding HOME to env_keep may enable a user to run unrestricted
    # commands via sudo.
    #
    # Defaults   env_keep += "HOME"
    
    # PATH used to locate the command; the invoking user's PATH is ignored.
    # /usr/local/bin is intentionally not searched.
    Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
    
    ## Next comes the main part: which users can run what software on
    ## which machines (the sudoers file can be shared between multiple
    ## systems).
    ## Syntax:
    ##
    ##      user    MACHINE=COMMANDS
    ##
    ## The COMMANDS section may have other options added to it.
    ##
    ## Allow root to run any commands anywhere
    root    ALL=(ALL)       ALL
    
    ## Allows members of the 'sys' group to run networking, software,
    ## service management apps and more.
    # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
    
    ## Allows people in group wheel to run all commands (with password).
    ## NOTE(review): the IBM_SA_BAU rule further down grants the same group ALL
    ## again; one of the two is redundant.
    %wheel  ALL=(ALL)       ALL
    
    ## Same thing without a password
    # %wheel        ALL=(ALL)       NOPASSWD: ALL
    
    ## Allows members of the users group to mount and unmount the
    ## cdrom as root
    # %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
    
    ## Allows members of the users group to shutdown this system
    # %users  localhost=/sbin/shutdown -h now
    
    ## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
    ## Drop-ins are parsed at this point, so their rules precede everything
    ## below and the final 'ALL ALL=!SUDOSUDO' still applies to them. Per
    ## sudoers(5), files whose name contains '.' or ends in '~' are skipped.
    #includedir /etc/sudoers.d
    Defaults env_file=/etc/sudo.env  # Includes the sudo environment file
    # !requiretty: sudo may be used without a tty (cron, scripted ssh);
    # authenticate: password required unless a rule says NOPASSWD.
    Defaults        !requiretty,authenticate,set_home
    # tty_tickets: credential cache is per tty; timestamp_timeout: minutes the
    # cached credential lasts; umask=0077: files created by commands are
    # private to root by default; ignore_dot: '.' in PATH is ignored.
    Defaults        tty_tickets,!root_sudo,umask=0077,ignore_dot,timestamp_timeout=5
    Defaults        syslog=auth
    Defaults        logfile=/var/log/sudo.log
    # NOTE(review): requiretty is already off globally above, so these two
    # per-user lines are redundant unless the global setting is changed.
    Defaults:tdiuser !requiretty
    Defaults:uatagnt !requiretty
    
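    # Paths of the sudo binary; negated by the final 'ALL ALL=!SUDOSUDO' rule.
    # The line originally began with 'alias', which is not a sudoers keyword:
    # the alias type must be spelled Cmnd_Alias, otherwise visudo reports a
    # syntax error and sudo refuses every request until the file parses.
    Cmnd_Alias SUDOSUDO = /usr/local/bin/sudo, /usr/bin/sudo, /bin/sudo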
    # Commands reserved for system administrators. An alias denies nothing on
    # its own; no rule in this listing references IBM_NONE_ALL.
    # NOTE(review): continuation lines need a trailing backslash to be valid
    # sudoers (none shown here; they may have been lost in rendering).
    Cmnd_Alias IBM_NONE_ALL = /usr/bin/su * , /bin/su *,   /bin/bash2bug, /usr/bin/bash2bug,   /usr/bin/chuser *root*, /usr/bin/mkuser, 
      /usr/bin/chgroup, /usr/bin/chgrpmem -*, /usr/bin/smit*,   /usr/sbin/visudo, /usr/bin/vi *sudo*, /usr/bin/more *sudo*,   /usr/bin/view *sudo*, 
      /usr/bin/cp *sudo*, /usr/bin/mv *sudo*,   /usr/bin/rm *sudo*, /usr/bin/view /etc/passwd*, /usr/bin/vi /etc/passwd*,  
      /usr/bin/view /etc/security/passwd*, /usr/bin/vim /etc/security/passwd*,   /usr/bin/vi /etc/security/passwd*, 
      /bin/view /etc/security/passwd*,   /bin/vim /etc/security/passwd*,  /bin/vi /etc/security/passwd*, 
      /bin/view /etc/shadow*, /usr/bin/vim /etc/shadow*, /bin/vi /etc/shadow*, 
      /usr/sbin/sam,   /usr/bin/view /etc/group*, /usr/bin/vi /etc/group*, /usr/bin/command,   /usr/bin/hostname, /usr/sbin/chdev *hostname*, 
      /usr/local/sbin/visudo, /bin/chmod * /etc/*, /bin/chmod * /etc/security/*,   /bin/chmod * /root/*, /bin/chmod * /*,   /bin/chown * /etc/*, 
      /bin/chown * /etc/security/*,   /bin/chown * /root/*, /bin/chmod * /usr/local/sbin/visudo,   /bin/chown * /usr/local/sbin/visudo,   
      /bin/time *, /usr/bin/time *
    
    # su without a login shell. Per sudoers(5) '/usr/bin/su' with no arguments
    # matches any arguments, so the 'su root' entries are redundant. Referenced
    # as '!IBM_NONE_SA' by the %lnxadm rule below.
    Cmnd_Alias IBM_NONE_SA = /usr/bin/su, /usr/bin/su root, /bin/su, /bin/su root
    
    # Login-shell 'su -' forms (a full root session). Not referenced by any
    # rule in this listing.
    Cmnd_Alias  IBM_UNIX_SA_CMDS = /usr/bin/su -, /bin/su -, /usr/bin/su - root,    /bin/su - root
    
    # Interactive shells; referenced as '!IBM_SHELLS_ALL' by the %lnxadm rule.
    # Per sudoers(5), subtracting from ALL with '!' is not an effective
    # restriction on its own.
    # NOTE(review): continuation lines need a trailing backslash to be valid
    # sudoers (none shown here).
    Cmnd_Alias IBM_SHELLS_ALL = /bin/ash, /usr/bin/ash,   /bin/bash, /usr/bin/bash, /opt/freeware/bin/bash, /usr/opt/freeware/bin/bash,  
      /bin/bash1, /usr/bin/bash1, /bin/bash2, /usr/bin/bash2 ,   /bin/bsh, /usr/bin/bsh, /bin/ch, /usr/bin/ch, /bin/csh, /usr/bin/csh ,   
      /bin/jsh, /usr/bin/jsh, /bin/ksh, /usr/bin/ksh, /bin/ksh93, /usr/bin/ksh93,  /bin/pfcsh, /usr/bin/pfcsh ,   /bin/pfksh, /usr/bin/pfksh, 
      /bin/pfsh, /usr/bin/pfsh, /bin/psh, /usr/bin/psh,   /bin/recsh, /usr/bin/recsh, /bin/rksh, /usr/bin/rksh,   /bin/rsh, /usr/bin/rsh, /usr/ucb/rsh,
      /bin/sh, /usr/bin/sh, /usr/samples/tcpip/sendmail/sh ,   /usr/shell, /usr/bin/shell,   /bin/tclsh, /usr/bin/tclsh, /opt/freeware/bin/tclsh, 
      /usr/opt/freeware/bin/tclsh,   /bin/tclsh8.4, /usr/bin/tclsh8.4, /opt/freeware/bin/tclsh8.4,   /usr/opt/freeware/bin/tclsh8.4,   /bin/tcsh, 
      /usr/bin/tcsh, /bin/tsh, /usr/bin/tsh ,   /bin/wish, /usr/bin/wish, /opt/freeware/bin/wish, /usr/opt/freeware/bin/wish,   /bin/wish8.4, 
      /usr/bin/wish8.4, /opt/freeware/bin/wish8.4,  /usr/opt/freeware/bin/wish8.4,   /bin/wishx, /usr/bin/wishx,   /bin/zsh, /usr/bin/zsh
    
    # Programs that can spawn a subprocess (editors, pagers, find -exec, ftp,
    # format). Used with NOEXEC: in the %hc and %lnxadm rules below and meant
    # to carry the 'noexec' Defaults; a path missing here is never covered.
    # NOTE(review): /bin/ed and /bin/less are absent although /usr/bin/ed and
    # /usr/bin/less are listed.
    # NOTE(review): continuation lines need a trailing backslash to be valid
    # sudoers (none shown here).
    Cmnd_Alias IBM_SHELLESCAPE_ALL = /usr/bin/ed,   /usr/bin/bash2bug, /usr/bin/bashbug, 
      /usr/bin/find * -exec *,  /usr/bin/find * -ok *,   /bin/find * -exec *,      /bin/find * -ok *,   /usr/bin/find * -execdir *, /usr/bin/find * -okdir *, 
      /bin/find * -execdir *,     /bin/find * -okdir *,   /usr/bin/ftp, /bin/ftp,    /usr/bin/ex, /bin/ex,  /usr/bin/less, 
      /usr/bin/more, /bin/more, /usr/bin/pg, /bin/pg,   /usr/bin/vi, /bin/vi, /bin/view, /usr/bin/view,    /usr/bin/gview, /bin/gview, /usr/bin/eview, 
      /bin/eview,   /usr/bin/evim, /bin/evim, /usr/bin/gvim, /bin/gvim,   /usr/bin/vimdiff, /bin/vimdiff,    /usr/bin/vim, /bin/vim,    /usr/sbin/format
    
    # Editors to exclude from allow-lists. Not referenced by any rule in this
    # listing.
    # NOTE(review): continuation lines need a trailing backslash to be valid
    # sudoers (none shown here).
    Cmnd_Alias IBM_NONE_EDITOR = /bin/vi, /bin/tvi,   /bin/vim, /bin/rvim, /bin/gvim, /bin/evim, /bin/emacs, /bin/ed,   /usr/bin/vi, /usr/bin/tvi,   
      /usr/bin/vim, /usr/bin/rvim, /usr/bin/gvim, /usr/bin/evim, /usr/bin/emacs,   /usr/bin/ed, /bin/view, /usr/bin/view, /bin/rvi, /usr/bin/rvi
    
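    # Run the shell-escape commands with noexec so editors and pagers cannot
    # start subprocesses. The line originally read
    # 'Defaults: !IBM_SHELLESCAPE_ALL noexec'. 'Defaults:' introduces a
    # per-user default, so the alias was being read as a (negated) User_List
    # rather than a command list, and the noexec flag never attached to these
    # commands. The command-specific form is '!' directly after Defaults, as
    # in the 'Defaults!IBM_SHELLESCAPE_ALL noexec' line of the standard
    # template. Per sudoers(5), noexec does not cover statically linked
    # programs.
    Defaults!IBM_SHELLESCAPE_ALL noexec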
    
    # Negation aliases: argument patterns to subtract from an allow-list entry
    # (see the IBM_LIN_UAT_TOOL_BAU rule below). Each blocks absolute paths
    # ('/* *'), parent-directory ('*..*') and current-directory ('*./*') forms.
    # A negation only subtracts from commands that precede it in the same
    # rule; per sudoers(5) it does not restrict a user who is granted ALL.
    # NOTE(review): IBM_FIND_NEG covers /usr/bin/find only, while the UAT
    # allow-list below also grants /bin/find; add matching /bin/find patterns
    # if that path exists on the target systems.
    # NOTE(review): continuation lines need a trailing backslash to be valid
    # sudoers (none shown here).
    Cmnd_Alias   IBM_CAT_NEG  =     !/bin/cat /* *,!/bin/cat * /* *,!/bin/cat *..*,  !/bin/cat *./*
    Cmnd_Alias   IBM_CHGRP_NEG =     !/bin/chgrp * /* *,!/bin/chgrp *..*,!/bin/chgrp *./*
    Cmnd_Alias   IBM_CHMOD_NEG =      !/bin/chmod * /* *, !/bin/chmod *..*,!/bin/chmod *./*
    Cmnd_Alias   IBM_CHOWN_NEG =     !/bin/chown * /* *,!/bin/chown *..*, !/bin/chown *./*
    Cmnd_Alias   IBM_COMPRESS_NEG =     !/usr/bin/compress /* *,!/usr/bin/compress * /* *,!/usr/bin/compress *..*, !/usr/bin/compress *./*
    Cmnd_Alias   IBM_CP_NEG =     !/bin/cp /* /* *, !/bin/cp * /* /* *, !/bin/cp *..*, !/bin/cp *./*
    Cmnd_Alias   IBM_DIFF_NEG =     !/usr/bin/diff /* /* *,!/usr/bin/diff * /* /* *, !/usr/bin/diff *..*, !/usr/bin/diff *./*
    Cmnd_Alias   IBM_FIND_NEG =     !/usr/bin/find * -exec *, !/usr/bin/find * -ok *, !/usr/bin/find *..*,     !/usr/bin/find * -execdir *, !/usr/bin/find * -okdir *
    Cmnd_Alias   IBM_GUNZIP_NEG =     !/usr/bin/gunzip /* *,!/usr/bin/gunzip -* /* *,!/usr/bin/gunzip *..*, !/usr/bin/gunzip *./*
    Cmnd_Alias   IBM_GZIP_NEG =     !/usr/bin/gzip /* *,!/usr/bin/gzip -* /* *,!/usr/bin/gzip *..*, !/usr/bin/gzip *./*
    Cmnd_Alias   IBM_HEAD_NEG = !/usr/bin/head  /* *,!/usr/bin/head * /* *,!/usr/bin/head *..*, !/usr/bin/head *./*
            # Authorization of head is discouraged.  Instead, authorize the
            # team to 'cat', team can then run 'sudo cat /tmp/specified file | head {any flags they need}'
            # While discouraged, negation is effective when head is authorized
    Cmnd_Alias   IBM_LN_NEG =     !/bin/ln /* /* *, !/bin/ln -* /* /* *, !/bin/ln *..*, !/bin/ln *./*
    Cmnd_Alias   IBM_LS_NEG =             !/bin/ls /* *, !/bin/ls -* /* *, !/bin/ls *..*, !/bin/ls *./*
    Cmnd_Alias   IBM_MKDIR_NEG =     !/bin/mkdir /* *,!/bin/mkdir * /* *, !/bin/mkdir *..*, !/bin/mkdir *./*
    Cmnd_Alias   IBM_MOUNT_NEG =     !/bin/mount /* *,!/bin/mount * /* *,!/bin/mount *..*, !/bin/mount *./* , !/usr/sbin/mount /* *, 
      !/usr/sbin/mount * /* *,!/usr/sbin/mount *..*, !/usr/sbin/mount *./*
        # Caution:  we have only coded a negation for the 'single directory/device' version of the mount command;
        #           if you need to 'permit' the 'two directory/device' version of the command, it will have to be
        #           with a different negation, and if this negation is used, must be specified AFTER use of
        #           this negation or the use of IBM_NEG_ALL as this negation will block the two * version.
    Cmnd_Alias   IBM_MV_NEG =     !/bin/mv /* /* *,!/bin/mv * /* /* *, !/bin/mv *..*, !/bin/mv *./*
    Cmnd_Alias   IBM_RM_NEG =     !/bin/rm /* *,!/bin/rm * /* *, !/bin/rm *..*, !/bin/rm *./*
    Cmnd_Alias   IBM_RMDIR_NEG =     !/bin/rmdir /* *,!/bin/rmdir * /* *,!/bin/rmdir *..*,!/bin/rmdir *./*
    Cmnd_Alias   IBM_TAIL_NEG =     !/usr/bin/tail /* *,!/usr/bin/tail -* /* *,!/usr/bin/tail *..*,  !/usr/bin/tail *./*
            # authorization of tail 'except for' tail -f is discouraged.  Instead, authorize the
            # team to 'cat', team can then run 'sudo cat /tmp/specified file | tail {any flags they need}'
            # While discouraged, negation is effective for when tail is authorized to be issued with no flags.
    Cmnd_Alias   IBM_TAR_NEG =     !/bin/tar /* /* *,!/bin/tar * /* /* *, !/bin/tar *..*, !/bin/tar *./*
    Cmnd_Alias   IBM_TOUCH_NEG =    !/bin/touch /* *, !/bin/touch * /* *, !/bin/touch *..*, !/bin/touch *./* # will block some complex parms such as "-r"
            # Note: PO will need to create a custom negation if flags such as -r must be 'allowed for'.
    Cmnd_Alias   IBM_UMOUNT_NEG =     !/bin/umount  /* *,!/bin/umount * /* *,!/bin/umount *..*, !/bin/umount *./*, !/usr/sbin/umount /* *, 
      !/usr/sbin/umount * /* *,!/usr/sbin/umount *..*, !/usr/sbin/umount *./*
    Cmnd_Alias   IBM_UNCOMPRESS_NEG =     !/usr/bin/uncompress /* *,!/usr/bin/uncompress * /* *,!/usr/bin/uncompress *..*, !/usr/bin/uncompress *./*
    # NOTE(review): IBM_ZCAT_NEG lacks the '* /* *' form the other aliases have;
    # confirm whether that is intentional.
    Cmnd_Alias   IBM_ZCAT_NEG =     !/bin/zcat /* *, !/bin/zcat *..*, !/bin/zcat *./*
    # Convenience bundle of every negation above (all 24 are listed).
    Cmnd_Alias   IBM_ALL_NEG =     IBM_CAT_NEG, IBM_CHGRP_NEG, IBM_CHMOD_NEG, IBM_CHOWN_NEG, IBM_COMPRESS_NEG, IBM_CP_NEG, IBM_DIFF_NEG, IBM_FIND_NEG, 
      IBM_GUNZIP_NEG, IBM_GZIP_NEG, IBM_HEAD_NEG, IBM_LS_NEG, IBM_LN_NEG, IBM_MKDIR_NEG,     IBM_MOUNT_NEG, IBM_MV_NEG, IBM_RM_NEG, IBM_RMDIR_NEG, 
      IBM_TAIL_NEG,     IBM_TAR_NEG, IBM_TOUCH_NEG, IBM_UMOUNT_NEG, IBM_UNCOMPRESS_NEG,IBM_ZCAT_NEG
    
    # System-admin group: full root on all hosts (with password).
    # NOTE(review): %wheel already has 'ALL=(ALL) ALL' earlier in this file, so
    # this rule is redundant; the template header above names '%uss' as the
    # local SA group -- confirm which group is intended.
    User_Alias      IBM_SA_BAU = %wheel
    Host_Alias      IBM_SA_HOSTS = ALL # Use ALL or indicate
    IBM_SA_BAU  IBM_SA_HOSTS = ALL
    
    
    
    # User-administration tooling group: account maintenance and read access
    # to selected files as root, without a password.
    # NOTE(review): 'cat /etc/shadow' hands password hashes to every member of
    # %uatgroup; confirm the tool actually needs it.
    # NOTE(review): /usr/bin/find and /bin/find are granted without argument
    # restriction while IBM_FIND_NEG (applied in the rule below) only covers
    # /usr/bin/find; add /bin/find patterns or drop that path.
    # NOTE(review): continuation lines need a trailing backslash to be valid
    # sudoers (none shown here).
    User_Alias IBM_LIN_UAT_TOOL_BAU = %uatgroup
    
    Host_Alias IBM_LIN_UAT_HOSTS = ALL
    
    Cmnd_Alias IBM_LIN_UAT_BAU_CMDS = /bin/cat /etc/local/etc/sudoers, /bin/cat /etc/local/sudoers, /bin/cat /etc/shadow, 
      /bin/cat /etc/ssh/sshd_config, /bin/cat /etc/sudoers, /bin/cat /syslocal/config/common/sudo/etc/sudoers, 
      /bin/cat /var/log/messages, /bin/cat /var/log/sudo.log, /bin/cat /var/log/secure, /usr/bin/cat /etc/local/etc/sudoers, /usr/bin/cat /etc/local/sudoers, 
      /usr/bin/cat /etc/shadow, /usr/bin/cat /etc/ssh/sshd_config, /usr/bin/cat /etc/sudoers, /usr/bin/cat /syslocal/config/common/sudo/etc/sudoers, 
      /usr/bin/cat /var/log/messages, /usr/bin/cat /var/log/sudo.log, /usr/bin/cat /var/log/secure, /usr/bin/who, 
      /bin/who, /usr/bin/chage, /usr/bin/chmod [0-7][0-7][0145] /home/*, /bin/chmod [0-7][0-7][0145] /home/*, !/bin/chmod [1-7][0-7][0-7][0-7] /home/*, 
      !/usr/bin/chmod [1-7][0-7][0-7][0-7] /home/*, /usr/bin/faillog, /usr/bin/gpasswd, /usr/bin/ls, 
      /bin/ls, /usr/bin/passwd, /usr/sbin/chpasswd, /usr/sbin/faillog, /usr/sbin/groupadd, /usr/sbin/groupdel, /usr/sbin/groupmod, /sbin/groupmod, 
      /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/rm -rf /home/*, 
      /bin/rm -rf /home/*, /usr/bin/rm -r /home/*, /bin/rm -r /home/*, /usr/bin/rm /home/*, 
      /bin/rm /home/*, /usr/local/bin/uatscripts/uatoracle.sh, /usr/local/bin/uatscripts/uatdb2.sh, 
      /usr/local/bin/uatscripts/uatsap.sh, /usr/local/bin/uatscripts/uathyperion.sh, /usr/bin/find, /bin/find
    
    # The negations come after the allow-list so they subtract from it
    # (last match wins).
    IBM_LIN_UAT_TOOL_BAU IBM_LIN_UAT_HOSTS = (root) NOPASSWD: IBM_LIN_UAT_BAU_CMDS,IBM_CHMOD_NEG, IBM_FIND_NEG,IBM_RM_NEG
    Defaults:%uatgroup !requiretty
    
    
    # Account-maintenance commands for group aseanuid, as root, no password.
    # Each entry takes any arguments ('*'), so passwd/usermod also reach the
    # root account; pin arguments if that is wider than needed.
    # NOTE(review): continuation lines need a trailing backslash to be valid
    # sudoers (none shown here).
    %aseanuid ALL = NOPASSWD:
            /usr/sbin/useradd *, /usr/sbin/userdel *, /usr/sbin/usermod *, 
            /usr/bin/chage *, /usr/bin/passwd *, /usr/bin/gpasswd *, /sbin/pam_tally2 *, 
            /usr/bin/faillog *
    
    # Health-check group: read-only style commands as root, no password.
    # The trailing 'NOEXEC:IBM_SHELLESCAPE_ALL' re-lists the pagers/find forms
    # with the NOEXEC tag; because the last matching entry wins, those
    # commands run without exec even though they also match the untagged
    # entries before it.
    # NOTE(review): '/bin/cat *' and '/bin/zcat *' read any file as root, and
    # '/bin/tar *' and '/usr/bin/tail *' are not covered by the NOEXEC tag;
    # confirm this scope is intended for the group.
    # NOTE(review): continuation lines need a trailing backslash to be valid
    # sudoers (none shown here).
    %hc ALL = NOPASSWD:
            /bin/cat *, /bin/zcat *, /usr/bin/tail *, /usr/bin/head *, /bin/grep *, 
            /usr/bin/last *, /usr/bin/who *, /bin/ls *, /usr/bin/find *,/usr/bin/ssh-keygen *, /bin/tar *,
            /bin/more *, /usr/bin/less * , NOEXEC:IBM_SHELLESCAPE_ALL
    
    # Linux admins: everything except plain su and interactive shells, then
    # 'su -' is explicitly re-allowed (IBM_NONE_SA's argument-less
    # '/usr/bin/su' would otherwise match it too; last match wins), and the
    # shell-escape commands are tagged NOEXEC.
    # NOTE(review): per sudoers(5), subtracting from ALL with '!' is not an
    # effective restriction; treat the exclusions as policy documentation, not
    # enforcement. Only /usr/bin/su - is re-allowed, not /bin/su -.
    %lnxadm ALL=ALL,!IBM_NONE_SA,!IBM_SHELLS_ALL,/usr/bin/su -, NOEXEC: IBM_SHELLESCAPE_ALL
    
    
    # Must stay the last additive-affecting line: sudoers uses last-match
    # semantics, so any rule placed after it would re-allow running sudo via
    # sudo. Per sudoers(5), '!' subtraction is hygiene rather than a boundary.
    ALL ALL=!SUDOSUDO
    new

    refer:https://support.nagios.com/forum/viewtopic.php?f=6&t=43772&start=10

  • 原文地址:https://www.cnblogs.com/xiami-xm/p/10276126.html