[image]: prevent password related command into syslog #1450

Merged (2 commits) on Mar 3, 2018

@lguohan lguohan commented Mar 2, 2018

- What I did
Prevent password-related commands from going into syslog.

- How I did it
Disable logging for certain commands in the sudoers configuration.

- How to verify it
Run the command on the DUT; tested with syslog on the remote side.

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)
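
One way to automate the verification step above on the remote syslog side, as an added example that is not part of the PR: it scans collected log lines for sudo records whose COMMAND matches the passkey glob. The sample log lines, hostname, passkey and the `find_leaks` helper are constructed for illustration; the record layout assumed is sudo's usual `USER=... ; COMMAND=...` syslog format.

```python
import re
from fnmatch import fnmatchcase

# Glob taken from the alias in this PR; extend with other secret-bearing commands.
SECRET_CMD_GLOBS = ["/usr/bin/config tacacs passkey *"]

# sudo's syslog record: "<user> : TTY=.. ; PWD=.. ; USER=.. ; COMMAND=<argv>"
SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : .*?\bUSER=\S+ ; COMMAND=(?P<cmd>.*)$"
)

def find_leaks(lines, globs=SECRET_CMD_GLOBS):
    """Return (line_no, user, redacted_command) for every sudo record whose
    COMMAND matches a secret-bearing glob. The secret itself is never echoed."""
    leaks = []
    for line_no, line in enumerate(lines, 1):
        m = SUDO_RE.search(line.rstrip("\n"))
        if not m:
            continue  # not a sudo command record
        for glob in globs:
            if fnmatchcase(m.group("cmd"), glob):
                # Keep the fixed prefix of the glob, mask what '*' matched.
                leaks.append((line_no, m.group("user"),
                              glob.split("*", 1)[0] + "<redacted>"))
                break
    return leaks

# Constructed sample lines (hostname, user and passkey are made up).
LOG_WITHOUT_FIX = [
    "Mar  3 01:02:01 dut-example sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; "
    "USER=root ; COMMAND=/usr/bin/tail -f /var/log/syslog",
    "Mar  3 01:02:09 dut-example sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; "
    "USER=root ; COMMAND=/usr/bin/config tacacs passkey example-secret",
]
# With logging disabled for the alias, the passkey command leaves no record.
LOG_WITH_FIX = LOG_WITHOUT_FIX[:1]

if __name__ == "__main__":
    for name, log in (("without fix", LOG_WITHOUT_FIX), ("with fix", LOG_WITH_FIX)):
        print(name, find_leaks(log) or "no secret-bearing sudo records")
```
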

@@ -31,12 +31,17 @@ Cmnd_Alias READ_ONLY_CMDS = /usr/bin/decode-syseeprom, \
/bin/cat /var/log/syslog, \
/usr/bin/tail -f /var/log/syslog

Cmnd_Alias PASSWD_CMD = /usr/bin/config tacacs passkey *, \
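
Review bot: on the added `Cmnd_Alias PASSWD_CMD` line, the pattern `/usr/bin/config tacacs passkey *` still takes the passkey as a command-line argument, so exempting the alias from sudo's logging (as the description says this PR does) only covers sudo's own syslog record; the secret remains visible to anything else that records argv, such as shell history, process listings or audit rules. Suggest a comment above the alias stating that it exists solely to keep secret-bearing commands out of sudo's syslog output, and noting that disabling logging for the alias also drops the record that the passkey was changed at all.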

Suggest rename to PASSWD_CMDS (plural) for consistency.


taoyl-ms commented Mar 3, 2018

Can you add passwd as well as we sometimes use this to manually modify password?


lguohan commented Mar 3, 2018

passwd does not accept password as argument, there is no risk for passwd.

admin@str-s6100-acs-4:~$ passwd -h
Usage: passwd [options] [LOGIN]

Options:
  -a, --all                     report password status on all accounts
  -d, --delete                  delete the password for the named account
  -e, --expire                  force expire the password for the named account
  -h, --help                    display this help message and exit
  -k, --keep-tokens             change password only if expired
  -i, --inactive INACTIVE       set password inactive after expiration
                                to INACTIVE
  -l, --lock                    lock the password of the named account
  -n, --mindays MIN_DAYS        set minimum number of days before password
                                change to MIN_DAYS
  -q, --quiet                   quiet mode
  -r, --repository REPOSITORY   change password in REPOSITORY repository
  -R, --root CHROOT_DIR         directory to chroot into
  -S, --status                  report password status on the named account
  -u, --unlock                  unlock the password of the named account
  -w, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS
  -x, --maxdays MAX_DAYS        set maximum number of days before password
                                change to MAX_DAYS

@lguohan lguohan merged commit a9d2e13 into sonic-net:master Mar 3, 2018
abdosi added a commit that referenced this pull request Sep 28, 2020
 When teamd feature state is disabled the Netdevice created by teamd
 were not cleaned up. (#1450

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
abdosi added a commit to abdosi/sonic-buildimage that referenced this pull request Sep 29, 2020
be51ebc Add IPv6 key item support to request parser (sonic-net#1449)
76e2251 When teamd feature state is disabled the Netdevice created by teamd were (sonic-net#1450)
6aa97ce Use .clear() after std::move() (sonic-net#1444)
d5757db Add libzmq to README dependencies (sonic-net#1447)
c7b262e Add libzmq to Makefiles (sonic-net#1443)
0b2e59a [drop counters] Clarify log messages for initial counter setup (sonic-net#1445)
003cf24 [dvs] Refactor and add buffer pool wm test (sonic-net#1446)
2f5d2d9 [acl] Remove Ethertype from L3V6 qualifiers (sonic-net#1433)
f7b974f Fix issue: bufferorch only pass the first attribute to sai when setting attribute (sonic-net#1442)

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
raphaelt-nvidia pushed a commit to raphaelt-nvidia/sonic-buildimage that referenced this pull request Jan 14, 2021
…ere (sonic-net#1450)

not cleaned up.

Issue was seen on Multi-asic platform and seems to be a timing issue where
SIGTERM sent via the kill system call from teammgrd to teamd was not cleaning
up all teamd processes.

So the fix is: instead of sending an explicit SIGTERM to teamd, we are calling
teamd -k. Using this, teamd itself generates SIGTERM and handles the
processing.

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
renukamanavalan added a commit to renukamanavalan/sonic-buildimage that referenced this pull request Apr 26, 2021
* 9dba93f disk_check: Check & mount RO as RW using tmpfs (sonic-net#1569)
* c3963c5 Fix remove ip rif (sonic-net#1535)
* 41d8ddc [config][generic-update] Adding apply-patch, rollback, checkpoints commands (sonic-net#1536)
* a3d37f1 [console] Display success message after line cleared (sonic-net#1579)
* b10c157 RADIUS Management User Authentication Feature (sonic-net#1521)
* 59ed6f3 platform pre-check for reboot in master branch (sonic-net#1556)
* f5efe89 [acl] Use a list instead of a comma-separated string for ACL port list (sonic-net#1519)
* e296a69 No more IP validation as it is more likely a URL (sonic-net#1555)
* d5f5382 [CLI][queue counters] add JSON output option for queue counters (sonic-net#1505)
* 176cc4a 1) Loopback interfaces with valid nexthop IP are not ignored/treated as loopback. (sonic-net#1565)
* 149ccbd [techsupport] Update show ip interface command (sonic-net#1562)
* 0e84418 Stop PMON docker before cold and soft reboots (sonic-net#1514)
* eba5c04 Fix Multi-ASIC show specific resursive route by using common parsing function (sonic-net#1560)
* e57e7f7 cache the bvid to vlan translations (sonic-net#1523)
* 38f9f60 sonic-installer: fix py3 issues in bootloader.aboot (sonic-net#1553)
* 02b263a [voq/inbandif] Voq inbandif port (sonic-net#1363)
* 0539789 [load_minigraph]: Avoid starting PFCWD for EPMS devicetype (sonic-net#1552)
* 030293c Use 'importlib' module in lieu of deprecated 'imp' module (sonic-net#1450)
* 50e5c61 Fixed the possibility of using uninitialized variable in route_check.py (sonic-net#1551)
stepanblyschak pushed a commit to stepanblyschak/sonic-buildimage that referenced this pull request May 10, 2021
…1450)

Migrate from using the `imp` module to using the `importlib` module. As of Python 3, the `imp` module has been deprecated in favor of the `importlib` module.

Place logic in a new function, `load_module_from_source()` in a new file, `utilities_common/general.py`

Also fix some formatting