Lockdown /bin/ip permissions for the monasca-agent

This patch adds addtional arguments to the sudoers entry for the /bin/ip command. It restricts access to only 'ip netns exec'. Change-Id: Ie80c8fbdc851cbace8c82f8c47f490898f5c4d6e
2020-05-08 10:43:04 -04:00 · 2020-05-08 10:43:04 -04:00 · c8ca10e6a9
commit c8ca10e6a9
parent f7a92f5b58
1 changed files with 1 additions and 1 deletions
--- a/openstack/monasca-agent/openstack-monasca-agent.sudoers
+++ b/openstack/monasca-agent/openstack-monasca-agent.sudoers
@ -1,4 +1,4 @@
 # Needed for monasca_agent.collector.checks_d.swift_diags
-monasca-agent ALL = (root) NOPASSWD:/usr/local/bin/diagnostics,/usr/local/bin/swift-checker,/bin/ip,/usr/bin/ovs-vsctl
+monasca-agent ALL = (root) NOPASSWD:/usr/local/bin/diagnostics,/usr/local/bin/swift-checker,/bin/ip netns exec qrouter-[! ][! ][! ][! ][! ][! ][! ][! ]-[! ][! ][! ][! ]-[! ][! ][! ][! ]-[! ][! ][! ][! ]-[! ][! ][! ][! ][! ][! ][! ][! ][! ][! ][! ][! ] /bin/ping *,/usr/bin/ovs-vsctl
 # Needed for monasca_agent.collector.checks_d.postfix
 monasca-agent ALL = (root) NOPASSWD:NOEXEC:/usr/bin/find