# An allow-list of commands that the Agent Proxy user can run as root.
#
# Every entry below is an exact-argument command match (sudo compares the
# full argv against the sudoers entry), so a caller must pass precisely the
# arguments listed here; any other invocation of the same binary is denied.
# Lines prefixed with `# AEMBIT_...` are template entries that appear to be
# uncommented by the installer when the corresponding feature is enabled,
# and `{{ ... }}` tokens look like install-time substitutions -- confirm
# against the installer before editing them, as the prefix strings are
# presumably matched literally.
#
# The `requiretty` option is off by default. However, it may be set as a
# system-wide default to prevent users from mistakenly disclosing their
# password. The aembit_agent_proxy user has no password to disclose.
# Additionally these commands are all run with the non-interactive flag.
Defaults:aembit_agent_proxy !requiretty

# Read the CrowdStrike Falcon sensor agent ID (AID). No wildcards: only
# this exact flag combination is permitted.
aembit_agent_proxy ALL=(root:root) NOPASSWD: /opt/CrowdStrike/falconctl -g --aid
# Read the hardware serial number from SMBIOS; dmidecode needs root to
# access the DMI tables. Exact-argument match, no other DMI strings exposed.
aembit_agent_proxy ALL=(root:root) NOPASSWD: /usr/sbin/dmidecode --string system-serial-number
# Kerberos attestation (template). `sg aembit -c` runs the command with the
# `aembit` group; the `\:` is required because a bare `:` in sudoers
# separates command specifications. Still an exact-argument match once the
# controller location is substituted.
# AEMBIT_PRIVILEGED_KEYTAB aembit_agent_proxy ALL=(root:root) NOPASSWD: /usr/bin/sg aembit -c /usr/bin/curl --negotiate --user \: --fail --http1.1 {{ AGENT_CONTROLLER_LOCATION }}/api/v1/attested-document/kerberos
# Obtain a ticket from the host keytab for the substituted principal
# (template). sudo matches the quoted principal as a literal argument, so the
# caller must pass it exactly as written here, quotes included.
# AEMBIT_PRIVILEGED_KEYTAB aembit_agent_proxy ALL=(root:root) NOPASSWD: /usr/bin/sg aembit -c /usr/bin/kinit -k -t /etc/krb5.keytab '{{ SAMACCOUNT_PRINCIPAL }}' # Note the single quotes
# Steering rules update (template). NOTE(review): the trailing `*` is a
# sudoers wildcard, and sudoers matches arguments as one space-delimited
# string, so `*` permits any number of additional arguments, not just one.
# rules.sh therefore runs as root with caller-controlled argv and must
# validate its inputs itself (no unquoted expansion, no shell evaluation).
# AEMBIT_STEERING_ALLOWED_HOSTS aembit_agent_proxy ALL=(root:root) NOPASSWD: {{ AEMBIT_AGENT_PROXY_INSTALL_DIR_SCRIPTS }}/rules.sh update *
# Docker steering (template). env_keep passes the caller's
# AEMBIT_DOCKER_CONTAINER_CIDR value through to every command this user runs
# via sudo, so whichever consumer reads it (presumably rules.sh -- verify)
# must treat it as untrusted input and validate it as a CIDR.
# AEMBIT_STEERING_WITH_DOCKER_CIDR Defaults:aembit_agent_proxy env_keep+=AEMBIT_DOCKER_CONTAINER_CIDR
