From 5b2bb65051b16c711ff5b91c86d95ed7ed75ba5b Mon Sep 17 00:00:00 2001
From: Guohan Lu
Date: Fri, 2 Mar 2018 21:38:54 +0000
Subject: [PATCH 1/2] [image]: prevent password related command into syslog
---
 files/image_config/sudoers/sudoers | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/files/image_config/sudoers/sudoers b/files/image_config/sudoers/sudoers
index 317ace3bf99f..99a3404c874f 100644
--- a/files/image_config/sudoers/sudoers
+++ b/files/image_config/sudoers/sudoers
@@ -31,12 +31,17 @@ Cmnd_Alias READ_ONLY_CMDS = /usr/bin/decode-syseeprom, \
 /bin/cat /var/log/syslog, \
 /usr/bin/tail -f /var/log/syslog
+Cmnd_Alias PASSWD_CMD = /usr/bin/config tacacs passkey *, \
+ /usr/sbin/chpasswd *
+
 # User privilege specification
 root ALL=(ALL:ALL) ALL
 # Allow members of group sudo to execute any command
 %sudo ALL=(ALL:ALL) NOPASSWD: ALL
+# Prevent password related command into syslog
+Defaults!PASSWD_CMD !syslog
 # See sudoers(5) for more information on "#include" directives:
From da6ad1308e52240b4a34e2e2b59d1f4e43304879 Mon Sep 17 00:00:00 2001
From: Guohan Lu
Date: Fri, 2 Mar 2018 22:38:07 +0000
Subject: [PATCH 2/2] change to PASSWD_CMDS
---
 files/image_config/sudoers/sudoers | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/files/image_config/sudoers/sudoers b/files/image_config/sudoers/sudoers
index 99a3404c874f..952a2313bad2 100644
--- a/files/image_config/sudoers/sudoers
+++ b/files/image_config/sudoers/sudoers
@@ -31,8 +31,8 @@ Cmnd_Alias READ_ONLY_CMDS = /usr/bin/decode-syseeprom, \
 /bin/cat /var/log/syslog, \
 /usr/bin/tail -f /var/log/syslog
-Cmnd_Alias PASSWD_CMD = /usr/bin/config tacacs passkey *, \
- /usr/sbin/chpasswd *
+Cmnd_Alias PASSWD_CMDS = /usr/bin/config tacacs passkey *, \
+ /usr/sbin/chpasswd *
 # User privilege specification
 root ALL=(ALL:ALL) ALL
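Review bot: The added `Defaults!PASSWD_CMD !syslog` in patch 1/2 (renamed to `PASSWD_CMDS` in 2/2) switches off sudo's syslog record for these commands entirely, so a sudo-run TACACS passkey change or `chpasswd` no longer leaves any audit entry, not only the secret. It also covers sudo's own log only: the passkey is still an argument of `/usr/bin/config tacacs passkey *`, so it stays visible in the process list and to any execve auditing or shell history on the box. I would say so in the comment, e.g. `# sudo logs the full command line; skip syslog for commands whose arguments carry a secret (this also drops their audit record)`, and longer term have the passkey read from stdin or a prompt so logging can stay on. `chpasswd` normally reads its user:password pairs from stdin, so it is worth confirming that its arguments carry anything sensitive before excluding it.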
@@ -41,7 +41,7 @@ root ALL=(ALL:ALL) ALL
 %sudo ALL=(ALL:ALL) NOPASSWD: ALL
 # Prevent password related command into syslog
-Defaults!PASSWD_CMD !syslog
+Defaults!PASSWD_CMDS !syslog
 # See sudoers(5) for more information on "#include" directives: