Is there a way to block specific sudo commands from being ran? Two specific commands that I have in mind are:
sudo jamf removeFramework or sudo /usr/local/jamf/bin/jamf removeFramework
sudo -s
We don't want users with admin rights to be able to remove the Jamf framework, and we don't want them to be able to elevate their Terminal session to root. We use CyberArk EPM to allow non-admin users to run sudo commands that they need to run as part of their jobs. I recently discovered that non-admin users can run both of these commands with CyberArk installed. Both are very dangerous. We want to be able to allow legitimate admins to be able to run these commands. I sometimes have to run removeFramework to clear out issues with the Jamf agent or Jamf keychain issues. I also frequently elevate terminal sessions to root to be able to view the contents of certain directories where a normal sudo command won't do it. We just want our regular users to not be allowed to run these commands. I can't think of a way for Jamf Pro to restrict the commands. CyberArk seems to allow ALL sudo commands which is dumber than a bag of hammers 😳 It seems to be a total waste of money. It actually makes our Macs LESS secure.