debian-cis/cisharden.sudoers

Cmnd_Alias SCL_CMD =    /bin/grep ,\
                        /bin/zgrep,\
                        /bin/cat,\
                        /usr/bin/stat,\
                        /usr/bin/getent,\
                        /usr/bin/[,\
                        /usr/bin/test,\
                        /bin/ls,\
                        /usr/bin/find,\
                        ! /usr/bin/find *-exec*, \
                        ! /usr/bin/find *-delete*,\
                        /usr/bin/apt-get update -y,\
                        /usr/bin/apt-get upgrade -s,\
                        /usr/bin/cut,\
                        /sbin/iptables -nL,\
                        /sbin/iptables -nL *,\
                        /sbin/iptables -S *,\
                        /sbin/sysctl net.*,\
                        /sbin/sysctl fs.*,\
                        /sbin/sysctl kernel.*,\
                        /sbin/sysctl -a,\
                        /bin/dmesg "",\
                        /bin/netstat,\
                        /usr/sbin/lsmod,\
                        /sbin/lsmod,\
                        /sbin/modprobe,\
                        /usr/sbin/modprobe -n -v*,\
                        /usr/sbin/apparmor_status,\
                        /usr/bin/ss *,\
                        /bin/ss *,\
                        /usr/bin/pgrep *,\
                        /usr/sbin/nft list *,\
                        /usr/sbin/ufw status *

cisharden ALL = (root) NOPASSWD: SCL_CMD