Update sudo config recommendation (influxdata#5337)

Author: vignemail1

plugins/inputs/fail2ban/README.md

@@ -10,15 +10,24 @@ Acquiring the required permissions can be done using several methods:
 
 ### Using sudo
 
-You may edit your sudo configuration with the following:
+You will need the following in your telegraf config:
+```toml
+[[inputs.fail2ban]]
+  use_sudo = true
+```
 
-``` sudo
-telegraf ALL=(root) NOEXEC: NOPASSWD: /usr/bin/fail2ban-client status, /usr/bin/fail2ban-client status *
+You will also need to update your sudoers file:
+```bash
+$ visudo
+# Add the following line:
+Cmnd_Alias FAIL2BAN = /usr/bin/fail2ban-client status, /usr/bin/fail2ban-client status *
+telegraf  ALL=(root) NOEXEC: NOPASSWD: FAIL2BAN
+Defaults!FAIL2BAN !logfile, !syslog, !pam_session
 ```
 
 ### Configuration:
 
-``` toml
+```toml
 # Read metrics from fail2ban.
 [[inputs.fail2ban]]
   ## Use sudo to run fail2ban-client

plugins/inputs/ipset/README.md

@@ -25,10 +25,19 @@ AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
 
 ### Using sudo
 
-You may edit your sudo configuration with the following:
+You will need the following in your telegraf config:
+```toml
+[[inputs.ipset]]
+  use_sudo = true
+```
 
-```sudo
-telegraf ALL=(root) NOPASSWD: /sbin/ipset save
+You will also need to update your sudoers file:
+```bash
+$ visudo
+# Add the following line:
+Cmnd_Alias IPSETSAVE = /sbin/ipset save
+telegraf  ALL=(root) NOPASSWD: IPSETSAVE
+Defaults!IPSETSAVE !logfile, !syslog, !pam_session
 ```
 
 ### Configuration

plugins/inputs/iptables/README.md

@@ -28,10 +28,20 @@ Since telegraf will fork a process to run iptables, `AmbientCapabilities` is req
 
 ### Using sudo
 
-You may edit your sudo configuration with the following:
+You will need the following in your telegraf config:
+```toml
+[[inputs.iptables]]
+  use_sudo = true
+```
+
+You will also need to update your sudoers file:
 
-```sudo
-telegraf ALL=(root) NOPASSWD: /usr/bin/iptables -nvL *
+```bash
+$ visudo
+# Add the following line:
+Cmnd_Alias IPTABLESSHOW = /usr/bin/iptables -nvL *
+telegraf  ALL=(root) NOPASSWD: IPTABLESSHOW
+Defaults!IPTABLESSHOW !logfile, !syslog, !pam_session
 ```
 
 ### Using IPtables lock feature

plugins/inputs/opensmtpd/README.md

@@ -86,7 +86,9 @@ You will also need to update your sudoers file:
 ```bash
 $ visudo
 # Add the following line:
-telegraf ALL=(ALL) NOPASSWD: /usr/sbin/smtpctl
+Cmnd_Alias SMTPCTL = /usr/sbin/smtpctl
+telegraf  ALL=(ALL) NOPASSWD: SMTPCTL
+Defaults!SMTPCTL !logfile, !syslog, !pam_session
 ```
 
 Please use the solution you see as most appropriate.

plugins/inputs/smart/README.md

@@ -61,6 +61,27 @@ smartctl -s on <device>
   # devices = [ "/dev/ada0 -d atacam" ]
 ```
 
+### Permissions:
+
+It's important to note that this plugin references smartctl, which may require additional permissions to execute successfully.
+Depending on the user/group permissions of the telegraf user executing this plugin, you may need to  use sudo.
+
+
+You will need the following in your telegraf config:
+```toml
+[[inputs.smart]]
+  use_sudo = true
+```
+
+You will also need to update your sudoers file:
+```bash
+$ visudo
+# Add the following line:
+Cmnd_Alias SMARTCTL = /usr/bin/smartctl
+telegraf  ALL=(ALL) NOPASSWD: SMARTCTL
+Defaults!SMARTCTL !logfile, !syslog, !pam_session
+```
+
 ### Metrics:
 
 - smart_device:

plugins/inputs/unbound/README.md

@@ -56,7 +56,9 @@ You will also need to update your sudoers file:
 ```bash
 $ visudo
 # Add the following line:
-telegraf ALL=(ALL) NOPASSWD: /usr/sbin/unbound-control
+Cmnd_Alias UNBOUNDCTL = /usr/sbin/unbound-control
+telegraf  ALL=(ALL) NOPASSWD: UNBOUNDCTL
+Defaults!UNBOUNDCTL !logfile, !syslog, !pam_session
 ```
 
 Please use the solution you see as most appropriate.

plugins/inputs/varnish/README.md

@@ -391,7 +391,9 @@ You will also need to update your sudoers file:
 ```bash
 $ visudo
 # Add the following line:
-telegraf ALL=(ALL) NOPASSWD: /usr/bin/varnishstat
+Cmnd_Alias VARNISHSTAT = /usr/bin/varnishstat
+telegraf  ALL=(ALL) NOPASSWD: VARNISHSTAT
+Defaults!VARNISHSTAT !logfile, !syslog, !pam_session
 ```
 
 Please use the solution you see as most appropriate.