Before invoking cbcluster to connect to a minion as a non-root user, the remote user on the minion must have certain assigned privileges:
- SSH access to the minion node.
- Sudo privileges for the commands listed below. The user must be configured to run with NOPASSWD.
For Carbon Black EDR versions 6.2-7.3, add the following entries to your sudoers file to use the cbcluster commands with a non-root user:

```
## Required sudo privileges on minion to run cbcluster add-node
Cmnd_Alias HOSTNAME = /bin/hostname
Cmnd_Alias CB_INIT = /usr/share/cb/cbinit
Cmnd_Alias YUM_INSTALL_CB = /usr/bin/yum install cb-enterprise -y
Cmnd_Alias YUM_INSTALL_RSYNC = /usr/bin/yum install rsync -y
Cmnd_Alias MKDIR_ETC_CB = /bin/mkdir /etc/cb --mode=755
Cmnd_Alias MKDIR_ETC_CB_CERTS = /bin/mkdir /etc/cb/certs --mode=755
Cmnd_Alias COPY_ALLIANCE_CRT = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/carbonblack-alliance-client.crt /etc/cb/certs/carbonblack-alliance-client.crt
Cmnd_Alias COPY_SERVER_CRT = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cb-server.crt /etc/cb/certs/cb-server.crt
Cmnd_Alias COPY_CLIENT_CA_CRT = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cb-client-ca.crt /etc/cb/certs/cb-client-ca.crt
Cmnd_Alias COPY_ALLIANCE_KEY = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/carbonblack-alliance-client.key /etc/cb/certs/carbonblack-alliance-client.key
Cmnd_Alias COPY_SERVER_KEY = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cb-server.key /etc/cb/certs/cb-server.key
Cmnd_Alias COPY_CLIENT_CA_KEY = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cb-client-ca.key /etc/cb/certs/cb-client-ca.key
Cmnd_Alias COPY_CB_REPO = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/CarbonBlack.repo /etc/yum.repos.d/CarbonBlack.repo
Cmnd_Alias COPY_CLUSTER_CONF = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cluster.conf /etc/cb/cluster.conf
Cmnd_Alias COPY_ERLANG_COOKIE = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/.erlang.cookie /var/cb/.erlang.cookie
Cmnd_Alias COPY_SERVER_LIC = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/server.lic /etc/cb/server.lic
Cmnd_Alias COPY_SERVER_TOKEN = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/server.token /etc/cb/server.token
Cmnd_Alias CBCHECK_FIREWALL = /usr/share/cb/cbcheck firewall --apply
Cmnd_Alias CB_ENTERPRISE = /etc/init.d/cb-enterprise
Cmnd_Alias CAT_VERSION = /bin/cat /usr/share/cb/VERSION
Cmnd_Alias CBUPGRADE = /usr/share/cb/cbupgrade --non-interactive
Cmnd_Alias CBUPGRADE_CHECK = /usr/share/cb/cbupgrade --check
my_user ALL=(ALL) NOPASSWD: HOSTNAME, CB_INIT, YUM_INSTALL_CB, YUM_INSTALL_RSYNC, MKDIR_ETC_CB, MKDIR_ETC_CB_CERTS, COPY_ALLIANCE_CRT, COPY_SERVER_CRT, COPY_CLIENT_CA_CRT, COPY_ALLIANCE_KEY, COPY_SERVER_KEY, COPY_CLIENT_CA_KEY, COPY_CB_REPO, COPY_CLUSTER_CONF, COPY_ERLANG_COOKIE, COPY_SERVER_LIC, COPY_SERVER_TOKEN, CBCHECK_FIREWALL, CB_ENTERPRISE, CAT_VERSION, CBUPGRADE, CBUPGRADE_CHECK
```

For Carbon Black EDR versions 7.4+, add the following entries to your sudoers file to use the cbcluster commands with a non-root user:

```
## Sudoers adjustments for restricted EDR cluster environments.
##
Cmnd_Alias HOSTNAME = /bin/hostname
Cmnd_Alias CB_INIT = /usr/share/cb/cbinit
Cmnd_Alias CB_CLUSTER = /usr/share/cb/cbcluster
Cmnd_Alias CB_UPGRADE = /usr/share/cb/cbupgrade
Cmnd_Alias CB_SERVICE = /usr/share/cb/cbservice
Cmnd_Alias YUM_INSTALL_CB = /usr/bin/yum install cb-enterprise -y
Cmnd_Alias YUM_INSTALL_RSYNC = /usr/bin/yum install rsync -y
Cmnd_Alias MKDIR_ETC_CB = /bin/mkdir /etc/cb --mode=755
Cmnd_Alias MKDIR_ETC_CB_CERTS = /bin/mkdir /etc/cb/certs --mode=755
Cmnd_Alias COPY_ALLIANCE_CRT = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/carbonblack-alliance-client.crt /etc/cb/certs/carbonblack-alliance-client.crt
Cmnd_Alias COPY_SERVER_CRT = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cb-server.crt /etc/cb/certs/cb-server.crt
Cmnd_Alias COPY_CLIENT_CA_CRT = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cb-client-ca.crt /etc/cb/certs/cb-client-ca.crt
Cmnd_Alias COPY_ALLIANCE_KEY = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/carbonblack-alliance-client.key /etc/cb/certs/carbonblack-alliance-client.key
Cmnd_Alias COPY_SERVER_KEY = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cb-server.key /etc/cb/certs/cb-server.key
Cmnd_Alias COPY_CLIENT_CA_KEY = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cb-client-ca.key /etc/cb/certs/cb-client-ca.key
Cmnd_Alias COPY_CB_REPO = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/CarbonBlack.repo /etc/yum.repos.d/CarbonBlack.repo
Cmnd_Alias COPY_CLUSTER_CONF = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cluster.conf /etc/cb/cluster.conf
Cmnd_Alias COPY_ERLANG_COOKIE = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/.erlang.cookie /var/cb/.erlang.cookie
Cmnd_Alias COPY_SERVER_LIC = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/server.lic /etc/cb/server.lic
Cmnd_Alias COPY_SERVER_TOKEN = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/server.token /etc/cb/server.token
Cmnd_Alias CBCHECK_IP_TABLES = /usr/share/cb/cbcheck iptables --apply
Cmnd_Alias CB_ENTERPRISE = /etc/init.d/cb-enterprise
Cmnd_Alias CAT_VERSION = /bin/cat /usr/share/cb/VERSION
Cmnd_Alias COPY_REDIS_SERVER_KEY = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cb-redis-server.key /etc/cb/certs/cb-redis-server.key
Cmnd_Alias COPY_REDIS_SERVER_CERT = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cb-redis-server.crt /etc/cb/certs/cb-redis-server.crt
Cmnd_Alias CLUSTER_OPERATIONS = HOSTNAME, CB_INIT, YUM_INSTALL_CB, YUM_INSTALL_RSYNC, MKDIR_ETC_CB, MKDIR_ETC_CB_CERTS, COPY_ALLIANCE_CRT, COPY_SERVER_CRT, COPY_CLIENT_CA_CRT, COPY_ALLIANCE_KEY, COPY_SERVER_KEY, COPY_CLIENT_CA_KEY, COPY_CB_REPO, COPY_CLUSTER_CONF, COPY_ERLANG_COOKIE, COPY_SERVER_LIC, COPY_SERVER_TOKEN, CBCHECK_IP_TABLES, CB_ENTERPRISE, CAT_VERSION, CB_CLUSTER, CB_UPGRADE, CB_SERVICE
my_user ALL=(ALL) NOPASSWD: CLUSTER_OPERATIONS
```

See https://community.carbonblack.com/docs/DOC-5692 for a formatted version of these entries that you can copy and paste into your environment.
If any of the required permissions are not configured, the cbcluster command prompts for the missing permissions during initial validation.
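Because the 7.4+ entries route every grant through the nested CLUSTER_OPERATIONS alias, it is easy to define a Cmnd_Alias and forget to list it, or to leave NOPASSWD off the user line, and only find out when cbcluster stops to prompt. The following script is an added example, not part of the Carbon Black documentation or the cbcluster tool: it parses a sudoers fragment, resolves nested aliases, and reports for one user which required commands are granted with NOPASSWD, which are missing, and any rule that is broader than a pinned command (an ALL grant or a wildcard). The sample sudoers text and the REQUIRED list are constructed, trimmed subsets of the 7.4+ entries above, with CAT_VERSION deliberately left out of CLUSTER_OPERATIONS so the check has something to report.

```python
"""Check a sudoers fragment for the cbcluster non-root privileges.

Added example, not Carbon Black code: parses Cmnd_Alias definitions,
resolves nested aliases (such as CLUSTER_OPERATIONS), and reports for one
user which required commands are granted with NOPASSWD, which are missing,
and any rule that is broader than a pinned command line.
"""
import re
from dataclasses import dataclass

# Constructed sample: a trimmed subset of the 7.4+ entries. CAT_VERSION is
# defined but deliberately left out of CLUSTER_OPERATIONS so the check has
# something to report.
SAMPLE_SUDOERS = """\
## Sudoers adjustments for restricted EDR cluster environments (trimmed sample).
Defaults env_reset
Cmnd_Alias HOSTNAME = /bin/hostname
Cmnd_Alias CB_INIT = /usr/share/cb/cbinit
Cmnd_Alias CB_CLUSTER = /usr/share/cb/cbcluster
Cmnd_Alias CAT_VERSION = /bin/cat /usr/share/cb/VERSION
Cmnd_Alias COPY_CLUSTER_CONF = /usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cluster.conf /etc/cb/cluster.conf
Cmnd_Alias CLUSTER_OPERATIONS = HOSTNAME, CB_INIT, CB_CLUSTER, COPY_CLUSTER_CONF
my_user ALL=(ALL) NOPASSWD: CLUSTER_OPERATIONS
"""

# Commands the sample is checked against (a constructed subset of the page's list).
REQUIRED = [
    "/bin/hostname",
    "/usr/share/cb/cbinit",
    "/usr/share/cb/cbcluster",
    "/bin/cat /usr/share/cb/VERSION",
    "/usr/bin/rsync --remove-source-files --verbose /tmp/.cb_tmp/cluster.conf /etc/cb/cluster.conf",
]

ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
# user  host=(runas) [TAG: ...] command list
USER_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
TAG_RE = re.compile(r"^([A-Z]+):\s*(.*)$")


@dataclass
class Rule:
    user: str
    host: str
    runas: str
    tags: list
    commands: list


def parse_sudoers(text):
    """Return ({alias: [items]}, [Rule]) for the Cmnd_Alias and user-spec lines."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = USER_RE.match(line)
        if m:
            user, host, runas, rest = m.groups()
            tags = []
            while (t := TAG_RE.match(rest)):        # peel off NOPASSWD:, SETENV:, ...
                tags.append(t.group(1))
                rest = t.group(2)
            rules.append(Rule(user, host, runas or "root", tags,
                              [c.strip() for c in rest.split(",")]))
    return aliases, rules


def expand(items, aliases, seen=()):
    """Recursively replace alias names with the commands they stand for."""
    out = []
    for item in items:
        if item in aliases:
            if item in seen:
                raise ValueError(f"alias cycle at {item}")
            out.extend(expand(aliases[item], aliases, seen + (item,)))
        else:
            out.append(item)
    return out


def check_user(text, user, required):
    """Return (missing_commands, findings) for `user` against `required`."""
    aliases, rules = parse_sudoers(text)
    granted, findings = set(), []
    for r in rules:
        if r.user != user:
            continue
        nopasswd = "NOPASSWD" in r.tags
        for cmd in expand(r.commands, aliases):
            if cmd == "ALL":
                findings.append("rule grants ALL commands; pin each command instead")
            elif any(ch in cmd for ch in "*?["):
                findings.append(f"wildcard in command {cmd!r}")
            if nopasswd:
                granted.add(cmd)
            else:
                findings.append(f"{cmd} still prompts for a password; cbcluster needs NOPASSWD")
    missing = [c for c in required if c not in granted and "ALL" not in granted]
    return missing, findings


if __name__ == "__main__":
    missing, findings = check_user(SAMPLE_SUDOERS, "my_user", REQUIRED)
    for c in missing:
        print("MISSING :", c)
    for f in findings:
        print("FINDING :", f)
    if not missing and not findings:
        print("OK: all required commands granted with NOPASSWD")
```

Run against the sample, the script reports `/bin/cat /usr/share/cb/VERSION` as missing and nothing else. To use it on a real minion, read the drop-in file (for example one under /etc/sudoers.d/) into `text` and replace REQUIRED with the full expanded command list for your EDR version; the script only reads text and does not call sudo. It complements, rather than replaces, `visudo -c -f <file>`, which checks sudoers syntax but says nothing about whether the grants are complete or overly broad.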