Re: Wrapper script for shutdown, passwd, etc. commands




On Mon, Jul 13, 2015 at 10:21 AM, Jonathan Billings <billings@xxxxxxxxxx>
wrote:

> Are you saying that this is an interactive process on the system?  I'd
> suggest you make sure this isn't some sort of email ticket that stores
> a password or emails it.
>

Thanks for the reply.  I'm thinking that the password would only be there
to confirm. It would not be stored but would possibly leverage PAM.


> You could probably use 'sudo' to handle the part of authenticating the
> user, and run a very limited service that queried a secure system for
> approval and initiated the shutdown.
>

sudo was a possibility. However, I want to do this specifically for folks
with root access so sudo's checks won't work.

This is for two reasons:  Audit requirements and as a second check for the
admin. We've had a couple instances recently where the admin did work on
the wrong server. Though I don't see any way to totally lock it down for
someone with root access, I want to make it at least give some sort of
warning.

The other tool I looked at was selinux. Combined with audit it could
possibly work but not all the systems have selinux enabled.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
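
A sketch of the kind of wrapper discussed in this message, as an added example that is not code from the thread or from CentOS: it makes the admin type the hostname before a destructive command runs and writes an audit record to syslog either way. The function names, the `REAL_DIR` variable and the `guard` syslog tag are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hostname-confirmation guard for shutdown, passwd, etc.
# REAL_DIR and the "guard" syslog tag are assumed names, not from the thread.
REAL_DIR="${REAL_DIR:-/usr/sbin}"   # assumed location of the real binaries

# confirm_host EXPECTED TYPED: succeeds only if TYPED names this host.
# Compares short hostnames case-insensitively; an empty answer never matches.
confirm_host() {
    expected=$(printf '%s' "${1%%.*}" | tr '[:upper:]' '[:lower:]')
    typed=$(printf '%s' "${2%%.*}" | tr '[:upper:]' '[:lower:]')
    [ -n "$typed" ] && [ "$typed" = "$expected" ]
}

# audit_line RESULT CMD [ARGS...]: build a one-line audit record.
# SUDO_USER keeps the original login visible when root was reached via sudo.
audit_line() {
    result=$1; shift
    printf 'result=%s user=%s sudo_user=%s cmd=%s' \
        "$result" "$(id -un)" "${SUDO_USER:-none}" "$*"
}

# log_attempt RESULT CMD [ARGS...]: send the record to syslog (authpriv).
# A logging failure must not block the admin, so errors are ignored.
log_attempt() {
    logger -p authpriv.notice -t guard "$(audit_line "$@")" 2>/dev/null || true
}

# guard CMD [ARGS...]: prompt, log the outcome, run the real command on match.
guard() {
    cmd=$1; shift
    host=$(uname -n)
    printf 'You are on %s. Type the hostname to run %s: ' "$host" "$cmd" >&2
    IFS= read -r answer || answer=
    if confirm_host "$host" "$answer"; then
        log_attempt allowed "$cmd" "$@"
        "$REAL_DIR/$cmd" "$@"
    else
        log_attempt denied "$cmd" "$@"
        echo "Hostname mismatch, $cmd not run." >&2
        return 1
    fi
}

# Typical use: a script named "shutdown" placed earlier in root's PATH that
# sources this file and calls:  guard shutdown "$@"
```

Root can still call the real binary by its full path, so this works as a warning and audit trail rather than a lock.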


