[CentOS] Wrapper script for shutdown, passwd, etc. commands

Mon Jul 13 14:47:47 UTC 2015
Kwan Lowe <kwan.lowe at gmail.com>

On Mon, Jul 13, 2015 at 10:21 AM, Jonathan Billings <billings at negate.org>
wrote:

> Are you saying that this is an interactive process on the system?  I'd
> suggest you make sure this isn't some sort of email ticket that stores
> a password or emails it.
>

Thanks for the reply.  I'm thinking that the password would only be there
to confirm. It would not be stored but would possibly leverage PAM.


> You could probably use 'sudo' to handle the part of authenticating the
> user, and run a very limited service that queried a secure system for
> approval and initiated the shutdown.
>

sudo was a possibility. However, I want to do this specifically for folks
with root access so sudo's checks won't work.

This is for two reasons:  Audit requirements and as a second check for the
admin. We've had a couple instances recently where the admin did work on
the wrong server. Though I don't see any way to totally lock it down for
someone with root access, I want to make it at least give some sort of
warning.

The other tool I looked at was selinux. Combined with audit it could
possibly work but not all the systems have selinux enabled.