On Mon, Jul 13, 2015 at 10:21 AM, Jonathan Billings <billings at negate.org> wrote:

> Are you saying that this is an interactive process on the system? I'd
> suggest you make sure this isn't some sort of email ticket that stores
> a password or emails it.

Thanks for the reply. I'm thinking that the password would only be there to confirm. It would not be stored but would possibly leverage PAM.

> You could probably use 'sudo' to handle the part of authenticating the
> user, and run a very limited service that queried a secure system for
> approval and initiated the shutdown.

sudo was a possibility. However, I want to do this specifically for folks with root access, so sudo's checks won't work. This is for two reasons: audit requirements and as a second check for the admin. We've had a couple of instances recently where the admin did work on the wrong server. Though I don't see any way to totally lock it down for someone with root access, I want to make it at least give some sort of warning.

The other tool I looked at was selinux. Combined with audit it could possibly work, but not all the systems have selinux enabled.