Hi Tom,

> 1) Are you aware of a wrapper, unique shell or similar tool that could provide 
> root level access at a read only level?

What comes to mind is to put the read-only functionality you want in a specific 
program, and then give sudo access to certain people *only* to that program. As 
long as (a big assumption!) that program only does what it's meant to, and 
doesn't have any ways of breaking out into a shell, those people should only be 
able to have root powers as far as the functionality of the program allows them.

> 2) Any recommendations on an open source or commercial enterprise level file 
> integrity checker similar to Tripwire? 

Hum... Tripwire?

> 3) Is it common for security departments to have root level access to all IP 
> devices (network, window, unix, etc)?
>     If your security department has root acces...
> what level of agreement do you have between the various groups (unix, 
> windows, etc) and the security team?

Where I work, the security teams are further broken down into specific 
functionality (antivirus management, access management, network security, 
etc.). But yes, it's common for people who need it (for example, antivirus 
management) to have administrative rights on most machines.

Best regards,
--Diego
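
The approach from the answer to question 1, as an added example that is not part of the original message: a fixed-function wrapper that maps a short allow-list of actions to read-only commands and rejects everything else. The script name and path, the `secaudit` group and the action names are hypothetical.

```shell
#!/bin/sh
# Added example: a read-only wrapper meant to be the ONLY command a group
# may run through sudo. Hypothetical rule in /etc/sudoers.d/ro-audit:
#   %secaudit ALL=(root) /usr/local/sbin/ro-audit
# The script must be root-owned and writable by nobody else, otherwise
# editing the script is the way out into a root shell.

PATH=/usr/bin:/bin; export PATH   # never trust the caller's PATH

# Accept only absolute paths built from a conservative character set and
# containing no ".." sequence. No spaces, quotes, ";" or "$" get through.
ro_path_ok() {
    case "$1" in
        /*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9_./-]*|*..*) return 1 ;;
    esac
    return 0
}

# ro_audit ACTION PATH
# Each action maps to one fixed command line. The caller never supplies a
# command name or options, and "--" stops PATH being parsed as an option.
ro_audit() {
    [ "$#" -eq 2 ] || { echo "usage: ro-audit {stat|list|sum} /abs/path" >&2; return 2; }
    ro_path_ok "$2" || { echo "ro-audit: rejected path" >&2; return 2; }
    case "$1" in
        stat) ls -ld -- "$2" ;;
        list) ls -la -- "$2" ;;
        sum)  cksum -- "$2" ;;
        *)    echo "ro-audit: action not allowed" >&2; return 2 ;;
    esac
}

# As the installed script, the file would end with:  ro_audit "$@"
```

Pagers, editors and anything else with a shell escape are deliberately absent from the action list, which is what keeps the "doesn't break out into a shell" assumption checkable.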


_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
