>> 1) Are you aware of a wrapper, unique shell or similar tool that could provide
>> root level access at a read only level?

I think you could create a non-privileged user and with ACLs provide read access to most if not all things. I think a more interesting question is why you might want to do this. I think it just becomes an issue of trust.

>> 2) Any recommendations on an open source or commercial enterprise
>> level file integrity checker similar to Tripwire?

You can do change detection with CFEngine. I think AIDE is the most popular open source replacement for Tripwire these days. I think it's a good idea to question why you would want to use a separate tool to do this. There is nothing inherently more secure about a security program than one that is designed with security in mind.

>> 3) Is it common for security departments to have root level access to all IP
>> devices (network, Windows, Unix, etc)?

I think this is common when people have a need for that level of access. The question is, do you trust your security department with that level of access? If you don't, should you? I think those are questions you have to answer for yourself, but they are valid questions you should be asking.

> As long as (a big assumption!) that program only does what it's meant to,
> and doesn't have any ways of breaking out into a shell, those people should
> only be able to have root powers

Right, it all boils down to you trusting that something will do what it says it will and only what it says it will. You can start getting fancy with SELinux and limit access further, but at some point it comes down to trusting one layer of security or another. The machines must cooperate in the end, and that's not necessarily something you can enforce; you can only request that they behave.

Sometimes I think about machines like a toddler or a teenager. You can't force a toddler to eat. You can ask them nicely, you can yell at them, you can make them sit at the table for a long period of time, but you can't force them to actually chew the food and swallow it. You can ask your teenager not to drink or make bad decisions, but you can't be there every second puppeting their lives for them. Machines have multiple users and you can't control everything; you just have to accept that they comply out of their own free will. Maybe you can argue that machines don't have free will because they aren't sentient, but I'm sure there are plenty of people who would argue that you have no proof that machines aren't sentient.

-- 
Nick Anderson <n...@cmdln.org>

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
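The reply above points at CFEngine change detection and AIDE as Tripwire replacements and then argues that such a tool is only as trustworthy as any other program. The following is an added example, not code from the list post, CFEngine or AIDE, showing the mechanism all of those tools share: take a baseline of content hashes plus ownership and permission bits, then diff a later scan against it. The file tree, its contents and the tampering steps are constructed inside a temporary directory so the script runs offline; real checkers also record inode, link count, timestamps, extended attributes and SELinux context, which are left out here to keep the output deterministic.

```python
"""Minimal Tripwire/AIDE-style change detection (added example): record a
baseline of file hashes and metadata, then report what differs on a later run."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Attributes recorded per file. mtime is deliberately left out: a rewrite
# that preserves content would otherwise show up as a change.
TRACKED = ("sha256", "mode", "uid", "gid", "size")


def _record(path: Path) -> dict:
    """Hash and metadata for one regular file."""
    st = path.lstat()
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }


def baseline(root: str) -> dict:
    """Walk root and record every regular file, keyed by path relative to root."""
    rootp = Path(root)
    db = {}
    for dirpath, _dirs, files in os.walk(rootp):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # only regular files are hashed in this example
            db[str(p.relative_to(rootp))] = _record(p)
    return db


def compare(old: dict, new: dict) -> dict:
    """Diff two baselines: added/removed paths and, for survivors, which attributes changed."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {}
    for path in sorted(set(old) & set(new)):
        diffs = [k for k in TRACKED if old[path][k] != new[path][k]]
        if diffs:
            changed[path] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed scenario: baseline a fake /etc, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        # Constructed sample files; modes are set explicitly so umask does not matter.
        for name, body, mode in (("etc/passwd", "root:x:0:0::/root:/bin/sh\n", 0o644),
                                 ("etc/hosts", "127.0.0.1 localhost\n", 0o644),
                                 ("etc/shadow", "root:!:0:0:99999:7:::\n", 0o600)):
            p = root / name
            p.write_text(body)
            os.chmod(p, mode)
        before = baseline(tmp)

        # Content change with identical size: the hash catches what size alone misses.
        (root / "etc/hosts").write_text("127.0.0.1 localhos7\n")
        # Permission loosened from 0600 to 0644: a world-readable shadow is drift to flag.
        os.chmod(root / "etc/shadow", 0o644)
        # One file dropped in, one removed.
        (root / "etc/ld.so.preload").write_text("/usr/local/lib/libx.so\n")
        (root / "etc/passwd").unlink()

        after = baseline(tmp)
        return compare(before, after)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The reply's trust point applies directly: this scanner runs as whichever user can read the files, so an attacker with the same privileges can rewrite both the files and the baseline. AIDE and Tripwire mitigate that by keeping the database read-only or off-host, and CFEngine can do the same by pulling the baseline from a policy server; none of that removes the need to trust the layer doing the checking.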