help-cfengine

RE: change control via CVS tags


From: Moore, Joe
Subject: RE: change control via CVS tags
Date: Fri, 14 Oct 2005 08:37:28 -0700

> Jeremy Mates
> * Martin, Jason H <jason.h.martin@cingular.com>
> > Along the same lines, has anyone implemented a system such that there
> > is no one person capable of pushing out changes? I'm talking about a
> > system analogous to the nuclear missile keys that require 2 people to
> > agree to launch.
>
> One approach would be to store all the configuration under CVS, then use
> a taginfo script to restrict who can apply tags to a file[1]. This way,
> anyone with CVS rights could commit files, but only certain people would
> have tag rights. CFEngine would then pull from CVS only files with a
> certain tag set[2].
>
> Some extra logic in the taginfo script might ensure the same person
> could not both commit and tag the file, though I have not looked at how
> hard this would be. Linking all this to an approval ticket system for
> SOX compliance would be even more fun...
>

If you've never worked with CVS taginfo scripts, an example (which
implements a simple logic check) is at
http://cfwiki.org/cfwiki/index.php/Using_Cfengine_with_CVS

Ultimately, though, no level of technology will solve the policy problem
of a malicious root user.  At some level, you have to trust your
sysadmins.

--Joe
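
The two-person check discussed in this thread, as an added example that is not part of the original message and is not the cfwiki script: a taginfo hook that lets only listed approvers set the release tag and refuses when the tagger is also the committer of the revision. The tag name `PRODUCTION`, the approver accounts, the script name, and the CVS 1.11-style argument order are assumptions; `rlog` must be on the server's PATH.

```shell
#!/bin/sh
# Two-person rule for a CVS release tag (added example; names are hypothetical).
# Assumed line in CVSROOT/taginfo:  ALL /path/to/taginfo-twoperson
# Assumed CVS 1.11 call: tagname operation repository-dir [file revision]...

RELEASE_TAG="PRODUCTION"   # hypothetical tag that cfengine pulls from CVS
APPROVERS="alice bob"      # hypothetical accounts allowed to set that tag

# Read `rlog -rREV file,v` output on stdin, print the revision's author.
rev_author() {
    sed -n 's/^date: .*;  *author: \([^;]*\);.*/\1/p' | head -n 1
}

# decide TAGGER TAG AUTHOR: return 0 to allow, 1 to refuse (reason on stderr).
decide() {
    tagger=$1 tag=$2 author=$3
    [ "$tag" = "$RELEASE_TAG" ] || return 0   # other tags are unrestricted
    case " $APPROVERS " in
        *" $tagger "*) ;;
        *) echo "$tagger may not set $tag" >&2; return 1 ;;
    esac
    if [ -z "$author" ]; then                 # fail closed on unknown author
        echo "cannot determine committer" >&2; return 1
    fi
    if [ "$author" = "$tagger" ]; then
        echo "$tagger committed this revision; someone else must tag it" >&2
        return 1
    fi
    return 0
}

main() {
    tag=$1 op=$2 repo=$3; shift 3             # add, mov and del are treated alike
    who=${CVS_USER:-${LOGNAME:-$USER}}        # pserver login, else the OS account
    while [ $# -ge 2 ]; do
        file=$1 rev=$2; shift 2
        rcs="$repo/$file,v"; [ -f "$rcs" ] || rcs="$repo/Attic/$file,v"
        author=$(rlog -r"$rev" "$rcs" 2>/dev/null | rev_author)
        decide "$who" "$tag" "$author" || exit 1   # non-zero exit aborts the tag
    done
}

# Run only when CVS supplies the taginfo arguments.
if [ $# -ge 3 ]; then main "$@"; fi
```

The author is taken from the first matching `date:` line of rlog's text output, and the RCS description field, which the file's creator writes, is printed before the revision entries, so a hardened version should reject descriptions containing such a line. As the message notes, the hook does not constrain anyone who can write to the repository directly.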
