
Re: AW: AW: two men rule (sudo/su)



"Büschel, Uwe" <Uwe.Bueschel@INTER-FORUM.DE> writes:

> I think remote confirmation is not a must.
> Let me explain, a small example:

> You are person A. Your friend is another admin called B. You have
> another friend in your team called Z. Normal changes at the firewall system
> are made by you and admin B with the four-eye principle. You make a change
> and admin B acknowledges the change.

> Now, admin B is on holiday and a change is made by you, and admin Z now
> does the acknowledgement.

> The same is when you (admin A) are on holiday; then admin B and admin Z
> now make the change at the firewall system.

I would do this via a configuration management infrastructure and code
review.

For example, we use Puppet for our configuration management system.  The
Puppet manifests for all of our systems are stored in a Git repository.
You can put whatever code review process you wish in front of that
repository (personally, I would use Gerrit) and set code review rules
saying that changes can only be merged with two sign-offs.  Then,
requiring that all changes be made through the configuration management
infrastructure (which can be achieved in a few different ways) will get
you this property.

This only works with changes that can be made through the change
management infrastructure, so if you have things that have to be done
through separate UIs, you'll probably have to handle that with policy
rather than technical enforcement.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
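One way to enforce the two-sign-off rule at the Git server itself instead of in Gerrit, as an added example that is not part of Russ's mail or of Puppet: a pre-receive hook that rejects commits to the firewall manifests unless two distinct allow-listed admins (A, B, or stand-in Z) appear in the commit trailers. The admin addresses, the protected branch name and the use of Signed-off-by/Reviewed-by trailers are assumptions for the example.

```python
"""Four-eyes check for a Git pre-receive hook (constructed example).
Each commit pushed to the protected branch must carry Signed-off-by or
Reviewed-by trailers from at least two distinct allow-listed admins.
The admin addresses below are placeholders, not real accounts."""
import re
import subprocess
import sys

# A and B are the regular firewall admins; Z stands in when one is on holiday.
FIREWALL_ADMINS = {"admin-a@example.org", "admin-b@example.org", "admin-z@example.org"}

# Matches "Signed-off-by: Name <email>" and "Reviewed-by: Name <email>" trailers.
TRAILER_RE = re.compile(r"^(Signed-off-by|Reviewed-by):\s*.*<([^>]+)>\s*$", re.IGNORECASE)


def approvers(message: str) -> set[str]:
    """Normalised e-mail addresses of everyone who signed off on or reviewed a commit."""
    found = set()
    for line in message.splitlines():
        m = TRAILER_RE.match(line.strip())
        if m:
            found.add(m.group(2).strip().lower())
    return found


def four_eyes_ok(message: str, admins: set[str] = FIREWALL_ADMINS, required: int = 2) -> bool:
    """True if at least `required` distinct allow-listed admins approved.
    Non-admin trailers are ignored and one person signing twice counts once,
    so a single admin can never satisfy the rule alone."""
    allowed = {a.lower() for a in admins}
    return len(approvers(message) & allowed) >= required


def check_commits(commits: list[tuple[str, str]]) -> list[str]:
    """Ids of the (sha, message) pairs that fail the rule; empty means the push may proceed."""
    return [sha for sha, msg in commits if not four_eyes_ok(msg)]


def main() -> int:
    """pre-receive entry point: reads "<old> <new> <ref>" lines from stdin."""
    bad = []
    for line in sys.stdin:
        old, new, ref = line.split()
        if ref != "refs/heads/master":   # only the branch Puppet deploys from is protected
            continue
        rng = new if set(old) == {"0"} else f"{old}..{new}"   # all-zero old sha means a new branch
        shas = subprocess.check_output(["git", "rev-list", rng], text=True).split()
        bad += check_commits([(s, subprocess.check_output(["git", "show", "-s", "--format=%B", s], text=True)) for s in shas])
    for sha in bad:
        print(f"rejected {sha}: needs sign-off from two distinct firewall admins", file=sys.stderr)
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main())
```

Install it as `hooks/pre-receive` on the central repository; a non-zero exit refuses the whole push, so a change acknowledged only by its own author never reaches the branch Puppet deploys from.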

