How to protect Jenkins from super users?

bsd-boo

3/3/24, 3:33 PM

Any super user who has access to the Jenkins running on a Linux server can easily disable security authentication from config.xml file; then log in and can also decrypt sensitive passwords from console.

How can an application developer protect Jenkins (or any software) from server administrators where the application is hosted.

Is there any way to monitor changes to a file to protect from super users?

1 + 0

security

linux

unix

encryption

jenkins

Score:0

Server

Mircea Vutcovici

3/3/24, 4:17 PM

Short answer - you can't. They have access to the console, physical disks, etc.

Long answer: You need to limit access for administrators on those machines, more granular policies, auditing. What this means? You give root access only to admins that sign a NDA, you allow some of them only certain operations on the machine via sudo, you log all access to a remote syslog machine. You limit what is installed. You can audit file access with auditd and auditctl. On ext4 you can make the file immutable with chattr +i <filename>

Another alternative is to use an OS that is very lean and has only the application and no SSH or console access.

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How to protect Jenkins from super users?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.