Any super user who has access to the Jenkins running on a Linux server can easily disable security authentication from config.xml file; then log in and can also decrypt sensitive passwords from console.
How can an application developer protect Jenkins (or any software) from server administrators where the application is hosted.
Is there any way to monitor changes to a file to protect from super users?
Short answer - you can't. They have access to the console, physical disks, etc.
Long answer: You need to limit access for administrators on those machines, more granular policies, auditing. What this means? You give root access only to admins that sign a NDA, you allow some of them only certain operations on the machine via sudo, you log all access to a remote syslog machine. You limit what is installed. You can audit file access with auditd and auditctl.
On ext4 you can make the file immutable with chattr +i <filename>
Another alternative is to use an OS that is very lean and has only the application and no SSH or console access.
