Privilege Manager for Unix 7.2.1 - Administration Guide

Viewing the security profile changes

To view a summary of the changes you made to your security policy

  1. At the command line, run:
    # pmpolicy log
    ** Validate options          [ OK ] 
    ** Check out working copy    [ OK ] 
    ** Retrieve revision details [ OK ] 
    version="3",user="pmpolicy",date=2012-07-11,time=15:43:30,msg="add helpdesk.shellprofile " 
    version="2",user="pmpolicy",date=2012-07-11,time=15:38:21,msg="add shellProfile to helpdesk " 
    version="1",user="pmpolicy",date=2012-07-11,time=15:35:19,msg="First import"
  2. To examine the differences between two versions, run:
    # pmpolicy diff -r1:2
    ** Validate options                                          [ OK ] 
    ** Check out working copy (trunk revision)                   [ OK ] 
    ** Check differences                                         [ OK ] 
    ** Report differences between selected revisions             [ OK ] 
       - Differences were detected between the selected versions 
    Details: 
    Index: profiles/helpdesk.profile 
    =================================================================== 
    --- profiles/helpdesk.profile (revision 1) 
    +++ profiles/helpdesk.profile (revision 2) 
    @@ -18,6 +18,7 @@ 
    enableRemoteCmds = false;   # Should remote cmds be allowed for privilege cmds ? 
                                # - ie should it allow cmds if: submithost != runhost 
                                # 
    +shellProfile = "helpdesk"; 
    authUser = "root";          # runuser to use when running the authCommands 
                                # Set to 1 of the following:

The output shows the hunk of helpdesk.profile that starts at line 18. The line added between version 1 and version 2 is marked with a leading “+”; a line removed would be marked with a leading “-”.
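The following is an added example, not part of the guide or of the product: a POSIX shell script that reads the unified diff printed by pmpolicy diff, lists which policy settings were added or removed, and flags the ones a reviewer should look at before the revision is deployed. The settings named in SENSITIVE are the example's own choice, taken from the helpdesk.profile lines shown above; the sample diff is constructed from that hunk with an invented change to authUser so that a removed line is exercised too.

```shell
#!/bin/sh
# Audit the settings changed between two policy revisions.
# Added example, not part of Privilege Manager for Unix. It parses the
# unified diff that `pmpolicy diff -rN:M` prints and reports each
# "name = value;" line that was added (+) or removed (-).

# Settings whose change should be reviewed before the policy goes live.
# This list is the example's own choice, based on helpdesk.profile.
SENSITIVE='authUser enableRemoteCmds shellProfile'

# Constructed sample: the hunk from the guide plus an invented change to
# authUser, so that a removed (-) line is exercised as well.
SAMPLE_DIFF='Index: profiles/helpdesk.profile
===================================================================
--- profiles/helpdesk.profile (revision 1)
+++ profiles/helpdesk.profile (revision 2)
@@ -18,6 +18,7 @@
 enableRemoteCmds = false;   # Should remote cmds be allowed for privilege cmds ?
                             # - ie should it allow cmds if: submithost != runhost
                             #
+shellProfile = "helpdesk";
-authUser = "root";          # runuser to use when running the authCommands
+authUser = "pmadmin";       # runuser to use when running the authCommands
                             # Set to 1 of the following:'

# Read a unified diff on stdin; print "+name" or "-name" for every
# changed assignment. File headers (---/+++), context lines and lines
# that are only comments are ignored; a trailing "# ..." is stripped
# before the assignment pattern is matched (a "#" inside a quoted value
# would be stripped too, which is acceptable for this audit).
changed_settings() {
    awk '
        substr($0, 1, 4) == "+++ " || substr($0, 1, 4) == "--- " { next }
        /^[+-]/ {
            sign = substr($0, 1, 1)
            line = substr($0, 2)
            sub(/#.*/, "", line)
            if (match(line, /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/)) {
                name = substr(line, RSTART, RLENGTH)
                sub(/^[ \t]*/, "", name)
                sub(/[ \t]*=$/, "", name)
                print sign name
            }
        }'
}

# Print "REVIEW: <change>" for each changed setting listed in SENSITIVE.
# Returns 1 when at least one such change exists, 0 otherwise, so the
# function can gate a deployment step.
flag_sensitive() {
    found=0
    for entry in $(changed_settings); do
        name=${entry#[+-]}
        for s in $SENSITIVE; do
            if [ "$name" = "$s" ]; then
                echo "REVIEW: $entry"
                found=1
            fi
        done
    done
    [ "$found" -eq 0 ]
}

# Stand-alone run on the constructed sample. On a policy server the same
# functions take real output:  pmpolicy diff -r1:2 | flag_sensitive
printf '%s\n' "$SAMPLE_DIFF" | flag_sensitive \
    || echo "sensitive settings changed; review before deploying"
```

Because the script only reads the diff, it can run on a workstation against saved pmpolicy diff output as easily as on the policy server.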

Managing policies in Git

The pmgit utility mediates version control operations between Subversion (SVN) and Git.

The policy servers still apply policies from the internal SVN policy repository; pmgit adds an intermediate Git-SVN repository that keeps the local SVN policy repository up to date with an external Git policy repository. You can manage that Git repository from outside the primary policy server.

pmgit relies on the git and git svn tools to perform the required version control operations, so both must be installed on the Privilege Manager for Unix primary policy server. The system-specific package manager provides them.

pmgit policy management concept

When you enable Git policy management, pmgit creates a backup of the original SVN policy repository, which you can restore later if needed.

You can configure Git policy management interactively by running the pmgit --interactive command.

Git policy management has two major advantages:

  • You can change policies from anywhere the Git policy repository is reachable, without logging in to the policy server.
  • You can use a Git workflow: separate development and production branches, pull requests, mandatory review before merging, and so on.

In this mode, you can no longer edit policies on the policy servers (neither primary nor secondary). The pmpolicy command rejects every request that would change the local SVN policy repository.

Under the hood, Privilege Manager for Unix policy servers still use the original SVN policy repository when updating policies, but the pmgit utility synchronizes the changes from Git to SVN using a local Git clone of the remote Git policy repository. The local copy is created at the following location:

/var/opt/quest/qpm4u/.qpm4u/.repository

Do not edit the local Git clone because it is maintained by the pmgit utility. Any changes made to the local Git clone will be discarded when pmgit synchronizes the changes from the remote Git policy repository.

Git-to-SVN synchronization is either manual or periodic, at a configured interval.

Before applying changes to the SVN policy repository, pmgit checks the updated policy files for syntax errors. If none are found, pmgit creates a new SVN commit with the changes on top of trunk. If the syntax check fails, pmgit logs the reason via syslog and, optionally, runs a user-defined script (the alert script) to take custom actions. Because no commit is made when the check fails, the policy servers keep enforcing the last revision that passed the check until the Git repository is fixed.

To enable Git policy management with the default settings, use the following command:

pmgit enable --export --git-url https://github.com/user/example.git

In this example, the Git policy repository at the specified URL must exist and must be an empty bare repository, or Git will reject the operation.

You can optionally configure the following settings:

  • Git branch (Default: master)
  • Update interval (Default: 5 minutes)
  • Alert script (Default: N/A)

Each of these settings is stored in Privilege Manager's main configuration file (pm.settings).

For more information on pmgit subcommands, see pmgit.
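The following alert script is an added example, not part of the guide or of the product. It addresses a consequence of periodic synchronization: a policy commit that fails the syntax check would otherwise fire the alert script on every cycle (every 5 minutes by default), so the script records each alert and repeats an alert for the same reason only after a suppression window. It assumes that pmgit passes the failure reason as the script's first argument; confirm the real calling convention in the pmgit reference before installing it. The PMGIT_ALERT_STATE and PMGIT_ALERT_SUPPRESS environment variables, the state directory and the log file name are this example's own.

```shell
#!/bin/sh
# Alert script for pmgit syntax-check failures, with alert de-duplication.
# Added example, not part of Privilege Manager for Unix.
# ASSUMPTION: pmgit invokes the configured alert script with the failure
# reason as its first argument. Confirm the real calling convention in
# the pmgit reference before installing this.
#
# Synchronization can run periodically (every 5 minutes by default), so a
# policy commit that fails the syntax check would otherwise raise an alert
# on every cycle. Alerts are recorded in STATE_DIR and repeated for the
# same reason only after SUPPRESS_SECS have elapsed.

STATE_DIR=${PMGIT_ALERT_STATE:-${TMPDIR:-/tmp}/pmgit-alert}  # example location
SUPPRESS_SECS=${PMGIT_ALERT_SUPPRESS:-3600}                  # example default

# Stable file-name key for a reason string (cksum is POSIX; md5sum is not).
reason_key() {
    printf '%s' "$1" | cksum | awk '{ print $1 }'
}

# should_alert REASON NOW: print "send" if no alert for REASON was sent in
# the SUPPRESS_SECS seconds before NOW (epoch seconds), else "suppressed".
# Records NOW when it answers "send".
should_alert() {
    reason=$1
    now=$2
    mkdir -p "$STATE_DIR"
    stamp="$STATE_DIR/$(reason_key "$reason").last"
    if [ -f "$stamp" ]; then
        last=$(cat "$stamp")
        if [ $((now - last)) -lt "$SUPPRESS_SECS" ]; then
            echo suppressed
            return 0
        fi
    fi
    printf '%s\n' "$now" > "$stamp"
    echo send
}

# send_alert REASON: append to the alert log and, where logger exists,
# also raise a syslog message at auth.err so the SIEM sees it next to
# pmgit's own syslog entry.
send_alert() {
    reason=$1
    mkdir -p "$STATE_DIR"
    printf '%s pmgit-alert: policy sync blocked: %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$reason" >> "$STATE_DIR/alerts.log"
    if command -v logger >/dev/null 2>&1; then
        logger -t pmgit-alert -p auth.err "policy sync blocked: $reason" || true
    fi
}

main() {
    reason=${1:-"unknown failure"}
    case $(should_alert "$reason" "$(date +%s)") in
        send) send_alert "$reason" ;;
    esac
}

main "$@"
```

Install the script at the path you give pmgit as the alert script setting, and make sure the account pmgit runs as can write to STATE_DIR; the suppression window should be longer than the update interval, or it has no effect.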

Prerequisites for Git policy management

Before using Git policy management, do the following:

  • Install the git tool on the primary policy server using the system-specific package manager.

  • Install the git svn tool on the primary policy server using the system-specific package manager.

  • Configure git for non-interactive (passwordless) authentication to the remote Git repository, for example with an SSH key or a credential helper available to the account pmgit runs as, so that synchronization between the primary policy server and the remote repository can run unattended.

  • Enable Git policy management mode in the pmgit tool.

The Privilege Manager for Unix Security Policy

Privilege Manager for Unix uses a feature-rich, high-level scripting language for its security policy. This is also known as the pmpolicy or legacy-type security policy. As an alternative to learning the policy scripting language and developing a security policy from scratch, the default configuration installs a ready-to-use profile-based security policy and a number of pre-defined profiles.

This section examines the profile-based policy and provides specific examples of how to modify the profiles and add custom code to adapt the policy to your needs.