サポートと今すぐチャット
サポートとのチャット

Privilege Manager for Unix 7.3 - Administration Guide

Introducing Privilege Manager for Unix Planning Deployment Installation and Configuration Upgrade Privilege Manager for Unix System Administration Managing Security Policy The Privilege Manager for Unix Security Policy Advanced Privilege Manager for Unix Configuration Administering Log and Keystroke Files InTrust Plug-in for Privilege Manager for Unix Troubleshooting Privilege Manager for Unix Policy File Components Privilege Manager for Unix Variables
Variable names Variable scope Global input variables Global output variables Global event log variables PM settings variables
Privilege Manager for Unix Flow Control Statements Privilege Manager for Unix Built-in Functions and Procedures
Environment functions Hash table functions Input and output functions LDAP functions LDAP API example List functions Miscellaneous functions Password functions Remote access functions String functions User information functions Authentication Services functions
Privilege Manager for Unix programs Installation Packages

Viewing the security profile changes

To view a summary of the changes you made to your security policy

  1. At the command line, run:

    # pmpolicy log
    ** Validate options            [ OK ] 
    ** Check out working copy  	[ OK ] 
    ** Retrieve revision details   [ OK ] 
    version="3",user="pmpolicy",date=2012-07-11,time=15:43:30,msg="add helpdesk.shellprofile " 
    version="2",user="pmpolicy",date=2012-07-11,time=15:38:21,msg="add shellProfile to helpdesk " 
    version="1",user="pmpolicy",date=2012-07-11,time=15:35:19,msg="First import"
  2. To examine the differences between two versions, run:

    # pmpolicy diff -r1:2
    ** Validate options                                          [ OK ] 
    ** Check out working copy (trunk revision)                   [ OK ] 
    ** Check differences                                         [ OK ] 
    ** Report differences between selected revisions             [ OK ] 
       - Differences were detected between the selected versions 
    Details: 
    Index: profiles/helpdesk.profile 
    =================================================================== 
    --- profiles/helpdesk.profile (revision 1) 
    +++ profiles/helpdesk.profile (revision 2) 
    @@ -18,6 +18,7 @@ 
    enableRemoteCmds = false;   # Should remote cmds be allowed for privilege cmds ? 
                                # - ie should it allow cmds if: submithost != runhost 
                                # 
    +shellProfile = "helpdesk"; 
    authUser = "root";          # runuser to use when running the authCommands 
                                # Set to 1 of the following:

The output shows the helpdesk.profile file from line 18. The line that was added in the change between version 1 and version 2 is marked with a preceding “+”.

Managing policies in Git

The pmgit utility is a tool that can mediate version control operations between Subversion (SVN) and Git version control systems.

The pmgit utility uses the internal SVN policy repository to apply policies to the system, but it also uses an intermediate Git-SVN repository to keep the local SVN policy repository up-to-date from an external Git policy repository. You can manage this Git repository from outside the primary policy server.

The pmgit utility uses the git and git svn tools to perform the required version control operations, so you must install these tools on the Privilege Manager for Unix primary policy server. You can install both git and git svn using the system-specific package manager.

pmgit policy management concept

When you enable Git policy management, pmgit creates a backup from the original SVN policy repository which you can later restore if needed.

You can configure the Git policy management interactively by running the pmgit --interactive command.

There are two major advantages of the Git policy management:

  • You can make changes in policies from anywhere, where the Git policy repository is available without the need to log into the policy server.

  • You can use the "Git-workflow" by separating development and production branches, creating pull requests, having reviews before merge, and so on.

In this mode, you can no longer edit policies on the policy servers (neither primary, nor secondary). The pmpolicy command will reject every request that would make changes in the local SVN policy repository.

Under the hood, Privilege Manager for Unix policy servers still use the original SVN policy repository when updating policies, but the pmgit utility synchronizes the changes from Git to SVN using a local Git clone of the remote Git policy repository. The local copy is created at the following location:

/var/opt/quest/qpm4u/.qpm4u/.repository

Do not edit the local Git clone because it is maintained by the pmgit utility. Any changes made to the local Git clone will be discarded when pmgit synchronizes the changes from the remote Git policy repository.

The Git-SVN synchronization can either be manual or periodic, based on a predefined interval.

Before applying changes to the SVN policy repository, pmgit checks for syntax errors in the updated policy files. If no errors are found, pmgit creates a new SVN commit with the changes on top of the trunk. If a syntax check fails, pmgit logs the error reason via syslog. Optionally, pmgit can run a user-defined script (alert script) to take custom actions.

To enable Git policy management with the default settings, use the following command:

pmgit enable --export --git-url https://github.com/user/example.git

In this example, the Git policy repository at the specified URL must exist and must be an empty bare repository, or Git will reject the operation.

You can optionally configure the following settings:

  • Git branch (Default: master)

  • Update interval (Default: 5 minutes)

  • Alert script (Default: N/A)

Each of the settings are stored in Privilege Manager's main configuration file (pm.settings).

For more information on pmgit subcommands, see pmgit.

Prerequisites for Git policy management

Before using Git policy management, do the following:

  • Install the git tool on the primary policy server using the system-specific package manager.

  • Install the git svn tool on the primary policy server using the system-specific package manager.

  • Configure the git tool for passwordless authentication to allow automatic synchronization between the primary policy server and the remote Git repository.

  • Enable Git policy management mode in the pmgit tool.

Example setup with GitHub

To create a Private repository on GitHub

  1. Log in to Github with a valid account.

  2. Create a new Private repository with a name you want, for example, sas-example:

    You do not need to initialize the repository with a commit (readme/gitignore/license), but feel free to do so if you want.

  3. Check the URL of the repository. Use the repository link for SSH access:

  4. On the primary policy server host, generate a secure enough SSH key that GitHub accepts (it no longer accepts RSA keys):

    root@qpmserver:~> ssh-keygen -t ecdsa
    Generating public/private ecdsa key pair.
    Enter file in which to save the key (/root/.ssh/id_ecdsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_ecdsa.
    Your public key has been saved in /root/.ssh/id_ecdsa.pub.
  5. Optional: This keypair either needs to be at the standard place, or you need to tell SSH or Git which one to use, for example, create a file under ~/.ssh/config:

    Host github.com
        IdentityFile ~/.ssh/id_ecdsa.github
        IdentitiesOnly yes
  6. Add rights for the owner of the key to access your repository. For this, go back to the browser at your repository on GitHub. Open Settings > Security > Deploy keys. Add your public key (/root/.ssh/id_ecdsa.pub). If you want to export your current SVN to this repository, Safeguard for Sudo will need write access, otherwise read only access is enough.

  7. Start pmgit in interactive mode and answer the questions. In this example, we have exported the current policies to our new git repository:

    Select an option
    1) Export the current SVN policy repository to a Git repository.
    2) Import an existing Git policy repository.
    
    Select an option [1-2] (1) 1
    
    > You will export your local SVN policy repository to an empty Git repository.
    
    Git URL is the URL path to your Git project (for example: https://github.com/user/example.git).
    Enter the Git URL (): git@github.com:manner82/s4s-example.git
    
    The name of the Git branch where you store your policies (for example, main).
    Enter the name of the branch (master): main
    
    Local SVN policy repository update interval.
    Enter the update interval in minutes [0-60] (5): 30
    
    You can specify a script that is called automatically if pmgit fails to synchronize your local SVN policy repository.
    This setting is optional, you can leave it empty.
    Enter the script path ():
    
    Are you sure these settings are correct? [Y/n] y
関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択