Since policy edits are not locally bound to the policy server when using Git policy management, syntactically incorrect policies can enter the Git repository. To address such cases, set an alert from the policy server to warn you if the policy is incorrect.
As an administrator, you can use your own alert script which pmgit tool can call if the policy syntax checking returns an error message after the synchronization between the Git policy repository and the SVN policy repository.
If an alert script is configured, the pmgit tool calls it with 2 parameters:
Sample script
This is a sample script in bash which sends the error message to the user who initiated the last commit.
#!/bin/bash
email_address="$1"
shift
error_msg="$@"
/usr/sbin/sendmail -F "noreply" "${email_address}" <<EOF
subject:pmgit error
Syntax error occured in one of the policy files:
"${error_msg}"
EOF
To set pmgit tool to send alert messages based on your alert script, see pmgit Set.
Error
After a successful Git policy management configuration and automatic update interval setting, Syslog sends the error message:
pmgit: Failed to fetch <Git:_URL>.: Permission denied, please try again. <user>@<host>: Permission denied (publickey,password)
Cause
You have not configured Git for passwordless authentication.
Effect
Automatic synchronization between Git and SVN is not working because pmgit update cannot run in the background due to a password prompt.
Solution
Configure Git to allow Git operations from the policy server towards the remote repository.
Error
After export pmgit sends the error message:
# pmgit export --git-url <Git_URL>
Creating backup from SVN repository ... [ OK ]
Creating directory for local Git repository ... [ OK ]
Cloning SVN ... [ OK ]
Setting Git remote ... [ OK ]
Push Git repository to remote ... [ ERROR ]
To <Git_URL>
! [rejected] <Git_branch> -> <Git_branch> (fetch first)
error: failed to push some refs to '<Git_URL>'
Cause
You tried to export to a Git repository which is not empty.
Effect
You are unable to export the policies to that Git repository.
Solution
Create an empty bare repository.
Example
This is an example for creating an empty bare Git repository from command line.
git init --bare <repo_name>.git
Safeguard for Sudo might reject a sudo command. For example, let us assume you ran the following command:
$ sudo id
and received output similar to the following:
<user> is not in the sudoers file. This incident will be reported.
Request rejected by Safeguard
There are several things you can do to troubleshoot this issue.
To troubleshoot why a sudo command is rejected
Run the following from the policy server:
-
To ensure the user has permission, run the following as a sudo administrator.
# sudo -U <username> -l
-
To check that the policy is located at /etc/opt/quest/qpm4u/policy/sudoers is the current version, run:
# pmpolicy masterstatus
In the output, ensure that Current Revision and Latest Trunk Revision have the same number and Locally modified is No.
-
To ensure the user has permission to run the command, check the /etc/opt/quest/qpm4u/policy/sudoers file and verify the user’s (or group’s) permissions:
# cat /etc/opt/quest/qpm4u/policy/sudoers
-
To verify that the policy server is working properly, enter:
# pmsrvcheck
This command returns output similar to:
testing policy server [ Pass ]
From the command line, enter:
# pmsrvinfo
This command returns output similar to:
Policy Server Configuration:
----------------------------
Safeguard version : 7.3.0 (0nn)
Listening port for pmmasterd daemon : 12345
Comms failover method : random
Comms timeout(in seconds) : 10
Policy type in use : sudo
Group ownership of logs : pmlog
Group ownership of policy repository : pmpolicy
Policy server type : primary
Primary policy server for this group : Myhost1
Group name for this group : Myhost1.example.com
Location of the repository : file:
////var/opt/quest/qpm4u/.qpm4u/.repository/sudo_repos/trunk
Hosts in the group : Myhost1
Related Topics
pmpolicy
pmsrvcheck
pmsrvinfo