To view a summary of the changes you made to your security policy
- At the command line, run:
# pmpolicy log
** Validate options [ OK ]
** Check out working copy [ OK ]
** Retrieve revision details [ OK ]
version="3",user="pmpolicy",date=2012-07-11,time=15:43:30,msg="add helpdesk.shellprofile "
version="2",user="pmpolicy",date=2012-07-11,time=15:38:21,msg="add shellProfile to helpdesk "
version="1",user="pmpolicy",date=2012-07-11,time=15:35:19,msg="First import"
- To examine the differences between two versions, run:
# pmpolicy diff -r1:2
** Validate options [ OK ]
** Check out working copy (trunk revision) [ OK ]
** Check differences [ OK ]
** Report differences between selected revisions [ OK ]
- Differences were detected between the selected versions
Details:
Index: profiles/helpdesk.profile
===================================================================
--- profiles/helpdesk.profile (revision 1)
+++ profiles/helpdesk.profile (revision 2)
@@ -18,6 +18,7 @@
enableRemoteCmds = false; # Should remote cmds be allowed for privilege cmds ?
# - ie should it allow cmds if: submithost != runhost
#
+shellProfile = "helpdesk";
authUser = "root"; # runuser to use when running the authCommands
# Set to 1 of the following:
The output shows the helpdesk.profile file from line 18. The line that was added in the change between version 1 and version 2 is marked with a preceding “+”.
The pmgit utility is a tool that can mediate version control operations between Subversion (SVN) and Git version control systems.
The pmgit utility uses the internal SVN policy repository to apply policies to the system, but it also uses an intermediate Git-SVN repository to keep the local SVN policy repository up-to-date from an external Git policy repository. You can manage this Git repository from outside the primary policy server.
The pmgit utility uses the git and git svn tools to perform the required version control operations, so you must install these tools on the Privilege Manager for Unix primary policy server. You can install both git and git svn using the system-specific package manager.
pmgit policy management concept
When you enable Git policy management, pmgit creates a backup from the original SVN policy repository which you can later restore if needed.
You can configure the Git policy management interactively by running the pmgit --interactive command.
There are two major advantages of the Git policy management:
- You can make changes in policies from anywhere, where the Git policy repository is available without the need to log into the policy server.
- You can use the "Git-workflow" by separating development and production branches, creating pull requests, having reviews before merge, and so on.
In this mode, you can no longer edit policies on the policy servers (neither primary, nor secondary). The pmpolicy command will reject every request that would make changes in the local SVN policy repository.
Under the hood, Privilege Manager for Unix policy servers still use the original SVN policy repository when updating policies, but the pmgit utility synchronizes the changes from Git to SVN using a local Git clone of the remote Git policy repository. The local copy is created at the following location:
/var/opt/quest/qpm4u/.qpm4u/.repository
Do not edit the local Git clone because it is maintained by the pmgit utility. Any changes made to the local Git clone will be discarded when pmgit synchronizes the changes from the remote Git policy repository.
The Git-SVN synchronization can either be manual or periodic, based on a predefined interval.
Before applying changes to the SVN policy repository, pmgit checks for syntax errors in the updated policy files. If no errors are found, pmgit creates a new SVN commit with the changes on top of the trunk. If a syntax check fails, pmgit logs the error reason via syslog. Optionally, pmgit can run a user-defined script (alert script) to take custom actions.
To enable Git policy management with the default settings, use the following command:
pmgit enable --export --git-url https://github.com/user/example.git
In this example, the Git policy repository at the specified URL must exist and must be an empty bare repository, or Git will reject the operation.
You can optionally configure the following settings:
- Git branch (Default: master)
- Update interval (Default: 5 minutes)
- Alert script (Default: N/A)
Each of the settings are stored in Privilege Manager's main configuration file (pm.settings).
For more information on pmgit subcommands, see pmgit.
Before using Git policy management, do the following:
-
Install the git tool on the primary policy server using the system-specific package manager.
-
Install the git svn tool on the primary policy server using the system-specific package manager.
-
Configure the git tool for passwordless authentication to allow automatic synchronization between the primary policy server and the remote Git repository.
-
Enable Git policy management mode in the pmgit tool.
To create a Private repository on GitHub
-
Log in to Github with a valid account.
-
Create a new "Private" repository with a name you want, for example, sas-example:
You do not need to initialize the repository with a commit (readme/gitignore/license), but feel free to do so if you want.
-
Check the URL of the repository. Use the repository link for SSH access:
-
On the primary policy server host, generate a secure enough SSH key that GitHub accepts (it no longer accepts RSA keys):
root@qpmserver:~> ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/root/.ssh/id_ecdsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ecdsa.
Your public key has been saved in /root/.ssh/id_ecdsa.pub.
-
Optional: This keypair either needs to be at the standard place, or you need to tell SSH or Git which one to use, for example, create a file under ~/.ssh/config:
Host github.com
IdentityFile ~/.ssh/id_ecdsa.github
IdentitiesOnly yes
-
Add rights for the owner of the key to access your repository. For this, go back to the browser at your repository on GitHub. Open Settings > Security > Deploy keys. Add your public key (/root/.ssh/id_ecdsa.pub). If you want to export your current SVN to this repository, Safeguard for Sudo will need write access, otherwise read only access is enough.
-
Start pmgit in interactive mode and answer the questions. In this example, we have exported the current policies to our new git repository:
Select an option
1) Export the current SVN policy repository to a Git repository.
2) Import an existing Git policy repository.
Select an option [1-2] (1) 1
> You will export your local SVN policy repository to an empty Git repository.
Git URL is the URL path to your Git project (for example: https://github.com/user/example.git).
Enter the Git URL (): git@github.com:manner82/s4s-example.git
The name of the Git branch where you store your policies (for example, main).
Enter the name of the branch (master): main
Local SVN policy repository update interval.
Enter the update interval in minutes [0-60] (5): 30
You can specify a script that is called automatically if pmgit fails to synchronize your local SVN policy repository.
This setting is optional, you can leave it empty.
Enter the script path ():
Are you sure these settings are correct? [Y/n] y
