
WANdisco Security Agent Administration Guide

Table of Contents

1. Introduction
   1.1. Definitions
   1.2. Pre-requisites
2. Understanding the deployment architecture
3. Installation
   3.1. Requirements
   3.2. Installing the bits
4. Setup
   4.1. Silent install option
5. Running
6. Web Administration
7. License Management
8. Setup Secure Access to CVS
   8.1. Using SSH with WANdisco Security Agent
9. Direct SSH Method
   9.1. Authentication with cvsrelay
   9.2. Configure cvsrelay
        9.2.1. Using setup or install-cvsrelay
        9.2.2. Manual configuration
   9.3. Troubleshooting
10. SSH Tunneling Method
11. Access Control, Authorization and Auditing with WANdisco Security Agent
12. Group Management
   12.1. How to create new Roles or Groups
        12.1.1. Sub-Group Assignment
   12.2. How to delete Roles or Groups
   12.3. Add or Remove Users from a Group
   12.4. Group membership
   12.5. How to find the files and directories accessible by a Group
13. User Management
   13.1. Creating or removing users
        13.1.1. Sub-Group Assignment
   13.2. List and Search Users
   13.3. Bulk import/export users
14. ACL (Access Control List) Management
   14.1. Privileges required for executing a CVS command
   14.2. Access Control Rules Setup
   14.3. ACL Enforcement
   14.4. ACL Examples
        14.4.1. List Only Access
        14.4.2. Deny rule on a file
        14.4.3. Read Only Access
        14.4.4. Using Sub-Groups
   14.5. Configuring Access Control Properties
15. External Authentication database Integration
   15.1. CVS properties
   15.2. LDAP Properties
   15.3. NIS Properties
16. Audit Trail Management
   16.1. Configuring Audit properties
   16.2. Importing to a SQL Database
17. Audit Reports
   17.1. Installation
   17.2. Running a Report
   17.3. Report Types
        17.3.1. Transaction History Report
        17.3.2. User Modification Report
        17.3.3. Group Modification Report
        17.3.4. ACL Modification Report
        17.3.5. File Report
        17.3.6. User Report
        17.3.7. Access Violation Report


Version 3.0.1

Nov/2006


1. Introduction

WANdisco Security Agent provides security services for a Software Configuration Management (SCM) repository such as CVS or Subversion. It allows an SCM user to transparently connect to the SCM repository via a network proxy that acts as a security agent. The SCM user connects to the Security Agent on the standard SCM port (configurable), such as 2401 for CVS, 3690 for Subversion or 80 for Subversion-HTTP. The Security Agent in turn connects to the underlying SCM repository server.

In this administration guide, you will learn how to set up WANdisco Security Agent.

1.1. Definitions

SCM Repository
    A Software Configuration Management repository like CVS or Subversion.

SCM Server
    A network server that provides remote access to an SCM Repository.

Security Agent
    The intermediary that acts as an application proxy or gateway between the SCM client and the SCM server. Each Security Agent has an associated SCM Repository. This agent is responsible for enforcing the security policies and role-based access control (RBAC) set up by the administrator.

Security_Agent_root directory
    The base directory under which WANdisco Security Agent is installed.

GUID
    Globally Unique Identifier. WANdisco Security Agent uses 16-byte DCE UUIDs.

1.2. Pre-requisites

This guide is intended for an SCM administrator or a user who is reasonably comfortable with:

• Setting up a CVS or Subversion repository
• Configuring the inetd/xinetd service on Unix, Cygwin or Windows platforms
• Installing Perl and required Perl modules
• Installing an Apache 2.0+ server if using the Subversion/HTTP protocol
• Installing Java
• Unix or Windows system administration
• Reading the WANdisco Security Agent administration guide cover-to-cover

If you don't meet the above pre-requisites you may want to contact your SCM administrator.


2. Understanding the deployment architecture

The diagram below illustrates a typical deployment architecture for a CVS backend. A similar deployment architecture applies to Subversion or Subversion-HTTP. As you can see in the diagram below, the Security Agent acts as the front-end for the SCM clients.

As shown in the above diagram, the WANdisco Security Agent uses a configurable control port (defaults to 6444) for web-based management. It can listen on a configurable SCM port to allow SCM clients to connect transparently.

Here is an explanation of various TCP ports used in the above deployment:

Port 2401 (Security Agent Proxy)
    Used by CVS clients for normal CVS request processing. The Security Agent simply relays data between the SCM clients and the SCM repository.

Port 6444 (Security Agent Http)
    Http port, used by the administrator for Web management.

Port 2402 (CVS Server)
    The CVS server listens on this port for normal CVS requests. The CVS server is configured to allow only the Security Agent to connect to this port. This ensures the Security Agent is not bypassed accidentally.


3. Installation

3.1. Requirements

Before running the WANdisco Security Agent, please ensure:

• On Windows, everything is installed on paths with no spaces in the names. For example, on the Windows platforms, the default installation path for Java looks like C:/Program Files/java/jdk1.5.0_03. Choose an alternate installation directory, for example C:/java, with no spaces in the path.

• You have copied a valid license.key file into Security_Agent_root/config. Depending upon your license, certain features may be disabled. This document will highlight any features that require a Professional Edition license. In particular, audit reporting requires a Professional Edition license.

• A local SCM repository has been initialized.

• JDK/J2SE 1.5.0_03 or greater is installed, and the JAVA_HOME environment variable is defined.

  ♦ Please ensure the full JDK is installed, not just the JRE. This can be confirmed by running java -server -version. If it generates a "not found" error, uninstall the JRE Java package and reinstall the JDK Java package.

• On UNIX and Cygwin platforms, Perl version 5.6 or greater is installed and the perl executable is on the system PATH.

  ♦ The optional logtimefix script requires the Perl package Date::Manip. To install a Perl package on UNIX or Cygwin using CPAN (ensure you are logged into the root account first), for example:

        $ perl -MCPAN -eshell
        cpan> install Term::ReadKey

• On the Windows platform, ActivePerl version 5.8 or greater is installed and the perl executable is on the system PATH. Please download the MSI installer for ActivePerl from here: [http://activestate.com/Products/Download/Download.plex?id=ActivePerl]

  ♦ The optional logtimefix script requires the Perl package Date::Manip. To install a Perl package on Windows using the ActivePerl package manager, for example:

        c:\>ppm
        ...
        ppm>install DateManip

  ♦ The importauditdb script requires the Perl package Perl::DBI. The XML::Parser package is also required; it should be bundled as a standard module on a Perl 5.8 installation.

Please read the latest deployment checklist in our Knowledgebase on our support web site at [http://support.wandisco.com]

3.2. Installing the bits

Untar or unzip (using WinZip, for example, on Windows) the WANdisco Security Agent package (a tar.gz file) into the intended subdirectory. You should see the following directory structure:

    $ cd Security_Agent_root
    $ ls
    config lib logs bin docs


bin
    Contains scripts such as cvssecurityagent and shutdown.

config
    Contains the Security_Agent_root/config/prefs.xml file used to configure the WANdisco Security Agent.

lib
    Contains the jar files and DLLs that are required to run the product.

docs
    Contains the administration guide in various formats: PDF, HTML and UNIX man page.

logs
    Contains the pid file, log files and other temporary files. WANdisco Security Agent's log file is named ProxyServer-prefs.log.0.


4. Setup

If the installation requirements as specified in the previous section have been met, the express setup should take 20 minutes or less to get a basic WANdisco Security Agent environment configured.

The express setup option can be used to quickly create the prefs.xml configuration file used by WANdisco Security Agent. This is accomplished by running the bundled program Security_Agent_root/bin/setup. The text-console-based UI will guide you through the basic configuration options.

At the end of the setup program, you will have created a prefs.xml file for the Security Agent.

We will now walk you, step by step, through the setup screens for the Security Agent.

The setup screens below presume a CVS deployment, but they are applicable (with different default ports) to Subversion or Subversion-HTTP deployments as well.

1. Start the setup program:

        $ Security_Agent_root/bin/setup

2. Specify the Ethernet MAC address of the machine where WANdisco Security Agent will run.

        Setting up CVS Security Agent instance ....
        ______________________________________

        Now you will specify the Ethernet MAC address of the host on which CVS Security Agent would be running. It is required that you specify a unique MAC address for each host on which CVS Security Agent would be running. The MAC address on UNIX can be obtained via "ifconfig" command and on Windows via "ipconfig /all" command. The MAC Address looks like this - 00-02-A5-C1-7A-2F (Windows) or 00:02:A5:C1:7A:2F (UNIX). If you don't have all the MAC addresses handy, now would be a good time to get them before proceeding further.

        Enter the MAC Address :

3. Specify the Security Agent host and port. This is the host and port that will be accessed by the SCM (for instance CVS or Subversion) clients.

        Setting up CVS Security Agent instance .... #1
        ______________________________________

        Now you will specify the host:port used by cvs clients to connect with the CVS Security Agent. Setting the port to 2401, would be the most transparent option from the cvs client perspective. Note you can NOT specify 0.0.0.0 or localhost as the the host on which CVS Security Agent would be running. The hostname needs to be the DNS hostname or the valid IP address to which remote cvs clients as well as remote cvs CVS Security Agents can connect.

        For example, let us say on a subnet 192.168.1 in Tokyo, the LAN address of CVS Security Agent machine is 192.168.1.29 and the external WAN address is 203.23.12.129 (DNS hostname is tokyo.cvsrus.org). The CVS Security Agent address should be specified as 203.23.12.129 or tokyo.cvsrus.org and NOT 192.168.1.29.

        Enter the hostname or IP address of the CVS Security Agent#1 : pi
        You specified pi, is this correct?[Y|N] [Y] :
        Enter the TCP port for the CVS Security Agent#1 [2401] :

4. Specify the port used by the WANdisco Security Agent for Web Administration. You can also specify a nice name for the Security Agent node. This will be used in the Web console to denote the Security Agent node instead of the default host:port name.

        Setting up CVS Security Agent instance .... #1
        ______________________________________

        Now you will specify the DConeNet port used by the CVS Security Agent to communicate with other nodes. This is not visible to cvs clients but used for actual data transfer between the nodes and/or Failover-Agents. It also serves as the Http port for web administration.

        Enter the TCP port for DConeNet [6444] :
        You specified 6444, is this correct?[Y|N] [Y] :
        Enter a nice name for the node, for e.g "Tokyo Site" [pi:6444] :

5. Specify the cvs pserver host and port used by the WANdisco Security Agent to communicate with the backend CVS repository. After entering this information, the setup program will generate a GUID for the WANdisco Security Agent being configured.

        Setting up CVS Security Agent instance .... #1
        ______________________________________

        Now you will specify the cvspserver host:port used by cvs repository. This is typically specified in the /etc/services or inetd file on UNIX. For CVSNT on Windows, consult the CVSNT documentation.

        It is recommended you change the default cvspserver port to something other than 2401 to avoid operational errors. If cvspserver is allowed to ONLY run on localhost, do NOT specify a remote hostname or IP address then just specify localhost.

        The default is localhost which means the CVS Security Agent and cvspserver are running on the same host. If that is not the case, please change it.

        Enter the cvspserver hostname [localhost] :

6. Choose the CVS server type corresponding to the backend CVS repository. If the CVS server is using the CVSNT variant, choose 2, for example, in the dialog below.

        CVS Server Type Selection
        -------------------------
        Backend CVS repository can use either standard CVS distribution or CVSNT distribution. You can use the "cvs version" command to determine the server version and type.

        You can select the CVS server type from the list below:

        1. CVS
        2. CVSNT

        Choose a server type [1] : 2

7. Choose a directory to save the newly generated prefs xml files. The setup program will create the prefs.xml configuration file.

        Now you will specify the destination directory where prefs xml file for the security agent will be generated.

        Enter the directory where prefs xml files will be saved [../config] :

8. Please copy the generated files to WANdisco Security Agent's config directory on each host and rename them to prefs.xml. Now you are ready to run the WANdisco Security Agent.

4.1. Silent install option

The express setup tool supports -silent and -record options to allow an admin to perform a silent install without being prompted for input on the console.

An admin could start the setup program in record mode and then later use the recorded answers file to replay the answers and perform a silent install. The admin could modify the recorded answers in a text editor and then use -silent to create new configuration files. For example:

    $ ./cvs-security/bin/setup -record my-answers
    $ vi my-answers
    $ ./cvs-security/bin/setup -silent my-answers
    $ ./cvs-security/bin/setup -silent old-ans -record new-ans

The answers are recorded continuously, so if you restart setup you can also use the recorded file to pick up from where you left off, without having to re-enter the answers.

For more information look at the usage of the setup command:

    $ ./security/bin/setup -h

    setup [-silent recorded-setup-file] [-record file-to-record-to]

    -silent recorded-setup-file : Silent install will use the supplied "recorded-setup-file" to automatically answer the setup interview questions. If all the answers are not supplied, it will prompt on the console.

    -record file-to-record-to   : Will record all the valid interview answers to the "file-to-record-to". Can latter be used for silent install.

    Both options can also be used at the same time. For example to continue an install from where you last left off you could do:

    setup -silent prev-silent-file -record new-silent-file


5. Running

That's it, now you are ready to run the WANdisco Security Agent.

Use the startup script provided to run WANdisco Security Agent from the command line:

    $ Security_Agent_root/bin/cvssecurityagent
    $ tail -f Security_Agent_root/logs/ProxyServer-prefs.log.0
    ....
    INFO: [main] CVS Proxy listener is now turned ON at port :2401

When you see the last line, you know WANdisco Security Agent has started successfully. Alternatively, you can go to the web console and check the status.

To shut down WANdisco Security Agent, just run:

    $ Security_Agent_root/bin/shutdown

Caution: We recommend taking all possible precautions to avoid direct access to the SCM server that bypasses the WANdisco Security Agent. For example, you could set up the SCM server to only allow connections from the IP address of the host on which the Security Agent is running, and limit shell access to the Security Agent and the SCM repository machine.
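The caution above, together with the port description in section 2 (the backend CVS server on port 2402 must accept connections only from the Security Agent), can be checked mechanically rather than by eye. The following Python script is an added example and is not part of the WANdisco guide: it parses an xinetd-style cvspserver stanza and reports when only_from is missing or broader than the Security Agent's address, or when the backend still listens on the Security Agent's own port 2401 (which the setup program advises against). The stanza text is constructed for illustration; only_from and port are real xinetd attributes, and the agent address 192.168.1.29 and repository path are borrowed from examples elsewhere in this guide.

```python
"""Audit an xinetd cvspserver stanza for the 'only the Security Agent may connect' rule.

Added example, not part of the WANdisco guide. Stanza text below is constructed.
"""
import re
from typing import Dict, List

# Constructed sample: backend CVS server reachable from anywhere, still on 2401.
WEAK_STANZA = """
service cvspserver
{
    disable     = no
    port        = 2401
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/bin/cvs
    server_args = -f --allow-root=/cvsd/admin0/cvsroot pserver
}
"""

# Constructed sample following the guide: moved to 2402, admits only the agent host.
HARDENED_STANZA = """
service cvspserver
{
    disable     = no
    port        = 2402
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/bin/cvs
    server_args = -f --allow-root=/cvsd/admin0/cvsroot pserver
    only_from   = 192.168.1.29   # the Security Agent host
}
"""

ATTR_RE = re.compile(r"^\s*([A-Za-z_]+)\s*(\+=|=)\s*(.*?)\s*$")


def parse_xinetd_stanza(text: str) -> Dict[str, str]:
    """Return attribute -> value for one xinetd service stanza.

    Only 'name = value' and 'name += value' are handled, which covers the
    attributes this check looks at; comments after '#' are dropped.
    """
    attrs: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, op, value = m.groups()
        if op == "+=" and name in attrs:
            attrs[name] = f"{attrs[name]} {value}".strip()
        else:
            attrs[name] = value
    return attrs


def audit_cvspserver(stanza: str, agent_ip: str, agent_port: int = 2401) -> List[str]:
    """Return findings; an empty list means the stanza follows the guide's advice."""
    attrs = parse_xinetd_stanza(stanza)
    findings: List[str] = []

    allowed = set(attrs.get("only_from", "").split())
    if not allowed:
        findings.append(
            "no only_from: any host can reach cvspserver directly, bypassing the "
            f"Security Agent; add 'only_from = {agent_ip}'"
        )
    else:
        extra = sorted(allowed - {agent_ip})
        if extra:
            findings.append(
                f"only_from admits {', '.join(extra)} besides the Security Agent at {agent_ip}"
            )

    port = attrs.get("port", "")
    if port.isdigit() and int(port) == agent_port:
        findings.append(
            f"cvspserver listens on {port}, the Security Agent's own port; the setup "
            "program recommends moving the backend to another port (the guide uses 2402)"
        )
    return findings


if __name__ == "__main__":
    for label, stanza in (("weak", WEAK_STANZA), ("hardened", HARDENED_STANZA)):
        problems = audit_cvspserver(stanza, "192.168.1.29")
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run it against the stanza actually installed under /etc/xinetd.d on the repository host, passing the address the Security Agent connects from; when the agent and cvspserver are colocated, that address is 127.0.0.1. A host firewall rule for the same port is a second, independent layer and is worth adding in addition to only_from.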


6. Web Administration

The WANdisco Security Agent has a built-in web server that can be used for monitoring and dynamic configuration of the Security Agent. You can connect to the web server on the Security Agent's administration port (defaults to 6444). On connecting you will be prompted for a login. The default admin username is root and the default admin password is wandisco. It is highly recommended that you change the default password as soon as possible via the web console. Here is a screen-shot of the Security Agent's web console:


7. License Management

Please ensure your license.key file specifies the IP addresses on which the WANdisco Security Agent is licensed to run. If you have an unlimited license, you do not have any restrictions on IP addresses.


8. Setup Secure Access to CVS

It is customary to use the CVS_RSH environment variable to specify the remote shell to use in lieu of pserver authentication. The CVS_RSH environment variable can, for example, specify SSH as the remote shell and can directly use the encryption feature of SSH.

WANdisco Security Agent doesn't restrict you in any way when you choose to use a CVS_RSH-based remote shell. Just follow the setup directions below to get SSH, Kerberos etc. support going for your CVS clients.

8.1. Using SSH with WANdisco Security Agent

There are two ways to do this. You can have the CVS client connect directly with the SSH daemon (Direct SSH Method) or you can tunnel the CVS pserver protocol over SSH (SSH Tunneling Method).


9. Direct SSH Method

We will walk through an example with SSH as the remote shell.

Set CVS_RSH to point to ssh or ssh.exe depending upon the platform. For Windows, if you use a PuTTY-based ssh client, set CVS_RSH to the path to plink.exe.

Ensure that your ssh credentials are accessible from the machine you will be running the CVS client on. For example, if you have a private key, you may want to use ssh-agent (pageant for PuTTY) and ssh-add to have ssh pre-register your private key.

Use the bundled cvsrelay executable as the CVS_SERVER. This can be done in two ways:

1. All client environments should specify an environment variable CVS_SERVER to point to the bundled cvsrelay executable. For example, using tcsh:

        setenv CVS_SERVER <path-to-WANdisco-install>/bin/cvsrelay

2. If you don't want the clients to modify their environment, you can create a link or rename cvsrelay to cvs and modify the PATH so that the ssh daemon (sshd) will invoke cvsrelay instead of cvs when a CVS client connects to it. If sshd is launched via the init.d startup script, you could modify the script that starts sshd to set the PATH to point to the cvsrelay bin directory before any other path element. This lets you essentially invoke cvsrelay when a CVS client request comes in. The cvsrelay executable will then be able to relay CVS request/response packets from sshd to WANdisco Security Agent.

        > cd Security_Agent_root/bin
        > pwd
        Security_Agent_root/bin
        > ln -s cvsrelay cvs

Due to security concerns, on most UNIX systems sshd is typically compiled with a hardwired PATH. Then setting the PATH in the init.d sshd startup script will not work. This can typically be confirmed via:

    > strings `which sshd` | grep -i bin
    ...
    /usr/bin:/bin:/usr/sbin:/sbin
    ...

If you see a colon-separated string like the above, that might be the compiled-in PATH. Alternatively you may look at the first couple of lines in /etc/ssh/sshd_config:

    #$OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $

    # This is the sshd server system-wide configuration file. See
    # sshd_config(5) for more information.

    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

If you determine that your sshd has a path hardwired at compilation time you could do one of the following:

1. Recompile sshd with a PATH that puts cvsrelay ahead of the standard cvs executable.

2. The cleanest approach is to rename cvs to something like cvs.org and change references to cvs in xinet.d/cvspserver to point to cvs.org. Finally, link cvsrelay into /usr/bin or any system directory that is on sshd's compiled-in PATH.

9.1. Authentication with cvsrelay

If you use cvsrelay, you must set up the CVS server's password database in the $CVSROOT/CVSROOT/passwd file. The passwords in this file are encrypted using the standard UNIX crypt() function, so it is possible to cut and paste from the /etc/passwd (on some systems /etc/shadow) file. Since the authentication is already done via sshd, all we need to do is select a single system password and have all users in the CVSROOT/passwd file share the same password.

In essence the CVSROOT/passwd file would look like:

    Bach:1sOp854gDF3DY
    Mozart:1sOp854gDF3DY
    Handel:1sOp854gDF3DY

All users, as you can see, share the same password. A default passwd file can be copied from Security_Agent_root/config/passwd-template. The template file already contains the default password used by cvsrelay. If you decide to override the default password, you have to modify the configuration (/etc/prefs.conf) for cvsrelay to tell it the new system password to use.

You can also use the bundled utility Security_Agent_root/bin/cvspasswd to generate a crypt() password for the CVSROOT/passwd file:

    $ cvspasswd
    Enter CVS password :
    CVSROOT/passwd : sa0Pk81ulv7qc
    CVSRelay Password : 117:99:121:32:73:121:60:121

Also the CVSROOT/config file needs to turn off system authentication:

    #Set this to "no" if pserver shouldn't check system users/passwords
    SystemAuth=no

    # Put CVS lock files in this directory rather than directly in the repository.
    #LockDir=/var/lock/cvs

The above scheme is essentially delegating the credentials that were obtained after authenticating with sshd to the cvs server, as shown below.

The CVS user authenticates with the SSH daemon, which then invokes cvsrelay with the user ID of the secure shell. This is the user ID that the CVS client transparently passes to sshd. The cvsrelay process in turn looks up the system password at startup time from prefs.conf and passes the user-name and encrypted password to CVS. The CVS server in turn verifies the delegated credentials with entries in the CVSROOT/passwd file.
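The delegation scheme above rests on two file-level conditions: every entry in CVSROOT/passwd carries the same crypt() hash, and CVSROOT/config has an active SystemAuth=no line. The Python below is an added example (not the guide's or WANdisco's code) that checks both, so a mis-edited passwd file or a commented-out SystemAuth line is caught before a user's checkout fails. The file contents are constructed: the good passwd file reuses the hash shown in the guide's example, and the bad files are invented to exercise each finding.

```python
"""Check a CVSROOT/passwd and CVSROOT/config pair for the cvsrelay delegation scheme.

Added example, not part of the WANdisco guide. All file contents are constructed.
"""
from typing import List, Optional, Tuple

# Constructed: every user shares one crypt() hash, as the guide requires.
GOOD_PASSWD = """\
Bach:1sOp854gDF3DY
Mozart:1sOp854gDF3DY
Handel:1sOp854gDF3DY
"""

# Constructed: one divergent hash and one empty password field.
BAD_PASSWD = """\
Bach:1sOp854gDF3DY
Mozart:Xy9notTheSame
Handel:
"""

GOOD_CONFIG = """\
#Set this to "no" if pserver shouldn't check system users/passwords
SystemAuth=no
#LockDir=/var/lock/cvs
"""

# Constructed: the SystemAuth line was left commented out.
BAD_CONFIG = """\
#SystemAuth=no
"""

# (cvs user, crypt hash, optional system user) - the CVSROOT/passwd line format.
Entry = Tuple[str, str, Optional[str]]


def parse_passwd(text: str) -> List[Entry]:
    """Parse CVSROOT/passwd lines of the form user:hash[:system-user]."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        user = fields[0]
        crypt_hash = fields[1] if len(fields) > 1 else ""
        sys_user = fields[2] if len(fields) > 2 else None
        entries.append((user, crypt_hash, sys_user))
    return entries


def system_auth_disabled(config_text: str) -> bool:
    """True when CVSROOT/config contains an active (uncommented) SystemAuth=no."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "SystemAuth":
            return value.lower() == "no"
    return False


def audit_cvsroot(passwd_text: str, config_text: str) -> List[str]:
    """Return findings; an empty list means both files follow the guide's scheme."""
    findings: List[str] = []
    entries = parse_passwd(passwd_text)

    # The shared system password is whichever hash the first user carries.
    reference = next((h for _, h, _ in entries if h), None)
    if reference is None:
        findings.append("CVSROOT/passwd has no entry with a password hash")
    for user, crypt_hash, _ in entries:
        if not crypt_hash:
            findings.append(f"{user}: empty password field; every user must carry the shared hash")
        elif crypt_hash != reference:
            findings.append(f"{user}: hash differs from the shared cvsrelay password")

    if not system_auth_disabled(config_text):
        findings.append("CVSROOT/config: SystemAuth=no is missing or commented out")
    return findings


if __name__ == "__main__":
    for label, pw, cfg in (("good", GOOD_PASSWD, GOOD_CONFIG), ("bad", BAD_PASSWD, BAD_CONFIG)):
        problems = audit_cvsroot(pw, cfg)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

To use it on a real repository, read $CVSROOT/CVSROOT/passwd and $CVSROOT/CVSROOT/config into strings and pass them to audit_cvsroot; the checker deliberately compares hashes only, so it never needs the cleartext system password.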

9.2. Configure cvsrelay

The cvsrelay process acts as the bridge between sshd and the WANdisco Security Agent. The prefs.conf file contains the configuration parameters for cvsrelay.


The prefs.conf file is first looked for in the current working directory (cwd). If it is not found, cvsrelay attempts to locate it in the /etc directory. If it is still not found, an error message is logged to UNIX syslog.

The prefs.conf can be automatically generated by the setup tool during the express setup, or post-setup using the bundled install-cvsrelay tool.

9.2.1. Using setup or install-cvsrelay

The following are sample screens depicting how setup or install-cvsrelay can auto-generate the prefs.conf needed by cvsrelay.

    Specify Security Agent Host name [localhost] :
    You specified localhost, is this correct?[Y|N] [Y] :
    Specify Security Agent port [2409] :
    You specified 2409, is this correct?[Y|N] [Y] :
    Specify CVS pserver host name [localhost] : tao
    You specified tao, is this correct?[Y|N] [Y] :
    Specify CVS pserver port [2401] : 2409
    You specified 2409, is this correct?[Y|N] [Y] :
    Specify path to the cvs client binary [/usr/bin/cvs] :
    You specified /usr/bin/cvs, is this correct?[Y|N] [Y] :
    Are CVS Clients using WinCVS or TortoiseCVS? Y/N [N] : Y
    You specified Y, is this correct?[Y|N] [Y] :
    Enter a valid CVS user on tao [admin0] : user1
    You specified user1, is this correct?[Y|N] [Y] :
    Enter any valid CVS Root directory on tao [/home/cvs] : /cvsd/admin0/cvsroot
    You specified /cvsd/admin0/cvsroot, is this correct?[Y|N] [Y] :
    Enter CVS password :

    Creating ../config/prefs-localhost.conf ... [DONE]
    **I: Please copy ../config/prefs-localhost.conf to localhost:/etc/prefs.conf

    In order to complete the SSH configuration, ensure:

    1. All cvspserver host:<cvsroot>/CVSROOT/config have the entry "SystemAuth=no".
    2. Copy ../config/passwd-template file to cvspserver host:<cvsroot>/CVSROOT/passwd file and ensure all users added to passwd file have the same password.
    3. Ensure SSH daemon (sshd) is using cvsrelay instead of cvs. See Security Agent admin guide for more details.

9.2.2. Manual configuration

The prefs.conf syntax is name=value pairs. The following parameters can be specified in prefs.conf to override its defaults:


1. cvs.port. Defaults to 2401. Specifies the port of the CVS Security Agent to which the CVS requests will be relayed.

2. cvs.host. Defaults to 127.0.0.1. Specifies the IP address (in IPv4 dot notation, not a DNS name) of the Security Agent to forward to. Using cvsrelay, one can run sshd and the CVS server on separate hosts; it is not necessary to collocate them.

3. cvs.password. Defaults to 117:99:121:32:73:121:60:121. Specifies the octet sequence denoting the system password to pass to the CVS server when delegating the credentials to cvs from sshd. Use the included Security_Agent_root/bin/cvspasswd program to generate a password encoded in WANdisco format for cvsrelay. This is done to encode the pass phrase generated by the CVS scrambling algorithm when transmitting cleartext passwords on the wire.

4. relay.buffer.size. Defaults to 4 KBytes. Specifies the buffer size used by the relay. Used to tune the performance of cvsrelay.

Here is a sample /etc/prefs.conf file:

$ cat /etc/prefs.conf
cvs.port=2401
cvs.host=192.168.1.20
cvs.password=117:99:121:32:73:121:60:121

9.2.2.1. TortoiseCVS, WinCVS GUI Clients

When using many of the popular GUI clients with cvsrelay, you may need to patch your cvsrelay installation to make it work. For example, when using Tortoise and WinCVS you may see the following error message:

warning: unrecognized response `Please run install-cvsrelay for this client' from cvs server

If you see the above message, then the administrator needs to run the bundled install-cvsrelay utility. Note that this is needed only if you are using cvsrelay.

The install-cvsrelay utility will prompt you for the fully qualified path to the cvs server executable. It will then attempt to create a patch specific to the version of cvs server being used. If you install a different version of cvs server at a later date, be sure to re-run install-cvsrelay.

> cd Security_Agent_root/bin
> pwd
Security_Agent_root/bin
> ./install-cvsrelay

Once install-cvsrelay has patched the prefs.conf, you can then start using the Tortoise and WinCVS clients.

9.3. Troubleshooting

Configuring SSH access from CVS clients requires getting the SSH credentials set up correctly as well as configuring cvsrelay as outlined above.

Here are common gotchas and their solutions:

1. WinCVS is prompting me for a pass-phrase

Ensure pageant or ssh-agent is running with the private keys already loaded; a less secure way is to have no pass-phrase on the private keys at creation time.

2. How do I know cvsrelay is being invoked?

First check the system log (on Linux /var/log/messages) for any error messages from cvsrelay, for example:

tao /var/log# pwd
/var/log
tao /var/log# grep cvsrelay messages
Dec 1 21:02:04 tao cvs-security/bin/cvsrelay[15105]: failed to open /etc/prefs.conf
Feb 24 22:03:07 tao ./cvsrelay[5348]: cvs: delegated login failure. Check syslog for further info. Server response - "error 0 /tmp/cvstest: no such repository"

You can also set up cvsrelay to run in verbose mode by passing an optional -v parameter:

setenv CVS_SERVER "...../bin/cvsrelay -v"

This will cause the system log (on Linux /var/log/messages) to contain detailed messages from cvsrelay.


10. SSH Tunneling Method

This method requires first setting up a secure SSH tunnel between the CVS client and the SSH daemon. Once the tunnel is set up, ssh will allocate a listen socket on the client side. All traffic to this port will be automatically forwarded to the remote host (cvs server) over a secure connection.

Using the usual ssh -L option, set up a local listen port on the client side.

>ssh -L 2401:cvs-server-host:2401 cvs-server-host
>setenv CVSROOT :pserver:user@cvs-server-host:/a/b/c.../cvsroot
>cvs co ..

The local port could be 2401, the standard CVS port, but it does not have to be. Make sure the remote host:port is the normal pserver host:port of the CVS server. Set up CVSROOT on the client to point to localhost. In the example above, all traffic to localhost:2401 will be forwarded via SSH to the CVS server.

Note that even a temporary disruption in connectivity will tear down an SSH tunnel. When this happens, the tunnel will have to be recreated using the above ssh command.


11. Access Control, Authorization and Auditing with WANdisco Security Agent

The WANdisco Security Agent enables an administrator to implement a comprehensive security model that provides features beyond the file-system permissions or cvs_acl scripts that are bundled with the CVS sources:

• Role (or Group) based Access Control Lists (ACL)
• Hierarchical Roles/Groups and Privileges
• List, Read, Write and Admin privileges allow controlling not only writes but list and read operations as well
• Fine grained access control of file, directory, module, CVSROOT
• Limit access via network masks or IP address
• Full Perl style Regular expression support
• Web Console for managing all aspects of security
• Audit Trail with incremental updates to a SQL database
• Reports like users/groups and the resources they can access


12. Group Management

The Group Management functions allow an administrator to:

• Create new Roles or Groups
• Delete existing Roles or Groups
• Add or Remove users to Groups
• Bulk import/export Groups

The WANdisco Groups are hierarchical, with parent-child associations between sub-groups. Groups provide a convenient way of organizing multiple users into a related category for controlling access as well as searching for users. It is recommended that you set up ACLs on a group basis rather than for individual users (both are allowed) for easier management of security policies.

12.1. How to create new Roles or Groups

The first step towards setting up security is to map the organization or project structure to WANdisco Groups (also referred to as Roles in security literature). The groups are hierarchical. If a user belongs to a parent group, the children groups automatically inherit the users of the top-level parent groups. In the same way, Access Rules or ACLs attached to a child group are automatically applied to the parent groups. Before creating new groups it is important to work out the parent-child hierarchy. For instance, an engineering team may be split up along geographical sites: sanramon-engr, tokyo-engr. These two groups may belong to a parent group: engr. Within the sanramon-engr group there may be a role based hierarchy: sanramon-project-projectlead, sanramon-qa.


To add a new group, click on the Create Group option in the security menu and specify its name. The name can contain any character including white-space; there are no restrictions. The group name is the primary key into the group database; it cannot be changed. If you need to change it, just delete the group and add a new one with a different name. The Description field can contain any relevant text describing the group. The WANdisco Security Agent tracks the creation and modification time-stamps on the groups automatically.

Once a group is created, you can start assigning users to it.

Please note that a system group Admin always exists in the WANdisco Security Agent. As mentioned in the ACL section below, a user belonging to the Admin group gets Admin privileges, which include List, Read, Write privileges on all resources.

12.1.1. Sub-Group Assignment

The group is assigned under the checked group as a sub-group. To de-assign, uncheck the checkbox and click 'Save Details'. Note that by selecting a group, this group is automatically assigned as its sub-group. A sub-group can have exactly one parent. Clicking on the edit icon will allow you to edit the specific group.

12.2. How to delete Roles or Groups

From the security web console, click on an edit Group icon to go to the Edit Group page. The edit Group icons are visible from any Group management page. Click on the delete button to remove a group.

When a group is deleted it is also removed from all users who previously belonged to that group. The ACLs associated with the group are not deleted, though they no longer apply. You can edit them and assign them to a different group.

12.3. Add or Remove Users from a Group

On the Web console, the Add or remove function under Group management is context-aware. When you select a group by clicking on its checkbox, only users that can be added or removed are shown. This ensures you don't have to worry about duplicate users when adding them to a group. You can use it to quickly add/remove multiple users to/from a given group or sub-group.


If a user has been added to a parent group, they automatically belong to any sub-groups underneath it, so there is no need to add them to the sub-groups. The context-aware web UI will, for example, show only users who are not in the parent groups when adding them to a sub-group.

For the initial setup you can also use the bulk user import option to quickly import multiple users and their associated groups.

12.4. Group membership

To quickly view a list of users who belong directly to a specific group, just click on the "List users only in this group" hyperlink in the Edit Group page. To view the list of all users, including the ones inherited from ancestor groups, click on the "List all users including inherited from parent groups" hyperlink.

12.5. How to find the files and directories accessible by a Group


Go to the Edit Group page for the group. Scroll down to the "Resource Details" panel. The resource table contains the listing of all the file and directory patterns (regular expressions) and the corresponding ACLs applicable to the specified group. You can click on the ACL hyperlink to edit the associated rule.


13. User Management

The User Management functions allow an administrator to:

• Create or Remove Users
• Select Groups a user belongs to
• Quickly search Users by several criteria
• Bulk import/export Users

The users must exist in the authentication database (NIS, LDAP, /etc/passwd etc.) used by the CVS server. The User management function allows the administrator to specify licensed users who can access the CVS repository via the WANdisco Security Agent. Even if you are not using security features like ACLs, you must register the valid users with the WANdisco Security Agent.

If a CVS user has not been registered and they try to access a WANdisco Security Agent configured with an unlimited user license, they will see an error message as below:

cvs acl: Access Denied: The CVS administrator has not granted
cvs acl: you sufficient permissions to execute this command.
cvs acl: Please contact your local CVS administrator for help.
cvs acl: Aborting the cvs operation.

With a limited user license the above error message changes to:

cvs acl: Access Denied: The CVS administrator has not registered
cvs acl: you as a user of WANdisco Security Agent.
cvs acl: Please contact your CVS administrator for help.
cvs acl: Aborting the cvs operation.

13.1. Creating or removing users


To add a new user, click on the Create User option in the security menu and specify a login id (cvs user name). The last and first name can contain any character including white-space; there are no restrictions. You can specify an optional email address for the user. The user id is the primary key into the user database; it cannot be changed. If you need to change it, just delete the user and add a new one with a different user id. The WANdisco Security Agent tracks the creation and modification time-stamps on the users automatically.


To remove a user, just click on the "Delete" button in the Edit User page. You can also delete multiple users from the User List page.

13.1.1. Sub-Group Assignment

The user can be assigned to any number of checked groups. To de-assign, uncheck the checkbox and click 'Save Details'. Note that by selecting a group, the user is automatically assigned to the group and all its sub-groups. Clicking on the edit icon will allow you to edit the specific group.

13.2. List and Search Users


To get a list of all the registered users, just click on the User List option. The user list page shows all the users by default. The page size is set to show 25 users per page by default. You can change that by selecting the page size in the upper right corner. The page controls in the left corner allow you to go to the next or previous page.

If you want to locate a user by first or last name quickly, just start typing the name in the "User name like" textbox and an incremental search starts automatically. To get the full list back, just hit the backspace key on the keyboard until you have deleted all the characters you typed in the textbox.

All the columns in the user list are enabled for sorting. By clicking on the column header you can sort the list in ascending or descending order. The sortable columns include: CVS user id, last name, first name, email, last modified date.

To restrict the list by a group or role, just select a group name from the drop down menu. To see users in the selected group as well as all the ancestor groups, click the Inherited Users checkbox.

You can click on the user id hyperlink to edit the user. Mass delete is supported by selecting the checkbox in the table header (next to the User Login id column) and then clicking the delete button.

13.3. Bulk import/export users


In order to import users from other databases like NIS or /etc/passwd, you can have a script create a comma separated import file with all relevant users. The data to be imported must be in a text file with comma separated fields. The syntax of a user row in the csv file is:

cvsuserid,lastName,firstName[[,email],group1[,group2..groupN]]

Here is an example of a csv file:

> cat userlist.csv
ravi,Shastri,Ravi,[email protected],Admin,sc-engr
rchen,Chen,Roger,[email protected],engr
sony,Richards,Sony,Admin,engr
vanu,Xandau,Vanu

Line 1: Will import a cvs user ravi with last name Shastri, first name Ravi, email address [email protected] and assign him groups: Admin and sc-engr.

Line 2: Will import a cvs user rchen with last name Chen, first name Roger, email address [email protected] and assign him group: engr.

Line 3: Will import a cvs user sony with last name Richards, first name Sony, no email address and assign him groups: Admin and engr.

Line 4: Will import a cvs user vanu with last name Xandau, first name Vanu, no email address and no groups.

The cvs user id, last and first name are required and cannot be empty. The email and group names are optional. Further, if a group name is specified, the group must already exist in the WANdisco Security Agent group database; if not, the user will not be added. If the 4th field contains the character "@" it is presumed to be an email address.

The path to the CSV file must be accessible by the WANdisco Security Agent server process. Before doing the import, make sure the csv file is either copied onto the WANdisco Security Agent machine or is NFS/Samba accessible to the WANdisco Security Agent process.
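An added parser for the import format above, written for this page rather than taken from the Security Agent, that applies the guide's rules (three required fields, a 4th field with "@" is the email, every group must already exist or the row is rejected). The sample rows reuse the guide's users with constructed placeholder e-mail addresses.

```python
import csv
import io
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class ImportedUser:
    cvsuserid: str
    last_name: str
    first_name: str
    email: str = ""
    groups: List[str] = field(default_factory=list)


def parse_user_row(fields: List[str], known_groups: Set[str]) -> ImportedUser:
    """Parse one cvsuserid,lastName,firstName[[,email],group1[,group2..]] row.

    Raises ValueError for a row the Security Agent would reject: a missing
    required field, or a group that is not already in the group database.
    """
    fields = [f.strip() for f in fields]
    if len(fields) < 3 or not all(fields[:3]):
        raise ValueError("cvsuserid, lastName and firstName are required: %r"
                         % (fields,))
    userid, last, first = fields[:3]
    rest = fields[3:]
    email = ""
    # The guide's rule: a 4th field containing '@' is presumed to be an email;
    # everything else from the 4th field on is a group name.
    if rest and "@" in rest[0]:
        email = rest.pop(0)
    unknown = [g for g in rest if g not in known_groups]
    if unknown:
        raise ValueError("user %s names unknown group(s) %s; user not added"
                         % (userid, unknown))
    return ImportedUser(userid, last, first, email, rest)


def import_users(text: str,
                 known_groups: Set[str]) -> Tuple[List[ImportedUser], List[str]]:
    """Return (accepted users, per-line error messages) for a whole CSV file."""
    accepted: List[ImportedUser] = []
    errors: List[str] = []
    for lineno, fields in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not fields:
            continue                       # blank line
        try:
            accepted.append(parse_user_row(fields, known_groups))
        except ValueError as exc:
            errors.append("line %d: %s" % (lineno, exc))
    return accepted, errors


# Constructed sample: the guide's userlist.csv with placeholder addresses,
# plus a fifth row naming a group that does not exist in the group database.
SAMPLE_CSV = """ravi,Shastri,Ravi,ravi@example.com,Admin,sc-engr
rchen,Chen,Roger,rchen@example.com,engr
sony,Richards,Sony,Admin,engr
vanu,Xandau,Vanu
ghost,Nobody,No,ghosts
"""
KNOWN_GROUPS = {"Admin", "sc-engr", "engr"}
```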


14. ACL (Access Control List) Management

The Access Control or authorization mechanism in the WANdisco Security Agent is based on the concept of a set of valid principals with adequate privileges to access a secured resource. The ACL management features allow an administrator to:

• Implement Role Based Access Control (RBAC)
• Use the CVS client's IP address pattern to restrict access
• Specify any number of Allow or Deny Rules
• Create ACLs with powerful regular expression patterns to describe users, groups, files/directories/modules and branches
• Assign privileges like list, read, write, admin to principals
• Set up ACLs across multiple CVSROOTs and modules

Here are the definitions of the commonly used terms when describing the WANdisco Security Agent's ACL mechanism:

CVS Login id
The actual cvs account name that can be successfully authenticated by CVS or the SSH daemon (if using the ext SSH protocol). The CVS login id is also the primary key for a user in the WANdisco Security Agent's user database.

Principal
A principal can be any valid WANdisco Security Agent user or group. After authentication the WANdisco Security Agent maps a CVS login id to a set of principals that include the actual user and all its associated groups and sub-groups.

Resource
A resource is a file, directory, module or the CVSROOT itself. Resource patterns can be specified as Perl-style regular expressions in the ACL. A resource needs to be a fully qualified (with respect to the CVSROOT) path to disambiguate same file/directory names across multiple modules or CVSROOTs. All directory paths, including a CVSROOT, should be specified in the slash-terminated form. For example, specify /a/b/c/, not /a/b/c.

IP Mask
A Perl-style regular expression specifying the CVS client's IP address. It is used in the ACL to restrict access to a specific client network, subnet or machine.

Privilege
Privileges are needed by a user to execute specific CVS commands. The WANdisco Security Agent supports four privileges: List, Read, Write, Admin.

The Admin privileges are granted by assigning a user into the special system group Admin. Explicit ACLs need not be set on the Admin group.

14.1. Privileges required for executing a CVS command

The privileges are ordered. In other words, if a principal has Admin privilege, they also have the other three: List, Read, Write. If a principal has Write privilege, they do not get Admin privilege but have the other two: List, Read. If a principal has Read privilege, they do not get Admin and Write privileges but have the List privilege. If a principal has only List privilege, they do not get Admin, Write, Read privileges.

The following is the mapping of actual CVS commands to the minimum privilege needed to execute them:

CVS Command   Privilege Needed
status        List
log           List
ls            List
list          List
diff          Read
checkout      Read
export        Read
update        Read
annotate      Read
commit        Write
tag           Write
import        Write
add           Write
remove        Write
admin         Admin
watch         Admin
init          Admin
history       Admin
release       Admin
edit          Admin
rdiff         Admin
rtag          Admin
rlog          Admin
rlist         Admin
rls           Admin
rannotate     Admin


14.2. Access Control Rules Setup

The WANdisco Security Agent ships with no rules in the rules database. That implies that by default everyone is denied. This is essential for security - it closes the window of vulnerability that would otherwise allow everyone full access between the time the product is first installed and the time the admin creates access rules. In order to grant access, the administrator has to explicitly create allow rules.

Using the ACL editor from the web console, the admin can create allow or deny rules.

Powerful Perl style regular expressions can be used wherever patterns are allowed. Principal (user/group) or IP patterns, for instance engineering.* (note the dot) or 217.[0-9]+, are all valid patterns. By default the HEAD branch is specified, but you can enter a regular expression just as well - release9.0_.* for instance. Note: With the Perl regular expression syntax, if you need to use the '.' (dot) character literally, you need to escape it with a backslash; otherwise '.' (dot) will match any character. To learn more about regular expressions, consult a regular expression tutorial.


Multiple rules can be edited atomically using the WANdisco Security Agent. When you submit changes to ACLs, the WANdisco Security Agent guarantees that either all the rules are updated or none at all. This ensures a consistent rules database across multiple sites, with any pattern of failures.

14.3. ACL Enforcement

The following steps are followed by the WANdisco Security Agent's ACL engine when making an allow or deny decision on a CVS command the user is trying to execute:

1. Check if the user is registered/licensed in the WANdisco Security Agent's user database. If not, access is denied.

2. Obtain the list of groups the user belongs to as part of their principal set.

3. Check if any one of the principals is allowed access, based on several parameters:

   ♦ Map the principal to the privileges they have been granted.
   ♦ For each resource and branch the principal is trying to access, check if there is a matching rule. A rule is matched if the principal's name, IP address, branch and file/directory match the patterns specified in the ACL.
   ♦ If a matching ACL rule is found, see if it denies access. If a matching deny rule applies, then the principal is denied access to that resource.
   ♦ If no matching rules are found, the principal is denied.
   ♦ If no deny rules match and there exists at least one allow rule, the principal is allowed access to that resource.

4. If the user is allowed access to ALL of the resources via at least one principal per resource, then the user is allowed to execute the CVS command; else the command is denied.

14.4. ACL Examples

To illustrate how the ACL enforcement works, let's walk through several examples below:


14.4.1. List Only Access

User doe belongs to group engr. The administrator has set up the following rules:

Rule   Privilege  Group Pattern  IP Pattern  File/Dir Pattern           Branch Pattern
Allow  List       engr.*         192.*       /data/cvsroot/ecommerce.*  HEAD

The user is allowed to execute the following commands that require only list privilege:

$ echo $CVSROOT
:pserver:doe@mypc:/data/cvsroot
$ cd /home/ecommerce/
$ cvs status
$ cvs ls

The user is denied access when executing the following commands that require read or write privilege:

$ cvs update foo
cvs acl: Access Denied: The CVS administrator has not granted
cvs acl: you sufficient permissions to execute this command.
cvs acl: Please contact your local CVS administrator for help.
cvs acl: Aborting the cvs operation.

$ cvs commit -m "my changes"
cvs acl: Access Denied: The CVS administrator has not granted
cvs acl: you sufficient permissions to execute this command.
cvs acl: Please contact your local CVS administrator for help.
cvs acl: Aborting the cvs operation.

The user is denied access when executing the following list commands from subnet 10.23.1:

$ ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:09:5B:19:3E:F8
          inet addr:10.23.1.7  Bcast:10.23.1.255  Mask:255.255.255.0
...
$ cvs status
cvs acl: Access Denied: The CVS administrator has not granted ...

14.4.2. Deny rule on a file

User jane belongs to group build-engr. The administrator has set up the following rules:

Rule   Privilege  Group Pattern  IP Pattern  File/Dir Pattern                 Branch Pattern
Allow  Write      build-engr     192.*       /data/cvsroot/build.*            rel.*
Deny   Write      build-engr     192.*       /data/cvsroot/build/secret.make  rel.*

The user is allowed to execute the following commands:

$ echo $CVSROOT
:ext:jane@mypc:/data/cvsroot
$ cd /home/build
$ ls
foo.c bar.v secret.make
$ cvs update secret.make
$ cvs ci -m "new" foo.c bar.v

The deny rule above doesn't restrict read access to secret.make; only write access is limited.

The user is denied access when executing the following command:

$ cvs ci -m "new changes" secret.make
cvs acl: Access Denied: The CVS administrator has not granted ...

In this example, the deny rule is used to restrict access to the file secret.make. Deny rules can be applied to a file or directory pattern as well.

14.4.3. Read Only Access

User jane belongs to group qa. The administrator has set up the following rules:

Rule   Privilege  Group Pattern  IP Pattern  File/Dir Pattern           Branch Pattern
Allow  Read       qa             192.*       /data/cvsroot/ecommerce.*  HEAD
Allow  Read       qa             192.*       /data/cvsroot/ecommerce.*  rel_1_0

The user is allowed to execute the following commands that require only list privilege:

$ echo $CVSROOT
:ext:jane@mypc:/data/cvsroot
$ cd /home/ecommerce/
$ ls
foo.c bar.v
$ cvs status foo.c
$ cvs ls
$ cvs up -r rel_1_0 bar.v
$ cvs diff -r rel_1_0 foo.c

The user is denied access when executing the following commands:

$ cvs ci -m "new changes"
cvs acl: Access Denied: The CVS administrator has not granted ...
$ cvs up -j rel_2_0
cvs acl: Access Denied: The CVS administrator has not granted ...
$ cd /home
$ cvs co ecommerce
cvs acl: Access Denied: The CVS administrator has not granted ...

The last checkout command is denied because a checkout from the CVSROOT requires read privilege not only on the module ecommerce but also on the top level cvsroot /data/cvsroot.

To check out the module, the administrator would set up access rules as:


Rule   Privilege  Group Pattern  IP Pattern  File/Dir Pattern           Branch Pattern
Allow  Read       qa             192.*       /data/cvsroot[/]           HEAD
Allow  Read       qa             192.*       /data/cvsroot/ecommerce.*  HEAD

14.4.4. Using Sub-Groups

User bigoram belongs to the parent group div-engr, while user smalloram belongs to the sub-group nyc-engr of div-engr.

The administrator has set up the following rules:

Rule   Privilege  Group Pattern  IP Pattern  File/Dir Pattern         Branch Pattern
Allow  Read       div-engr       .*          /data/cvsroot/dvd/sfo.*  .*
Allow  Read       nyc-engr       .*          /data/cvsroot/dvd/nyc.*  rel.*

The user bigoram belongs to both groups (div-engr, nyc-engr) and is therefore allowed to execute the following commands:

$ echo $CVSROOT
:pserver:bigoram@mypc:/data/cvsroot
$ cd /home/dvd
$ cvs update -P -d sfo
$ cvs update -P -d nyc

The user smalloram belongs only to the group nyc-engr and is therefore allowed to execute only the command:

$ echo $CVSROOT
:pserver:smalloram@mypc:/data/cvsroot
$ cd /home/dvd
$ cvs update -P -d nyc

The user smalloram is denied access when executing the following command:

$ cvs -z6 update -P -d sfo
cvs acl: Access Denied: The CVS administrator has not granted ...
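The enforcement steps of section 14.3, the privilege ordering of 14.1 and the four examples of 14.4, as an added Python model of the decision logic written for this page (it is not WANdisco's implementation). Assumptions: patterns are anchored, full-match regular expressions; a Deny rule at one privilege level also withholds the levels above it (as the secret.make example implies); the command table includes the co/up/ci aliases the guide's own examples use; the client IP addresses used in the checks are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Ordered privileges (section 14.1): each level implies every level below it.
PRIVILEGE_RANK = {"List": 1, "Read": 2, "Write": 3, "Admin": 4}

# Minimum privilege per CVS command, from the guide's table (a subset), plus
# the short aliases co/up/ci that the guide's own examples use.
COMMAND_PRIVILEGE = {
    "status": "List", "log": "List", "ls": "List", "list": "List",
    "diff": "Read", "checkout": "Read", "co": "Read", "export": "Read",
    "update": "Read", "up": "Read", "annotate": "Read",
    "commit": "Write", "ci": "Write", "tag": "Write", "import": "Write",
    "add": "Write", "remove": "Write",
    "admin": "Admin", "init": "Admin", "rtag": "Admin", "rlog": "Admin",
}


@dataclass(frozen=True)
class Rule:
    """One row of the ACL table: Rule, Privilege and the four patterns."""
    allow: bool        # True for an Allow rule, False for a Deny rule
    privilege: str     # List, Read, Write or Admin
    principal: str     # regex over the user or group name
    ip: str            # regex over the client's IP address
    resource: str      # regex over the CVSROOT-qualified, slash-terminated path
    branch: str        # regex over the branch name


def _matches(pattern: str, value: str) -> bool:
    # Anchor both ends so the group pattern "engr" does not also match
    # "build-engr"; write "engr.*" explicitly when a prefix match is intended.
    return re.fullmatch(pattern, value) is not None


def principal_set(user: str, memberships: Dict[str, Set[str]],
                  parent_of: Dict[str, str]) -> Set[str]:
    """Step 2: the user, their groups, and every descendant sub-group.

    The guide's hierarchy runs top-down: membership in a parent group carries
    into all of its sub-groups (bigoram in div-engr is also in nyc-engr).
    """
    principals: Set[str] = {user}
    frontier = list(memberships.get(user, set()))
    while frontier:
        group = frontier.pop()
        if group in principals:
            continue
        principals.add(group)
        frontier.extend(c for c, parent in parent_of.items() if parent == group)
    return principals


def _rule_applies(r: Rule, principal: str, ip: str, resource: str,
                  branch: str, need: int) -> bool:
    if not (_matches(r.principal, principal) and _matches(r.ip, ip)
            and _matches(r.resource, resource) and _matches(r.branch, branch)):
        return False
    rank = PRIVILEGE_RANK[r.privilege]
    # An Allow rule must grant at least the needed level. A Deny rule at level
    # X withholds X and everything above it, so "Deny Write" leaves Read alone,
    # as in the secret.make example (assumed interpretation).
    return rank >= need if r.allow else need >= rank


def resource_allowed(principals: Set[str], rules: List[Rule], ip: str,
                     resource: str, branch: str, needed: str) -> bool:
    """Step 3: some principal must hit an Allow rule and no Deny rule.

    No matching rule at all means denied: the rules database ships empty, so
    everything is denied until the admin creates Allow rules.
    """
    need = PRIVILEGE_RANK[needed]
    for p in principals:
        hits = [r for r in rules
                if _rule_applies(r, p, ip, resource, branch, need)]
        if hits and all(r.allow for r in hits):
            return True
    return False


def command_allowed(user: str, command: str, ip: str, resources: List[str],
                    branch: str, rules: List[Rule], registered: Set[str],
                    memberships: Dict[str, Set[str]],
                    parent_of: Dict[str, str]) -> bool:
    """Steps 1 and 4: the user must be registered, and every resource the
    command touches must be allowed; one denied resource fails the command."""
    if user not in registered:
        return False
    principals = principal_set(user, memberships, parent_of)
    if "Admin" in principals:
        return True   # the system group Admin has all privileges without rules
    needed = COMMAND_PRIVILEGE[command]
    return all(resource_allowed(principals, rules, ip, res, branch, needed)
               for res in resources)
```

A checkout is passed with both the top-level CVSROOT and the module path in `resources`, which is why the 14.4.3 checkout fails until the `/data/cvsroot[/]` rule is added.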

14.5. Configuring Access Control Properties

The following properties in the prefs.xml file can be used to control the ACL engine:

<Security>
  <AccessControl>
    <Enable>true</Enable>
  </AccessControl>
</Security>

By default, the WANdisco Security Agent has access control enabled. To turn it off, set /Security/AccessControl/Enable to false.


15. External Authentication database Integration

In order to set up security policies, the administrator typically needs to set up the users in the WANdisco Security Agent's internal database. For large organizations this can be cumbersome if the user information is already maintained in an external database like LDAP or NIS. For such a deployment, the WANdisco Security Agent for CVS provides integration with LDAP/NIS based authentication databases.

The integration allows the administrator to automatically synchronize the user properties (user id, password) from an LDAP/NIS database. The WANdisco Security Agent for CVS will periodically (default is every 5 minutes) connect to the LDAP/NIS database server and pull the user information. Using the WANdisco web console, the administrator can go and select the new users that were discovered during the synchronization with LDAP/NIS. The selected users are then added to the WANdisco Security Agent's internal database. If the CVS repository properties are configured correctly, the user and password information is also updated in the CVSROOT/passwd file. Using the CVSROOT/passwd file is a good idea as it increases the availability of CVS if the external authentication database is unavailable.

The following properties can be configured from the WANdisco Security Agent's web console to set up the LDAP/NIS integration:

15.1. CVS properties

The CVS properties section is common to both NIS and LDAP (* indicates mandatory):

Executable*
The CVS client executable. It is an absolute path to the binary. Default is '/usr/bin/cvs'.

Host*
WANdisco CVS proxy host. It can either be an IP address or a host name. Default is 'localhost'.

Port
WANdisco CVS proxy port. If left blank, it will default to '2401'.

Username*
The CVS username. This user must have 'Admin' rights to the CVSROOT module.

Password*
The password of the CVS user with 'Admin' rights.

Roots*
A colon separated list of CVSROOTs.

Default User*
It will be used as the third entry in a CVSROOT/passwd file when updating the file with new users. The CVS server will switch to this user when executing the command.

Temp Directory*
The directory that will be used as a temporary working directory in order to run the CVS commands.

15.2. LDAP Properties

If setting up integration with LDAP, the following properties need to be set up (* indicates mandatory):

Host*
The hostname or the IP address of the LDAP server.

Port
The port of the LDAP server. If none is specified, it defaults to 389.


Root DN*
The string to log in to the LDAP server. It could be a 'username' or ROOTDN. An example of a DN is 'cn=Manager,dc=example,dc=com'.

Password*
The password for 'username' or ROOTDN.

Context*
The context within the LDAP server to perform the search at. An example of the context is 'dc=engineering,dc=example,dc=com'.

Search*
The search object. If none is specified, it defaults to 'person'.

Note: The password should be stored in the same format (crypt etc.) on the LDAP server as the format on the CVS server machine.

15.3. NIS Properties

If setting up integration with NIS, the following properties need to be set up (* indicates mandatory):

Host* - The hostname or the IP address of the NIS server.

Port - The port of the NIS server.

Domain* - The domain that the NIS server is serving. An example domain is 'office.example.com'.

Note: The password hash must be stored on the NIS server in the same format (crypt etc.) that the CVS server machine uses.
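The following is an added example, not WANdisco's own code, that ties together the Default User property of 15.1 and the password-format notes of 15.2 and 15.3: it merges a set of users pulled from the directory into the contents of a CVSROOT/passwd file. The CVS pserver format (one 'cvs_user:crypt_hash[:system_user]' entry per line) is real; the SAMPLE_PASSWD contents, the discovered users and their hashes are constructed for the example. Hashes that are not in crypt(3) form are rejected rather than written, because pserver could never verify them, and mapping users to root is refused.

```python
"""
Merge users pulled from LDAP/NIS into CVSROOT/passwd text.
Added example (not WANdisco's code).  CVSROOT/passwd format:

    cvs_user:crypt_hash[:system_user]

Assumption: 'discovered' is a {cvs_user: password_hash} mapping as pulled
from the directory, with hashes already in crypt(3) form.
"""
import re

# crypt(3) forms CVS can verify: traditional DES (13 chars) or modular $id$...
_CRYPT_RE = re.compile(r"^(?:[./0-9A-Za-z]{13}|\$[0-9a-z]+\$[^:]+)$")

# Constructed sample of an existing CVSROOT/passwd; bob has no system user.
SAMPLE_PASSWD = "alice:ab2ZX7Rz3kMnk:cvsuser\nbob:$1$abc$longhash:\n"


def parse_cvs_passwd(text):
    """Return an ordered list of (user, hash, system_user_or_None)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            raise ValueError("malformed CVSROOT/passwd line: %r" % line)
        sysuser = parts[2] if len(parts) > 2 and parts[2] else None
        entries.append((parts[0], parts[1], sysuser))
    return entries


def merge_cvs_passwd(existing_text, discovered, default_user):
    """
    Return (new_text, added, updated, rejected).
    Existing entries keep their system user and only get a new hash; new
    users are appended with default_user as the system user.  Entries whose
    hash is not crypt(3) (e.g. an LDAP {SSHA} value) are rejected.
    """
    if default_user == "root":
        # pserver switches to this account for every mapped user
        raise ValueError("refusing to map CVS users to root")
    entries = parse_cvs_passwd(existing_text)
    index = {user: i for i, (user, _, _) in enumerate(entries)}
    added, updated, rejected = [], [], []
    for user, pw in sorted(discovered.items()):
        if ":" in user or not _CRYPT_RE.match(pw):
            rejected.append(user)
            continue
        if user in index:
            i = index[user]
            if entries[i][1] != pw:
                entries[i] = (user, pw, entries[i][2])
                updated.append(user)
        else:
            entries.append((user, pw, default_user))
            added.append(user)
    lines = [":".join(e if e[2] else e[:2]) for e in entries]
    return "\n".join(lines) + "\n", added, updated, rejected


if __name__ == "__main__":
    discovered = {"alice": "ab2ZX7Rz3kMnk",   # unchanged
                  "carol": "xyQ1abcdefghi",   # new user
                  "dave": "{SSHA}c2FsdA=="}   # directory-native hash: rejected
    text, added, updated, rejected = merge_cvs_passwd(SAMPLE_PASSWD,
                                                      discovered, "cvsuser")
    print(text, "added:", added, "updated:", updated, "rejected:", rejected)
```

The rejected list is the thing to watch after each synchronization: a non-empty list means the directory is storing hashes in a format the CVS server cannot check, which is exactly the mismatch the notes above warn about.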


16. Audit Trail Management

With the WANdisco Security Agent, every CVS access by a user, whether allowed or denied, is logged to an audit trail file. The text file holds a complete history of all CVS actions in the following format:

# Column syntax - # 0 seq | 1 time | 2 txid | 3 cmd | 4 user | 5 ipaddress | 6 access | # 7 dir | 8 file | 9 rev | 10 branch

The columns are:

Column  Description
0       Record sequence number
1       UNIX timestamp
2       Transaction id
3       CVS command name
4       CVS user id
5       IP address of the user
6       Access decision (Allow or Deny)
7       CVS directory being accessed
8       CVS file being accessed
9       User's file revision
10      Branch name
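The following is an added example, not part of the product, of the kind of processing an operator would run over these records: it parses the 11-column format above and pulls out denied accesses per user, denials that touch a CVSROOT directory (the passwd and ACL files), bursts of repeated denials, and gaps in the sequence number that indicate lost or removed records. It assumes the fields are separated by '|' in the documented order (the header line shows the separator, so this is an assumption only about whitespace around it); the SAMPLE_AUDIT lines are constructed for the example.

```python
"""
Parse WANdisco Security Agent audit-trail records and pull out the events a
security operator cares about.  Added example, not the product's tooling.
Assumption: records are '|'-separated in the 11-column order documented
above; SAMPLE_AUDIT is constructed.
"""
from collections import Counter, defaultdict

FIELDS = ("seq", "time", "txid", "cmd", "user", "ipaddress", "access",
          "dir", "file", "rev", "branch")

# Constructed sample: an allowed checkout session and one user repeatedly
# denied on the CVSROOT admin directory.
SAMPLE_AUDIT = """\
# Column syntax - # 0 seq | 1 time | 2 txid | 3 cmd | 4 user | 5 ipaddress | 6 access | # 7 dir | 8 file | 9 rev | 10 branch
1|1180000000|17|checkout|alice|10.0.0.5|Allow|proj/src|main.c|1.4|HEAD
2|1180000001|17|checkout|alice|10.0.0.5|Allow|proj/src|util.c|1.2|HEAD
3|1180000030|18|commit|bob|10.0.0.9|Deny|proj/CVSROOT|passwd|1.1|HEAD
4|1180000031|19|commit|bob|10.0.0.9|Deny|proj/CVSROOT|passwd|1.1|HEAD
5|1180000032|20|checkout|bob|10.0.0.9|Deny|proj/secret|keys.txt|1.0|HEAD
6|1180000040|21|update|carol|10.0.0.7|Allow|proj/src|main.c|1.4|REL_1
"""


def parse_audit(text):
    """Return a list of dicts, one per record; comment lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != len(FIELDS):
            raise ValueError("expected %d columns, got %d: %r"
                             % (len(FIELDS), len(parts), line))
        rec = dict(zip(FIELDS, parts))
        rec["seq"] = int(rec["seq"])     # record sequence number
        rec["time"] = int(rec["time"])   # UNIX timestamp
        records.append(rec)
    return records


def denied_by_user(records):
    """Count of Deny decisions per CVS user (the Access Violation view)."""
    return Counter(r["user"] for r in records if r["access"] == "Deny")


def denied_admin_access(records):
    """Users denied on a CVSROOT directory: attempts on passwd/ACL files."""
    return {r["user"] for r in records
            if r["access"] == "Deny" and r["dir"].split("/")[-1] == "CVSROOT"}


def flag_repeated_denials(records, threshold=3, window_seconds=300):
    """Users with >= threshold denials inside any window_seconds span."""
    times = defaultdict(list)
    for r in records:
        if r["access"] == "Deny":
            times[r["user"]].append(r["time"])
    flagged = {}
    for user, ts in times.items():
        ts.sort()
        for i in range(len(ts)):
            j = i
            while j + 1 < len(ts) and ts[j + 1] - ts[i] <= window_seconds:
                j += 1
            if j - i + 1 >= threshold:
                flagged[user] = j - i + 1
                break
    return flagged


def sequence_gaps(records):
    """(prev, next) pairs where sequence numbers are not contiguous: records
    were lost (e.g. rotated away before import) or removed from the file."""
    seqs = sorted(r["seq"] for r in records)
    return [(a, b) for a, b in zip(seqs, seqs[1:]) if b != a + 1]


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    print("denials per user:", dict(denied_by_user(recs)))
    print("denied on CVSROOT:", denied_admin_access(recs))
    print("repeated denials:", flag_repeated_denials(recs))
    print("sequence gaps:", sequence_gaps(recs))
```

The sequence-gap check is worth running on every file before it is imported (see 16.2): because the files are rotated and recycled, a gap between the highest sequence number already imported and the lowest in the next file means records were overwritten before the import job ran.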

16.1. Configuring Audit properties

The audit trail files are created under the cvs-security/audit directory. By default they are rotated when they reach 10 MB, keeping up to 10 files. These defaults can be changed in the config/prefs.xml file:

    <Audit>
        <MaxFileSize>10485760</MaxFileSize>
        <MaxFileCount>10</MaxFileCount>
        <Disable>false</Disable>
    </Audit>

MaxFileSize specifies a size in bytes; MaxFileCount specifies how many files to rotate through before the oldest is recycled. Auditing is enabled by default in the WANdisco Security Agent; it can be turned off by setting Disable to true. Because recycling overwrites the oldest file, schedule a job (using cron, for example) to import the audit records into a SQL database periodically, so that no records are lost. Keeping the records in a SQL database also allows complex SQL queries to be made against the audit data.

To create the audit files in a different directory, replace cvs-security/audit with a symbolic link to that directory.

16.2. Importing to a SQL Database

The WANdisco Security Agent bundles a tool, importauditdb, that imports the audit records in audit-trail files into a SQL database. The usage of the import command is as below:

    [admin@smp1 ~/cvs-security]$ bin/importauditdb -h
    Usage: importauditdb [-host <db-host>] [-port <db-port>] [-user <db user>]
                         [-pass <db user password>] [-db <database to use>]
                         -f file-pattern1 file-pattern2 .. file-pattern-N
    Defaults:
        host     : localhost
        port     : Default DB Port
        user     : root
        password : empty
        Database : wd_audit_db

The import tool requires the Perl DBI module to be installed. Run Security_Agent_root/bin/checkdbi to check that the module is installed and that the correct database driver is available on your system.

Note: Before using the import tool you must create a database (default name is wd_audit_db) on the database server. The import tool automatically creates the table schema in that database the first time it runs. The import tool uses standard SQL syntax but relies on the FROM_UNIXTIME function, which MySQL provides; verify that your database version supports it before choosing another engine. Do not rely on the root/empty-password defaults: create a dedicated database account whose privileges are limited to wd_audit_db, and be aware that a password given with -pass is visible to other local users in the process list.


17. Audit Reports

Please note: Audit Reports are only available with the WANdisco Security Agent edition of the product.

17.1. Installation

• Set up the audit database as described in the previous section on Audit trail management.
• Extract reports.tar to the directory where you would like the reporting web pages to reside.
• Add the following to your Apache httpd.conf file. Make sure to replace "/home/wandisco/reports" with your installation directory. You may also want to rename the '/reports/' alias (e.g. '/wandisco_reports').

    Alias /reports/ "/home/wandisco/reports/"
    <Directory "/home/wandisco/reports">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

  This fragment uses the Apache 2.2 access directives (Order/Allow); on Apache 2.4 the equivalent of the last two lines is 'Require all granted'. As written it lets any client that can reach the web server read the reports, which contain user ids, IP addresses and repository paths, and 'Options Indexes' additionally exposes directory listings. Restrict access before exposing the reports, for example with Apache authentication or by allowing only your administrative network in place of 'Allow from all'.

• Restart Apache. On most machines this can be done by running the following command as root:

apachectl restart

or

apache2ctl restart

• Modify the reports/config.php file:
    ♦ update the MySQL server, username and password
    ♦ set $wdr_scm to cvs or svn
  Since config.php holds the database credentials, keep it readable only by the web server account.

• Point your browser at the alias directory to verify the installation. In the above example the URL would be: http://server/reports

17.2. Running a Report

• Select 'File Report' from the main menu.


• Enter the criteria for the report. For example, select a user from the dropdown, or specify an access level or an SCM command to filter the results.

  Note: use % as the wildcard character.

• Click Run Report.

17.3. Report Types

17.3.1. Transaction History Report

Shows all transactions against the SCM system.


17.3.2. User Modification Report

Shows all user modifications made via the proxy's security administration user interface.

17.3.3. Group Modification Report

Shows all group modifications made via the proxy's security administration user interface.


17.3.4. ACL Modification Report

Shows a history of all ACL modifications.

17.3.5. File Report

Lists file accesses, filterable by parameters such as date, access decision, command, user, IP address, directory, filename, revision or branch.

17.3.6. User Report

Shows allowed and denied SCM access per user.


17.3.7. Access Violation Report

Displays all denied accesses to the SCM system.
