Automatically confirm Yes to powershell script - azure

I know that this question seems familiar from a lot of Stack Overflow questions, but this is not the same as the other questions.
Basically I've got a PS script that uses the module "AzSK" to run something. I used this command in a loop to add multiple properties to my Azure storage. On every step the command keeps asking me to confirm if I want to continue (Y/N).
Because I use a loop for more than 40 iterations I need to confirm every time I perform the command.
Like many Stack Overflow questions and the internet told me, I need to try to add -Force, -Confirm to my command to automatically confirm the yes to the read input. But this answer only applies to commands that have this parameter built in. With the get-help command -Detailed I didn't see any of these parameters available. So I was wondering if it was possible to create this auto "Y" reply even if the command does not allow any parameter for it.
The command I use is Get-AzSKAzureServicesSecurityStatus, and this adds attestation statuses to control id inside an Azure blob storage. The command only allows one attestation status to be added, so I wrapped it inside a for loop, which makes my struggle with constant confirmation even worse.

Please try to use the format below:
cmd /c echo y | powershell "the command which will prompt"
I did a simple test, which was to delete a directory, and it works.

This may not be an answer to your query "if it was possible to create this auto "Y" reply even if the command does not allow any parameter for it."
But since you are trying it specifically for the attestation feature of the Secure DevOps Kit for Azure (AzSK), this might help:
The reason the confirmation message pops up for each control and does not allow a "Forced" yes is because:
"Utmost discretion is to be used when attesting controls using the Secure DevOps Kit for Azure (AzSK). In particular, when choosing to not fix a failing control, you are taking accountability that nothing will go wrong even though security is not correctly/fully configured."
Ideally, the bulk attestation feature is meant to be used in case the same control needs to be attested across multiple resource instances/resource groups and not vice versa. Refer to this for scenarios where this feature can be used (although not recommended).
Hope this helps!

Related

Is there a integration between crontab and Rundeck?

I'm trying to find a tool where you can easily monitor cronjobs for the company I work at. Rundeck seems like the perfect tool for this but I can't figure out if it's possible to integrate the existing cronjobs into Rundeck. It's too much work to do this manually because there are hundreds of them.
If you know another tool that can do this, feel free to recommend it!
I'd rather it be open source, but if it's paid and it works correctly I'm open to it.
Rundeck works as a "very enhanced cron replacement"; maybe the best approach in your case is to migrate your cron jobs to Rundeck and use the notification for monitoring. This looks like a good starting point for you, don't forget to visit the official documentation.
What Mega mentions is correct, Rundeck can be used as a replacement for cron.
Even better, there is no need to configure all of those manually: Rundeck allows you to import job definitions via API call.
Steps:
Get rundeck installed
Set up a job to run one of your cron jobs manually
Export that job
Use a script to make many copies of that file, that each contain a different item from cron*
Import all those files via API call
*You'll need to change at least the name and workflow (called sequence commands file - you'll be able to see based on the workflow step you configured)

Perforce change-submit trigger to run script on client

I figured I'd post here, after posting on SuperUser, since I want to get input from software developers who might have encountered this scenario before!
I would like to initiate a series of validation steps on the client side on files opened within a changelist before allowing the changelist to be submitted.
For example, I wish to ensure that if a file is opened for add, edit, or remove as part of a changelist, that a particular related file will be treated appropriately based on a matrix of conditions for that corresponding file:
Corresponding file being opened for add/edit/remove
Corresponding file existing on disk vs. not existing on disk
Corresponding file existing in depot vs. not existing in depot
Corresponding file having been changed vs. not having been changed relative to depot file
These validation steps must be initiated before the submit is accepted by the Perforce server. Furthermore, the validation must be performed on the client side since I must be able to reconcile offline work with the copies on clients' disks.
Environment:
Perforce 2017.2 server
MacOS and Windows computers submitting to different branches
Investigative Avenues Already Covered
Initial design was a strictly client-side custom tool, but this is not ideal since this would be a change of the flow that users are familiar with, and I would also have to implement a custom GUI.
Among other approaches, I considered creating triggers in 2017.2; however, even if I were to use a change-content trigger with all the changelist files available on the server, I would not be able to properly perform the validation and remediation steps.
Another possibility would be using a change-submit trigger and to use the trigger script variables in 2017.2 to get the client's IP, hostname, client's current working directory, etc. so that you could run a script on the server to try to connect remotely to the client's computer. However, running any script on the client's computer and in particular operating on their local workspace would require credentials that most likely will not be made available.
I would love to use a change-submit trigger on the Perforce server to initiate a script/bundled executable on the client's computer to perform p4 operations on their workspace to complete the validation steps. However, references that I've found (albeit from years ago) indicate that this is not possible:
https://stackoverflow.com/a/16061840
https://perforce-user.perforce.narkive.com/rkYjcQ69/p4-client-side-submit-triggers
Updating files with a Perforce trigger before submit
Thank you for reading and in advance for your help!
"running any script on the client's computer and in particular operating on their local workspace would require credentials that most likely will not be made available."
This is the crux of it -- the Perforce server is not allowed to send the client arbitrary code to execute. If you want that type of functionality, you'd have to punch your own security hole in the client (and then come up with your own way of making sure it's not misused), and it sounds like you've already been down that road and decided it's not worth it.
"Initial design was a strictly client-side custom tool, but this is not ideal since this would be a change of the flow that users are familiar with, and I would also have to implement a custom GUI."
My recommendation would be to start with that approach and then look for ways to decrease friction. For example, you could use a change-submit trigger to detect whether the user skipped the custom workflow (perhaps by having the custom tool put a token in the change description for the trigger to validate), and then give them an error message that puts them back on track, like "Please run Tools > Change Validator, or contact wanda#yourdomain.com for help"
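One way to implement the token idea above, as an added example that is not part of the original answer: the client tool signs the user, workspace and opened-file list with HMAC-SHA256, and the change-submit trigger recomputes the value over what is actually being submitted. The key, the "Validated-By:" line format and all function names are assumptions; how the trigger obtains the file list from the server is left out.

```python
from __future__ import annotations

import hashlib
import hmac
import re

# Assumption: a key shared by the client-side validator and the trigger host.
# Anyone holding the client tool can extract it, so the token catches skipped
# workflow steps; it is not a barrier against a determined user.
KEY = b"constructed-demo-key"
TOKEN_RE = re.compile(r"^Validated-By:\s*([0-9a-f]{64})\s*$", re.MULTILINE)


def make_token(user: str, client: str, opened: list[tuple[str, str]]) -> str:
    """Client tool: bind the token to the user, the workspace and the exact file set."""
    lines = [user, client] + sorted(f"{action} {path}" for path, action in opened)
    return hmac.new(KEY, "\n".join(lines).encode(), hashlib.sha256).hexdigest()


def stamp(description: str, token: str) -> str:
    """Client tool: drop any earlier token line and append the fresh one."""
    body = TOKEN_RE.sub("", description).rstrip()
    return f"{body}\n\nValidated-By: {token}\n"


def check_submit(user: str, client: str, opened: list[tuple[str, str]],
                 description: str) -> tuple[bool, str]:
    """Trigger side: accept only a description carrying exactly one matching token."""
    tokens = TOKEN_RE.findall(description)
    if len(tokens) != 1:
        return False, "Please run Tools > Change Validator before submitting."
    expected = make_token(user, client, opened)
    if not hmac.compare_digest(tokens[0], expected):
        return False, "Changelist changed after validation; run Change Validator again."
    return True, "ok"
```

Because the file list is part of the signed message, adding or reopening a file after validation invalidates the token and sends the user back through the validator.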

Extract SAS Enterprise Guide into Unix Server runnable batch?

We have built a project in Enterprise Guide for the purpose of creating easily understandable and maintainable code. The project contains a set of process flows which should be run in a specific order. We need to run this project on a Linux Server machine, where the SAS Metadata Server is running.
Basic idea is to extract this project into SAS code, which we would be able to run from command line in Linux as a batch job.
Question 1:
Is there any other way to schedule a batch job in Linux-hosted SAS Server? I have read about VBS scripting for scheduling/running batch jobs, but in order for this to be done on Linux Server, an installation of WINE is required, which on a production machine which already runs a number of other important applications, is almost completely out of question.
Is there a way to specify a complete project export into SAS code, provided that I give the specific order of running process flows? I have tried out ordered list, which is able to make you a list of tasks to run in order (although there is no way to choose a whole process flow as a single task), but unfortunately, this ordered list itself is later not possible to be exported as a SAS code.
Current solution we do is the following:
We export each single process flow of the SAS EG project into SAS code, and then create another SAS code with %include lines to run all the extracted codes in the order that we want. This is of course a possible solution, but definitely not the most elegant one.
Question 2:
Since I don't know how exactly the code is being exported afterwards, are there any dangers I should bear in mind with the solution I chose?
Is there any other, more elegant way?
You have a couple of options from what I'm familiar with, plus I suspect if Dom happens by he'll know more. These answers are based on EG 6.1, which is the current version (ships with 9.4); it's possible some of these things may not be true in earlier versions.
First, if you're running Enterprise Guide from Windows, you can schedule the job locally (on any Windows machine with Enterprise Guide). You're not scheduling the server directly, you schedule Windows to launch an EG process that connects to the server and does its magic. That's how I largely interact with scheduling (because I have a fairly 'light' scheduling need).
Second, from the blog post "Four Ways to Schedule SAS Tasks", options 3 and 4 may be helpful for you. The SAS Platform Suite is designed in part for scheduling, and the options using SAS Management Console to schedule via operating system tools, are both very helpful.
Third, you may want to look into SAS Stored Processes, which should be schedulable. A process flow can be converted into a stored process.
For your specific questions:
Question 1: When you export a process flow or a project, at least in 6.1 you have the option to change the order in which the programs are exported. It's manual, so it's probably not perfect, but it does give you that option. (The code seems to be by default in creation order, which is sub-optimal.) The project export does group process flows together, but you don't have the option of manipulating the order of process flows - you have to move each program around, which would be tedious. It also of course gives you less flexibility if you need to multiply run programs.
Question 2: As Stig Eide points out in comments, make sure your System Option LRECL is > 256 (the default) or you run some risk of code being cut off. In 9.2+ this is modifiable; just place LRECL=32767 in your config.sas file.

How to set system date/time without being prompted with UAC

For testing purposes, I often need to go back and forth between the current date and a past date. I wrote a quick powershell script so that I can just double-click a desktop shortcut to change system time to the desired hard-coded date. It works great, but I have to r-click and run as administrator. I'd like to successfully run without r-clicking.
I've tried editing security settings for the service in Local Security Policy, but the result is I don't see a UAC prompt, but the script does not succeed either. It still says
Set-Date : A required privilege is not held by the client
Any thoughts on how to give this privilege to the client? I want the script to run without being prompted for UAC. Thanks.
There really isn't a good way to actually change the time without a prompt. Changing the system time is a privileged operation and doing that without a prompt is tricky (if possible at all).
You could embed the administrator password in a script, have it create a new process as admin and change the time from there. Embedding an admin password in tests though would be a giant red flag.
It's possible there is a security setting somewhere that you could change to make system time alterable by non-admin accounts. I don't actually know if this can be done. If you did this it would require the change on every single computer you run the tests on. Another red flag.
I think a much smoother approach would be to simply abstract away the idea of time in your code behind an interface. Let's say you were using C#, you could define the following:
using System;

// Abstraction over the clock so tests can supply a fixed time.
interface ITimeUtil {
    DateTime SystemTime { get; }
}
In the actual running program you would implement this interface by querying the system time directly as you do today. For the purpose of testing you would mock this interface to return times in the past.
Maybe you can manipulate the token and grant yourself SeSystemtimePrivilege
http://technet.microsoft.com/en-us/library/cc976700.aspx
There is a script floating around the web for doing so here.
https://superuser.com/questions/693620/how-to-restore-the-ownership-of-a-folder-to-trusted-installer-using-silent-com/693627#693627
Using that script you can run this command to enable the privilege (temporarily) then issue your Set-Date to travel backwards in time.
Enable-Privilege SeSystemtimePrivilege
Set-Date "November 5, 1955"
Write-Host "Are You Telling Me You Built A Time Machine Out Of A Delorean"
One possible option might be to use a scheduled task (set to run with highest privileges) that reads a datetime from a file location, and use your script to write to that file and then run the task.

Authenticating GTK app to run with root permissions

I have a UI app (uses GTK) for Linux that requires to be run as root (it reads and writes /dev/sd*).
Instead of requiring the user to open a root shell or use "sudo" manually every time when he launches my app, I wonder if the app can use some OS-provided API to get root permissions. (Note: GTK apps can't use "setuid" mode, so that's not an option here.)
The advantage here would be an easier workflow: The user could, from his default user account, double click my app from the desktop instead of having to open a root terminal and launch it from there.
I ask this because OS X offers exactly this: An app can ask the OS to launch an executable with root permissions - the OS (and not the app) then asks the user to input his credentials, verifies them and then launches the target as desired.
I wonder if there's something similar for Linux (Ubuntu, e.g.)
Clarification:
So, after the hint at PolicyKit I wonder if I can use that to get r/w access to the "/dev/sd..." block devices. I find the documentation quite hard to understand, so I thought I'd first ask whether this is possible at all before I spend hours on trying to understand it in vain.
Update:
The app is a remote operated disk repair tool for the unsavvy Linux user, and those Linux noobs won't have much understanding of using sudo or even changing their user's group memberships, especially if their disk just started acting up and they're freaking out. That's why I seek a solution that avoids technicalities like this.
The old way, simple but now being phased out, is GKSu. Here is the discussion on GKSu's future.
The new way is to use PolicyKit. I'm not quite sure how this works but I think you need to launch your app using the pkexec command.
UPDATE:
Looking at the example code on http://hal.freedesktop.org/docs/polkit/polkit-apps.html, it seems that you can use PolicyKit to obtain authorization for certain actions which are described by .policy files in /usr/share/polkit-1/actions. The action for executing a program as another user is org.freedesktop.policykit.exec. I can't seem to find an action for directly accessing block devices, but I have to admit, the PolicyKit documentation breaks my brain too.
So, perhaps the simplest course of action for you is to separate your disk-mangling code that requires privileges into a command-line utility, and run that from your GUI application using g_spawn_[a]sync() with pkexec. That way you wouldn't have to bother with requesting actions and that sort of thing. It's probably bad practice anyway to run your whole GUI application as root.
Another suggestion is to ask the author of PolicyKit (David Zeuthen) directly. Or try posting your question to the gtk-app-devel list.
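The split suggested above, as an added example that is not from the original answer: the unprivileged GUI runs a small helper through pkexec, and the helper, which runs as root, validates the device argument itself. The helper path, its --check flag and the function names are hypothetical, and Python's subprocess stands in for g_spawn_sync().

```python
import os
import re
import stat
import subprocess

HELPER = "/usr/libexec/diskrepair-helper"  # hypothetical install path of the CLI helper
DEVICE_RE = re.compile(r"/dev/sd[a-z]+[0-9]*")


def validate_device(path: str, stat_fn=os.stat) -> str:
    """Helper side (runs as root): accept only a /dev/sd* block device.

    stat_fn is injectable so the check can be exercised without real disks.
    A production helper should open the device and fstat the descriptor,
    so the object checked is the object used.
    """
    real = os.path.realpath(path)  # collapse symlinks and ../ before matching
    if not DEVICE_RE.fullmatch(real):
        raise ValueError(f"not a /dev/sd* device: {path!r}")
    if not stat.S_ISBLK(stat_fn(real).st_mode):
        raise ValueError(f"not a block device: {real}")
    return real


def gui_command(device: str) -> list:
    """GUI side (unprivileged): argv list with a fixed absolute helper path, no shell."""
    return ["pkexec", HELPER, "--check", device]


def run_helper(device: str) -> subprocess.CompletedProcess:
    """GUI side: pkexec shows the authentication dialog, then starts the helper as root."""
    return subprocess.run(gui_command(device), capture_output=True, text=True)
```

The GUI never needs root; only the helper's narrow command line crosses the privilege boundary, so that is where the argument checks belong.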
