When there are 40+ admin’s logging into a client’s server, it can become difficult to keep track of who modified what. And more importantly, in the event that a change created an undesired result, being able to find out exactly what was changed so it can be quickly rolled back. This also becomes a critical component of change control if the client requires specific security requirements such as PCI-DSS 2.0.
This system of revision control is much cleaner to track changes rather creating a bunch of apache2.bak, apache2.20120212, apahce2.conf.031212, etc. Instead, you can view all the versions of the file available simply by:
rlog /etc/apache2/apache2.conf
RCS offers the following features in a very easy to use CLI:
- Store and retrieve multiple revisions of text - Maintain a complete history of changes - Maintain a tree of revisions - Automatically identify each revision with name, revision number, creation time, author, etc - And much more
For our specific use case, critical files to check into RCS would be configuration files such as /etc/sysctl.conf, /etc/ssh/sshd_config /etc/vsftpd/vsftpd.conf, /etc/httpd/conf/httpd.conf and stuff of that nature.
If RCS is not already installed, then simply run the following depending on your operating system:
yum install rcs apt-get install rcs
Basic Use Case
The easiest way to learn RCS is to see it in action. So in the use case below, we are going to perform a series of changes to the httpd.conf file. Before making changes to the file, check it into RCS first so we have a starting point:
root@web01:/etc/apache2# ci -l -wjdoe /etc/apache2/apache2.conf /etc/apache2/apache2.conf,v <-- /etc/apache2/apache2.conf enter description, terminated with single '.' or end of file: NOTE: This is NOT the log message! >> Original Apache Configuration File >> . initial revision: 1.1 done
Now we can make our change to the config. As an example, we are going to be making some tuning changes to Apache.
vi /etc/apache2/apache2.conf
Once our changes are made, we check the changes in:
root@web01:/etc/apache2# ci -l -wjdoe /etc/apache2/apache2.conf /etc/apache2/apache2.conf,v <-- /etc/apache2/apache2.conf new revision: 1.2; previous revision: 1.1 enter log message, terminated with single '.' or end of file: >> Tuning changes per ticket #123456 >> . done
Pretend a few days go by and you receive a call from the client reporting issues with Apache. You log into the server and checks to see if anyone recently made changes to Apache:
root@web01:/etc/apache2# rlog /etc/apache2/apache2.conf
RCS file: /etc/apache2/apache2.conf,v
Working file: /etc/apache2/apache2.conf
head: 1.2
branch:
locks: strict
root: 1.2
access list:
symbolic names:
keyword substitution: kv
total revisions: 2; selected revisions: 2
description:
Original Apache Configuration File
----------------------------
revision 1.2 locked by: root;
date: 2012/03/19 15:44:06; author: jdoe; state: Exp; lines: +3 -3
Tuning changes per ticket #123456
----------------------------
revision 1.1
date: 2012/03/19 15:28:38; author: jdoe; state: Exp;
Initial revision
=============================================================================
So this tells us that user jdoe make changes to the apache2.conf on 3/19/2012 per ticket #123456. Lets see what changes he made by comparing version 1.1 to version 1.2:
root@web01:/etc/apache2# rcsdiff -r1.1 -r1.2 /etc/apache2/apache2.conf =================================================================== RCS file: /etc/apache2/apache2.conf,v retrieving revision 1.1 retrieving revision 1.2 diff -r1.1 -r1.2 77c77 < KeepAlive On --- > KeepAlive Off 105,106c105,106 < MaxSpareServers 10 < MaxClients 150 --- > MaxSpareServers 1 > MaxClients 15 root@web01:/etc/apache2#
From the looks of this, it appears he may have typo’ed the MaxClient and MaxSpareServer variable when working that ticket. So lets roll back the configuration file to version 1.1 since that was the last known working version:
root@web01:/etc/apache2# co -r1.1 /etc/apache2/apache2.conf /etc/apache2/apache2.conf,v --> /etc/apache2/apache2.conf revision 1.1 writable /etc/apache2/apache2.conf exists; remove it? [ny](n): y done
Then test Apache to confirm everything is working again. Be sure to commit your changes as a rollback is still a change:
root@web01:/etc/apache2# ci -l -wmsmith /etc/apache2/apache2.conf /etc/apache2/apache2.conf,v <-- /etc/apache2/apache2.conf new revision: 1.3; previous revision: 1.2 enter log message, terminated with single '.' or end of file: >> Rolling back changes made in ticket #123456 due to problems >> . done
When the next person logs in to see what changes have been made to the apache.conf, they will see the following:
root@web01:/etc/apache2# rlog /etc/apache2/apache2.conf
RCS file: /etc/apache2/apache2.conf,v
Working file: /etc/apache2/apache2.conf
head: 1.3
branch:
locks: strict
root: 1.3
access list:
symbolic names:
keyword substitution: kv
total revisions: 3; selected revisions: 3
description:
Original Apache Configuration File
----------------------------
revision 1.3 locked by: root;
date: 2012/03/19 16:00:38; author: msmith; state: Exp; lines: +3 -3
Rolling back changes made in ticket #123456 due to problems
----------------------------
revision 1.2
date: 2012/03/19 15:44:06; author: jdoe; state: Exp; lines: +3 -3
Tuning changes per ticket #123456
----------------------------
revision 1.1
date: 2012/03/19 15:28:38; author: jdoe; state: Exp;
Initial revision
=============================================================================