Some environments require, for auditing reasons, to generate an access control report on the IPA client itself. While it can be argued that generating these reports on the IPA servers instead would provide a nicer experience, the audits requirement sometimes need a tool to be run on the host.
As an owner of an IPA client I need to know which users have access to this client. I want to run a tool on the host and get a report who can access it.
The reports must contain information about HBAC rules. In future, SUDO rules would be nice to have as well.
sssctl command called
access-report. will be added. This command will only be implemented for IPA domains for now, other domain types will just return an error.
In this version, only a human-readable output will be provided.
None, only the new tool will be implemented.
In order to trigger the refresh of rules by
sssd_be process, the Data Provider will be enhanced with a new sbus method
This method will trigger the same async requests that PAM access phase normally calls which fetch and save the IPA HBAC rules. This means that the same rate-limiting with the
ipa_hbac_refresh applies to this request as if it was called via PAM access phase. Additionally, this method will be exposed over the public D-Bus InfoPipe responder via a new
RefreshAccessRules method. As with all methods, only root can call it by default.
Finally, this new D-Bus method will be called from the
sssctl access-report command when it’s ran in order to populate the ldb cache with fresh HBAC rules
For printing the rules, the tool will simply call
ldb_search, retrieve all objects of objectclass
ipaHbacRule and then print the RDN value of
memberUser (for users and user groups),
memberService (for services and service groups) and
category. By default, groups will not be unrolled, because the
getgrnam interface limits the group nesting by default, therefore it is better to just print the group name, not all the group members.
In future, the tool should also print the output in both human-readable and machine-readable formats. For machine readable output, JSON is the best choice, since the KCM responder already depends on
libjansson. This enhancement is tracked in ticket #4605.
Additionally, for HBAC rules which are linked to a group, it might be handy to unroll the group members and print them if the administrator wishes. This enhancement is tracked with ticket #4604
sssctl access-report on an IPA client with different HBAC rules stored in the cache. Make sure all options produce the desired results.
Debug messages will be added to the tool itself. To compare the output with the cache contents, the
ldbsearch tool can be used. The
ipa administration tool can be used to display the server-side HBAC rules.
- Jakub Hrozek <email@example.com>