On Fri, Jan 12, 2018 at 05:30:27PM -0000, Louis Abel via FreeIPA-users wrote:
> Hello.
> I was curious if there is something built in to FreeIPA (4.5.0 on CentOS) as a whole or
> if someone has created scripts or the like that perform access rights lookups without
> doing the typical HBAC rule lookups, which require user -> host -> service (as far
> as I know), where those things are required to actually perform the access granted/denied
> test. Basically, what I'm trying to figure out is whether there is a way to pick a host, for
> example, and get a list of who can access the system on a specific service (or any service
> for that matter).
> The reason I ask is I'm trying to figure out how to properly perform
> "audits" at my place of work, i.e. for PCI and SOX. And as far as I can tell,
> there's no easy way to do this when we have, for example, two HBAC policies that allow
> all hosts (so there are no "member" attributes on the directory objects, just
> hostCategory all) and then the majority of the policies are using groups rather than specific
> individuals, so I'd have to get a list of all of the users, including the ones that
> are in AD across the trust.
> If there isn't something like this built in, has someone done something like this
> before? I'd like to try to avoid rolling my own solution if possible, but if I had to
> roll my own solution, I could use some advisement or hints on something like this.
Currently this is only possible on the clients:
https://docs.pagure.org/SSSD.sssd/design_pages/attestation_report.html
and it's only been implemented in the last version (1.16) which will be
available in RHEL-7.5.
There is an RFE about generating a server-side report:
https://bugzilla.redhat.com/show_bug.cgi?id=1492993
but currently it's not implemented.
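As an added illustration of the host-centric lookup the question asks for (example code written for this thread, not code from FreeIPA, SSSD or either poster), the script below inverts a set of HBAC rules offline: for one host and optionally one service it lists every user that at least one enabled rule grants, and which rule. The rule dicts use the attribute names of `ipa hbacrule-find --all` output but are constructed here, with `ipaenabledflag` assumed to be a boolean; group, hostgroup and AD-trust membership are assumed already flattened into the two lookup tables, and HBAC service groups are not modelled.

```python
"""Reverse HBAC lookup: which users can reach a given host (and service),
computed over exported rule data rather than per-user hbactest runs."""

# Constructed sample data; every name below is hypothetical.
USER_GROUPS = {                          # user -> groups (trust users flattened in)
    "alice": {"admins", "devs"},
    "bob": {"devs"},
    "carol@ad.example.test": {"devs"},   # AD user reached via an external group
    "dave": set(),
}
HOST_GROUPS = {                          # host -> hostgroups
    "web1.example.test": {"webservers"},
    "db1.example.test": {"dbservers"},
}
RULES = [  # hostcategory=all rules carry no memberhost_* attributes at all
    {"cn": "admins_everywhere", "ipaenabledflag": True, "hostcategory": "all",
     "servicecategory": "all", "memberuser_group": ["admins"]},
    {"cn": "devs_ssh_web", "ipaenabledflag": True, "memberuser_group": ["devs"],
     "memberhost_hostgroup": ["webservers"], "memberservice_hbacsvc": ["sshd"]},
    {"cn": "dave_sudo_db", "ipaenabledflag": False, "memberuser_user": ["dave"],
     "memberhost_host": ["db1.example.test"], "memberservice_hbacsvc": ["sudo"]},
]

def _hits(rule, category, value, memberships, direct, via_group):
    """Category 'all' matches everything; otherwise direct or group member."""
    if rule.get(category) == "all":
        return True
    if value in rule.get(direct, []):
        return True
    return bool(memberships.get(value, set()) & set(rule.get(via_group, [])))

def rule_grants(rule, user, host, service=None):
    """True if an enabled rule grants user -> host -> service (None = any)."""
    if rule.get("ipaenabledflag") is not True:      # disabled rules grant nothing
        return False
    user_ok = _hits(rule, "usercategory", user, USER_GROUPS,
                    "memberuser_user", "memberuser_group")
    host_ok = _hits(rule, "hostcategory", host, HOST_GROUPS,
                    "memberhost_host", "memberhost_hostgroup")
    svc_ok = (service is None or rule.get("servicecategory") == "all"
              or service in rule.get("memberservice_hbacsvc", []))
    return user_ok and host_ok and svc_ok

def who_can_access(host, service=None):
    """Map each granted user to the names of the rules granting them on host."""
    report = {}
    for user in USER_GROUPS:
        names = [r["cn"] for r in RULES if rule_grants(r, user, host, service)]
        if names:
            report[user] = names
    return report
```

Feeding real data means exporting the rules with `ipa hbacrule-find --all`, and flattening nested groups and trusted-domain users into the membership tables before running the report.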