Hello.
I was curious if there is something built in to FreeIPA (4.5.0 on CentOS) as a whole, or if someone has created scripts or the like, that perform access rights lookups without doing the typical HBAC rule lookups, which require user -> host -> service (as far as I know), where all of those things are required to actually perform the access granted/denied test.
Basically, what I'm trying to figure out is: is there a way to pick a host, for example, and get a list of who can access the system on a specific service (or any service, for that matter)?
The reason I ask is that I'm trying to figure out how to properly perform "audits" at my place of work, i.e. for PCI and SOX. As far as I can tell, there's no easy way to do this when we have, for example, two HBAC policies that allow all hosts (so there are no "member" attributes on the directory objects, just hostCategory all), and the majority of the policies use groups rather than specific individuals, so I'd have to get a list of all of the users, including the ones that are in AD across the trust.
If there isn't something like this built in, has someone done something like this before? I'd like to avoid rolling my own solution if possible, but if I had to roll my own, I could use some advisement or hints on something like this.