Generate an access control report for IPA domains

Related ticket(s):

https://pagure.io/SSSD/sssd/issue/2840

Problem statement

Some environments require, for auditing reasons, to generate an access control report on the IPA client itself. While it can be argued that generating these reports on the IPA servers instead would provide a nicer experience, the audits requirement sometimes need a tool to be run on the host.

Use cases

As an owner of an IPA client I need to know which users have access to this client. I want to run a tool on the host and get a report who can access it.

The reports must contain information about HBAC rules. In future, SUDO rules would be nice to have as well.

Overview of the solution

A new sssctl command called access-report. will be added. This command will only be implemented for IPA domains for now, other domain types will just return an error.

In this version, only a human-readable output will be provided.

Configuration changes

None, only the new tool will be implemented.

Implementation details

In order to trigger the refresh of rules by sssd_be process, the Data Provider will be enhanced with a new sbus method org.freedesktop.sssd.DataProvider.AccessControl.

This method will trigger the same async requests that PAM access phase normally calls which fetch and save the IPA HBAC rules. This means that the same rate-limiting with the ipa_hbac_refresh applies to this request as if it was called via PAM access phase. Additionally, this method will be exposed over the public D-Bus InfoPipe responder via a new RefreshAccessRules method. As with all methods, only root can call it by default.

Finally, this new D-Bus method will be called from the sssctl access-report command when it’s ran in order to populate the ldb cache with fresh HBAC rules

For printing the rules, the tool will simply call ldb_search, retrieve all objects of objectclass ipaHbacRule and then print the RDN value of memberUser (for users and user groups), memberService (for services and service groups) and category. By default, groups will not be unrolled, because the getgrnam interface limits the group nesting by default, therefore it is better to just print the group name, not all the group members.

Future enhancements

In future, the tool should also print the output in both human-readable and machine-readable formats. For machine readable output, JSON is the best choice, since the KCM responder already depends on libjansson. This enhancement is tracked in ticket #3581.

Additionally, for HBAC rules which are linked to a group, it might be handy to unroll the group members and print them if the administrator wishes. This enhancement is tracked with ticket #3580

How To Test

Run sssctl access-report on an IPA client with different HBAC rules stored in the cache. Make sure all options produce the desired results.

How To Debug

Debug messages will be added to the tool itself. To compare the output with the cache contents, the ldbsearch tool can be used. The ipa administration tool can be used to display the server-side HBAC rules.

Authors

• Jakub Hrozek <jhrozek@redhat.com>