On Fri, Jan 12, 2018 at 05:30:27PM -0000, Louis Abel via FreeIPA-users wrote:
> Hello.
> 
> I was curious if there is something built in to FreeIPA (4.5.0 on CentOS) as 
> a whole or if someone has created scripts or the like that perform access 
> rights lookups without doing the typical hbac rule lookups which require 
> user -> host -> service (as far as I know), where those things are required 
> to actually perform the access granted/denied test. Basically, what I'm 
> trying to figure out is there a way to pick a host for example, and get a 
> list of who can access the system on a specific service (or any service for 
> that matter). 
> 
> The reason I ask is I'm trying to figure out how to properly perform "audits" 
> at my place of work, i.e. for PCI and SOX. And as far as I can tell, there's no 
> easy way to do this when we have for example, two HBAC policies that allow 
> all hosts (so there's no "member" attributes on the directory objects, just 
> hostCategory all) and then the majority of the policies are using groups rather 
> than specific individuals, so I'd have to get a list of all of the users, 
> including the ones that are in AD across the trust.
> 
> If there isn't something like this built in, has someone done something like 
> this before? I'd like to try to avoid rolling my own solution if possible, 
> but if I had to roll my own solution, I could use some advisement or hints on 
> something like this.

Currently this is only possible on the clients:
    https://docs.pagure.org/SSSD.sssd/design_pages/attestation_report.html
and it's only been implemented in the last version (1.16) which will be
available in RHEL-7.5.

There is an RFE about generating a server-side report:
    https://bugzilla.redhat.com/show_bug.cgi?id=1492993
but currently it's not implemented.
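The reverse lookup Louis describes (pick a host, list who can reach it over a given service, with hostCategory=all rules and nested groups expanded) can be done on the server side with a small script over the rule data. The following is an added Python example, not code from the FreeIPA project, from SSSD, or from either message in this thread. The rule/group dicts are constructed sample data; their keys (memberhost_host, memberuser_group, ipaenabledflag, ...) are assumed to mirror what `ipa hbacrule-find --all` returns, and a real run would replace RULES/GROUPS/HOSTGROUPS with data pulled from the directory. Trusted-domain (AD) users are represented as plain names inside a group here; resolving external group membership across the trust is not implemented.

```python
"""Reverse HBAC lookup: which users may reach a given host on a given service?

Added example, not FreeIPA/SSSD code. It applies HBAC semantics (a
category of "all" versus explicit members, nested groups, disabled rules)
to a constructed rule set. Attribute names are assumed to match the
output of `ipa hbacrule-find --all`; that is an assumption, not a fact
taken from the thread.
"""
from collections import defaultdict

# ---- constructed sample data (hypothetical names, not from the thread) ----
# user group -> direct user members and nested groups
GROUPS = {
    "admins": {"users": {"alice"}, "groups": set()},
    "dba": {"users": {"bob"}, "groups": set()},
    "ops": {"users": {"carol"}, "groups": {"dba"}},  # nested: ops contains dba
    "ad_users": {"users": {"dave@ad.example.test"}, "groups": set()},
}
# host group -> direct host members and nested host groups
HOSTGROUPS = {
    "webservers": {"hosts": {"web1.example.test", "web2.example.test"}, "groups": set()},
    "databases": {"hosts": {"db1.example.test"}, "groups": set()},
}
RULES = [
    {"cn": "allow_all_admins", "ipaenabledflag": ["TRUE"],   # list form, as the API prints it
     "hostcategory": "all", "memberuser_group": ["admins"], "servicecategory": "all"},
    {"cn": "dba_to_db", "ipaenabledflag": True,
     "memberhost_hostgroup": ["databases"], "memberuser_group": ["dba"],
     "memberservice_hbacsvc": ["sshd"]},
    {"cn": "ops_web_ssh", "ipaenabledflag": True,
     "memberhost_hostgroup": ["webservers"], "memberuser_group": ["ops"],
     "memberservice_hbacsvc": ["sshd", "sudo"]},
    {"cn": "old_rule", "ipaenabledflag": False,   # disabled: must not grant anything
     "hostcategory": "all", "usercategory": "all", "servicecategory": "all"},
    {"cn": "ad_users_anywhere", "ipaenabledflag": True,
     "hostcategory": "all", "memberuser_group": ["ad_users"],
     "memberservice_hbacsvc": ["sshd"]},
]


def rule_enabled(rule):
    """Accept the boolean, string and single-element-list spellings of the flag."""
    flag = rule.get("ipaenabledflag", False)
    if isinstance(flag, (list, tuple)):
        flag = flag[0] if flag else False
    return flag is True or str(flag).upper() == "TRUE"


def expand(name, table, leaf_key, seen=None):
    """Transitively expand a (host or user) group into its leaf members.
    `seen` guards against membership cycles."""
    if seen is None:
        seen = set()
    if name in seen or name not in table:
        return set()
    seen.add(name)
    members = set(table[name][leaf_key])
    for nested in table[name]["groups"]:
        members |= expand(nested, table, leaf_key, seen)
    return members


def rule_hosts(rule, hostgroups):
    """Hosts a rule applies to; None means every host (hostCategory=all)."""
    if rule.get("hostcategory") == "all":
        return None
    hosts = set(rule.get("memberhost_host", []))
    for hg in rule.get("memberhost_hostgroup", []):
        hosts |= expand(hg, hostgroups, "hosts")
    return hosts


def rule_services(rule):
    """Services a rule covers; None means every service. Service groups are
    not expanded in this example."""
    if rule.get("servicecategory") == "all":
        return None
    return set(rule.get("memberservice_hbacsvc", []))


def rule_users(rule, groups):
    """Users a rule grants; None means every user (userCategory=all)."""
    if rule.get("usercategory") == "all":
        return None
    users = set(rule.get("memberuser_user", []))
    for g in rule.get("memberuser_group", []):
        users |= expand(g, groups, "users")
    return users


def who_can_access(host, service=None, rules=RULES, groups=GROUPS, hostgroups=HOSTGROUPS):
    """Return {user: [granting rule names]} for `host`. service=None asks
    "any service". A userCategory=all grant is reported under the key '*'."""
    grants = defaultdict(set)
    for rule in rules:
        if not rule_enabled(rule):
            continue
        hosts = rule_hosts(rule, hostgroups)
        if hosts is not None and host not in hosts:
            continue
        services = rule_services(rule)
        if service is not None and services is not None and service not in services:
            continue
        users = rule_users(rule, groups)
        for user in (users if users is not None else {"*"}):
            grants[user].add(rule["cn"])
    return {u: sorted(r) for u, r in sorted(grants.items())}


if __name__ == "__main__":
    for host, svc in [("db1.example.test", "sshd"), ("web1.example.test", "sudo")]:
        print(host, svc or "<any>", who_can_access(host, svc))
```

The output is keyed by user so each entry also shows which rule is responsible, which is what an auditor needs when a name turns up unexpectedly. Note that the script evaluates the rule set as the server stores it; it does not replace `ipa hbactest` or the client-side SSSD report for checking what a specific client actually enforces.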
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org