Hi all. I know that the A part of IPA has been delayed, but that doesn't mean that the auditing requirement has gone away.
Before I write a bunch of stuff for this, I wanted to see if anyone had any thoughts (or code!) regarding how to accomplish some of this stuff that auditors want to see. Here's an email I received from an E&Y auditor:

---cut---
Thanks for the great response! I think at this point it's probably best to jump on a call/meet in person and try to figure out where to go from here. What we would like to understand is if IPA will be in scope for our audit this year. From what you have told me below, it's 'possible' that user accounts on IPA may have access to our in-scope servers. And if this is the case we would need to obtain evidence of who has access to our in-scope servers through IPA, their level of access and how they authenticate to the server.

Here's a couple of thoughts on my mind that I would like to discuss further before we 'formally' request this evidence:

• Would we be able to obtain a 'system generated' list or screenshots showing all accounts on IPA that are able to access our in-scope servers?
• Additionally, you mentioned that regular user accounts su or sudo to the application account (root). Would we be able to evidence which accounts on IPA are configured to be able to su to the application account?
• We would like to find a way to evidence the authentication path and the specific password parameters in place for the user accounts on IPA that we determine are in-scope for us this year.
• How are accounts set up on IPA? What is the process for setting up new users?
• Who has privileged access (the ability to add, delete or modify user accounts) to IPA, and would we be able to obtain evidence to show who has these access rights?
---cut---

I know I can dump a list of users, then run that list through a series of HBAC tests to see if a user is allowed access to a particular server, but is there a way to easily ask "what users can log into this server?" Or even "what users are allowed to su to this account on this server?" as is being asked above?
Does anyone already have any code they'd be willing to share to this end?

Thanks for any thoughts at all,
--Jason

--
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
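The "dump the users, then run each through an HBAC test" approach described in the post, as an added example (not code from the original post or from FreeIPA itself): it enumerates every uid with `ipa user-find` and asks `ipa hbactest` whether HBAC grants that user the given service on the given host, printing the users that are allowed. It assumes an admin Kerberos ticket is already held; the `IPA` variable only exists so the `ipa` command can be pointed at a stub when testing.

```shell
#!/bin/sh
# Access-review helper: which IPA users can log in to a host via a service?
# Requires a valid admin ticket (kinit) on a machine with the ipa CLI.
# IPA names the command used for every IPA call (default: ipa); a test
# harness may set it to a stub function that mimics the CLI output.
IPA="${IPA:-ipa}"

# Print every uid in the directory, one per line.
# --sizelimit=0 lifts the default 100-entry cap so the report is complete;
# --raw makes the attribute name a stable "uid:" token for awk to match.
ipa_all_users() {
    "$IPA" user-find --pkey-only --raw --sizelimit=0 \
        | awk '$1 == "uid:" { print $2 }'
}

# Return 0 when HBAC grants user $1 access to host $2 through service $3.
# hbactest prints a summary line "Access granted: True" or "...: False".
hbac_allows() {
    "$IPA" hbactest --user="$1" --host="$2" --service="$3" \
        | grep -q '^Access granted: True$'
}

# Print the users HBAC allows on host $1 via service $2 (default sshd),
# one per line: the "system generated list" an auditor can be handed.
hbac_allowed_users() {
    host="$1"
    service="${2:-sshd}"
    ipa_all_users | while IFS= read -r uid; do
        if hbac_allows "$uid" "$host" "$service"; then
            printf '%s\n' "$uid"
        fi
    done
}

# Example invocation (hostname is a placeholder):
#   hbac_allowed_users web01.example.com sshd
```

Each `hbactest` call is one LDAP round trip, so for large directories run it once per in-scope host rather than per user per host interactively. The same loop with `--service=su` or `--service=su-l` answers the "who may su on this host" question as far as HBAC controls it; sudo rules are a separate check.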
