Red Hat Bugzilla – Bug 1272214
[RFE] Create a local per system report about who can access that IDM client (attestation)
Last modified: 2018-04-23 07:24:47 EDT
This bug is created as a clone of upstream ticket: https://fedorahosted.org/sssd/ticket/2840

Use case: As an owner of a system I need to know which users have access to a host. I want to run something on the host and get a report of who can access it. The report must contain information about HBAC, but a SUDO report would also be beneficial. This would allow me to pass audits and make sure that the right people have the right access to systems and applications.

Idea: Create a utility that would trigger a one-time enumeration, populate the caches and run a report against the cache. That would actually solve two problems:
a. Priming of the cache with the full database
b. Actually creating a report based on the cached data

We see several inquiries about this capability in recent days.
I agree this is a nice RFE, but I also think we should implement the critical enhancements first.
Hello Team,

Do we have any update on this RFE?

Regards
Mayur Gupta
(In reply to Mayur from comment #6)
> Hello Team,
>
> Do we have any update on this RFE?
>
> Regards
>
> Mayur Gupta

Not at this point, it's still a stretch goal for 7.4
Note that the topic of IdM attestation report was split to 3 RFEs:
* Bug 1272214: [RFE] Create a local per system report about who can access that system (attestation) (included in SSSD)
* Bug 1491802 - [RFE] Central report who can run which sudo commands on which systems (attestation) (included in IdM Server)
* Bug 1492993 - [RFE] Central report that will show who can access which systems (attestation) (included in IdM Server)
Proposed user story for this client part:

As an owner of a system I need to know which users have access to a host. I want to run something on the host and get a report of who can access it via which means and services.
(In reply to Martin Kosek from comment #22)
> Proposed user story for this client part:
>
> As an owner of a system I need to know which users have access to a host. I
> want to run something on the host and get a report who can access it via
> which means and services.

At the same time, I think it makes much more sense to concentrate on the server-side report at least for 7.5 (if we can still make it..), I think the client-side report has much less value in a centralized environment.
The correct hashes are ...
- master:
  * be804178d5e5fee64be2b080e73f4ce7b0074f76
  * c6cf752337f5977ce3753b7113dc1a2342c86319
  * 2754a8dcfa937d45b024a2e57419248bfd4c4919
  * e737cdfa225e0d455c0e574bcb82c2cc16a17d9d
  * 6211a202301e6f61d46cdb2bf0be332a70c7fdea
  * 3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8
Verified against sssd-1.16.0-11.el7.x86_64.

    [root@vm-idm-013 db]# sssctl access-report
    Missing option: Specify domain name.

    Usage: sssctl access-report DOMAIN [OPTIONS...]

    Command options:

    Help options:
      -?, --help                Show this help message
      --usage                   Display brief usage message

    [root@vm-idm-013 db]# sssctl access-report testrelm.test
    1 rules cached

    Rule name: allow_all
    User category: all
    Service category: all
(In reply to Dan Lavu from comment #38)
> Verified against sssd-1.16.0-11.el7.x86_64.
>
>
> [root@vm-idm-013 db]# sssctl access-report
> Missing option: Specify domain name.
>
> Usage: sssctl access-report DOMAIN [OPTIONS...]
>
> Command options:
>
> Help options:
>   -?, --help                Show this help message
>   --usage                   Display brief usage message
>
> [root@vm-idm-013 db]# sssctl access-report testrelm.test
> 1 rules cached
>
> Rule name: allow_all
> User category: all
> Service category: all

I hope there will be more cases covered in integration test :-)
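As an added example (not part of this bug or of SSSD), a small POSIX shell audit helper that consumes the `sssctl access-report DOMAIN` output format shown in comment 38 and flags HBAC rules that apply to all users on all services, the kind of rule an attestation review would want to see first. It assumes only the line layout visible above ("N rules cached", "Rule name:", "User category:", "Service category:"); the second rule in the constructed sample and its "Users:"/"Services:" lines are assumptions made up for the demonstration.

```shell
#!/bin/sh
# Added example, not SSSD code: parse `sssctl access-report DOMAIN` output
# and flag rules that grant access to all users on all services.

# Constructed sample report in the layout shown in comment 38 (not real data;
# the second rule and its "Users:"/"Services:" lines are assumed).
SAMPLE_REPORT='2 rules cached

Rule name: allow_all
User category: all
Service category: all

Rule name: admins_ssh
Users: admin
Services: sshd'

# count_cached_rules: print the "N" from the "N rules cached" header, which
# shows whether the cache was actually primed before the report was built.
count_cached_rules() {
    sed -n 's/^\([0-9][0-9]*\) rules cached$/\1/p'
}

# flag_permissive_rules: print the name of every rule whose user category
# and service category are both "all", once per rule, in report order.
flag_permissive_rules() {
    awk '
        /^Rule name:/        { rule = $3; ucat = ""; scat = ""; flagged = 0 }
        /^User category:/    { ucat = $3 }
        /^Service category:/ { scat = $3 }
        { if (!flagged && ucat == "all" && scat == "all") { print rule; flagged = 1 } }
    '
}

# audit_domain DOMAIN: run the real report on this host and flag its rules.
# Requires sssctl (sssd-tools) and root; not exercised by the sample below.
audit_domain() {
    sssctl access-report "$1" | flag_permissive_rules
}
```

Piping the sample through `flag_permissive_rules` prints only `allow_all`; on a live host, `audit_domain testrelm.test` does the same against the cached HBAC rules.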
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0929