[RFE] Produce access control attestation report for IPA domains #3881

sssd-bot · 2020-05-02T13:20:23Z

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/2840

Created at 2015-10-15 14:46:47 by dpal
Closed at 2017-11-21 20:29:09 as Fixed
Assigned to jhrozek
Associated bugzillas
- https://bugzilla.redhat.com/show_bug.cgi?id=1272214

Use case:

As an owner of a system I need to know which users have access to a host. I want to run something on the host and get a report who can access it.
The reports must contain information about HBAC but does a SUDO report would also be beneficial. This would allow me to pass audits and make sure that right people have right access to systems and applications.

Idea:
Create a utility that would trigger one time enumeration, populate caches and run a report against the cache. That would actually solve do two problems:
a. Priming of the cache with the full database
b. Actually creating a report based on the cached data

We see several inquiries about this capability in recent days.

Comments

Comment from jhrozek at 2015-10-15 21:09:20

Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1272214

rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=1272214 1272214]

Comment from jhrozek at 2015-10-22 17:34:15

For now, I'll file the ticket into 1.15, since it hasn't been requested for the next release.

If it is requested, we will move it back up.

milestone: NEEDS_TRIAGE => SSSD 1.15 beta

Comment from dpal at 2017-02-24 14:34:14

Metadata Update from @dpal:

Issue set to the milestone: SSSD Future releases (no date set yet)

Comment from jhrozek at 2017-05-18 12:31:40

Some more details based on a discussion in a RHBZ (private, sorry)

it was suggested to output the result in CSV along the lines of name:object_type:service
machine-parseable output would make it easy to consume the data with an ansible module
an ansible module should be developed to gather the data from the output. Where to track this module is not clear, we need to find who would be working on the IDM/AD ansible integration
same as above applies to sudo

Comment from jhrozek at 2017-05-18 12:31:43

Metadata Update from @jhrozek:

Custom field design_review reset (from 0)
Custom field mark reset (from 0)
Custom field patch reset (from 0)
Custom field review reset (from 0)
Custom field sensitive reset (from 0)
Custom field testsupdated reset (from 0)
Issue close_status updated to: None

Comment from jhrozek at 2017-08-10 13:30:15

Metadata Update from @jhrozek:

Custom field design_review reset (from false)
Custom field mark reset (from false)
Custom field patch reset (from false)
Custom field review reset (from false)
Custom field sensitive reset (from false)
Custom field testsupdated reset (from false)
Issue set to the milestone: SSSD 1.16.0 (was: SSSD Future releases (no date set yet))

Comment from jhrozek at 2017-08-18 18:22:49

Metadata Update from @jhrozek:

Custom field design_review reset (from false)
Custom field mark reset (from false)
Custom field patch reset (from false)
Custom field review reset (from false)
Custom field sensitive reset (from false)
Custom field testsupdated reset (from false)
Issue tagged with: RFE

Comment from jhrozek at 2017-10-19 17:51:53

Since we are required to release a new upstream tarball no later than Friday Oct-20, I'm moving tickets that will not be closed by that date to the next milestone, 1.16.1

Comment from jhrozek at 2017-10-19 17:51:54

Metadata Update from @jhrozek: