Red Hat SummitChapter 8. Reporting on user access on hosts using SSSD
The Security System Services Daemon (SSSD) tracks user access rights across network clients. Use the sssctl command-line tool to generate detailed access control reports and audit user data for security compliance.
8.1. Prerequisites
- SSSD packages are installed in your network environment
8.2. The sssctl command
The sssctl utility provides a unified interface for monitoring the Security System Services Daemon (SSSD) status. Use this tool to manage caches, review logs, and audit domain states or user authentication access.
You can use the sssctl utility to gather information about:
- Domain state
- Client user authentication
- User access on clients of a particular domain
- Information about cached content
With the sssctl tool, you can:
- Manage the SSSD cache
- Manage logs
- Check configuration files
The sssctl tool replaces sss_cache and sss_debuglevel tools.
8.3. Generating access control reports using sssctl
The Security System Services Daemon (SSSD) enforces login permissions on the local machine. Generating an access control report lists the specific rules currently applied to the host, helping you to verify active security policies.
The access report is not accurate because the tool does not track users locked out by the Key Distribution Center (KDC).
Prerequisites
- You must be logged in with administrator privileges.
Procedure
To generate an access control report, run the following command, replacing
<domain_name>:[root@client1 ~]# sssctl access-report <domain_name>1 rule cached Rule name: example.user Member users: example.user Member services: sshd
8.4. Displaying user authorization details using sssctl
The sssctl user-checks command validates specific user permissions against PAM services. Run this diagnostic tool to troubleshoot login failures and view data from the Name Service Switch (NSS) or InfoPipe responder.
Run sssctl user-checks <user_name> to display user data available from Name Service Switch (NSS) and the InfoPipe responder for the D-Bus interface. The output shows whether the user is authorized to log in using the system-auth Pluggable Authentication Module (PAM) service.
The command has two options:
-
-afor a PAM action -
-sfor a PAM service
If you do not specify -a and -s options, the sssctl tool uses default options: -a acct -s system-auth.
Prerequisites
- You must be logged in with administrator privileges.
Procedure
To display user data for a particular user, enter:
[root@client1 ~]# sssctl user-checks -a acct -s sshd <user_name>user: example.user action: acct service: sshd ...
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}