Search

Chapter 56. Configuring host-based access control rules

download PDF

You can use host-based access control (HBAC) rules to manage access control in your Identity Management (IdM) domain. HBAC rules define which users or user groups can access specified hosts or host groups by using which services or services in a service group. For example, you can use HBAC rules to achieve the following goals:

  • Limit access to a specified system in your domain to members of a specific user group.
  • Allow only a specific service to be used to access the systems in your domain.

By default, IdM is configured with a default HBAC rule named allow_all, which allows universal access to every host for every user via every relevant service in the entire IdM domain.

You can fine-tune access to different hosts by replacing the default allow_all rule with your own set of HBAC rules. For centralized and simplified access control management, you can apply HBAC rules to user groups, host groups, or service groups instead of individual users, hosts, or services.

56.1. Configuring HBAC rules in an IdM domain using the WebUI

To configure your domain for host-based access control, complete the following steps:

Note

Do not disable the allow_all rule before creating your custom HBAC rules as if you do so, no users will be able to access any hosts.

56.1.1. Creating HBAC rules in the IdM WebUI

To configure your domain for host-based access control using the IdM WebUI, follow the steps below. For the purposes of this example, the procedure shows you how to grant a single user, sysadmin access to all systems in the domain using any service.

Note

IdM stores the primary group of a user as a numerical value of the gidNumber attribute instead of a link to an IdM group object. For this reason, an HBAC rule can only reference a user’s supplementary groups and not its primary group.

Prerequisites

  • User sysadmin exists in IdM.

Procedure

  1. Select Policy>Host-Based Access Control>HBAC Rules.
  2. Click Add to start adding a new rule.
  3. Enter a name for the rule, and click Add and Edit to open the HBAC rule configuration page.
  4. In the Who area, select Specified Users and Groups. Then click Add to add the users or groups.
  5. Select the sysadmin user from the list of the Available users and click > to move to the list of Prospective users and click Add.
  6. In the Accessing area, select Any Host to apply the HBAC rule to all hosts.
  7. In the Via Service area, select Any Service to apply the HBAC rule to all services.

    Note

    Only the most common services and service groups are configured for HBAC rules by default.

    • To display the list of services that are currently available, select Policy>Host-Based Access Control>HBAC Services.
    • To display the list of service groups that are currently available, select Policy>Host-Based Access Control>HBAC Service Groups.

    To add more services and service groups, see Adding HBAC Service Entries for Custom HBAC Services and Adding HBAC Service Groups.

  8. To save any changes you make on the HBAC rule configuration page, click Save at the top of the page.

56.1.2. Testing HBAC rules in the IdM WebUI

IdM allows you to test your HBAC configuration in various situations using simulated scenarios. Performing these simulated tests, you can discover misconfiguration problems or security risks before deploying HBAC rules in production.

Important

Always test custom HBAC rules before you start using them in production.

Note that IdM does not test the effect of HBAC rules on trusted Active Directory (AD) users. Because the IdM LDAP directory does not store the AD data, IdM cannot resolve group membership of AD users when simulating HBAC scenarios.

Procedure

  1. Select Policy>Host-Based Access Control>HBAC Test.
  2. On the Who window, specify the user under whose identity you want to perform the test, and click Next.
  3. On the Accessing window, specify the host that the user will attempt to access, and click Next.
  4. On the Via Service window, specify the service that the user will attempt to use, and click Next.
  5. On the Rules window, select the HBAC rules you want to test, and click Next. If you do not select any rule, all rules are tested.

    Select Include Enabled to run the test on all rules whose status is Enabled. Select Include Disabled to run the test on all rules whose status is Disabled. To view and change the status of HBAC rules, select Policy>Host-Based Access Control>HBAC Rules.

    Important

    If the test runs on multiple rules, it passes successfully if at least one of the selected rules allows access.

  6. On the Run Test window, click Run Test.
  7. Review the test results:

    • If you see ACCESS DENIED, the user is not granted access in the test.
    • If you see ACCESS GRANTED, the user is able to access the host successfully.

    By default, IdM lists all the tested HBAC rules when displaying the test results.

    • Select Matched to display the rules that allowed successful access.
    • Select Unmatched to display the rules that prevented access.

56.1.3. Disabling HBAC rules in the IdM WebUI

You can disable an HBAC rule but it only deactivates the rule and does not delete it. If you disable an HBAC rule, you can re-enable it later.

Note

Disabling HBAC rules is useful when you are configuring custom HBAC rules for the first time. To ensure that your new configuration is not overridden by the default allow_all HBAC rule, you must disable allow_all.

Procedure

  1. Select Policy>Host-Based Access Control>HBAC Rules.
  2. Select the HBAC rule you want to disable.
  3. Click Disable.
  4. Click OK to confirm you want to disable the selected HBAC rule.

56.2. Configuring HBAC rules in an IdM domain using the CLI

To configure your domain for host-based access control, complete the following steps:

Note

Do not disable the allow_all rule before creating your custom HBAC rules. If you disable it before creating your custom rules, access to all hosts for all users will be denied.

56.2.1. Creating HBAC rules in the IdM CLI

To configure your domain for host-based access control using the IdM CLI, follow the steps below. For the purposes of this example, the procedure shows you how to grant a single user, sysadmin, access to all systems in the domain using any service.

Note

IdM stores the primary group of a user as a numerical value of the gidNumber attribute instead of a link to an IdM group object. For this reason, an HBAC rule can only reference a user’s supplementary groups and not its primary group.

Prerequisites

  • User sysadmin exists in IdM.

Procedure

  1. Use the ipa hbacrule-add command to add the rule.

    $ ipa hbacrule-add
    Rule name: rule_name
    ---------------------------
    Added HBAC rule "rule_name"
    ---------------------------
      Rule name: rule_name
      Enabled: TRUE
  2. To apply the HBAC rule to the sysadmin user only, use the ipa hbacrule-add-user command.

    $ ipa hbacrule-add-user --users=sysadmin
    Rule name: rule_name
      Rule name: rule_name
      Enabled: True
      Users: sysadmin
    -------------------------
    Number of members added 1
    -------------------------
    Note

    To apply a HBAC rule to all users, use the ipa hbacrule-mod command and specify the all user category --usercat=all. Note that if the HBAC rule is associated with individual users or groups, ipa hbacrule-mod --usercat=all fails. In this situation, remove the users and groups using the ipa hbacrule-remove-user command.

  3. Specify the target hosts. To apply the HBAC rule to all hosts, use the ipa hbacrule-mod command and specify the all host category:

    $ ipa hbacrule-mod rule_name --hostcat=all
    ------------------------------
    Modified HBAC rule "rule_name"
    ------------------------------
      Rule name: rule_name
      Host category: all
      Enabled: TRUE
      Users: sysadmin
    Note

    If the HBAC rule is associated with individual hosts or groups, ipa hbacrule-mod --hostcat=all fails. In this situation, remove the hosts and groups using the ipa hbacrule-remove-host command.

  4. Specify the target HBAC services. To apply the HBAC rule to all services, use the ipa hbacrule-mod command and specify the all service category:

    $ ipa hbacrule-mod rule_name --servicecat=all
    ------------------------------
    Modified HBAC rule "rule_name"
    ------------------------------
      Rule name: rule_name
      Host category: all
      Service category: all
      Enabled: True
      Users: sysadmin
Note

If the HBAC rule is associated with individual services or groups, ipa hbacrule-mod --servicecat=all fails. In this situation, remove the services and groups using the ipa hbacrule-remove-service command.

Verification

  • Verify that the HBAC rule has been added correctly.

    1. Use the ipa hbacrule-find command to verify that the HBAC rule exists in IdM.
    2. Use the ipa hbacrule-show command to verify the properties of the HBAC rule.

Additional resources

56.2.2. Testing HBAC rules in the IdM CLI

IdM allows you to test your HBAC configuration in various situations using simulated scenarios. Performing these simulated tests, you can discover misconfiguration problems or security risks before deploying HBAC rules in production.

Always test custom HBAC rules before you start using them in production.

Note that IdM does not test the effect of HBAC rules on trusted Active Directory (AD) users. Because the IdM LDAP directory does not store the AD data, IdM cannot resolve group membership of AD users when simulating HBAC scenarios.

Procedure

  1. Use the ipa hbactest command to test your HBAC rule. You have the option to test a single HBAC rule or multiple HBAC rules.

    • To test a single HBAC rule:

      $ ipa hbactest --user=sysadmin --host=server.idm.example.com --service=sudo --rules=rule_name
      ---------------------
      Access granted: True
      ---------------------
        Matched rules: rule_name
    • To test multiple HBAC rules:

      1. Add a second rule only allowing the sysadmin to use ssh on all hosts:

        $ ipa hbacrule-add --hostcat=all rule2_name
        $ ipa hbacrule-add-user --users sysadmin rule2_name
        $ ipa hbacrule-add-service --hbacsvcs=sshd rule2_name
          Rule name: rule2_name
          Host category: all
          Enabled: True
          Users: admin
          HBAC Services: sshd
        -------------------------
        Number of members added 1
        -------------------------
      2. Test multiple HBAC rules by running the following command:

        $ ipa hbactest --user=sysadmin --host=server.idm.example.com --service=sudo --rules=rule_name --rules=rule2_name
        --------------------
        Access granted: True
        --------------------
          Matched rules: rule_name
          Not matched rules: rule2_name

In the output, Matched rules list the rules that allowed successful access while Not matched rules list the rules that prevented access. Note that if you do not specify the --rules option, all rules are applied. Using --rules is useful to independently test each rule.

Additional resources

  • See ipa hbactest --help for more information.

56.2.3. Disabling HBAC rules in the IdM CLI

You can disable an HBAC rule but it only deactivates the rule and does not delete it. If you disable an HBAC rule, you can re-enable it later.

Note

Disabling HBAC rules is useful when you are configuring custom HBAC rules for the first time. To ensure that your new configuration is not overridden by the default allow_all HBAC rule, you must disable allow_all.

Procedure

  • Use the ipa hbacrule-disable command. For example, to disable the allow_all rule:

    $ ipa hbacrule-disable allow_all
    ------------------------------
    Disabled HBAC rule "allow_all"
    ------------------------------

Additional resources

  • See ipa hbacrule-disable --help for more details.

56.3. Adding HBAC service entries for custom HBAC services

The most common services and service groups are configured for HBAC rules by default, but you can also configure any other pluggable authentication module (PAM) service as an HBAC service. This allows you to define custom PAM services in an HBAC rule. These PAM services files are in the etc/pam.d directory on RHEL systems.

Note

Adding a service as an HBAC service is not the same as adding a service to the domain. Adding a service to the domain makes it available to other resources in the domain, but it does not allow you to use the service in HBAC rules.

56.3.1. Adding HBAC service entries for custom HBAC services in the IdM WebUI

To add a custom HBAC service entry, follow the steps described below.

Procedure

  1. Select Policy>Host-Based Access Control>HBAC Services.
  2. Click Add to add an HBAC service entry.
  3. Enter a name for the service, and click Add.

56.3.2. Adding HBAC service entries for custom HBAC services in the IdM CLI

To add a custom HBAC service entry, follow the steps described below.

Procedure

  • Use the ipa hbacsvc-add command. For example, to add an entry for the tftp service:

    $ ipa hbacsvc-add tftp
    -------------------------
    Added HBAC service "tftp"
    -------------------------
      Service name: tftp

Additional resources

  • See ipa hbacsvc-add --help for more details.

56.4. Adding HBAC service groups

HBAC service groups can simplify HBAC rules management. For example, instead of adding individual services to an HBAC rule, you can add a whole service group.

56.4.1. Adding HBAC service groups in the IdM WebUI

To add an HBAC service group in the IdM WebUI, follow the steps outlined below.

Procedure

  1. Select Policy>Host-Based Access Control>HBAC Service Groups.
  2. Click Add to add an HBAC service group.
  3. Enter a name for the service group, and click Edit.
  4. On the service group configuration page, click Add to add an HBAC service as a member of the group.

56.4.2. Adding HBAC service groups in the IdM CLI

To add an HBAC service group in the IdM CLI, follow the steps outlined below.

Procedure

  1. Use the ipa hbacsvcgroup-add command in your terminal to add an HBAC service group. For example, to add a group named login:

    $ ipa hbacsvcgroup-add
    Service group name: login
    --------------------------------
    Added HBAC service group "login"
    --------------------------------
      Service group name: login
  2. Use the ipa hbacsvcgroup-add-member command to add an HBAC service as a member of the group. For example, to add the sshd service to the login group:

    $ ipa hbacsvcgroup-add-member
    Service group name: login
    [member HBAC service]: sshd
      Service group name: login
      Member HBAC service: sshd
    -------------------------
    Number of members added 1
    -------------------------

Additional resources

  • See ipa hbacsvcgroup-add --help for more details.
  • See ipa hbacsvcgroup-add-member --help for more details.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.