Chapter 56. Configuring host-based access control rules
You can use host-based access control (HBAC) rules to manage access control in your Identity Management (IdM) domain. HBAC rules define which users or user groups can access specified hosts or host groups by using which services or services in a service group. For example, you can use HBAC rules to achieve the following goals:
- Limit access to a specified system in your domain to members of a specific user group.
- Allow only a specific service to be used to access the systems in your domain.
By default, IdM is configured with a default HBAC rule named allow_all
, which allows universal access to every host for every user via every relevant service in the entire IdM domain.
You can fine-tune access to different hosts by replacing the default allow_all
rule with your own set of HBAC rules. For centralized and simplified access control management, you can apply HBAC rules to user groups, host groups, or service groups instead of individual users, hosts, or services.
56.1. Configuring HBAC rules in an IdM domain using the WebUI
To configure your domain for host-based access control, complete the following steps:
Do not disable the allow_all
rule before creating your custom HBAC rules as if you do so, no users will be able to access any hosts.
56.1.1. Creating HBAC rules in the IdM WebUI
To configure your domain for host-based access control using the IdM WebUI, follow the steps below. For the purposes of this example, the procedure shows you how to grant a single user, sysadmin access to all systems in the domain using any service.
IdM stores the primary group of a user as a numerical value of the gidNumber
attribute instead of a link to an IdM group object. For this reason, an HBAC rule can only reference a user’s supplementary groups and not its primary group.
Prerequisites
- User sysadmin exists in IdM.
Procedure
- Select Policy>Host-Based Access Control>HBAC Rules.
- Click to start adding a new rule.
- Enter a name for the rule, and click to open the HBAC rule configuration page.
- In the Who area, select Specified Users and Groups. Then click to add the users or groups.
- Select the sysadmin user from the list of the Available users and click to move to the list of Prospective users and click .
- In the Accessing area, select Any Host to apply the HBAC rule to all hosts.
In the Via Service area, select Any Service to apply the HBAC rule to all services.
NoteOnly the most common services and service groups are configured for HBAC rules by default.
- To display the list of services that are currently available, select Policy>Host-Based Access Control>HBAC Services.
- To display the list of service groups that are currently available, select Policy>Host-Based Access Control>HBAC Service Groups.
To add more services and service groups, see Adding HBAC Service Entries for Custom HBAC Services and Adding HBAC Service Groups.
- To save any changes you make on the HBAC rule configuration page, click at the top of the page.
56.1.2. Testing HBAC rules in the IdM WebUI
IdM allows you to test your HBAC configuration in various situations using simulated scenarios. Performing these simulated tests, you can discover misconfiguration problems or security risks before deploying HBAC rules in production.
Always test custom HBAC rules before you start using them in production.
Note that IdM does not test the effect of HBAC rules on trusted Active Directory (AD) users. Because the IdM LDAP directory does not store the AD data, IdM cannot resolve group membership of AD users when simulating HBAC scenarios.
Procedure
- Select Policy>Host-Based Access Control>HBAC Test.
- On the Who window, specify the user under whose identity you want to perform the test, and click .
- On the Accessing window, specify the host that the user will attempt to access, and click .
- On the Via Service window, specify the service that the user will attempt to use, and click .
On the Rules window, select the HBAC rules you want to test, and click . If you do not select any rule, all rules are tested.
Select Include Enabled to run the test on all rules whose status is Enabled. Select Include Disabled to run the test on all rules whose status is Disabled. To view and change the status of HBAC rules, select Policy>Host-Based Access Control>HBAC Rules.
ImportantIf the test runs on multiple rules, it passes successfully if at least one of the selected rules allows access.
- On the Run Test window, click .
Review the test results:
- If you see ACCESS DENIED, the user is not granted access in the test.
- If you see ACCESS GRANTED, the user is able to access the host successfully.
By default, IdM lists all the tested HBAC rules when displaying the test results.
- Select Matched to display the rules that allowed successful access.
- Select Unmatched to display the rules that prevented access.
56.1.3. Disabling HBAC rules in the IdM WebUI
You can disable an HBAC rule but it only deactivates the rule and does not delete it. If you disable an HBAC rule, you can re-enable it later.
Disabling HBAC rules is useful when you are configuring custom HBAC rules for the first time. To ensure that your new configuration is not overridden by the default allow_all
HBAC rule, you must disable allow_all
.
Procedure
- Select Policy>Host-Based Access Control>HBAC Rules.
- Select the HBAC rule you want to disable.
- Click .
- Click to confirm you want to disable the selected HBAC rule.
56.2. Configuring HBAC rules in an IdM domain using the CLI
To configure your domain for host-based access control, complete the following steps:
Do not disable the allow_all
rule before creating your custom HBAC rules. If you disable it before creating your custom rules, access to all hosts for all users will be denied.
56.2.1. Creating HBAC rules in the IdM CLI
To configure your domain for host-based access control using the IdM CLI, follow the steps below. For the purposes of this example, the procedure shows you how to grant a single user, sysadmin, access to all systems in the domain using any service.
IdM stores the primary group of a user as a numerical value of the gidNumber
attribute instead of a link to an IdM group object. For this reason, an HBAC rule can only reference a user’s supplementary groups and not its primary group.
Prerequisites
- User sysadmin exists in IdM.
Procedure
Use the
ipa hbacrule-add
command to add the rule.$ ipa hbacrule-add Rule name: rule_name --------------------------- Added HBAC rule "rule_name" --------------------------- Rule name: rule_name Enabled: TRUE
To apply the HBAC rule to the sysadmin user only, use the
ipa hbacrule-add-user
command.$ ipa hbacrule-add-user --users=sysadmin Rule name: rule_name Rule name: rule_name Enabled: True Users: sysadmin ------------------------- Number of members added 1 -------------------------
NoteTo apply a HBAC rule to all users, use the
ipa hbacrule-mod
command and specify the all user category--usercat=all
. Note that if the HBAC rule is associated with individual users or groups,ipa hbacrule-mod --usercat=all
fails. In this situation, remove the users and groups using theipa hbacrule-remove-user
command.Specify the target hosts. To apply the HBAC rule to all hosts, use the
ipa hbacrule-mod
command and specify the all host category:$ ipa hbacrule-mod rule_name --hostcat=all ------------------------------ Modified HBAC rule "rule_name" ------------------------------ Rule name: rule_name Host category: all Enabled: TRUE Users: sysadmin
NoteIf the HBAC rule is associated with individual hosts or groups,
ipa hbacrule-mod --hostcat=all
fails. In this situation, remove the hosts and groups using theipa hbacrule-remove-host
command.Specify the target HBAC services. To apply the HBAC rule to all services, use the
ipa hbacrule-mod
command and specify the all service category:$ ipa hbacrule-mod rule_name --servicecat=all ------------------------------ Modified HBAC rule "rule_name" ------------------------------ Rule name: rule_name Host category: all Service category: all Enabled: True Users: sysadmin
If the HBAC rule is associated with individual services or groups, ipa hbacrule-mod --servicecat=all
fails. In this situation, remove the services and groups using the ipa hbacrule-remove-service
command.
Verification
Verify that the HBAC rule has been added correctly.
-
Use the
ipa hbacrule-find
command to verify that the HBAC rule exists in IdM. -
Use the
ipa hbacrule-show
command to verify the properties of the HBAC rule.
-
Use the
Additional resources
- See ipa hbacrule-add --help for more details.
- See Adding HBAC service entries for custom HBAC services.
- See Adding HBAC service groups.
56.2.2. Testing HBAC rules in the IdM CLI
IdM allows you to test your HBAC configuration in various situations using simulated scenarios. Performing these simulated tests, you can discover misconfiguration problems or security risks before deploying HBAC rules in production.
Always test custom HBAC rules before you start using them in production.
Note that IdM does not test the effect of HBAC rules on trusted Active Directory (AD) users. Because the IdM LDAP directory does not store the AD data, IdM cannot resolve group membership of AD users when simulating HBAC scenarios.
Procedure
Use the
ipa hbactest
command to test your HBAC rule. You have the option to test a single HBAC rule or multiple HBAC rules.To test a single HBAC rule:
$ ipa hbactest --user=sysadmin --host=server.idm.example.com --service=sudo --rules=rule_name --------------------- Access granted: True --------------------- Matched rules: rule_name
To test multiple HBAC rules:
Add a second rule only allowing the sysadmin to use
ssh
on all hosts:$ ipa hbacrule-add --hostcat=all rule2_name $ ipa hbacrule-add-user --users sysadmin rule2_name $ ipa hbacrule-add-service --hbacsvcs=sshd rule2_name Rule name: rule2_name Host category: all Enabled: True Users: admin HBAC Services: sshd ------------------------- Number of members added 1 -------------------------
Test multiple HBAC rules by running the following command:
$ ipa hbactest --user=sysadmin --host=server.idm.example.com --service=sudo --rules=rule_name --rules=rule2_name -------------------- Access granted: True -------------------- Matched rules: rule_name Not matched rules: rule2_name
In the output, Matched rules list the rules that allowed successful access while Not matched rules list the rules that prevented access. Note that if you do not specify the --rules
option, all rules are applied. Using --rules
is useful to independently test each rule.
Additional resources
-
See
ipa hbactest --help
for more information.
56.2.3. Disabling HBAC rules in the IdM CLI
You can disable an HBAC rule but it only deactivates the rule and does not delete it. If you disable an HBAC rule, you can re-enable it later.
Disabling HBAC rules is useful when you are configuring custom HBAC rules for the first time. To ensure that your new configuration is not overridden by the default allow_all
HBAC rule, you must disable allow_all
.
Procedure
Use the
ipa hbacrule-disable
command. For example, to disable theallow_all
rule:$ ipa hbacrule-disable allow_all ------------------------------ Disabled HBAC rule "allow_all" ------------------------------
Additional resources
-
See
ipa hbacrule-disable --help
for more details.
56.3. Adding HBAC service entries for custom HBAC services
The most common services and service groups are configured for HBAC rules by default, but you can also configure any other pluggable authentication module (PAM) service as an HBAC service. This allows you to define custom PAM services in an HBAC rule. These PAM services files are in the etc/pam.d
directory on RHEL systems.
Adding a service as an HBAC service is not the same as adding a service to the domain. Adding a service to the domain makes it available to other resources in the domain, but it does not allow you to use the service in HBAC rules.
56.3.1. Adding HBAC service entries for custom HBAC services in the IdM WebUI
To add a custom HBAC service entry, follow the steps described below.
Procedure
- Select Policy>Host-Based Access Control>HBAC Services.
- Click to add an HBAC service entry.
- Enter a name for the service, and click .
56.3.2. Adding HBAC service entries for custom HBAC services in the IdM CLI
To add a custom HBAC service entry, follow the steps described below.
Procedure
Use the
ipa hbacsvc-add
command. For example, to add an entry for thetftp
service:$ ipa hbacsvc-add tftp ------------------------- Added HBAC service "tftp" ------------------------- Service name: tftp
Additional resources
-
See
ipa hbacsvc-add --help
for more details.
56.4. Adding HBAC service groups
HBAC service groups can simplify HBAC rules management. For example, instead of adding individual services to an HBAC rule, you can add a whole service group.
56.4.1. Adding HBAC service groups in the IdM WebUI
To add an HBAC service group in the IdM WebUI, follow the steps outlined below.
Procedure
- Select Policy>Host-Based Access Control>HBAC Service Groups.
- Click to add an HBAC service group.
- Enter a name for the service group, and click .
- On the service group configuration page, click to add an HBAC service as a member of the group.
56.4.2. Adding HBAC service groups in the IdM CLI
To add an HBAC service group in the IdM CLI, follow the steps outlined below.
Procedure
Use the
ipa hbacsvcgroup-add
command in your terminal to add an HBAC service group. For example, to add a group named login:$ ipa hbacsvcgroup-add Service group name: login -------------------------------- Added HBAC service group "login" -------------------------------- Service group name: login
Use the
ipa hbacsvcgroup-add-member
command to add an HBAC service as a member of the group. For example, to add thesshd
service to the login group:$ ipa hbacsvcgroup-add-member Service group name: login [member HBAC service]: sshd Service group name: login Member HBAC service: sshd ------------------------- Number of members added 1 -------------------------
Additional resources
-
See
ipa hbacsvcgroup-add --help
for more details. -
See
ipa hbacsvcgroup-add-member --help
for more details.