Red Hat Summit46.2. Configuring HBAC rules in an IdM domain using the CLI
To configure your domain for host-based access control, complete the following steps:
- Create HBAC rules in the IdM CLI.
- Test the new HBAC rules.
-
Disable the default
allow_allHBAC rule.
Do not disable the allow_all rule before creating your custom HBAC rules. If you disable it before creating your custom rules, access to all hosts for all users will be denied.
46.2.1. Creating HBAC rules in the IdM CLI
To configure your domain for host-based access control using the IdM CLI, follow the steps below. For the purposes of this example, the procedure shows you how to grant a single user, sysadmin, access to all systems in the domain using any service.
IdM stores the primary group of a user as a numerical value of the gidNumber attribute instead of a link to an IdM group object. For this reason, an HBAC rule can only reference a user’s supplementary groups and not its primary group.
Prerequisites
- User sysadmin exists in IdM.
Procedure
Use the
ipa hbacrule-addcommand to add the rule.$ ipa hbacrule-add Rule name: rule_name --------------------------- Added HBAC rule "rule_name" --------------------------- Rule name: rule_name Enabled: TRUETo apply the HBAC rule to the sysadmin user only, use the
ipa hbacrule-add-usercommand.$ ipa hbacrule-add-user --users=sysadmin Rule name: rule_name Rule name: rule_name Enabled: True Users: sysadmin ------------------------- Number of members added 1 -------------------------注記To apply a HBAC rule to all users, use the
ipa hbacrule-modcommand and specify the all user category--usercat=all. Note that if the HBAC rule is associated with individual users or groups,ipa hbacrule-mod --usercat=allfails. In this situation, remove the users and groups using theipa hbacrule-remove-usercommand.Specify the target hosts. To apply the HBAC rule to all hosts, use the
ipa hbacrule-modcommand and specify the all host category:$ ipa hbacrule-mod rule_name --hostcat=all ------------------------------ Modified HBAC rule "rule_name" ------------------------------ Rule name: rule_name Host category: all Enabled: TRUE Users: sysadmin注記If the HBAC rule is associated with individual hosts or groups,
ipa hbacrule-mod --hostcat=allfails. In this situation, remove the hosts and groups using theipa hbacrule-remove-hostcommand.Specify the target HBAC services. To apply the HBAC rule to all services, use the
ipa hbacrule-modcommand and specify the all service category:$ ipa hbacrule-mod rule_name --servicecat=all ------------------------------ Modified HBAC rule "rule_name" ------------------------------ Rule name: rule_name Host category: all Service category: all Enabled: True Users: sysadmin注記If the HBAC rule is associated with individual services or groups,
ipa hbacrule-mod --servicecat=allfails. In this situation, remove the services and groups using theipa hbacrule-remove-servicecommand.
Verification
Verify that the HBAC rule has been added correctly.
-
Use the
ipa hbacrule-findcommand to verify that the HBAC rule exists in IdM. -
Use the
ipa hbacrule-showcommand to verify the properties of the HBAC rule.
-
Use the
46.2.2. Testing HBAC rules in the IdM CLI
IdM allows you to test your HBAC configuration in various situations using simulated scenarios. Performing these simulated tests, you can discover misconfiguration problems or security risks before deploying HBAC rules in production.
Always test custom HBAC rules before you start using them in production.
Note that IdM does not test the effect of HBAC rules on trusted Active Directory (AD) users. Because the IdM LDAP directory does not store the AD data, IdM cannot resolve group membership of AD users when simulating HBAC scenarios.
Procedure
Use the
ipa hbactestcommand to test your HBAC rule. You have the option to test a single HBAC rule or multiple HBAC rules.To test a single HBAC rule:
$ ipa hbactest --user=sysadmin --host=server.idm.example.com --service=sudo --rules=rule_name --------------------- Access granted: True --------------------- Matched rules: rule_nameTo test multiple HBAC rules:
Add a second rule only allowing the sysadmin to use
sshon all hosts:$ ipa hbacrule-add --hostcat=all rule2_name $ ipa hbacrule-add-user --users sysadmin rule2_name $ ipa hbacrule-add-service --hbacsvcs=sshd rule2_name Rule name: rule2_name Host category: all Enabled: True Users: admin HBAC Services: sshd ------------------------- Number of members added 1 -------------------------Test multiple HBAC rules by running the following command:
$ ipa hbactest --user=sysadmin --host=server.idm.example.com --service=sudo --rules=rule_name --rules=rule2_name -------------------- Access granted: True -------------------- Matched rules: rule_name Not matched rules: rule2_nameIn the output, Matched rules list the rules that allowed successful access while Not matched rules list the rules that prevented access. Note that if you do not specify the
--rulesoption, all rules are applied. Using--rulesis useful to independently test each rule.
46.2.3. Disabling HBAC rules in the IdM CLI
You can disable an HBAC rule but it only deactivates the rule and does not delete it. If you disable an HBAC rule, you can re-enable it later.
Disabling HBAC rules is useful when you are configuring custom HBAC rules for the first time. To ensure that your new configuration is not overridden by the default allow_all HBAC rule, you must disable allow_all.
Procedure
Use the
ipa hbacrule-disablecommand. For example, to disable theallow_allrule:$ ipa hbacrule-disable allow_all ------------------------------ Disabled HBAC rule "allow_all" ------------------------------
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}