[Freeipa-users] Revisiting auditing and avoiding reinvention of round rolling things

KodaK sakodak at gmail.com
Wed Mar 13 15:49:06 UTC 2013


Hi all.

I know that the A part of IPA has been delayed, but that doesn't mean
that the auditing requirement has gone away.

Before I write a bunch of stuff for this, I wanted to see if anyone
had any thoughts (or code!) regarding how to accomplish some of this
stuff that auditors want to see.

Here's an email I received from an E&Y auditor:

---cut---
Thanks for the great response! I think at this point it's probably best
to jump on a call/meet in person and try to figure out where to go
from here. What we would like to understand is if IPA will be in scope
for our audit this year. From what you have told me below, it's
'possible' that user accounts on IPA may have access to our in-scope
servers.  And if this is the case we would need to obtain evidence of
who has access to our in-scope servers through IPA, their level of
access and how they authenticate to the server.

Here's a couple of thoughts on my mind that I would like to discuss
further before we 'formally' request this evidence:
• Would we be able to obtain a 'system generated' list or screenshots
showing all accounts on IPA that are able to access our in-scope
servers?
• Additionally, you mentioned that regular user accounts su or sudo to
the application account (root). Would we be able to evidence which
accounts on IPA are configured to be able to su to the application
account?
• We would like to find a way to evidence the authentication path and
the specific password parameters in place for the user accounts on IPA
that we determine are in-scope for us this year.
• How are accounts set up on IPA? What is the process for setting up new users?
• Who has privileged access (the ability to add, delete or modify user
accounts) to IPA, and would we be able to obtain evidence to show who
has these access rights?
---cut---

I know I can dump a list of users, then run that list through a series
of HBAC tests to see if a user is allowed access to a particular
server, but is there a way to easily ask "what users can log into this
server"?  Or even "what users are allowed to su to this account on
this server?" as is being asked above?

Does anyone already have any code they'd be willing to share to this end?

Thanks for any thoughts at all,

--Jason



-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
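The "dump the users, then run each through an HBAC test" approach from the post, as an added example that is not part of the original message or of FreeIPA itself: it wraps the `ipa hbactest` command (its `--user`, `--host` and `--service` flags and its "Access granted" / "Matched rules" report lines are assumed to match the CLI's documented output) and produces the per-host list of allowed users, with the granting rule names, that an auditor can be handed. The sample report text is constructed for the parser; the real run needs a Kerberos ticket for an account that may read HBAC rules, and it answers only the login question, not the su/sudo one, which is governed by sudo rules rather than HBAC.

```python
import subprocess
import sys
from typing import Callable, Dict, List, Tuple

# Constructed `ipa hbactest` reports used to exercise the parser offline.
SAMPLE_GRANTED = """\
--------------------
Access granted: True
--------------------
  Matched rules: allow_ssh_admins
  Not matched rules: allow_all
"""
SAMPLE_DENIED = """\
--------------------
Access granted: False
--------------------
  Not matched rules: allow_ssh_admins
"""


def parse_hbactest(output: str) -> Tuple[bool, List[str]]:
    """Return (granted, matched rule names) from one hbactest report.
    Matched rules may appear on one comma-separated line or one per line."""
    granted, matched = False, []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Access granted:"):
            granted = line.split(":", 1)[1].strip() == "True"
        elif line.startswith("Matched rules:"):
            matched.extend(r.strip() for r in line.split(":", 1)[1].split(",") if r.strip())
    return granted, matched


def hbactest_cmd(user: str, host: str, service: str) -> List[str]:
    """Command line for one access check (flag names assumed from the ipa CLI docs)."""
    return ["ipa", "hbactest", f"--user={user}", f"--host={host}", f"--service={service}"]


def run_ipa(cmd: List[str]) -> str:
    """Default runner: call the ipa CLI; requires a valid Kerberos ticket."""
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def who_can_access(host: str, service: str, users: List[str],
                   runner: Callable[[List[str]], str] = run_ipa) -> Dict[str, List[str]]:
    """Map each user granted host/service to the HBAC rules that allowed it."""
    allowed: Dict[str, List[str]] = {}
    for user in users:
        granted, rules = parse_hbactest(runner(hbactest_cmd(user, host, service)))
        if granted:
            allowed[user] = rules
    return allowed


if __name__ == "__main__":
    # usage: script.py HOST user1 user2 ...  (user list e.g. from `ipa user-find`)
    for user, rules in sorted(who_can_access(sys.argv[1], "sshd", sys.argv[2:]).items()):
        print(f"{user}\t{', '.join(rules)}")
```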



