[Freeipa-users] Revisiting auditing and avoiding reinvention of round rolling things

Dmitri Pal dpal at redhat.com
Sat Mar 16 01:54:43 UTC 2013


On 03/13/2013 11:49 AM, KodaK wrote:
> Hi all.
>
> I know that the A part of IPA has been delayed, but that doesn't mean
> that the auditing requirement has gone away.
>
> Before I write a bunch of stuff for this, I wanted to see if anyone
> had any thoughts (or code!) regarding how to accomplish some of this
> stuff that auditors want to see.
>
> Here's an email I received from an E&Y auditor:
>
> ---cut---
> Thanks for the great response! I think at this point it's probably best
> to jump on a call/meet in person and try to figure out where to go
> from here. What we would like to understand is if IPA will be in scope
> for our audit this year. From what you have told me below, it's
> 'possible' that user accounts on IPA may have access to our in-scope
> servers.  And if this is the case we would need to obtain evidence of
> who has access to our in-scope servers through IPA, their level of
> access and how they authenticate to the server.
>
> Here's a couple of thoughts on my mind that I would like to discuss
> further before we 'formally' request this evidence:
> •	Would we be able to obtain a 'system generated' list or screenshots
> showing all accounts on IPA that are able to access our in-scope
> servers?
> •	Additionally, you mentioned that regular user accounts su or sudo to
> the application account (root). Would we be able to evidence which
> accounts on IPA are configured to be able to su to the application
> account?
> •	We would like to find a way to evidence the authentication path and
> the specific password parameters in place for the user accounts on IPA
> that we determine are in-scope for us this year.
> •	How are accounts set up on IPA? What is the process for setting up new users?
> •	Who has privileged access (the ability to add, delete or modify user
> accounts) to IPA and would we be able to obtain evidence to show who
> has these access rights.
> ---cut---
>
> I know I can dump a list of users, then run that list through a series
> of HBAC tests to see if a user is allowed access to a particular
> server, but is there a way to easily ask "what users can log into this
> server"?

This is what the HBAC test is about.

>   Or even "what users are allowed to su to this account on
> this server?" as is being asked above?
I do not think we have a sudo simulator.
But you can file a ticket.

You can look up password policies via LDAP or capture the screens; that
should be enough.
For the setup of new users you can point to the documentation.
For the privileges you can also point to the documentation that
describes our access control and delegation model.

>
> Does anyone already have any code they'd be willing to share to this end?
>
> Thanks for any thoughts at all,
>
> --Jason

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
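The loop Jason describes above (dump the user list, then run every user through an HBAC test against one host) as an added example; this is not code from the thread or from the FreeIPA project. It assumes the standard `ipa user-find` and `ipa hbactest` commands, a valid Kerberos ticket, and uses placeholder host and service names; the `IPA` variable exists only so the script can be pointed at a stand-in command when no IPA server is reachable.

```shell
#!/bin/sh
# Added example (not from the thread): answer "which IPA users can log in to
# this host?" by running each user through `ipa hbactest`, as Jason outlines.
# Assumes the `ipa` CLI and a valid Kerberos ticket (kinit) on the admin host.
# IPA may be overridden to point at another command (e.g. a stub for testing).
IPA="${IPA:-ipa}"

# list_users: print one IPA user login per line, parsed from `ipa user-find`
# output ("  User login: jdoe"). --sizelimit=0 lifts the default result cap.
list_users() {
    "$IPA" user-find --sizelimit=0 \
        | awk '$1 == "User" && $2 == "login:" { print $3 }'
}

# hbac_allowed USER HOST SERVICE: succeed (exit 0) only when the HBAC
# simulator reports "Access granted: True" for that user/host/service triple.
hbac_allowed() {
    "$IPA" hbactest --user="$1" --host="$2" --service="$3" 2>/dev/null \
        | grep -q 'Access granted: True'
}

# who_can_login HOST [SERVICE]: print every user allowed to reach HOST via
# SERVICE (default sshd). This is the "system generated" evidence list the
# auditor asked for, derived from the live HBAC rules rather than screenshots.
who_can_login() {
    host="$1"
    service="${2:-sshd}"
    list_users | while read -r user; do
        if hbac_allowed "$user" "$host" "$service"; then
            echo "$user"
        fi
    done
}

# Run directly: ./who_can_login.sh db1.example.test [sshd]
if [ "$#" -gt 0 ]; then
    who_can_login "$@"
fi
```

One caveat worth noting for the audit trail: HBAC decides who may reach the host, not who may su or sudo once there, so this list answers the first auditor bullet only.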
