31.2. Configuring Host-based Access Control in an IdM Domain

To configure your domain for host-based access control:
  1. Create custom HBAC rules. See Section 31.2.1, “Creating HBAC Rules”.
  2. Test the rules. See Section 31.2.2, “Testing HBAC Rules”.
  3. Disable the default allow_all rule. See Section 31.2.3, “Disabling HBAC Rules”.

    Important

    Do not disable the allow_all rule before creating custom HBAC rules. If you do this, no users will be able to access any hosts.

31.2.1. Creating HBAC Rules

To create an HBAC rule, you can use the web UI or the command line.

Note

IdM stores the primary group of a user as a numerical value of the gidNumber attribute instead of a link to an IdM group object. For this reason, an HBAC rule can only reference a user's supplementary groups and not its primary group.

Web UI: Creating an HBAC Rule

  1. Select Policy → Host-Based Access Control → HBAC Rules.
  2. Click Add to start adding a new rule.
  3. Enter a name for the rule, and click Add and Edit to go directly to the HBAC rule configuration page.
  4. In the Who area, specify the target users.
    • To apply the HBAC rule to specified users or groups only, select Specified Users and Groups. Then click Add to add the users or groups.
    • To apply the HBAC rule to all users, select Anyone.
    Figure 31.2. Specifying a Target User for an HBAC Rule

  5. In the Accessing area, specify the target hosts:
    • To apply the HBAC rule to specified hosts or groups only, select Specified Hosts and Groups. Then click Add to add the hosts or groups.
    • To apply the HBAC rule to all hosts, select Any Host.
  6. In the Via Service area, specify the target HBAC services:
    • To apply the HBAC rule to specified services or groups only, select Specified Services and Groups. Then click Add to add the services or groups.
    • To apply the HBAC rule to all services, select Any Service.

    Note

    Only the most common services and service groups are configured for HBAC rules by default.
    • To display the list of services that are currently available, select Policy → Host-Based Access Control → HBAC Services.
    • To display the list of service groups that are currently available, select Policy → Host-Based Access Control → HBAC Service Groups.
  7. Changing certain settings on the HBAC rule configuration page highlights the Save button at the top of the page. If this happens, click the button to confirm the changes.

Command Line: Creating HBAC Rules

  1. Use the ipa hbacrule-add command to add the rule.
    $ ipa hbacrule-add
    Rule name: rule_name
    ---------------------------
    Added HBAC rule "rule_name"
    ---------------------------
      Rule name: rule_name
      Enabled: TRUE
  2. Specify the target users.
    • To apply the HBAC rule to specified users or groups only, use the ipa hbacrule-add-user command.
      For example, to add a group:
      $ ipa hbacrule-add-user
      Rule name: rule_name
      [member user]:
      [member group]: group_name
        Rule name: rule_name
        Enabled: TRUE
        User Groups: group_name
      -------------------------
      Number of members added 1
      -------------------------
      To add multiple users or groups, use the --users and --groups options:
      $ ipa hbacrule-add-user rule_name --users=user1 --users=user2 --users=user3
        Rule name: rule_name
        Enabled: TRUE
        Users: user1, user2, user3
      -------------------------
      Number of members added 3
      -------------------------
    • To apply the HBAC rule to all users, use the ipa hbacrule-mod command and specify the all user category:
      $ ipa hbacrule-mod rule_name --usercat=all
      ------------------------------
      Modified HBAC rule "rule_name"
      ------------------------------
        Rule name: rule_name
        User category: all
        Enabled: TRUE

      Note

      If the HBAC rule is associated with individual users or groups, ipa hbacrule-mod --usercat=all fails. In this situation, remove the users and groups using the ipa hbacrule-remove-user command.
      For details, run ipa hbacrule-remove-user with the --help option.
  3. Specify the target hosts.
    • To apply the HBAC rule to specified hosts or groups only, use the ipa hbacrule-add-host command.
      For example, to add a single host:
      $ ipa hbacrule-add-host
      Rule name: rule_name
      [member host]: host.example.com
      [member host group]:
        Rule name: rule_name
        Enabled: TRUE
        Hosts: host.example.com
      -------------------------
      Number of members added 1
      -------------------------
      To add multiple hosts or groups, use the --hosts and --hostgroups options:
      $ ipa hbacrule-add-host rule_name --hosts=host1 --hosts=host2 --hosts=host3
        Rule name: rule_name
        Enabled: TRUE
        Hosts: host1, host2, host3
      -------------------------
      Number of members added 3
      -------------------------
    • To apply the HBAC rule to all hosts, use the ipa hbacrule-mod command and specify the all host category:
      $ ipa hbacrule-mod rule_name --hostcat=all
      ------------------------------
      Modified HBAC rule "rule_name"
      ------------------------------
        Rule name: rule_name
        Host category: all
        Enabled: TRUE

      Note

      If the HBAC rule is associated with individual hosts or groups, ipa hbacrule-mod --hostcat=all fails. In this situation, remove the hosts and groups using the ipa hbacrule-remove-host command.
      For details, run ipa hbacrule-remove-host with the --help option.
  4. Specify the target HBAC services.
    • To apply the HBAC rule to specified services or groups only, use the ipa hbacrule-add-service command.
      For example, to add a single service:
      $ ipa hbacrule-add-service
      Rule name: rule_name
      [member HBAC service]: ftp
      [member HBAC service group]:
        Rule name: rule_name
        Enabled: TRUE
        Services: ftp
      -------------------------
      Number of members added 1
      -------------------------
      To add multiple services or groups, you can use the --hbacsvcs and --hbacsvcgroups options:
      $ ipa hbacrule-add-service rule_name --hbacsvcs=su --hbacsvcs=sudo
        Rule name: rule_name
        Enabled: TRUE
        Services: su, sudo
      -------------------------
      Number of members added 2
      -------------------------

      Note

      Only the most common services and service groups are configured for HBAC rules. To add more, see Section 31.3, “Adding HBAC Service Entries for Custom HBAC Services” and Section 31.4, “Adding HBAC Service Groups”.
    • To apply the HBAC rule to all services, use the ipa hbacrule-mod command and specify the all service category:
      $ ipa hbacrule-mod rule_name --servicecat=all
      ------------------------------
      Modified HBAC rule "rule_name"
      ------------------------------
        Rule name: rule_name
        Service category: all
        Enabled: TRUE

      Note

      If the HBAC rule is associated with individual services or groups, ipa hbacrule-mod --servicecat=all fails. In this situation, remove the services and groups using the ipa hbacrule-remove-service command.
      For details, run ipa hbacrule-remove-service with the --help option.
  5. Optional. Verify that the HBAC rule has been added correctly.
    1. Use the ipa hbacrule-find command to verify that the HBAC rule has been added to IdM.
    2. Use the ipa hbacrule-show command to verify the properties of the HBAC rule.
    For details, run the commands with the --help option.

Examples of HBAC Rules

Example 31.1. Granting a Single User Access to All Hosts Using Any Service

To allow the admin user to access all systems in the domain using any service, create a new HBAC rule and set:
  • the user to admin
  • the host to Any host (in the web UI), or use --hostcat=all with ipa hbacrule-add (when adding the rule) or ipa hbacrule-mod
  • the service to Any service (in the web UI), or use --servicecat=all with ipa hbacrule-add (when adding the rule) or ipa hbacrule-mod

Example 31.2. Ensuring That Only Specific Services Can Be Used to Access a Host

To make sure that all users must use sudo-related services to access the host named host.example.com, create a new HBAC rule and set:
  • the user to Anyone (in the web UI), or use --usercat=all with ipa hbacrule-add (when adding the rule) or ipa hbacrule-mod
  • the host to host.example.com
  • the HBAC service group to Sudo, which is a default group for sudo and related services

31.2.2. Testing HBAC Rules

IdM enables you to test your HBAC configuration in various situations using simulated scenarios. By performing these simulated test runs, you can discover misconfiguration problems or security risks before deploying HBAC rules in production.

Important

Always test custom HBAC rules before you start using them in production.
Note that IdM does not test the effect of HBAC rules on trusted Active Directory (AD) users. Because AD data is not stored in the IdM LDAP directory, IdM cannot resolve group membership of AD users when simulating HBAC scenarios.
To test an HBAC rule, you can use the web UI or the command line.

Web UI: Testing an HBAC Rule

  1. Select Policy → Host-Based Access Control → HBAC Test.
  2. On the Who screen: Specify the user under whose identity you want to perform the test, and click Next.
    Figure 31.3. Specifying the Target User for an HBAC Test

  3. On the Accessing screen: Specify the host that the user will attempt to access, and click Next.
  4. On the Via Service screen: Specify the service that the user will attempt to use, and click Next.
  5. On the Rules screen: Select the HBAC rules you want to test, and click Next. If you do not select any rule, all rules will be tested.
    Select Include Enabled to run the test on all rules whose status is Enabled. Select Include Disabled to run the test on all rules whose status is Disabled. To view and change the status of HBAC rules, select Policy → Host-Based Access Control → HBAC Rules.

    Important

    If the test runs on multiple rules, it will pass successfully if at least one of the selected rules allows access.
  6. On the Run Test screen: Click Run Test.
    Figure 31.4. Running an HBAC Test

  7. Review the test results:
    • If you see ACCESS DENIED, the user was not granted access in the test.
    • If you see ACCESS GRANTED, the user was able to access the host successfully.
    Figure 31.5. Reviewing HBAC Test Results

    By default, IdM lists all the tested HBAC rules when displaying the test results.
    • Select Matched to display the rules that allowed successful access.
    • Select Unmatched to display the rules that prevented access.

Command Line: Testing an HBAC Rule

Use the ipa hbactest command and specify at least:
  • the user under whose identity you want to perform the test
  • the host that the user will attempt to access
  • the service that the user will attempt to use
For example, when specifying these values interactively:
$ ipa hbactest
User name: user1
Target host: example.com
Service: sudo
---------------------
Access granted: False
---------------------
Not matched rules: rule1
By default, IdM runs the test on all HBAC rules whose status is enabled. To specify different HBAC rules:
  • Use the --rules option to define one or more HBAC rules.
  • Use the --disabled option to test all HBAC rules whose status is disabled.
To see the current status of HBAC rules, run the ipa hbacrule-find command.

Example 31.3. Testing an HBAC Rule from the Command Line

In the following test, an HBAC rule named rule1 prevented user1 from accessing example.com using the sudo service:
$ ipa hbactest --user=user1 --host=example.com --service=sudo --rules=rule1
---------------------
Access granted: False
---------------------
  Not matched rules: rule1

Example 31.4. Testing Multiple HBAC Rules from the Command Line

When testing multiple HBAC rules, the test passes if at least one rule allows the user successful access.
$ ipa hbactest --user=user1 --host=example.com --service=sudo --rules=rule1 --rules=rule2
--------------------
Access granted: True
--------------------
  Matched rules: rule2
  Not matched rules: rule1
In the output:
  • Matched rules list the rules that allowed successful access.
  • Not matched rules list the rules that prevented access.

31.2.3. Disabling HBAC Rules

Disabling an HBAC rule deactivates the rule, but does not delete it. If you disable an HBAC rule, you can re-enable it later.

Note

For example, disabling HBAC rules is useful after you configure custom HBAC rules for the first time. To ensure that your new configuration is not overridden by the default allow_all HBAC rule, you must disable allow_all.
To disable an HBAC rule, you can use the web UI or the command line.

Web UI: Disabling an HBAC Rule

  1. Select Policy → Host-Based Access Control → HBAC Rules.
  2. Select the HBAC rule you want to disable, and click Disable.
Figure 31.6. Disabling the allow_all HBAC Rule

Command Line: Disabling an HBAC Rule

Use the ipa hbacrule-disable command. For example, to disable the allow_all rule:
$ ipa hbacrule-disable allow_all
------------------------------
Disabled HBAC rule "allow_all"
------------------------------
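The Important box in Section 31.2.2 (always test before production) and the allow_all cutover above combine into one procedure: simulate the access decisions the policy must produce, compare them with ipa hbactest, and disable allow_all only if nothing is locked out. The script below is an added example, not part of the Red Hat documentation or the IdM tooling; it assumes an admin Kerberos ticket, and the user, host and rule names and the run_hbactest, parse_hbactest, check_expectations and cutover functions are its own constructions.

```shell
#!/bin/bash
# Added example (not from the Red Hat documentation); assumes an admin Kerberos
# ticket. All user, host and rule names below are constructed placeholders.

# Wrapper around the real command so the parser can be exercised offline.
run_hbactest() {   # run_hbactest USER HOST SERVICE
    ipa hbactest --user="$1" --host="$2" --service="$3" 2>&1
}

# Reduce hbactest output (on stdin) to one word: granted, denied or error.
parse_hbactest() {
    local verdict
    verdict=$(sed -n 's/^Access granted: *//p')
    case "$verdict" in
        True)  echo granted ;;
        False) echo denied ;;
        *)     echo error ;;   # no "Access granted:" line, e.g. "ipa: ERROR: ..."
    esac
}

# Reads "user host service expected" lines on stdin; succeeds only if every
# simulated verdict matches the expected one. Blank and '#' lines are skipped.
check_expectations() {
    local user host service expected actual failures=0
    while read -r user host service expected; do
        case "$user" in ''|'#'*) continue ;; esac
        actual=$(run_hbactest "$user" "$host" "$service" | parse_hbactest)
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH: $user on $host via $service: expected $expected, got $actual" >&2
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Constructed policy: admins keep sshd access everywhere; user1 is confined to
# sudo on server1. A denied admin/sshd line is the lockout to catch before cutover.
EXPECTATIONS='
admin  server1.example.com  sshd  granted
admin  server2.example.com  sshd  granted
user1  server1.example.com  sudo  granted
user1  server2.example.com  sshd  denied
'

# Disable allow_all only after the simulation confirms the custom rules.
cutover() {
    printf '%s\n' "$EXPECTATIONS" | check_expectations || return 1
    ipa hbacrule-disable allow_all
}
```

Any MISMATCH line on stderr means the custom rules do not yet implement the intended policy, and allow_all stays enabled.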