IPA/IDM - Thoughts on implementing sudo
I'll start off by mentioning that IPA/IDM in general is freeware/OpenSource Linux based Identity Management software. One of many very powerful features of IPA/IDM is that it allows for a very high degree of granularity.
What is granularity? Granularity refers to the degree of access control; ranging from coarse grain control to fine grain control. Let's take a look at an example:
Coarse Grain Control: Employees can access/login to a workstation at any time and access any storage shares.
Medium Grain Control: Employee can access/login to a workstation during business hours, but access any storage shares.
Fine Grain Control: Employees can only login during business hours and only access shares that relate to the projects they are working on.
Finer Grain Control: Employees can only login into certain workstations, only during business hours and can only access shares that relate to a project they are working on.
So what is sudo anyway? sudo is a utility that allows a user to run a command as root or as another user.
All Linux systems have a sudo command-line utility; however in IPA/IDM the sudo utility is managed and stored in LDAP as part of the Identity Management Realm.
This is important because it means sudo can be centrally managed for all users and resources in the Realm from a central location. In the case of sudo, IPA/IDM is a one-to-many solution; meaning NO sudo configuration files (ie. /etc/sudoers) are "pushed" to Realm clients.
It is also worth noting that the LDAP sudo implementation with IPA/IDM has a specialized schema (the LDAP database design) for sudo that greatly expands the capabilities of sudo within IPA/IDM; as compared to the command-line implementation of sudo.
As an example, the IPA/IDM sudo utility allows for host groups as well as nested groups, the standard command-line sudo utility does not.
Further, all sudo functionality can be managed via a web interface:
Now let's walk through the process of setting up sudo for a user and what options are available.
In this example, Babs Jenkins has contacted you - a system administrator - and has asked for root privileges on a Configuration Management server. Babs Jenkins needs to run a /bin/build command on this particular server daily.
Next you login to the IPA Web interface and see that Babs Jenkins does indeed have an account in the domain (or Realm) and that the build server is a client in the domain.
1. The next step is to create a sudo rule called: build
(Note this and the following steps are performed under the web based sudo menu)
2. Next you specify who this rule is applied to, and in this step you select: Babs Jenkins
3. Now you select the host on which this rule applies to, which in this case is the Configuration Management Server.
4. Now specify the commands that sudo user is permitted to run on the specified host, which in this case will be:
/bin/ls
/bin/more
/bin/build
5. Finally you can optionally specify any additional command groups (pre-specified commands) and also as Whom. That's right, you don't have to run the build command as root, a different user could also be specified!
After you have completed the above steps, Identity Management also provides an easy-to-use utility that allows the system administrator (SA) to test the rule. Wow!
In the above example we have defined the following:
1. Who has access
2. The Commands the user has access to
3. What can be accessed (the specifi host)
4. Who the user will be running the command as
Finally, all sudo activity is logged under /var/log or within the audit facility.
No comments:
Post a Comment