
Guided Exercise: Managing IdM User Access Control

Configure role-based, host-based, and sudo access control rules and assign accounts to use the rules.

Outcomes

  • Configure host-based access control.

  • Configure Sudo access rules.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available:

[student@workstation ~]$ lab start users-access

Instructions

  1. Define a host-based access control (HBAC) rule to allow a set of users access to the vsftpd, SSH, and FTP services.

    1. On workstation, navigate to the IdM console at https://idm.lab.example.com. Log in as the admin user with RedHat123^ as the password.

  2. Create and customize the allow_remote_access rule. Disable the allow_all rule after you create the allow_remote_access rule.

    1. Navigate to Policy → Host Based Access Control → HBAC Rules and then click Add. When prompted, set allow_remote_access as the name of the rule and click Add and Edit.

    2. In the Who section, verify that Specified Users and Groups is selected, and then click Add. Select the idmuser01, idmuser04, and idmuser05 users, and then click > to move the selected users to the Prospective column. Click Add.

    3. In the Accessing section, verify that Specified Hosts and Groups is selected, and then click Add. Select the client.lab.example.com machine and click > to move the host to the Prospective column. Click Add.

    4. In the Via Service section, verify that Specified Services and Groups is selected, and then click Add. Select the ftp, sshd, and vsftpd services from the Available column and click > to move the services to the Prospective column. Click Add.

    5. Return to the HBAC rules list by clicking HBAC Rules at the top of the window.

    6. Verify that the allow_all and allow_remote_access rules are listed. Select the allow_all rule, click Disable, and then click OK.

  3. Add the httpd HBAC service.

    1. Navigate to Policy → Host Based Access Control → HBAC Services and then click Add.

    2. Enter httpd in the Service name and Description fields, and then click Add.

  4. Create and customize the Web Access service group.

    1. Navigate to Policy → Host Based Access Control → HBAC Service Groups and then click Add.

    2. Enter Web Access in the Service group name and the Description fields, and then click Add and Edit.

    3. Click Add to list all available services. Select the httpd service, click > to move the service to the Prospective column, and then click Add.

  5. Create an HBAC rule that allows a set of specified users to access the client machine via the Web Access service group.

    1. Navigate to Policy → Host Based Access Control → HBAC Rules and then click Add.

    2. Enter allow_web as the rule name and then click Add and Edit.

    3. In the Who section, verify that Specified Users and Groups is selected, and then click Add. Select the idmuser01 user, click > to move the user to the Prospective column, and then click Add.

    4. In the Accessing section, verify that Any Host is selected.

    5. In the Via Service section, verify that Specified Services and Groups is selected. Click Add in the HBAC Service Groups. Select the Web Access service group, click > to add the service group to the list of prospective service groups, and then click Add.

    6. Click Save.

  6. Test the HBAC rules.

    1. Navigate to Policy → Host Based Access Control → HBAC Test. Select the parameters of the test according to the following table.

      List          Select
      WHO           idmuser03
      ACCESSING     client.lab.example.com
      VIA SERVICE   sshd
      RULES         allow_remote_access
    2. On the Run Test tab, click Run Test to run the simulation.

      On the right side of the Run Test tab, the console shows an ACCESS DENIED message because the idmuser03 user is not a member of the HBAC rule.

    3. Open a terminal and log in to the client machine as the idmuser03 user. The connection fails because the user is not a member of the rule:

      [student@workstation ~]$ ssh idmuser03@client
      Connection closed by 172.25.250.11 port 22
    4. Try to log in to the client machine as the idmuser04 user. The connection is successful because the user is a member of the rule:

      [student@workstation ~]$ ssh idmuser04@client
      ...output omitted...
      [idmuser04@client /]$

      Return to the workstation machine as the student user:

      [idmuser04@client /]$ exit
      logout
      [student@workstation ~]$
    5. Test the HBAC rule that limits access to the httpd service.

      In the IdM console, navigate to Policy → Host Based Access Control → HBAC Test. Select the test parameters according to the following table:

      List          Select
      WHO           idmuser01
      ACCESSING     client.lab.example.com
      VIA SERVICE   httpd
      RULES         allow_web
    6. On the Run Test tab, click Run Test to run the simulation.

      On the right side of the Run Test tab, the console shows an ACCESS GRANTED message because the idmuser01 user is a member of the HBAC rule.

    7. Navigate to Policy → Host Based Access Control → HBAC Rules, select the allow_all rule, and click Enable. Select the allow_ssh-copy-id_scp rule and click Disable.

  7. Add the group administrator role to a group.

    1. Navigate to Identity → Users → Active users and click the idmuser03 user. Scroll down to the Employee Information fields. Click the Manager list and assign idmuser02 as the manager. Scroll up to the top of the page and click Save.

    2. In a terminal, log in to the idm machine as the student user and become the root user. Authenticate to IdM as the admin user, using RedHat123^ as the password:

      [student@workstation ~]$ ssh idm
      [student@idm ~]$ sudo -i
      [sudo] password for student: student
      [root@idm ~]# kinit admin
      Password for admin@LAB.EXAMPLE.COM: RedHat123^
    3. Create the groupadmin role:

      [root@idm ~]# ipa role-add --desc="Group Administrator" \
        groupadmin
      -----------------------
      Added role "groupadmin"
      -----------------------
        Role name: groupadmin
        Description: Group Administrator
    4. Add the Group Administrators privilege to the groupadmin role:

      [root@idm ~]# ipa role-add-privilege --privileges="Group Administrators" \
        groupadmin
        Role name: groupadmin
        Description: Group Administrator
        Privileges: Group Administrators
      ----------------------------
      Number of privileges added 1
      ----------------------------
    5. Add the idmgroup02 group to the groupadmin role and exit the idm machine:

      [root@idm ~]# ipa role-add-member --groups=idmgroup02 groupadmin
        Role name: groupadmin
        Description: Group Administrator
        Member groups: idmgroup02
        Privileges: Group Administrators
      -------------------------
      Number of members added 1
      -------------------------
      [root@idm ~]# exit
      logout
      [student@idm ~]$ exit
      logout
      Connection to idm closed.
    6. In the IdM console, navigate to Identity → Groups → User Groups. Click idmgroup02, and then click Roles.

      Verify that idmgroup02 is assigned to the groupadmin role.

  8. Add a Sudo rule to allow the idmuser01 user to restart the client machine.

    1. Navigate to Policy → Sudo → Sudo Commands and then click Add to create a command for the rule. Enter /sbin/reboot as the Sudo Command and then click Add.

    2. Navigate to Policy → Sudo → Sudo Rules and then click Add to create a rule. Enter reboot_client as the rule name and then click Add and Edit.

    3. Create the rule according to the following information. Leave all other fields untouched.

      Section             Value
      Who                 idmuser01
      Access this host    client.lab.example.com
      Run Commands        /sbin/reboot
    4. On the client machine as the idmuser01 user, verify the Sudo rules. Verify the output of the sudo -l command. When prompted, use RedHat123^ as the password:

      Note

      The Sudo rule might take some time to propagate to the client machine. You can clear the SSSD cache by using the sss_cache -E command as the root user to fetch the most recent rules.

      [student@workstation ~]$ ssh idmuser01@client
      [idmuser01@client /]$ sudo -l
      [sudo] password for idmuser01: RedHat123^
      ...output omitted...
      
      User idmuser01 may run the following commands on client:
          (root) /sbin/reboot
    5. Reboot the client machine using the sudo reboot command. Use RedHat123^ as the password:

      [idmuser01@client /]$ sudo reboot
      Connection to client closed by remote host.
      Connection to client closed.
      [student@workstation ~]$
    6. Log in to the client machine as the idmuser01 user and verify that it was rebooted:

      [student@workstation ~]$ ssh idmuser01@client
      [idmuser01@client /]$ uptime
       23:03:09 up 0 min,  1 user,  load average: 0.13, 0.04, 0.01
    7. Return to the workstation machine as the student user:

      [idmuser01@client /]$ logout
      logout
      [student@workstation ~]$
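The HBAC Test results in step 6 follow from one evaluation rule: access is granted when at least one enabled HBAC rule matches the user, the target host, and the service. The following Python model is an added example, not IdM's own code; its rule, user-group, and service-group data are constructed to mirror this exercise, and host groups and nested user groups are left out for brevity.

```python
from dataclasses import dataclass, field


@dataclass
class HbacRule:
    """One HBAC rule: each dimension is either 'all' or an explicit member set."""
    name: str
    enabled: bool = True
    user_cat_all: bool = False       # "Anyone"
    host_cat_all: bool = False       # "Any Host"
    service_cat_all: bool = False    # "Any Service"
    users: set = field(default_factory=set)
    user_groups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    services: set = field(default_factory=set)
    service_groups: set = field(default_factory=set)


# Constructed directory data mirroring the exercise (not pulled from IdM).
USER_GROUPS = {"idmgroup02": {"idmuser02", "idmuser03"}}
SERVICE_GROUPS = {"Web Access": {"httpd"}}

RULES = {
    # allow_all is disabled in step 2.6, so IdM falls back to default deny.
    "allow_all": HbacRule("allow_all", enabled=False, user_cat_all=True,
                          host_cat_all=True, service_cat_all=True),
    "allow_remote_access": HbacRule("allow_remote_access",
                                    users={"idmuser01", "idmuser04", "idmuser05"},
                                    hosts={"client.lab.example.com"},
                                    services={"ftp", "sshd", "vsftpd"}),
    "allow_web": HbacRule("allow_web", users={"idmuser01"}, host_cat_all=True,
                          service_groups={"Web Access"}),
}


def rule_matches(rule, user, host, service):
    """True only if the rule is enabled and all three dimensions match."""
    if not rule.enabled:
        return False
    user_ok = (rule.user_cat_all or user in rule.users
               or any(user in USER_GROUPS.get(g, ()) for g in rule.user_groups))
    host_ok = rule.host_cat_all or host in rule.hosts
    svc_ok = (rule.service_cat_all or service in rule.services
              or any(service in SERVICE_GROUPS.get(g, ()) for g in rule.service_groups))
    return user_ok and host_ok and svc_ok


def hbac_test(user, host, service, rule_names=None):
    """Like the console's HBAC Test: (granted, names of the rules that matched)."""
    names = rule_names or list(RULES)
    matched = [n for n in names if rule_matches(RULES[n], user, host, service)]
    return bool(matched), matched
```

Re-enabling allow_all (as step 6.7 does) makes every request match that rule again, which is why the exercise disables it before testing the narrower rules.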

Finish

From the workstation machine, run the lab finish users-access command to clean the resources created in the exercise.

[student@workstation ~]$ lab finish users-access

Revision: rh362-9.1-4c6fdb8