freeipa / freeipa-healthcheck

Check the health of a freeIPA installation
GNU General Public License v3.0

Check for missing HBAC rules for sudo services when sudorules are defined #344

Open abbra opened 3 weeks ago

abbra commented 3 weeks ago

Can we do a healthcheck for a case where people have sudo rules but no corresponding HBAC rule allowing sudo access? Or would this be too much data crunching?

rcritten commented 3 weeks ago

It would involve a couple of searches, or one jumbo one. It depends on the indexing. I can run a test with a lot of sudo and hbac rules to see what the etimes are.

I think what we're looking for is:

abbra commented 3 weeks ago

Right. One complicating thing is the case where sudo rules are targeting hosts that HBAC rules with sudo or sudo-l are not targeting.
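The check discussed in this thread, as an added example that is not freeipa-healthcheck code: it flags enabled sudo rules whose target hosts have no enabled HBAC rule granting the `sudo` or `sudo-i` service, including the host-mismatch case abbra raises. The rules are simplified dicts standing in for LDAP entries (host group membership assumed to be flattened to host names beforehand); a real plugin would fetch them through the IPA API or LDAP.

```python
# Added example, not part of freeipa-healthcheck. Rule dicts are a constructed
# stand-in for the LDAP entries; "hostcat"/"servicecat" mirror the IPA
# category attributes, "hosts"/"services" the explicit member lists.
SUDO_SERVICES = {"sudo", "sudo-i"}  # default FreeIPA HBAC services for sudo


def hbac_covers(hbac_rule, host):
    """True if this HBAC rule is enabled, allows a sudo service, and applies to host.

    host=None asks whether the rule applies to every host (hostcat=all)."""
    if not hbac_rule.get("enabled", True):
        return False
    allows_sudo = (hbac_rule.get("servicecat") == "all"
                   or bool(SUDO_SERVICES & set(hbac_rule.get("services", ()))))
    if not allows_sudo:
        return False
    return hbac_rule.get("hostcat") == "all" or host in hbac_rule.get("hosts", ())


def uncovered_sudo_rules(sudo_rules, hbac_rules):
    """Map sudo rule name -> target hosts that no HBAC rule grants sudo on."""
    findings = {}
    for rule in sudo_rules:
        if not rule.get("enabled", True):
            continue  # disabled sudo rules grant nothing, so nothing to report
        if rule.get("hostcat") == "all":
            # A sudo rule for all hosts needs an HBAC sudo rule for all hosts.
            if not any(hbac_covers(h, None) for h in hbac_rules):
                findings[rule["name"]] = ["<all hosts>"]
            continue
        missing = [host for host in rule.get("hosts", ())
                   if not any(hbac_covers(h, host) for h in hbac_rules)]
        if missing:
            findings[rule["name"]] = missing
    return findings


# Constructed sample data: allow_all is disabled, as on a hardened deployment.
SAMPLE_SUDO_RULES = [
    {"name": "admins-sudo", "enabled": True, "hostcat": "all"},
    {"name": "db-ops", "enabled": True,
     "hosts": ["db1.example.test", "db2.example.test"]},
    {"name": "old-rule", "enabled": False, "hosts": ["legacy.example.test"]},
]
SAMPLE_HBAC_RULES = [
    {"name": "allow_sudo_db1", "enabled": True,
     "services": ["sudo", "sudo-i"], "hosts": ["db1.example.test"]},
    {"name": "allow_all", "enabled": False, "servicecat": "all", "hostcat": "all"},
]


def run_sample():
    return uncovered_sudo_rules(SAMPLE_SUDO_RULES, SAMPLE_HBAC_RULES)


if __name__ == "__main__":
    for name, hosts in run_sample().items():
        print(f"sudo rule {name!r}: no HBAC sudo rule for {', '.join(hosts)}")
```

The comparison is linear in sudo rules times HBAC rules, so the cost rcritten raises is in the searches that load the rules, not in this step.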