HBAC Services
Manage HBAC service definitions for use in host-based access control rules. Services represent specific system services (SSH, su, sudo, etc.) that can be controlled via HBAC policies. Features include service creation with descriptions, service grouping for policy management, and integration with HBAC rules for granular service-level access control.
HBAC services are the PAM services that HBAC can control access to. The name used here must match the service name that PAM is evaluating.
EXAMPLES
Add a new HBAC service:
ipa hbacsvc-add tftp
Modify an existing HBAC service:
ipa hbacsvc-mod --desc="TFTP service" tftp
Search for HBAC services. This example will return two results, the FTP service and the newly-added tftp service:
ipa hbacsvc-find ftp
Delete an HBAC service:
ipa hbacsvc-del tftp
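Because an HBAC service only takes effect when its name matches the PAM service name, it is worth checking the defined names against a host's PAM configuration. The script below is an added example, not part of the FreeIPA documentation: it reports HBAC service names that have no same-named file in /etc/pam.d. It assumes PAM is configured through the /etc/pam.d directory and that hbacsvc-find prints each entry as "Service name: NAME"; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: find HBAC service names with no matching PAM service file.

# Read `ipa hbacsvc-find` text output on stdin and print one name per line.
# Assumption: entries are printed as "  Service name: NAME".
hbac_names() {
    sed -n 's/^[[:space:]]*Service name:[[:space:]]*//p'
}

# Read names on stdin; print those with no file of that name in the PAM
# configuration directory ($1, default /etc/pam.d). With pam.d-style
# configuration, the PAM service name is the file name in that directory.
unmatched_services() {
    pam_dir=${1:-/etc/pam.d}
    while IFS= read -r svc; do
        [ -n "$svc" ] || continue
        [ -f "$pam_dir/$svc" ] || printf '%s\n' "$svc"
    done
}

# Constructed sample of hbacsvc-find output (not captured from a real server).
sample_find_output() {
    cat <<'EOF'
-----------------------
3 HBAC services matched
-----------------------
  Service name: sshd

  Service name: sudo

  Service name: tftp
EOF
}

# Offline demonstration against a temporary directory standing in for
# /etc/pam.d, containing only "sshd" and "sudo".
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/sshd"
    : > "$d/sudo"
    sample_find_output | hbac_names | unmatched_services "$d"
    rm -rf "$d"
}

# On an enrolled host with a valid Kerberos ticket, the live check would be:
#   ipa hbacsvc-find --pkey-only --sizelimit=0 | hbac_names | unmatched_services
demo
```

A name reported here is not necessarily an error, since the service may be installed on other hosts, but an HBAC rule that references it will never match a PAM request on this one.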
Commands
Command Description
hbacsvc-add Add a new HBAC service.
hbacsvc-del Delete an existing HBAC service.
hbacsvc-find Search for HBAC services.
hbacsvc-mod Modify an HBAC service.
hbacsvc-show Display information about an HBAC service.
hbacsvc-add
Usage: ipa [global-options] hbacsvc-add SERVICE [options]
Add a new HBAC service.
Arguments
Argument Required Description
SERVICE yes HBAC service
Options
Option Description
--desc DESC HBAC service description
--setattr SETATTR Set an attribute to a name/value pair. Format is
attr=value.
--addattr ADDATTR Add an attribute/value pair. Format is
attr=value. The attribute
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
--no-members Suppress processing of membership attributes.
hbacsvc-del
Usage: ipa [global-options] hbacsvc-del SERVICE [options]
Delete an existing HBAC service.
Arguments
Argument Required Description
SERVICE yes HBAC service
Options
Option Description
--continue Continuous mode: Don’t stop on errors.
hbacsvc-find
Usage: ipa [global-options] hbacsvc-find [CRITERIA] [options]
Search for HBAC services.
Arguments
Argument Required Description
CRITERIA no A string searched in all relevant object
attributes
Options
Option Description
--service SERVICE HBAC service
--desc DESC HBAC service description
--timelimit TIMELIMIT Time limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMIT Maximum number of entries returned (0 is
unlimited)
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
--pkey-only Results should contain primary key attribute only
(“service”)
hbacsvc-mod
Usage: ipa [global-options] hbacsvc-mod SERVICE [options]
Modify an HBAC service.
Arguments
Argument Required Description
SERVICE yes HBAC service
Options
Option Description
--desc DESC HBAC service description
--setattr SETATTR Set an attribute to a name/value pair. Format is
attr=value.
--addattr ADDATTR Add an attribute/value pair. Format is
attr=value. The attribute
--delattr DELATTR Delete an attribute/value pair. The option will
be evaluated
--rights Display the access rights of this entry (requires --all).
See ipa man page for details.
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
--no-members Suppress processing of membership attributes.
hbacsvc-show
Usage: ipa [global-options] hbacsvc-show SERVICE [options]
Display information about an HBAC service.
Arguments
Argument Required Description
SERVICE yes HBAC service
Options
Option Description
--rights Display the access rights of this entry (requires --all).
See ipa man page for details.
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.