Fedora 9, released last month, included the first release of FreeIPA, a new free/open source project that comes out of Red Hat with the goal of becoming a complete and integrated security information management solution. In this article we take a look at exactly what FreeIPA is, both what it can do now and what its developers hope it will be capable of in the future. It seems destined to become a key feature of Red Hat Enterprise Linux 6, and with Fedora 9 released and FreeIPA tightly integrated, now seems to be the perfect time to explore this new technology.
The project has been running for a year and has recently made its 1.0 release. While the "IPA" part of the name stands for Identity, Policy and Auditing, the current focus is solely on providing the tools to make the identity part of the solution work, with the others being targeted for future releases. This includes the ability to centrally authenticate and administer user identities, functionality which is available in the 1.0 release through the unification of the Fedora Directory Server and MIT Kerberos, with plans to provide similar functionality for machines and services over the coming year.
Beyond the core functionality, the 1.0 release targeted simplifying the installation and configuration of the IPA environment, along with interfaces that will allow systems administrators to interact with the tool in an efficient manner. Both a command line and a web GUI are available in the 1.0 release, along with installation scripts that walk the administrator through the initial configuration.
Once the identity functionality is in place with regard to machines and services as well as users, the plan is to use the information generated to allow systems administrators to build security policies. Perhaps the two most important features planned for this side of FreeIPA are the ability to centrally manage Fedora servers and their accompanying SELinux policies. The technology has not been developed solely with Fedora in mind either, but is designed to be compatible with all of the major UNIX OSs. Not all UNIX versions, of course are capable of all of the features and so these would be restricted to certain platforms. SELinux, for example, is Linux-only. Most significant, however, is the planned ability to be capable of applying policies to individual boxes depending on which group they belong to, including the ability to target virtual machines separate from their physical hosts.
Microsoft Windows support is on the road map, but not available yet.
Following this, the final piece of the IPA puzzle to be implemented will be auditing, which will allow systems administrators to easily review a number of important security logs so that they can be aware if an incident occurs, and also discover important information such as which user used which machine and when. The major benefit of this particular feature will be to allow organisations to easily comply with a number of new regulations that require detailed information such as user access histories.