Why are the KBL Audits only collecting local account data?

Article ID: 106162

Products

CA Virtual Privilege Manager
CA Privileged Identity Management Endpoint (PIM)
CA Privileged Access Manager (PAM)

Issue/Introduction



We've been seeing an issue in our environment where KBL audits have only been collecting local account login data, even though there are plenty of AD users logging in and out of the system during the period of the observation.

Running seaudit -kbl -a -sd <date>, one can observe local users logging in, starting cmdlog, and logging out, but there is no trace of the Active Directory users logging into the system.

What is the reason for this behaviour and how can this be solved?

Environment

UNAB 12.8X, 12.9X and 14.X

Resolution

This happens when the actual shell binary used by the Active Directory accounts is not listed in /etc/shells. A shell that is not listed there is not tracked by the seos kernel module, so no login, cmdlog or logout events are posted to the audit log for the users of that shell. The fix is to list the path of the actual shell binary in /etc/shells.

Note that this is not specific to Active Directory users: ANY user whose configured shell binary is not listed in /etc/shells will not get cmdlog started. Symbolic links are the usual cause. For instance, if the users' shell is /bin/ksh but /bin/ksh is a symbolic link to the real binary (e.g. /bin/ksh -> /bin/alternative/ksh) and /etc/shells lists only the link /bin/ksh rather than its target /bin/alternative/ksh, then every user logging in with ksh as their shell will experience this issue. Add the resolved path (here /bin/alternative/ksh) to /etc/shells, keeping the existing entries, and verify with seaudit -kbl that login events for those users are now recorded.
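The following script is an added example and is not part of the original article or of the CA/Broadcom product. It checks, for each account in passwd format, whether the login shell resolves (through any symbolic links) to a path that is listed verbatim in the shells file, which is the condition described above. It assumes a POSIX shell with readlink -f, takes the shells file as a parameter (on a real host that is /etc/shells, with `getent passwd` as the account source), and builds the /bin/ksh -> /bin/alternative/ksh misconfiguration in a temporary directory with constructed sample accounts (the "aduser" entry is hypothetical) so it runs offline without touching system files.

```shell
#!/bin/sh
# Added example, not part of the original article: find accounts whose login
# shell will not be tracked because its real (symlink-resolved) path is not
# listed in the shells file. Assumptions: the shells file and the passwd
# lines are passed in (on a real host use /etc/shells and `getent passwd`);
# the sample environment below is constructed in a temporary directory so
# the script runs offline and touches no system files.

# shell_listed SHELLS_FILE SHELL_PATH
# Succeeds (0) when the resolved path of SHELL_PATH appears verbatim in
# SHELLS_FILE, fails (1) otherwise. Prints what it compared.
shell_listed() {
    shells_file=$1
    shell_path=$2
    # Resolve symlinks: this is the binary the kernel module actually sees.
    real_path=$(readlink -f "$shell_path" 2>/dev/null || printf '%s' "$shell_path")
    if grep -Fxq "$real_path" "$shells_file"; then
        printf 'ok: %s -> %s is listed\n' "$shell_path" "$real_path"
        return 0
    fi
    printf 'missing: %s -> %s is not in %s\n' "$shell_path" "$real_path" "$shells_file"
    return 1
}

# check_passwd_shells SHELLS_FILE < passwd-format lines
# Reads user:pw:uid:gid:gecos:home:shell lines on stdin and reports every
# account whose shell is untracked, then the total count on the last line.
check_passwd_shells() {
    shells_file=$1
    bad=0
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$shell" ] || continue
        if ! shell_listed "$shells_file" "$shell" >/dev/null; then
            printf 'untracked: %s (shell %s)\n' "$user" "$shell"
            bad=$((bad + 1))
        fi
    done
    printf 'untracked accounts: %d\n' "$bad"
}

# demo_setup: build the misconfiguration from the article in a temp dir
# (constructed sample, not real binaries) and print the directory path.
# The shells file lists the symlink bin/ksh, not its target bin/alternative/ksh.
demo_setup() {
    tmp=$(cd "$(mktemp -d)" && pwd -P)
    mkdir -p "$tmp/bin/alternative"
    printf '#!/bin/sh\n' > "$tmp/bin/alternative/ksh"
    printf '#!/bin/sh\n' > "$tmp/bin/bash"
    chmod +x "$tmp/bin/alternative/ksh" "$tmp/bin/bash"
    ln -s "$tmp/bin/alternative/ksh" "$tmp/bin/ksh"
    printf '%s\n%s\n' "$tmp/bin/bash" "$tmp/bin/ksh" > "$tmp/shells"
    printf '%s' "$tmp"
}

# Usage on the constructed sample: the local root account is tracked, the
# hypothetical AD account using the ksh symlink is not.
tmp=$(demo_setup)
check_passwd_shells "$tmp/shells" <<EOF
root:x:0:0:root:/root:$tmp/bin/bash
aduser:x:10001:10001:AD user (constructed):/home/aduser:$tmp/bin/ksh
EOF
rm -rf "$tmp"
```

On a real host the equivalent run is `getent passwd | check_passwd_shells /etc/shells`; every account reported as untracked needs the printed resolved path appended to /etc/shells. The comparison is deliberately a literal match on the resolved path rather than on the symlink, because that is the path the article says must be listed.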