PAM SC(EP) : appears SURROGATE log non-root to another user and non-root to root by only one su command

Article Id: 108051

Status: Published

Updated On: 27-07-2018 03:35

Products:

CA Privileged Access Manager - Cloakware Password Authority (PA) , PAM SAFENET LUNA HSM , CA Privileged Access Manager (PAM) , CA Privileged Access Manager (PAM)

Issue/Introduction:

Customer add following rule to find switch user.
editres SURROGATE ('USER._default') audit(SUCCESS FAILURE) defaccess(READ) owner('nobody')
When non-root user switch to another user, it appears both surrogate log as non-root user to another user and non-root to root user.

Environment:

OS: RHEL
Prod: CA Privilege Access Manager Server Control r14.0 for Endpoint.
It may occur on Privileged Identity Manager r12.8 SP1 or so.

Resolution:

Customer found the problem is occurred when SELinux is 'permissive'.
So, it works as expected after disable SELinux.