Why is KBL audit not capturing my KBL events ?

Article ID: 128022


Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)

Issue/Introduction

One of the ways to monitor a group of enterprise (OS) users with PAM SC is to define an enterprise group for the OS group they belong to. For instance, if users abc, def and xyj belong to the OS group staff, in selang it is possible to create the enterprise group staff with audit flags:

nxg staff owner(root) audit(all, interactive)

When one of these users logs in, PAM SC recognizes it as an OS user and, because it belongs to XGROUP staff and the interactive audit flag is set, the session is monitored with KBL.

Sometimes, though, this does not work: the user logs in, but nothing is actually recorded in the KBL audit.

Why can't I see any recorded KBL sessions for my user, even though it belongs to a group for which KBL audit is enabled in PAM SC?

Environment

PIM and PAM SC, all versions.
This document explains the use case for UNIX/Linux, but a Windows PAM SC/PIM environment behaves the same way; there the settings have to be modified in the Windows registry under the PAM SC keys.

Resolution

A likely cause is that your PAM SC installation is configured not to recognize OS users. The seos.ini setting osuser_enabled controls this: if it is set to no, OS users are not recognized by PAM SC.

If this is the case, when you log in to the system as one of the users that should be monitored through membership of the corresponding group (e.g. ssh <user>@<host>) and run sewhoami -a as that user, you will see the user listed as _undefined and the User type as logical.

KBL cannot audit the _undefined user, nor the logical user type.

You need to:

  1. Stop PAM SC (secons -sk).
  2. Edit seos.ini (usually under /opt/CA/PAMSC), look for the osuser_enabled setting and set it to yes.
  3. Restart PAM SC (seload).

After the restart, log in again as the user and run sewhoami -a: the user should now be reported as an OS user rather than _undefined, and the KBL audit should record the session.
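As an added example that is not part of this article, a small POSIX shell helper that reports the current osuser_enabled value in a seos.ini file and rewrites it to yes. It assumes the token is written as "osuser_enabled = value" (the sample file it builds is constructed for the demo) and that the real path, such as /opt/CA/PAMSC/seos.ini, is passed as the first argument; stopping PAM SC beforehand and running seload afterwards are still done by hand as the steps above describe.

```shell
#!/bin/sh
# Added example, not from the article. Assumption: seos.ini carries the
# token as "osuser_enabled = value" (the real file also has sections such
# as [seos], which the matching below does not depend on).

# Print the current value of osuser_enabled, or "missing" if no such line.
get_osuser_enabled() {
    awk -F'=' '
        /^[[:space:]]*osuser_enabled[[:space:]]*=/ {
            gsub(/[[:space:]]/, "", $2); print $2; found = 1; exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Rewrite the token to yes in place (a .bak copy is kept); idempotent and
# leaves every other line untouched.
set_osuser_enabled_yes() {
    sed -i.bak 's/^\([[:space:]]*osuser_enabled[[:space:]]*=\).*/\1 yes/' "$1"
}

# Constructed sample seos.ini, used only to demonstrate the helpers offline.
make_sample_ini() {
    cat > "$1" <<'EOF'
[seos]
osuser_enabled = no
trace_file = seos.trace
EOF
}

# Usage: ./check_osuser.sh /opt/CA/PAMSC/seos.ini  (path is an assumption)
if [ "${1:-}" ]; then
    echo "osuser_enabled is: $(get_osuser_enabled "$1")"
fi
```

A value of no (or missing) matches the sewhoami -a symptom described above; run set_osuser_enabled_yes on the file only with PAM SC stopped, then seload.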