PIM/PAMSC All:PROGRAM class does not work on Windows 2016
book
Article ID: 129665
calendar_today
Updated On:
Products
CA Privileged Access Manager - Cloakware Password Authority (PA)PAM SAFENET LUNA HSMCA Privileged Access Manager (PAM)
Issue/Introduction
User tried to test for PROGRAM class rule. But it does not work on it. And also, audit log is not recorded access event. Rules: setoptions class+(PROGRAM) er PROGRAM ('C:\Windows\System32\notepad.exe') owner(nobody) defacc(none) blockrun- audit(a) authorize PROGRAM ('C:\Windows\System32\notepad.exe') access(EXECUTE) uid('hostname\\Administrator') The rule is affected on another server which is running on 2012 R2.
Cause
I compared setting on normal and problematic server. Then I found FILE class is disabled at the problematic server. When I check behavior with tracer's log, PROGRAM class check is triggered by FILE access. It is not caused by difference between OS and PIM/PAMSC version.
Environment
OS: Windows Server 2016 Prod: CA Privileged Access Manager r14.0 CR1 for Endpoint