HOST class * for WINDOWS SERVER 2016

Article ID: 129695

Products

CA Virtual Privilege Manager, CA Privileged Identity Management Endpoint (PIM), CA Privileged Access Manager (PAM)

Issue/Introduction

In UNIX, defining a HOST class record with * allows you to see audit records for all hosts. The same is required for Windows.

On Windows, the following example, meant to audit all hosts, does not work:

so class+(host)
nr host * audit(all)
auth host * service(*) access(all)

seaudit -a | findstr HOST produces no entry for the HOST class.

However, defining a specific host with the HOST class:

nr host machine.domain.com audit(all)
auth host machine.domain.com service(*) access(all)
seaudit -a | findstr HOST

produces some output for the host defined previously:

11 Jan 2019 13:58:08 P HOST ms-wbt-server 153 3 machine.domains

In Linux/UNIX both examples work.

Is it possible to use on Windows the same HOST record definition as on UNIX (namely specifying a * entry) to see all audit records for all hosts?

Environment

PIM 14
Windows all supported versions

Resolution

No, you cannot use the same command on UNIX and on Windows.

On UNIX, * will work for the HOST class, but not on Windows.

On the Windows endpoint the '*' character is used when creating GENERIC system resources (FILE, REGKEY, REGVAL). Such a rule creates protection for the folder or registry key and its subfolders or registry values.

There is no logic in the Windows endpoint to handle the case where a rule is created or updated using the '*' character in the RESOURCE name. It is interpreted as intending to change the existing rules of this class, and hence it does not work as intended.

This is not a bug, but an implementation limitation of the Windows Endpoint.