HOST class * for WINDOWS SERVER 2016
Article ID: 129695
Updated On:
Products
CA Virtual Privilege Manager
CA Privileged Identity Management Endpoint (PIM)
CA Privileged Access Manager (PAM)
Issue/Introduction
In UNIX defining a HOST class record with * allows to see records for all hosts. The same is required for Windows.
In windows, the following example, meant to audit all hosts, does not work
so class+(host)
nr host * audit(all)
auth host * service(*) access(all)
seaudit -a | findstr HOST produces no entry for the host class
However defining a specific terminal with the host class
nr host machine.domain.com audit(all)
auth host machine.domain.com service(*) access(all)
seaudit -a | findstr HOST
produces some output for the host defined previously:
11 Jan 2019 13:58:08 P HOST ms-wbt-server 153 3 machine.domains
In Linux/UNIX both examples work
Is it possible to use in windows the same host record definition as in unix (namely specifying a * entry) to see all audit records for all hosts ?
In windows, the following example, meant to audit all hosts, does not work
so class+(host)
nr host * audit(all)
auth host * service(*) access(all)
seaudit -a | findstr HOST produces no entry for the host class
However defining a specific terminal with the host class
nr host machine.domain.com audit(all)
auth host machine.domain.com service(*) access(all)
seaudit -a | findstr HOST
produces some output for the host defined previously:
11 Jan 2019 13:58:08 P HOST ms-wbt-server 153 3 machine.domains
In Linux/UNIX both examples work
Is it possible to use in windows the same host record definition as in unix (namely specifying a * entry) to see all audit records for all hosts ?
Environment
PIM 14
Windows all supported versions
Windows all supported versions
Resolution
No you cannot use the same command in unix and in windows.
In UNIX, * will work for the HOST class, but not in windows.
On Windows endpoint '*' char is used when creating GENERIC system resources (FILE, REGKEY, REGVAL). The rule creates protection in folder/registry and it's sub folders/registry values.
There is no logic in Windows endpoint to handle the use case when you create/update a rule using the '*' char in the RESOURCE name. It is interpreted as intending to change the existing rules on this class and hence it does not work as intended.
This is not a bug, but an implementation limitation of the Windows Endpoint.
In UNIX, * will work for the HOST class, but not in windows.
On Windows endpoint '*' char is used when creating GENERIC system resources (FILE, REGKEY, REGVAL). The rule creates protection in folder/registry and it's sub folders/registry values.
There is no logic in Windows endpoint to handle the use case when you create/update a rule using the '*' char in the RESOURCE name. It is interpreted as intending to change the existing rules on this class and hence it does not work as intended.
This is not a bug, but an implementation limitation of the Windows Endpoint.
Feedback
Yes
No
Powered by
