PAMSC(EP) r14.1: "Enhanced PROCESS Class" does not work
Article ID: 130085
CA Privileged Access Manager - Cloakware Password Authority (PA), PAM SAFENET LUNA HSM, CA Privileged Access Manager (PAM)
A PAMSC user wants to understand the 'Extended PROCESS class' that was enhanced in PAMSC r14.1. He checked its behavior against the following guides, using the strace command.
https://docops.ca.com/ca-privileged-access-manager-server-control/14-1/en/reference/selang-reference-guide/classes-in-the-ac-environment/process-class
https://docops.ca.com/ca-privileged-access-manager-server-control/14-1/en/administrating/endpoint-administration-for-unix/protect-process-being-attached-by-other-processes
For example, he tried the following steps:
1. Define a rule for the top command:
   nr PROCESS /usr/bin/top owner(nobody) defacc(n) audit(a)
   auth PROCESS /usr/bin/top uid(root) access(attach)
2. Start /usr/bin/top.
3. Log in as root on another terminal.
4. Find the process ID of top.
5. Run: strace -rfT -p "PID for top"
However, he cannot control the process, and no audit log is written.
OS: RHEL 7.5
Product: CA Privileged Access Manager r14.1 for Endpoint
The strace command does not call the process-attach system call (ptrace(PTRACE_ATTACH, ...)). As a result, PAMSC cannot intercept the attach event and control it.
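An added example (not from the article or from CA) of how to confirm whether a process has a tracer regardless of which ptrace request was used. It assumes, beyond what the article states, that the strace build in use attaches with PTRACE_SEIZE rather than PTRACE_ATTACH; the program attaches to its own idle child both ways and reads TracerPid from /proc/<pid>/status.

```c
/* Added example: a tracer shows up in /proc/<pid>/status (TracerPid)
 * whether it attached with PTRACE_ATTACH or with PTRACE_SEIZE.
 * Function names are hypothetical; this is not PAMSC or strace code. */
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return the TracerPid of pid from /proc/<pid>/status, or -1 on error. */
static long tracer_pid(pid_t pid) {
    char path[64], line[256];
    long tracer = -1;
    snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "TracerPid: %ld", &tracer) == 1) break;
    fclose(f);
    return tracer;
}

/* Fork an idle child, attach to it with `request`, and return the TracerPid
 * observed. Returns -1 if the attach is refused (for example by Yama
 * ptrace_scope or a container seccomp profile). */
long tracer_after(int request) {
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) { for (;;) pause(); }      /* child: idle until killed */
    long seen = -1;
    if (ptrace(request, child, NULL, NULL) == 0) {
        if (request == PTRACE_ATTACH)
            waitpid(child, NULL, 0);           /* ATTACH stops the tracee; SEIZE does not */
        seen = tracer_pid(child);
    }
    kill(child, SIGKILL);                      /* SIGKILL also ends a traced child */
    waitpid(child, NULL, 0);
    return seen;
}

int main(void) {
    printf("PTRACE_ATTACH -> TracerPid %ld\n", tracer_after(PTRACE_ATTACH));
    printf("PTRACE_SEIZE  -> TracerPid %ld\n", tracer_after(PTRACE_SEIZE));
    return 0;
}
```

For the scenario in the article, the same field can be read for the top process while strace is running (grep TracerPid /proc/<PID>/status) to see that a tracer is attached even though no PROCESS audit record was written.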