A PAMSC user would like to understand the 'Extended PROCESS class', which was enhanced in PAMSC r14.1. He checked its behavior with the strace command, following these guides:
https://docops.ca.com/ca-privileged-access-manager-server-control/14-1/en/reference/selang-reference-guide/classes-in-the-ac-environment/process-class
https://docops.ca.com/ca-privileged-access-manager-server-control/14-1/en/administrating/endpoint-administration-for-unix/protect-process-being-attached-by-other-processes
For example, he tried the following steps:
1. Define a rule for the top command:
   nr PROCESS /usr/bin/top owner(nobody) defacc(n) audit(a)
   auth PROCESS /usr/bin/top uid(root) access(attach)
2. Start /usr/bin/top.
3. Log in as root on another terminal.
4. Find the process ID of top.
5. Run: strace -rfT -p "PID for top"
But he cannot control the process, and no audit log is written.
Environment
OS: RHEL 7.5
Product: CA Privileged Access Manager r14.1 for Endpoint
Resolution
The strace command does not call the process attach system call (ptrace(PTRACE_ATTACH, ...)), so PAMSC cannot intercept the attach event and control it.
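To exercise the attach rule with a tracer that does issue ptrace(PTRACE_ATTACH, ...), a small test program can be run against the PID of top. This is an added example, not code from the original article or from the product; the function name try_attach is hypothetical.

```c
/* Added example: issues PTRACE_ATTACH directly so an attach rule can be tested. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* try_attach (hypothetical name): attach to pid with PTRACE_ATTACH, wait for
 * the resulting stop, then detach again.
 * Returns 0 if the attach was allowed, otherwise the errno set by the failing
 * call (for example ESRCH when the PID does not exist). */
int try_attach(pid_t pid)
{
    int status;

    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1)
        return errno;

    /* PTRACE_ATTACH sends SIGSTOP to the target; wait until it has stopped. */
    if (waitpid(pid, &status, 0) == -1) {
        int saved = errno;
        ptrace(PTRACE_DETACH, pid, NULL, NULL);
        return saved;
    }

    /* Detach with signal 0 so the target resumes without a pending SIGSTOP. */
    if (ptrace(PTRACE_DETACH, pid, NULL, NULL) == -1)
        return errno;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s PID\n", argv[0]);
        return 2;
    }
    pid_t pid = (pid_t)strtol(argv[1], NULL, 10);
    int rc = try_attach(pid);
    if (rc == 0)
        printf("PTRACE_ATTACH to %d: allowed\n", (int)pid);
    else
        printf("PTRACE_ATTACH to %d: refused (%s)\n", (int)pid, strerror(rc));
    return rc == 0 ? 0 : 1;
}
```

Run it in place of step 5 with the PID of top as its argument, then check the program's result and the audit log.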