PAMSC(EP) r14.1: "Enhanced PROCESS Class" does not work

Article ID: 130085


Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)

Issue/Introduction



A PAMSC user would like to know about the 'Extended PROCESS class', which was enhanced in PAMSC r14.1.
He checked the behavior described in the following guides, using the strace command.

https://docops.ca.com/ca-privileged-access-manager-server-control/14-1/en/reference/selang-reference-guide/classes-in-the-ac-environment/process-class
https://docops.ca.com/ca-privileged-access-manager-server-control/14-1/en/administrating/endpoint-administration-for-unix/protect-process-being-attached-by-other-processes

For example, he tried the following steps:

1. Define a rule for the top command.
  nr PROCESS /usr/bin/top owner(nobody) defacc(n) audit(a)
  auth PROCESS /usr/bin/top uid(root) access(attach)
2. Start /usr/bin/top.
3. Log in as root on another terminal.
4. Find the process ID of top.
5. Run: strace -rfT -p "PID for top"

But he cannot control the process, and no audit log is written.
 

Environment

OS: RHEL 7.5 
Prod: CA Privileged Access Manager r14.1 for Endpoint 

Resolution

The strace command does not call the process attach system call (ptrace(PTRACE_ATTACH, ...)).
Therefore, PAMSC cannot intercept the process attach event and control it.

Please check with gdb -p PID instead.
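
The Resolution turns on which ptrace request a tool issues when it attaches. As an added example (not from this article or the vendor), the C program below issues PTRACE_ATTACH and, for comparison, PTRACE_SEIZE against a PID and reports each result, so the PROCESS rule can be tested against a known request. Comparing against PTRACE_SEIZE is an assumption of this example; the article names only PTRACE_ATTACH.

```c
/* Added example, not vendor code; the PTRACE_SEIZE comparison is an assumption. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 0 if the request succeeded (tracee is detached again), else errno. */
int try_request(pid_t pid, int use_seize)
{
    long rc = use_seize ? ptrace(PTRACE_SEIZE, pid, NULL, NULL)
                        : ptrace(PTRACE_ATTACH, pid, NULL, NULL);
    if (rc == -1)
        return errno;
    /* DETACH needs a stopped tracee: ATTACH stops it, SEIZE needs INTERRUPT. */
    if (!use_seize || ptrace(PTRACE_INTERRUPT, pid, NULL, NULL) == 0)
        waitpid(pid, NULL, 0);
    ptrace(PTRACE_DETACH, pid, NULL, NULL);
    return 0;
}

/* Self-check: run try_request() against a throwaway child process. */
int try_on_child(int use_seize)
{
    pid_t child = fork();
    if (child < 0)
        return errno;
    if (child == 0)
        for (;;) pause();
    int result = try_request(child, use_seize);
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    return result;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s PID\n", argv[0]);
        return 2;
    }
    pid_t pid = (pid_t)atoi(argv[1]);
    int a = try_request(pid, 0), s = try_request(pid, 1);
    printf("PTRACE_ATTACH: %s\n", a ? strerror(a) : "ok");
    printf("PTRACE_SEIZE:  %s\n", s ? strerror(s) : "ok");
    return 0;
}
```

Run it as root with the PID of /usr/bin/top from step 4 and compare each line of output with the PAMSC audit log.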