PAMSC(EP) r14.1: "Enhanced PROCESS Class" does not work
search cancel

PAMSC(EP) r14.1: "Enhanced PROCESS Class" does not work


Article ID: 130085


Updated On:


CA Privileged Access Manager - Cloakware Password Authority (PA) CA Privileged Access Manager (PAM)


PAMSC user would like to know 'Extended PROCESS class' which is enhanced at PAMSC r14.1.
He checked behavior with following guide with strace comand.
For example, he tried following steps:

1.  define rule for top command.
  nr PROCESS /usr/bin/top owner(nobody) defacc(n) audit(a) 
  auth PROCESS /usr/bin/top uid(root) access(attach) 
2. start /usr/bin/top
3. login as root on another terminal.
4. find process ID for the top
5. strace -rfT -p "PID for top"

But he cannot control process and there is no audit log.


OS: RHEL 7.5 
Prod: CA Privileged Access Manager r14.1 for Endpoint 


strace command does not call process attach system call(ptrace(PTRACE_ATTACH, ...) ).
So, PAMSC cannot intercept attached process event and control it.

Please use check with gdb -p PID.