About deleting the seos.audit.bak file


Article ID: 142691


Products

CA Privileged Identity Management Endpoint (PIM)
CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

There is a seos.audit.bak file in the $SEOSDIR/log directory.

*SEOSDIR is the PIM/PAMSC installation directory.

The file is a backup of the seos.audit file.

While the PIM/PAMSC services are running, the file cannot be removed with the rm command.

 

#rm seos.audit.bak

rm: remove regular file 'seos.audit.bak'? y

rm: cannot remove 'seos.audit.bak': Permission denied

Environment

Release : All versions

Component : PIM/PAMSC

Resolution

Yes, this behavior is by design.

#seaudit -a -sd today
<Date&Time> D FILE         root       Erase     995 10 /opt/CA/AccessControl/log/seos.audit.bak /usr/bin/rm          <IP address>                  root

#seaudit -t | grep 995
995     Unauthorized access to internal resource

The file cannot be removed because it is protected internally (not in seosdb).
To allow removal, add a rule like the following:

AC> nr file /opt/CA/AccessControl/log/seos.audit.bak* owner(nobody) defacc(a) audit(a)

With this rule in place, you should be able to remove the file.
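
To see which users and programs are being denied by this internal protection, the seaudit record shown above can be filtered on reason code 995. The following is an added example, not vendor code: the function name, the sample records and the column positions (inferred from the single record in this article) are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Column positions are inferred from the
# one seaudit record shown in the article and are an assumption.

# Reads seaudit-style records on stdin and prints one line per denied (D)
# FILE access with reason code 995: "user access resource program".
find_internal_denials() {
    awk '
    {
        # Locate the status column by its neighbour (the class column),
        # so the timestamp layout in front of it does not matter.
        for (i = 1; i < NF; i++) {
            if ($i == "D" && $(i + 1) == "FILE") {
                if ($(i + 4) == "995")
                    print $(i + 2), $(i + 3), $(i + 6), $(i + 7)
                break
            }
        }
    }'
}

# Constructed sample records. Timestamps, host name, and the codes 111 and
# 222 are placeholders, not real seaudit values.
sample_records() {
    cat <<'EOF'
01 Jan 2000 00:00:00 D FILE root Erase 995 10 /opt/CA/AccessControl/log/seos.audit.bak /usr/bin/rm host.example root
01 Jan 2000 00:00:05 P FILE root Read 111 2 /etc/hosts /usr/bin/cat host.example root
01 Jan 2000 00:00:09 D FILE user1 Write 222 2 /etc/passwd /usr/bin/vi host.example user1
EOF
}

# On a live host, feed it the command from the article:
#   seaudit -a -sd today | find_internal_denials
if [ "${1:-}" = "--demo" ]; then
    sample_records | find_internal_denials
fi
```

Reviewing this output before and after adding the rule shows whether anything other than the expected cleanup job is touching the audit backup.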

Additional Information

When adding this rule, it is suggested to add the following rule at the same time:

AC> nr file /opt/CA/AccessControl/log/seos.audit owner(nobody) defacc(r) audit(a)
or a specific ACL rule.

Without it, the removal may fail when seos.audit is rotated for the first time while the services are running.
The trace then shows the following message:
  FILE    > Results: 'D' Privileged Access Manager Server Control File Only '/opt/CA/AccessControl/log/seos.audit'