Sometimes it is required to create many PROGRAM resources so that large numbers of programs can be patched as part of the regular operation. Such is the case when database servers must be patched.
PROGRAM records may have trusted-program flags set to prevent tampering. Whenever such a program is modified it becomes untrusted and stays inoperative until it is retrusted. In circumstances like the one described, this means a lot of overhead after each patch run, as many programs will require retrusting.
Is there a way for me to remove the "untrust" part from the program rule, so that we don't have to retrust a bunch of servers manually each time they do patching?
You can disable the trusted program flags totally or partially.
The commands to enable or disable trusted flags are the following:
chres PROGRAM(<path to program>) flags(All|None), to enable all flags or disable all of them
chres PROGRAM(<path to program>) flags+(trusted-program-flags), to enable a specific set of flags
chres PROGRAM(<path to program>) flags-(trusted-program-flags), to disable a specific set of flags
Here the flags to enable or disable may be any of:
{[Mtime] [Mode] [Size] [Device] [Inode] [Crc] [Owner] [Group]}
For instance:
chres PROGRAM ("/u01/app/oracle/product/12.1.0/grid/bin/clscfg.bin") flags(none)
This would disable all trusted flags for the program /u01/app/oracle/product/12.1.0/grid/bin/clscfg.bin, so that a change in any of the values (inode, size, mode…), as happens when an Oracle server is patched, would not cause the program to become untrusted.
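A partial disable keeps some tamper checks in place where flags(none) removes them all. The script below is an added example, not part of the original article or the product's tooling: it generates one chres ... flags-(...) command per program and flag, using only the syntax and flag names shown above. The function names, the choice of Mtime, Size, Inode and Crc as the attributes a patch changes, and the sample path list are assumptions.

```shell
#!/bin/sh
# Added example: emit selang chres commands that switch off only selected
# trusted-program flags for a list of PROGRAM paths read from stdin.

# Flag names exactly as listed in the article.
VALID_FLAGS="Mtime Mode Size Device Inode Crc Owner Group"

# Assumption: the attributes a patch run changes at this site. Mode, Owner
# and Group stay checked, so permission or ownership changes are still caught.
PATCH_FLAGS="Mtime Size Inode Crc"

is_valid_flag() {
    for v in $VALID_FLAGS; do
        [ "$v" = "$1" ] && return 0
    done
    return 1
}

# gen_chres "<flags>" < path-list
# Prints one command per path and flag. Returns 2 on an unknown flag,
# 1 if any path was skipped, 0 otherwise.
gen_chres() {
    flags=$1
    for f in $flags; do
        is_valid_flag "$f" || { echo "unknown flag: $f" >&2; return 2; }
    done
    rc=0
    while IFS= read -r path; do
        case $path in
            ''|'#'*) continue ;;   # blank line or comment
            *'"'*|*'('*|*')'*)     # would break out of PROGRAM("...")
                echo "skipped, unsafe characters: $path" >&2; rc=1; continue ;;
            /*) ;;                 # absolute path, accepted
            *)  echo "skipped, not absolute: $path" >&2; rc=1; continue ;;
        esac
        for f in $flags; do
            printf 'chres PROGRAM("%s") flags-(%s)\n' "$path" "$f"
        done
    done
    return $rc
}

# Constructed sample list: the article's path plus a comment line.
gen_chres "$PATCH_FLAGS" <<'EOF'
# Oracle grid binaries touched by patching
/u01/app/oracle/product/12.1.0/grid/bin/clscfg.bin
EOF
```

Review the generated commands before running them in a selang session; a non-zero return means at least one input line was rejected and is reported on stderr.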