
sesu policy "ruleset missing" errors in seos.audit


Article ID: 214133


Products

CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

I see the following message repeating every 5 seconds in the Splunk/seos.audit log on an AIX PAMSC endpoint:

Apr 26 14:32:51 Policy daemon:debug selogrd[2425556]: 26 Apr 2021 14:32:49 F DEVCALC _dms 60866458:000001f1 Modify 0 0 Policy "Cannot find RULESET associated with deployed POLICY 'PRD_Policy#01'", "" Policy
host = Policy


I have checked for the existence of the ruleset, and it is there, so I am not sure why this message appears - please advise. Policy performance appears to be OK; nobody has complained about sesu not working:

PAMSC> sr ruleset PRD_Policy#01
(localhost)
Data for RULESET 'PRD_Policy#01'
 -----------------------------------------------------------
Defaccess         : None
Audit mode        : Failure
Owner             : +policyfetcher(USER   )
Create time       : 16-Aug-2020 05:40
Update time       : 16-Aug-2020 05:40
Updated by        : root          (USER   )
Rule Set Commands :
    (1) ### Test Policy for eacws Issue ###
    (2) er file /opt/CA/AccessControl/bin/seuidpgm owner(nobody) defaccess(r)
    (3) auth file /opt/CA/AccessControl/bin/seuidpgm uid(root) gid(root) access(a
Rule Set Undo Commands :
    (1) # test
Finalized         : Yes

 

Cause

The POLICY resource is not associated with the ruleset.

With the association in place, the output should look something like this, with a policy listed under "Policies":

Rule Set Commands :
    (1) ### Test Policy for eacws Issue ###
    (2) er file /opt/CA/AccessControl/bin/seuidpgm owner(nobody) defaccess(r)
    (3) auth file /opt/CA/AccessControl/bin/seuidpgm uid(root) gid(root) access(a)
Rule Set Undo Commands :
    (1) # test
Policies          :
    eacws Test#01
Finalized         : Yes
Effective UID     : ENTM

Environment

Release : 14.1

Component : SEOS Policies

Resolution


There are 2 ways to clean this up.

1st - Undeploy and redeploy the policy. This should ensure the policy is clean.

2nd - Update the resource with the missing value:

er policy ("PRD_Policy#01") ruleset+("PRD_Policy#01") noexit

This command should be all that is needed to update the resource and stop the deviation check from failing.
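
To find which deployed policies are raising this deviation message before choosing a fix, the following added example (not part of the original article or of PAMSC) parses seos.audit lines forwarded through syslog, groups them by host and policy, and formats the second fix for each. The regular expression is inferred from the single log line quoted above, and selang_fix assumes the ruleset has the same name as the policy, as in this article; both function names are hypothetical.

```python
import re
from datetime import datetime

# Pattern inferred from the single selogrd line quoted in this article
# (assumption: other endpoints log the same layout).
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\s.*?selogrd\[\d+\]:\s"
    r"(?P<ts>\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2})\s.*?"
    r"Cannot find RULESET associated with deployed POLICY '(?P<policy>[^']+)'"
)

def find_missing_rulesets(lines):
    """Group matching lines by (host, policy) with count and first/last event time."""
    hits = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated audit or syslog record
        ts = datetime.strptime(m.group("ts"), "%d %b %Y %H:%M:%S")
        rec = hits.setdefault((m.group("host"), m.group("policy")),
                              {"count": 0, "first": ts, "last": ts})
        rec["count"] += 1
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
    return hits

def selang_fix(policy):
    """Format the article's second fix; assumes the ruleset is named like the policy."""
    # The name comes from log text, so refuse anything that could break selang quoting.
    if any(c in policy for c in "\"'()\r\n"):
        raise ValueError("unexpected character in policy name: %r" % policy)
    return 'er policy ("%s") ruleset+("%s") noexit' % (policy, policy)

# Constructed sample: the article's line, a constructed repeat 5 s later, one unrelated line.
SAMPLE = [
    "Apr 26 14:32:51 Policy daemon:debug selogrd[2425556]: 26 Apr 2021 14:32:49 F DEVCALC "
    "_dms 60866458:000001f1 Modify 0 0 Policy \"Cannot find RULESET associated with "
    "deployed POLICY 'PRD_Policy#01'\", \"\" Policy",
    "Apr 26 14:32:56 Policy daemon:debug selogrd[2425556]: 26 Apr 2021 14:32:54 F DEVCALC "
    "_dms 60866458:000001f1 Modify 0 0 Policy \"Cannot find RULESET associated with "
    "deployed POLICY 'PRD_Policy#01'\", \"\" Policy",
    "Apr 26 14:33:01 Policy daemon:info example[100]: constructed unrelated line",
]

if __name__ == "__main__":
    for (host, policy), rec in find_missing_rulesets(SAMPLE).items():
        print(host, policy, rec["count"], rec["first"], rec["last"])
        print("  ", selang_fix(policy))
```

Review each generated command against the sr ruleset output for that policy before running it in selang, since the ruleset name may differ from the policy name on other deployments.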