I see the following message repeating every 5 seconds in Splunk/seos.audit log on an AIX pamsc endpoint:
Apr 26 14:32:51 Policy daemon:debug selogrd[2425556]: 26 Apr 2021 14:32:49 F DEVCALC _dms 60866458:000001f1 Modify 0 0 Policy "Cannot find RULESET associated with deployed POLICY 'PRD_Policy#01'", "" Policy
host = Policy
I have checked for the existence of the ruleset, and it is there, so I am not sure why this message appears - please advise. Policy performance appears to be OK, nobody has complained about sesu not working:
PAMSC> sr ruleset PRD_Policy#01
(localhost)
Data for RULESET 'PRD_Policy#01'
-----------------------------------------------------------
Defaccess : None
Audit mode : Failure
Owner : +policyfetcher(USER )
Create time : 16-Aug-2020 05:40
Update time : 16-Aug-2020 05:40
Updated by : root (USER )
Rule Set Commands :
(1) ### Test Policy for eacws Issue ###
(2) er file /opt/CA/AccessControl/bin/seuidpgm owner(nobody) defaccess(r)
(3) auth file /opt/CA/AccessControl/bin/seuidpgm uid(root) gid(root) access(a
Rule Set Undo Commands :
(1) # test
Finalized : Yes
Release : 14.1
Component : SEOS Policies
The Policy resource is not associated with the ruleset.
It should look something like this, with a policy resource defined:
Rule Set Commands :
(1) ### Test Policy for eacws Issue ###
(2) er file /opt/CA/AccessControl/bin/seuidpgm owner(nobody) defaccess(r)
(3) auth file /opt/CA/AccessControl/bin/seuidpgm uid(root) gid(root) access(a)
Rule Set Undo Commands :
(1) # test
Policies :
eacws Test#01
Finalized : Yes
Effective UID : ENTM
There are 2 ways to clean this up.
1st - undeploy and redeploy the policy ... this should ensure the policy is clean
2nd - update the resource with the missing value
er policy ("PRD_Policy#01") ruleset+("PRD_Policy#01") noexit
This command should be all that is needed to update the resource and stop the deviation check from failing.
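To see which deployed policies trigger this message and how often it repeats, the following added example (not part of the original article or the product) summarizes log lines of the kind shown above. The line layout is assumed from the single log line on this page, and the sample lines are constructed from it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout assumed from the one log line on this page:
# <syslog prefix> selogrd[pid]: <DD Mon YYYY HH:MM:SS> ... POLICY '<name>'
LINE_RE = re.compile(
    r"selogrd\[\d+\]:\s+(?P<ts>\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2})\s.*?"
    r"Cannot find RULESET associated with deployed POLICY '(?P<policy>[^']+)'"
)

# Constructed sample input: the page's line repeated at 5-second steps,
# plus one constructed line that must not match.
PREFIX = "Apr 26 14:32:51 Policy daemon:debug selogrd[2425556]: "
BODY = (' F DEVCALC _dms 60866458:000001f1 Modify 0 0 Policy "Cannot find RULESET '
        "associated with deployed POLICY 'PRD_Policy#01'\", \"\" Policy")
SAMPLE = [
    PREFIX + "26 Apr 2021 14:32:49" + BODY,
    PREFIX + "26 Apr 2021 14:32:54" + BODY,
    PREFIX + "(constructed line unrelated to the deviation check)",
    PREFIX + "26 Apr 2021 14:32:59" + BODY,
]

def summarize(lines):
    """Return {policy: {count, first, last, interval_s}} for matching lines."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            seen[m["policy"]].append(
                datetime.strptime(m["ts"], "%d %b %Y %H:%M:%S"))
    report = {}
    for policy, stamps in seen.items():
        stamps.sort()
        gaps = sorted((b - a).total_seconds() for a, b in zip(stamps, stamps[1:]))
        report[policy] = {
            "count": len(stamps),
            "first": stamps[0],
            "last": stamps[-1],
            # Median gap between repeats; None if the message appeared once.
            "interval_s": gaps[len(gaps) // 2] if gaps else None,
        }
    return report

if __name__ == "__main__":
    for policy, info in summarize(SAMPLE).items():
        print(f"{policy}: {info['count']} hits, every ~{info['interval_s']}s, "
              f"{info['first']} to {info['last']}")
```

Each policy name it reports can then be checked with the policy and ruleset display shown earlier before applying either cleanup option.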