CA PAM - Session recordings are written to the NFS share as root user.

Article ID: 216666

Updated On: 03-27-2025

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We recently converted our external storage to Linux servers with an NFS local mount point. It seems PAM writes the file as root to the NFS share. This causes us issues with RSYNC since our application ID owns the mount point and files. Can a setting be made via SSH to appliances to write data as our pamsvc account? This also caused issues with Vormetric encryption since PAM writes the files as root. Having data written by root on an NFS share is in violation of our security policies.

Cause

The root user writes session recordings. The cspmsrv user, which is the user that runs the Credential Management service, writes archived metric and auditlog data.

Resolution

For a standard NFS share on a Linux host, this would be accomplished by exporting the drive using the anonuid and anongid options.

E.g.:
/YYYYYY    ##.##.##.##(rw,all_squash,anonuid=####,anongid=####,sync)
 
/YYYYYY - the path to export
 
##.##.##.## - the IP address of the PAM Appliance
 
anonuid,anongid - UID and GID of the user on the NFS server that should own the files on the share
 
Note: "all_squash" accommodates different users on the PAM appliance writing and reading files on the share.
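
To confirm that an export matches this pattern before PAM writes to it, the following added example (not part of the original article and not vendor code) checks single-line entries in an exports file for all_squash and the expected anonuid/anongid. The export paths, the address 192.0.2.10 and the UID/GID 1500 are constructed placeholders for the PAM appliance and the service account.

```shell
#!/bin/sh
# Added example: audit single-line exports entries for the squash options above.
# check_pam_export FILE EXPORT_PATH CLIENT_IP UID GID
# Returns 0 = squashes to the expected owner, 1 = entry found but wrong, 2 = no entry.
check_pam_export() {
    awk -v path="$2" -v client="$3" -v uid="$4" -v gid="$5" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        $1 != path     { next }                 # a different export
        {
            for (i = 2; i <= NF; i++) {         # each field is client(opt,opt,...)
                p = index($i, "(")
                if (p == 0 || substr($i, 1, p - 1) != client) continue
                found = 1
                opts = substr($i, p + 1)
                sub(/\).*$/, "", opts)
                n = split(opts, o, ",")
                squash = auid = agid = 0
                for (j = 1; j <= n; j++) {
                    if (o[j] == "all_squash")   squash = 1
                    if (o[j] == "anonuid=" uid) auid = 1
                    if (o[j] == "anongid=" gid) agid = 1
                }
                if (!squash) { print path ": all_squash missing"; bad = 1 }
                if (!auid)   { print path ": anonuid is not " uid; bad = 1 }
                if (!agid)   { print path ": anongid is not " gid; bad = 1 }
            }
        }
        END { if (!found) exit 2; exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample exports file (all values are placeholders).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed test data
/export/pam_good  192.0.2.10(rw,all_squash,anonuid=1500,anongid=1500,sync)
/export/pam_root  192.0.2.10(rw,sync)
/export/pam_wrong 192.0.2.10(rw,all_squash,anonuid=65534,anongid=65534,sync)
EOF

check_pam_export "$sample" /export/pam_good 192.0.2.10 1500 1500 && echo "pam_good: OK"
check_pam_export "$sample" /export/pam_root 192.0.2.10 1500 1500 || echo "pam_root: fix export"
```

On the NFS server, point the function at the real exports file and pass the appliance address and the owning account's numeric UID and GID.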