PAMSC: not reflect the propagated rule from PMDB
Article ID: 218841

Products

CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

Creating a PACL with a wildcard path fails on the subscriber without any error.
This happens when the commands are propagated from the PMDB in a specific order.
If a wildcard PROGRAM rule is created before the PACL that uses the same wildcard path, the PACL creation fails on the subscriber without error.
 
e.g.
editres file ('/tmp/aaa') audit(FAILURE) defaccess(READ) owner('nobody')
editres PROGRAM ('/tmp/test/*') owner('nobody')
authorize file ('/tmp/aaa') access(a) uid('root') via(pgm('/tmp/test/*'))
 
No error occurs on the PMDB with the above commands.
However, the second command fails with an error on the subscriber; this is expected, as creating a new PROGRAM rule with a wildcard path is not allowed.
 
sepmd -e shows the following error:
-----
# sepmd -e PMDB
08 Jun 21 11:09:24 (PMDB): server  editres PROGRAM ('/tmp/test/*') owner('nobody')  4824   Cont
   ERROR: Failed updating run-time tables.
 (10027)
   ERROR: /tmp/test/* not found in file system
 (10024)
-----
 
The third command should add the PACL, but it fails on the subscriber, and sepmd -e reports no error for it:
-----
# seaudit -a -sd today
08 Jun 2021 11:09:24 S UPDATE       FILE       root      305  0 /tmp/aaa             PMDB@server     editres file ('/tmp/aaa') audit(FAILURE) defaccess(READ) owner('nobody')
08 Jun 2021 11:09:24 F UPDATE       PROGRAM    root      305  0 /tmp/test/*          PMDB@server    editres PROGRAM ('/tmp/test/*') owner('nobody')       
08 Jun 2021 11:09:24 F UPDATE       FILE       root      305  0 /tmp/aaa             PMDB@server    authorize file ('/tmp/aaa') access(a) uid('root') via(pgm('/tmp/test/*'))
-----
 
This does not happen if the order of the second and third commands is swapped.
No error occurs in that case, because the wildcard-path PROGRAM rule is then created by the PACL in the second command.
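Because the failed PACL update is visible only in the subscriber's audit trail and not in sepmd -e, a practical check is to compare the two. The script below is an added example, not part of this article or the product; it parses constructed seaudit-style records modelled on the output above, lists every UPDATE record with status F that originated from a PMDB, and reports those whose command text never appears in the sepmd -e output. The field positions (status in column 5, origin in column 12, command from column 13 onward) are assumed from the sample format shown in this article.

```shell
#!/bin/sh
# Added example (not Broadcom's code): find PMDB-propagated updates that failed
# on a subscriber according to seaudit but were not reported by sepmd -e.

# Constructed seaudit -a output, mirroring the records shown in the article.
sample_audit() {
cat <<'EOF'
08 Jun 2021 11:09:24 S UPDATE       FILE       root      305  0 /tmp/aaa             PMDB@server     editres file ('/tmp/aaa') audit(FAILURE) defaccess(READ) owner('nobody')
08 Jun 2021 11:09:24 F UPDATE       PROGRAM    root      305  0 /tmp/test/*          PMDB@server    editres PROGRAM ('/tmp/test/*') owner('nobody')
08 Jun 2021 11:09:24 F UPDATE       FILE       root      305  0 /tmp/aaa             PMDB@server    authorize file ('/tmp/aaa') access(a) uid('root') via(pgm('/tmp/test/*'))
EOF
}

# Constructed sepmd -e output, mirroring the error shown in the article.
sample_sepmd() {
cat <<'EOF'
08 Jun 21 11:09:24 (PMDB): server  editres PROGRAM ('/tmp/test/*') owner('nobody')  4824   Cont
   ERROR: Failed updating run-time tables.
 (10027)
   ERROR: /tmp/test/* not found in file system
 (10024)
EOF
}

# failed_pmdb_updates: read seaudit text on stdin and print the command text
# of every UPDATE record whose status is F and whose origin is a PMDB.
# Assumed layout: $5 status, $6 event, $12 origin, $13..NF the selang command.
failed_pmdb_updates() {
    awk '$5 == "F" && $6 == "UPDATE" && $12 ~ /^PMDB@/ {
        cmd = $13
        for (i = 14; i <= NF; i++) cmd = cmd " " $i
        print cmd
    }'
}

# unreported_failures: given a file holding sepmd -e output ($1) and seaudit
# text on stdin, print the failed commands that sepmd -e never mentioned.
unreported_failures() {
    sepmd_file=$1
    failed_pmdb_updates | while IFS= read -r cmd; do
        grep -Fq -- "$cmd" "$sepmd_file" || printf '%s\n' "$cmd"
    done
}

# demo: run the comparison against the constructed samples.
demo() {
    tmp=$(mktemp)
    sample_sepmd > "$tmp"
    sample_audit | unreported_failures "$tmp"
    rm -f "$tmp"
}

demo
```

Run against the constructed samples, the script prints only the authorize command, which is exactly the PACL update that failed on the subscriber without being surfaced by sepmd -e. On a real subscriber, replace the two sample functions with `seaudit -a -sd today` and `sepmd -e <PMDB>` output.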
 

Environment

Release : 14.1
Component : PAM SERVER CONTROL ENDPOINT UNIX/LINUX

Cause

Product defect.

Resolution

A test fix is provided:
 
Linux:
acpatch-DE505442-14.10.0.1661-_LINUX_X64.zip
Solaris:
acpatch-DE505442-14.10.0.1661-_SOLARIS.zip
AIX:
acpatch-DE505442-14.10.0.1661-_AIX.zip
 

Additional Information

With this fix, creating a new PROGRAM rule with a wildcard path is allowed.
Please contact Broadcom Support to obtain the test fix.