How to Determine Why a Program Became Untrusted

Article ID: 225558

Products

CA Virtual Privilege Manager
CA Privileged Identity Management Endpoint (PIM)
CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

A program was being blocked from executing while PIM/PAMSC was running. The seretrust command showed that it had become untrusted. Which seaudit records relate to the program becoming untrusted?

Environment

Privileged Identity Manager 12.8
PAM Server Control 14.0, 14.1

Resolution

When a program has been altered, PIM/PAMSC will untrust it and prevent it from being run. To determine why this has happened, use the seaudit utility to list the event and look up the watchdog code. In the seaudit output, untrust events contain "U PROGRAM" in the line.

EXAMPLE:
# seaudit -a | grep 'U PROGRAM'
30 Jun 2015 11:24:56 U PROGRAM      seoswd                 1 8704 /bin/su                
30 Jun 2015 11:25:36 U PROGRAM      seoswd                 1 8192 /opt/CA/AccessControl/bin/sebuildla

The audit code for any untrust event will be 1 and the seoswd code will be next to it. In the examples above, the seoswd codes are 8704 and 8192. To look up the meaning of the seoswd codes, use seaudit with the -St or -Stat option.

EXAMPLE:
# seaudit -St 8192
The INODE of the file was changed
# seaudit -St 8704
The INODE of the file was changed
The MTIME of the file was changed

In this example, the INODE of each file was changed. In addition, the MTIME of /bin/su was changed.
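
The two manual steps above can be scripted. The following is an added example, not part of the original article and not vendor code: it filters seaudit -a output for untrust events, then looks up each distinct seoswd code with seaudit -St. The function names are hypothetical, and the sample input is the article's two lines plus one constructed non-matching line.

```shell
#!/bin/sh
# Added example, not vendor code. Function names are hypothetical.

# Constructed sample: the article's two lines plus one made-up non-untrust line.
SAMPLE_AUDIT='30 Jun 2015 11:24:56 U PROGRAM      seoswd                 1 8704 /bin/su
30 Jun 2015 11:25:36 U PROGRAM      seoswd                 1 8192 /opt/CA/AccessControl/bin/sebuildla
30 Jun 2015 11:26:02 X OTHER        example                0 0 /tmp/placeholder'

# Read seaudit -a output on stdin; print "timestamp|seoswd code|path"
# for each untrust event (record "U PROGRAM" with audit code 1).
untrust_events() {
    awk '$5 == "U" && $6 == "PROGRAM" && $8 == 1 {
        path = $10
        for (i = 11; i <= NF; i++) path = path " " $i   # keep paths with spaces
        printf "%s %s %s %s|%s|%s\n", $1, $2, $3, $4, $9, path
    }'
}

# Read untrust_events output on stdin; print the distinct seoswd codes.
distinct_codes() {
    cut -d'|' -f2 | sort -un
}

# Look up one seoswd code the way the article does by hand.
explain_code() {
    if command -v seaudit >/dev/null 2>&1; then
        seaudit -St "$1"
    else
        echo "(seaudit not installed here; run: seaudit -St $1)"
    fi
}

# On an endpoint, replace the printf with: seaudit -a
events=$(printf '%s\n' "$SAMPLE_AUDIT" | untrust_events)
printf '%s\n' "$events"
for code in $(printf '%s\n' "$events" | distinct_codes); do
    echo "== seoswd code $code"
    explain_code "$code"
done
```

Sorting the events by path instead of by code shows at a glance which binaries were altered and when, which is the list to compare against recent patching or package updates.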