ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

CAPIM: The result of keyboard logger log on RHEL8

book

Article ID: 227739

calendar_today

Updated On:

Products

CA Privileged Identity Management Endpoint (PIM)

Issue/Introduction

The user becomes root in kbl log on GUI (gnome) login.
This happens on RHEL 8 but not on RHEL 7.
 
To record kbl log for GUI login, define following loginappl rule:
AC> editres LOGINAPPL ('GNOME_KBL') audit(ALL) defaccess(EXECUTE) owner('nobody') loginflags(KBLTRIGGE) loginmethod(NORMAL) loginseq(N3GRP N3GID N3UID N3EID FGRP FGID FUID FEID SGRP SGID SUID SEID) loginpath(/usr/libexec/gnome-terminal-server)
 
However, after logging into the sever via GUI by normal user, sewhoami command shows the user as root and kbl log also shows the user as root (login/logout log shows correct user).
And login terminal is not shown in logs.
 
# sewhoami -a
root
...
# seaudit -kbl
18 Oct 2021 21:34:34 P LOGIN        user01              11903 12                      cmdlog
18 Oct 2021 21:34:45 O LOGOUT       user01              11903 13                      cmdlog
# seaudit -kbl -sid 11903 -cmd
18 Oct 2021 21:34:41 P TRACE        root         616e1c13:00000100 user01       root         KBL input                 11903  INFO    : SessionCmd:  sewhoami -a
 

Environment

Release : 12.8
Component : CA ControlMinder - Unix
 

Resolution

adding following loginappl rule resolved the problem:
AC> er LOGINAPPL SYSTEMD loginpath(/usr/lib/systemd/systemd) loginflags(PAM) audit(all) defaccess(X)