ISSUE: Most of the surrogate account definitions do not show up even though the policy is deployed and I was able to display the ruleset.
I have already tried redeploying the policy and rebuilding the capim database, but with no success.
[root@Server1 ~]# selang -s -c "list policy" | grep -i sesu
GI_XXXXXXXX_QA_multiacctSESU-2109086596#01
[root@Server1 ~]#
[root@Server1 ~]# selang -s -c "list surrogate"
(localhost)
GROUP._default
USER.41386
USER._default
USER.root
_default
From the user's end:
$ /opt/CA/AccessControl/bin/sewhoami -a
User1
ACEE Contents
User's Name : User1
ACEE's Handle : 13
Group Connections Table:
Group Name Connection Mode
==================== =================================
Group1 OS_group
Categories : <None>
Profile Group : <None>
Security Label : <None>
User's Audit Mode : Failure LoginSuccess LoginFailure
User's Security Level : 0
Source Terminal : 10.10.50.184
Process Count for ACEE : 4
User's Mode : OS_user
ACEE's Creation Time : Mon Mar 28 05:23:59 2022
$ /opt/CA/AccessControl/bin/sesu - PrivUser1
You are not allowed to su to PrivUser1
Further review of the seaudit table showed that the error seems to be:
28 Mar 2022 10:27:50 D SURROGATE User1 Read 1063 2 USER.PrivUser1 /opt/CA/AccessControl/bin/sesu 10.10.50.184 (OS user) root
1063 Default record program conditional access
I found that the policy I tried to deploy has the expected lines:
28 Mar 2022 07:10:37 F UPDATE SURROGATE +policyfetcher 337 0 USER.PrivUser1 (POLICY: GI_Policy_QA_multiacctSESU-2109086596#01) er surrogate USER.PrivUser1 audit(loginsuccess loginfailure interactive) User1 1648463566#8521e3aa-d9f0-4053-9c26-1a53d2da4566
28 Mar 2022 07:10:38 F UPDATE SURROGATE +policyfetcher 305 0 USER.PrivUser1 (POLICY: GI_Policy_QA_multiacctSESU-2109086596#01) auth surrogate USER.PrivUser1 xgid(Group1) via(pgm(/opt/CA/AccessControl/bin/sesu)) acc(r) User1 1648463566#8521e3aa-d9f0-4053-9c26-1a53d2da4566
305 Command allowed for ADMIN user.
337 Failed to reconcile command with database information
Release : 14.0
Component : PAM SERVER CONTROL ENDPOINT UNIX/LINUX
When we tried manually adding the rule outside the policy, we found this error:
PAMSC> er surrogate USER.PrivUser1 audit(loginsuccess loginfailure interactive)
(localhost)
ERROR: loginsuccess is an invalid audit value for resources
Please try submitting the rule again with just audit(failure success):
er surrogate USER.PrivUser1 owner(nobody) audit(failure success)
auth surrogate USER.PrivUser1 xgid(Group1) via(pgm(/opt/CA/AccessControl/bin/sesu)) acc(r)
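The troubleshooting path above (policy deployed, resource missing from "list surrogate", denial against the _default record, reconcile failure with stage code 337 in seaudit, invalid audit keyword in the er command) can be automated. The script below is an added example, not a Broadcom/CA tool and not part of this article: it parses seaudit text in the column layout quoted above, flags policy UPDATE records that did not reconcile or that carry user-only audit values on a resource rule, proposes the corrected er line, and lists the resulting SURROGATE denials. The sample lines are the ones shown in this article; the sets of valid resource audit values and of selang resource verbs are assumptions derived from the error message above, not taken from product documentation.

```python
"""Triage a PAM Server Control (CA Access Control) policy deployment failure from seaudit output.

Added example, not a Broadcom/CA tool.  Assumes the seaudit field layout visible in this
article; RESOURCE_AUDIT_MODES, USER_ONLY_AUDIT_MAP and RESOURCE_VERBS are assumptions.
"""
import re

# Stage codes and meanings, as listed in the article.
STAGE_CODES = {
    305: "Command allowed for ADMIN user",
    337: "Failed to reconcile command with database information",
    1063: "Default record program conditional access",
}

# Assumption: audit values accepted on a resource record (the article shows
# audit(failure success) accepted and loginsuccess rejected "for resources").
RESOURCE_AUDIT_MODES = {"all", "failure", "success", "none"}
# Assumption: user-only audit values and the resource-level value they fold into
# (None = drop, there is no resource equivalent).
USER_ONLY_AUDIT_MAP = {"loginsuccess": "success", "loginfailure": "failure", "interactive": None}
# Assumption: selang verbs that create or edit a resource record.
RESOURCE_VERBS = {"er", "editres", "nr", "newres", "cr", "chres"}

TS = r"(?P<ts>\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2})"
# Policy deployment record: ... F UPDATE <class> +policyfetcher <stage> <rc> <resource> (POLICY: x) <command> <who> <txid>
UPDATE_RE = re.compile(
    TS + r" (?P<status>\S) UPDATE (?P<cls>\S+) (?P<user>\S+) (?P<stage>\d+) (?P<rc>\d+) "
    r"(?P<resource>\S+) \(POLICY: (?P<policy>[^)]+)\) (?P<command>.+?) (?P<trailer>\S+ \S+)$"
)
# Access-check record: ... D SURROGATE <user> <access> <stage> <rc> <resource> <program> <terminal> ...
ACCESS_RE = re.compile(
    TS + r" (?P<status>\S) (?P<cls>[A-Z]+) (?P<user>\S+) (?P<access>\S+) (?P<stage>\d+) "
    r"(?P<rc>\d+) (?P<resource>\S+) (?P<program>\S+) (?P<terminal>\S+)"
)
AUDIT_RE = re.compile(r"\baudit\(([^)]*)\)")

# Constructed sample: the three seaudit lines quoted in this article.
SAMPLE_SEAUDIT = """\
28 Mar 2022 07:10:37 F UPDATE SURROGATE +policyfetcher 337 0 USER.PrivUser1 (POLICY: GI_Policy_QA_multiacctSESU-2109086596#01) er surrogate USER.PrivUser1 audit(loginsuccess loginfailure interactive) User1 1648463566#8521e3aa-d9f0-4053-9c26-1a53d2da4566
28 Mar 2022 07:10:38 F UPDATE SURROGATE +policyfetcher 305 0 USER.PrivUser1 (POLICY: GI_Policy_QA_multiacctSESU-2109086596#01) auth surrogate USER.PrivUser1 xgid(Group1) via(pgm(/opt/CA/AccessControl/bin/sesu)) acc(r) User1 1648463566#8521e3aa-d9f0-4053-9c26-1a53d2da4566
28 Mar 2022 10:27:50 D SURROGATE User1 Read 1063 2 USER.PrivUser1 /opt/CA/AccessControl/bin/sesu 10.10.50.184 (OS user) root
"""


def invalid_resource_audit_values(command):
    """Return the audit() values of a resource rule that are not valid for resources."""
    verb = command.split(maxsplit=1)[0] if command.strip() else ""
    if verb not in RESOURCE_VERBS:
        return []
    m = AUDIT_RE.search(command)
    if not m:
        return []
    return [v for v in m.group(1).split() if v.lower() not in RESOURCE_AUDIT_MODES]


def suggest_resource_rule(command):
    """Rewrite a resource rule so audit() carries only resource-valid values."""
    m = AUDIT_RE.search(command)
    if not m:
        return command
    kept = set()
    for v in m.group(1).split():
        v = v.lower()
        if v in RESOURCE_AUDIT_MODES:
            kept.add(v)
        elif USER_ONLY_AUDIT_MAP.get(v):
            kept.add(USER_ONLY_AUDIT_MAP[v])
    new_audit = f"audit({' '.join(sorted(kept))})" if kept else ""
    return (command[:m.start()] + new_audit + command[m.end():]).strip()


def triage(seaudit_text):
    """Flag policy updates that did not reconcile (or carry bad audit values) and list denials."""
    report = {"failed_updates": [], "denials": []}
    for line in seaudit_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = UPDATE_RE.match(line)
        if m:
            stage = int(m.group("stage"))
            bad = invalid_resource_audit_values(m.group("command"))
            if stage == 337 or bad:
                report["failed_updates"].append({
                    "stage": stage, "reason": STAGE_CODES.get(stage, "unknown stage code"),
                    "policy": m.group("policy"), "resource": m.group("resource"),
                    "command": m.group("command"), "invalid_audit": bad,
                    "suggested": suggest_resource_rule(m.group("command")),
                })
            continue
        m = ACCESS_RE.match(line)
        if m and m.group("status") == "D":
            report["denials"].append({
                "stage": int(m.group("stage")), "reason": STAGE_CODES.get(int(m.group("stage")), ""),
                "user": m.group("user"), "resource": m.group("resource"),
                "program": m.group("program"), "terminal": m.group("terminal"),
            })
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_SEAUDIT)
    for fu in r["failed_updates"]:
        print(f"policy {fu['policy']}: stage {fu['stage']} ({fu['reason']})")
        print(f"  bad audit values: {fu['invalid_audit']}")
        print(f"  suggested rule  : {fu['suggested']}")
    for d in r["denials"]:
        print(f"denied: {d['user']} -> {d['resource']} via {d['program']} (stage {d['stage']}, {d['reason']})")
```

Run it against `seaudit` text output redirected to a file; a denial whose stage code is 1063 together with a 337 UPDATE record for the same resource is the signature seen in this article: the er line was rejected at deployment, so no USER.PrivUser1 surrogate record exists and sesu falls through to the _default record.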