
Surrogate Account definitions do not show (305 Command allowed for ADMIN user)


Article ID: 238713


Products

CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction


ISSUE: Most of the surrogate account definitions do not show up, even though the policy is deployed and I was able to display the ruleset.

I already tried redeploying the policy and rebuilding the capim database, but it did not help.

[[email protected] ~]# selang -s -c "list policy" | grep -i sesu
GI_XXXXXXXX_QA_multiacctSESU-2109086596#01
[[email protected] ~]# 

[[email protected] ~]# selang -s -c "list surrogate"
(localhost)
GROUP._default
USER.41386
USER._default
USER.root
_default


From the user's end:

$ /opt/CA/AccessControl/bin/sewhoami -a
User1
ACEE Contents
User's Name : User1
ACEE's Handle : 13
Group Connections Table:
Group Name Connection Mode
==================== =================================
Group1 OS_group
Categories : <None>
Profile Group : <None>
Security Label : <None>
User's Audit Mode : Failure LoginSuccess LoginFailure
User's Security Level : 0
Source Terminal : 10.10.50.184
Process Count for ACEE : 4
User's Mode : OS_user
ACEE's Creation Time : Mon Mar 28 05:23:59 2022

$ /opt/CA/AccessControl/bin/sesu - PrivUser1
You are not allowed to su to PrivUser1

 


Further review of the seaudit output showed the denial recorded as:

28 Mar 2022 10:27:50 D SURROGATE    User1    Read     1063  2 USER.PrivUser1         /opt/CA/AccessControl/bin/sesu 10.10.50.184 (OS user)        root 

1063    Default record program conditional access

That is, no SURROGATE record exists for USER.PrivUser1 (the list surrogate output above shows only the _default records, root and one numeric user), so the sesu request fell through to the _default record and was denied.

 


I found that the policy I tried to deploy has the expected lines:

28 Mar 2022 07:10:37 F UPDATE       SURROGATE  +policyfetcher  337  0 USER.PrivUser1         (POLICY: GI_Policy_QA_multiacctSESU-2109086596#01) er surrogate USER.PrivUser1 audit(loginsuccess loginfailure interactive)                  User1         1648463566#8521e3aa-d9f0-4053-9c26-1a53d2da4566

28 Mar 2022 07:10:38 F UPDATE       SURROGATE  +policyfetcher  305  0 USER.PrivUser1         (POLICY: GI_Policy_QA_multiacctSESU-2109086596#01) auth surrogate USER.PrivUser1 xgid(Group1) via(pgm(/opt/CA/AccessControl/bin/sesu)) acc(r)                  User1          1648463566#8521e3aa-d9f0-4053-9c26-1a53d2da4566


305     Command allowed for ADMIN user.
337     Failed to reconcile command with database information

The er command that should create the SURROGATE record failed (337); only the auth command that follows it was accepted (305). With the record never created, the rule does not appear in list surrogate, even though the policy itself deployed.

Environment

Release : 14.0

Component : PAM SERVER CONTROL ENDPOINT UNIX/LINUX

Resolution

When we tried manually adding the rule outside the policy, we found this error:

PAMSC> er surrogate USER.PrivUser1 audit(loginsuccess loginfailure interactive) 
(localhost)
ERROR: loginsuccess is an invalid audit value for resources

 


loginsuccess and loginfailure are audit modes for user records (they appear in the sewhoami output above as the user's audit mode), not for resource records such as SURROGATE. Submit the rule again with just audit(failure success):

er surrogate USER.PrivUser1  owner(nobody)  audit(failure success)

auth surrogate USER.PrivUser1 xgid(Group1) via(pgm(/opt/CA/AccessControl/bin/sesu)) acc(r)
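The failure above is easy to miss because the policy deploys and only the audit trail records that one rule was rejected. The following is an added example, not code from the article or from CA/Broadcom: a shell lint that flags resource rules whose audit() carries a user-only value before deployment, and a filter over seaudit output that surfaces UPDATE records with a return code other than 305. The set of valid resource audit values (all, failure, none, success, interactive) and the treatment of every code other than 305 as worth a look are assumptions; check them against your release's selang reference and return-code table. The sample policy and audit lines are constructed to mirror the ones on this page.

```shell
#!/bin/sh
# Added example, not from the article or from CA/Broadcom.
# Assumptions (verify against your PAMSC release's selang reference):
#   - resource records accept audit values all, failure, none, success, interactive
#   - loginsuccess / loginfailure are user-record audit modes only
#   - return code 305 ("Command allowed for ADMIN user") is the normal success code
#     for a policy update; anything else deserves review (337 on this page).

# lint_resource_audit: read selang rules on stdin and report every resource
# command (er/editres, nr/newres, cr/chres) whose audit() holds a value that
# is not valid for resources.
lint_resource_audit() {
    awk '
    BEGIN {
        n = split("all failure none success interactive", ok, " ")
        for (i = 1; i <= n; i++) valid[ok[i]] = 1
    }
    tolower($1) ~ /^(er|editres|nr|newres|cr|chres)$/ && match($0, /audit\([^)]*\)/) {
        spec = substr($0, RSTART + 6, RLENGTH - 7)   # text inside audit(...)
        m = split(spec, vals, / +/)
        for (i = 1; i <= m; i++) {
            v = tolower(vals[i])
            if (v != "" && !(v in valid))
                printf "line %d: %s is not a valid audit value for resources\n", NR, vals[i]
        }
    }'
}

# policy_updates: read seaudit output on stdin and print one line per UPDATE
# record: class, resource, return code, originating policy and the rule text.
policy_updates() {
    awk '$6 == "UPDATE" {
        rule = $0; policy = "-"
        if (match(rule, /\(POLICY: [^)]*\) /)) {
            policy = substr(rule, RSTART + 9, RLENGTH - 11)
            rule = substr(rule, RSTART + RLENGTH)
        }
        sub(/  .*$/, "", rule)   # trailing columns (user, policy id) follow a run of spaces
        printf "%s %s code=%s policy=%s rule=%s\n", $7, $11, $9, policy, rule
    }'
}

# failed_updates: keep only the UPDATE records whose code is not 305.
failed_updates() {
    policy_updates | awk '$3 != "code=305"'
}

# Constructed sample input mirroring the policy and audit records in the article.
BAD_POLICY='er surrogate USER.PrivUser1 audit(loginsuccess loginfailure interactive)
auth surrogate USER.PrivUser1 xgid(Group1) via(pgm(/opt/CA/AccessControl/bin/sesu)) acc(r)'

GOOD_POLICY='er surrogate USER.PrivUser1 owner(nobody) audit(failure success)
auth surrogate USER.PrivUser1 xgid(Group1) via(pgm(/opt/CA/AccessControl/bin/sesu)) acc(r)'

AUDIT_LOG='28 Mar 2022 07:10:37 F UPDATE       SURROGATE  +policyfetcher  337  0 USER.PrivUser1         (POLICY: GI_Policy_QA_multiacctSESU-2109086596#01) er surrogate USER.PrivUser1 audit(loginsuccess loginfailure interactive)                  User1         1648463566#8521e3aa-d9f0-4053-9c26-1a53d2da4566
28 Mar 2022 07:10:38 F UPDATE       SURROGATE  +policyfetcher  305  0 USER.PrivUser1         (POLICY: GI_Policy_QA_multiacctSESU-2109086596#01) auth surrogate USER.PrivUser1 xgid(Group1) via(pgm(/opt/CA/AccessControl/bin/sesu)) acc(r)                  User1          1648463566#8521e3aa-d9f0-4053-9c26-1a53d2da4566'

printf '%s\n' "$BAD_POLICY"  | lint_resource_audit   # flags loginsuccess and loginfailure
printf '%s\n' "$GOOD_POLICY" | lint_resource_audit   # prints nothing
printf '%s\n' "$AUDIT_LOG"   | failed_updates        # shows the rejected er rule (337)
```

Run the lint against a policy file before deploying it (`lint_resource_audit < policy.sel`), and pipe `seaudit` output through `failed_updates` after a deployment; in the case on this page the first reports the two user-only audit values and the second prints the er rule with code 337 while the auth rule (305) is filtered out.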