Users are granted access once Warning mode is set for HOST class

Article ID: 259076

Updated On:

Products

CA Privileged Identity Management Endpoint (PIM)

Issue/Introduction

A HOSTNET rule is set up to block access to 192.168.0.0.
However, once the HOST class is set to WARNING mode, users can access the resource.

Is this expected behavior?

Use case:

PIM version: 12.81.0.4287
OS Version RHEL 7.9.2009

============Rule================
AC> so cw
(localhost)
Data for CA ControlMinder options
-----------------------------------------------------------
HOST              : Yes

AC> sr hostnet *
(localhost)
Data for HOSTNET '192.168.0.0'
-----------------------------------------------------------
Inet ACLs         :
    Service                          Access
    *                                None
Mask/Match        :   255.255.255.0/192.168.0.0
Audit mode        : All
Owner             : nobody        (USER   )
Create time       : 01-Jan-2023 11:02
Update time       : 01-Jan-2023 11:07
Updated by        : root          (USER   )

AC>
AC> sr host *
(localhost)
Data for HOST '192.168.0.0'
-----------------------------------------------------------
Warning           : Yes
Inet ACLs         :
    Service                          Access
    *                                None
Audit mode        : Failure
Owner             : nobody        (USER   )
Create time       : 01-Jan-2023 11:09
Update time       : 01-Jan-2023 11:12
Updated by        : root          (USER   )

Data for HOST 'localhost'
-----------------------------------------------------------
Audit mode        : Failure
Owner             : nobody        (USER   )
Create time       : 12-Dec-2022 11:09
Update time       : 12-Dec-2022 11:09
Updated by        : root          (USER   )

Data for HOST 'test01'
-----------------------------------------------------------
Audit mode        : Failure
Owner             : nobody        (USER   )
Create time       : 12-Dec-2022 11:09
Update time       : 12-Dec-2022 11:09
Updated by        : root          (USER   )

===========Audit LOG================

01 Jan 2023 11:27:59 D HOST         ssh                  169  3 192.168.0.123         /usr/sbin/sshd

==================================

As shown above, access to 192.168.0.123 is blocked.

But once the following command is run, users get access:

so class(HOST) flags+(W)

Environment

Release : 12.8

Resolution

When WARNING mode is set, access is granted. When a rule is violated, a message is written to the log.

This is how WARNING mode works, so turn off WARNING mode if you want access to be blocked.
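
The following is an added example, not part of the original article or of the product's tooling: a Python check that parses selang `sr` output in the layout shown above and lists records where `Warning : Yes` makes an Access `None` entry log-only. The sample input is constructed from the listing in this article, and the function names are hypothetical.

```python
import re

# Constructed sample: selang "sr host *" output in the layout shown in this article.
SAMPLE = """\
Data for HOST '192.168.0.0'
-----------------------------------------------------------
Warning           : Yes
Inet ACLs         :
    Service                          Access
    *                                None
Audit mode        : Failure

Data for HOST 'test01'
-----------------------------------------------------------
Inet ACLs         :
    Service                          Access
    ssh                              None
"""

HEADER = re.compile(r"^Data for (\S+) '([^']+)'")
FIELD = re.compile(r"^([A-Za-z/ ]+?)\s*:\s*(.*)$")

def parse_records(text):
    """Split selang output into records: class, name, fields, ACL rows."""
    records, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"class": m.group(1), "name": m.group(2), "fields": {}, "acl": []}
            records.append(cur)
        elif cur is None or not line.strip() or line.startswith("---"):
            continue
        elif line[0].isspace():
            # Indented rows belong to the ACL table; skip its column header.
            parts = line.split()
            if len(parts) == 2 and parts != ["Service", "Access"]:
                cur["acl"].append(tuple(parts))
        else:
            f = FIELD.match(line)
            if f:
                cur["fields"][f.group(1).strip()] = f.group(2).strip()
    return records

def unenforced_denies(text):
    """Records whose 'None' ACL entries are only logged because Warning is Yes."""
    return [(r["class"], r["name"], [s for s, a in r["acl"] if a == "None"])
            for r in parse_records(text)
            if r["fields"].get("Warning") == "Yes"
            and any(a == "None" for _, a in r["acl"])]
```

The check inspects only the per-record `Warning` property that appears in the listing; prompt lines such as `AC>` and `(localhost)` are ignored by the parser.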

 

Additional Information

HOST Class Documentation