PAMSC 14.1 CP05: the command inside shell script does not inherit PACL rule from the shell script after applied CP05

Article ID: 266439

Products

CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

After Privileged Access Manager Server Control (a.k.a. PAMSC) CP05 is applied, the PACL behavior for shell scripts changes.
Access to the protected FILE resource is permitted when the shell script itself is the accessing program named in the PACL.
But access is denied for the commands executed inside the shell script.
The PACL rule appears not to work for those commands.


Example:

/root/test.sh
---
#! /bin/sh

## some commands run inside the shell script
chmod 544 /PAMSCProtected/testfiles.txt     # external command, runs as /usr/bin/chmod
cat /PAMSCProtected/testfiles.txt           # external command, runs as /usr/bin/cat
echo a >> /PAMSCProtected/testfiles.txt     # shell builtin: the write is performed by the shell itself
---

FILE Class Rule:

editres FILE ('/PAMSCProtected/testfiles.txt') audit(ALL) defaccess(NONE) owner('nobody')
authorize FILE ('/PAMSCProtected/testfiles.txt') access(READ WRITE DELETE RENAME CREATE EXECUTE CHOWN CHMOD UTIME SEC CHDIR) uid('root') via(pgm('/root/test.sh'))

Audit log on CP05:

DD MM YYYY hh:mm:ss D FILE         root       Chmod      69  2 /PAMSCProtected/testfiles.txt /usr/bin/chmod                         root
DD MM YYYY hh:mm:ss D FILE         root       Read       69  2 /PAMSCProtected/testfiles.txt /usr/bin/cat                           root
DD MM YYYY hh:mm:ss P FILE         root       Write      63  3 /PAMSCProtected/testfiles.txt /root/test.sh                          root

Reference: audit log on CP04 or earlier

DD MM YYYY hh:mm:ss P FILE         root       Chmod      69  2 /PAMSCProtected/testfiles.txt /root/test.sh                         root
DD MM YYYY hh:mm:ss P FILE         root       Read       69  2 /PAMSCProtected/testfiles.txt /root/test.sh                           root
DD MM YYYY hh:mm:ss P FILE         root       Write      63  3 /PAMSCProtected/testfiles.txt /root/test.sh                          root

Environment

OS: Linux
Product: Privileged Access Manager Server Control 14.1 CP05

Cause

This behavior is controlled by the use_trusted_script setting in seos.ini.
When it is left at its default or set to yes, the commands inside a shell script should inherit the rule granted to the shell script.
  * Please refer to the seosd page for details on "use_trusted_script".

In the past, running a shell script could cause a deadlock. That was fixed in CP05.

But the CP05 fix is not sufficient: this problem occurs because PAMSC does not correctly recognize the command running inside the shell script.
This problem only occurs on Linux, since the earlier deadlock problem occurred only on Linux.

Resolution

A test fix, acpatch-DE571191-14.10.50.103-_LINUX_X64, is available.
To obtain the test fix, please open a new case and contact the support team.

Until the test fix can be applied, the following rule can be used as a workaround.

This rule bypasses the access check for the shell script: pgmtype(FULLBYPASS) exempts the program from access checks and PROPAGATE extends that exemption to the commands it runs, so it is broader than the original PACL rule and should be removed once the test fix is applied.

Selang Command Example:
editres SPECIALPGM ('/root/test.sh') owner('nobody') pgmtype(PROPAGATE FULLBYPASS) unixuid(*)

Additional Information


PAMSC determines whether a shell script is trusted by the shebang line (for example #!/bin/sh) on the first line of the script.
Please check that every shell script referenced in a PACL rule begins with one.
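As an added example (not from this article or the product), a small POSIX shell helper covering two checks described above: it scans audit lines in the column layout shown in the CP05 log for denied FILE events on a resource whose accessing program is not the script named in the via(pgm()) rule, i.e. child commands that did not inherit the PACL, and it checks that a script's first line carries the shebang PAMSC relies on. The sample audit lines are constructed, and the field positions are assumed from the log excerpt in this article.

```shell
#!/bin/sh
# Constructed sample audit lines in the column layout shown in this article
# (fields: day month year time stage(D=denied/P=permitted) class user access n1 n2 resource program user).
SAMPLE_AUDIT='01 06 2023 10:00:00 D FILE         root       Chmod      69  2 /PAMSCProtected/testfiles.txt /usr/bin/chmod root
01 06 2023 10:00:00 D FILE         root       Read       69  2 /PAMSCProtected/testfiles.txt /usr/bin/cat root
01 06 2023 10:00:01 P FILE         root       Write      63  3 /PAMSCProtected/testfiles.txt /root/test.sh root'

# Print "<access> <program>" for every denied (D) FILE event on RESOURCE whose
# accessing program is not SCRIPT itself. After CP05 these are the child
# commands (here /usr/bin/chmod and /usr/bin/cat) that did not inherit the
# via(pgm(SCRIPT)) rule; the shell builtin echo is still attributed to SCRIPT.
find_uninherited_denials() {
    script="$1"; resource="$2"
    awk -v script="$script" -v res="$resource" \
        '$5 == "D" && $6 == "FILE" && $11 == res && $12 != script { print $8, $12 }'
}

# Number of such events, as a single integer.
count_uninherited_denials() {
    find_uninherited_denials "$1" "$2" | wc -l | tr -d ' '
}

# True when the first line of the given script starts with "#!", which is
# what PAMSC looks at to decide whether the script is a trusted shell script.
has_shebang() {
    head -n 1 "$1" | grep -q '^#!'
}

# Usage with the constructed sample; on a real system feed seaudit output instead.
printf '%s\n' "$SAMPLE_AUDIT" | find_uninherited_denials /root/test.sh /PAMSCProtected/testfiles.txt
```

Running the audit check before and after applying the test fix gives a quick confirmation that the child commands are inheriting the rule again.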