SEOS_load Cannot Unload Syscall to Upgrade PAMSC
search cancel

SEOS_load Cannot Unload Syscall to Upgrade PAMSC

book

Article ID: 267616

calendar_today

Updated On:

Products

CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

As part of the steps to upgrade a PAMSC endpoint on Linux, `secons -sk` and `SEOS_load -u` were run, but the `SEOS_load -u` did not successfully unload the system call. What can be done to continue with the upgrade?

Environment

PAM Server Control, 14.x

Cause

If there is a third-party application on the server that interrupts system calls the same way that PAMSC does, it could prevent the PAMSC system call to unload. Should that happen, the other software would need to be stopped and its system call unloaded before PAMSC can be stopped and unloaded. However, this is not always possible in a production environment.

Resolution

Rather than unloading the PAMSC system call, it is possible to disable it. This will allow the upgrade to continue and PAMSC will run with both system calls loaded, but only the newer system call will be enabled. During the next reboot of the server, the inactive system call will then be unloaded.

Use the command `secons -ik` to list what system call is loaded and enabled. The system call with <-- next to it indicates that it is enabled.

# secons -ik
CA Privileged Access Manager Server Control secons v14.10.40.182 - Console utility
Copyright (c) 2018 CA. All rights reserved.

seos_1410_40_182 <--

Then use the command `secons -dk` to disable the system call. Should the `secons -ik` output list two kernels, specify the kernel that needs to be disabled in the `secons -dk` command. In this example, it would be `secons -dk seos_1410_40_182`. 

# secons -dk
CA Privileged Access Manager Server Control secons v14.10.40.182 - Console utility
Copyright (c) 2018 CA. All rights reserved.

successfully disabled module seos_1410_40_182.

Finally, use the command `secons -ik` again to verify the system call is now disabled. 

# secons -ik
CA Privileged Access Manager Server Control secons v14.10.40.182 - Console utility
Copyright (c) 2018 CA. All rights reserved.

seos_1410_40_182

Since the <-- is now gone, it is confirmed to be disabled and the upgrade can continue.

Additional Information

Should the `secons -dk` fail to disable the kernel, then the third-party application that is intercepting system calls must be stopped and unloaded so PAMSC can continue. Before this can be done, PAMSC must be started again so the third-party application may correctly unload.

# seload
((stop and unload the third-party application))
# secons -sk
# SEOS_load

Powered by Wolken Software