We found out that the CPAIM agent is starting even if we successfully disable it on startup.
[root@ServerName development: /tmp] ./controlminder.sh disable
+ exec
+ 2> /tmp/controlminder.dbx
***** disablestartup capim *****
Thu Jul 13 11:55:55 EDT 2023 MESSAGE: Started
/opt/softpkg/Linux/common/x86_64/ControlMinder/2023-02/LINUX/kickStartInstallCM.sh
Kickstart Disable Start Script completed
Thu Jul 13 11:56:01 EDT 2023 MESSAGE: Successful
[root@ServerName development: /tmp] systemctl status seos
● seos.service - CA Privileged Access Manager Server Control
Loaded: loaded (/etc/systemd/system/seos.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Jul 13 11:55:56 ServerName seosd[3271]: CA Privileged Access Manager Server Control daemon going down.
Jul 13 11:55:57 ServerName seload[2843]: 13 Jul 2023 08:55:09> WAKE_UP : Server going up
Jul 13 11:55:57 ServerName seload[2843]: 13 Jul 2023 08:55:09> INFO : Filter mask: 'WATCHDOG*' is registered
Jul 13 11:55:57 ServerName seload[2843]: 13 Jul 2023 08:55:09> INFO : Filter mask: 'INFO : Setting PV*' is registered
Jul 13 11:55:57 ServerName seload[2843]: 13 Jul 2023 08:55:09> INFO : Filter mask: 'INFO : DB*' is registered
Jul 13 11:55:57 ServerName seload[2843]: 13 Jul 2023 08:55:09> INFO : Filter mask: '*seosd.trace*' is registered
Jul 13 11:55:57 ServerName seload[2843]: 13 Jul 2023 08:55:09> INFO : Filter mask: '*FILE*secons*(*/log/*)*' is registered
Jul 13 11:56:00 ServerName secons[16659]: CA Privileged Access Manager Server Control is now DOWN !
Jul 13 11:56:00 ServerName AgentManager[4978]: In catch - signal 15
Jul 13 11:56:01 ServerName systemd[1]: Stopped CA Privileged Access Manager Server Control.
[root@ServerName development: /tmp] ps -ef | grep -i seos
AFTER REBOOT
[root@ServerName development: /root] /opt/CA/AccessControl/bin/issec | grep "is running,.*pid=" | wc -l
9
[root@ServerName development: /root] ps -ef | grep -i seos
root 4840 1 0 12:00 ? 00:00:00 /opt/CA/AccessControl/bin/seosd
root 4845 1 0 12:00 ? 00:00:00 /opt/CA/AccessControl/bin/seagent SEOSD
root 4904 1 0 12:00 ? 00:00:00 /opt/CA/AccessControl/bin/seoswd AGENT
root 4906 4845 0 12:00 ? 00:00:00 /opt/CA/AccessControl/bin/seagent SEOSD
root 5726 4845 0 12:00 ? 00:00:00 /opt/CA/AccessControl/bin/seagent SEOSD
root 10825 2657 0 12:01 pts/0 00:00:00 grep --color=auto -i seos
[root@ServerName development: /root] systemctl status seos
● seos.service - CA Privileged Access Manager Server Control
Loaded: loaded (/etc/systemd/system/seos.service; disabled; vendor preset: disabled)
Active: active (running) since Thu 2023-07-13 12:00:36 EDT; 1min 0s ago
Process: 3967 ExecStart=/opt/CA/AccessControl/bin/seload (code=exited, status=0/SUCCESS)
Memory: 186.0M
CGroup: /system.slice/seos.service
├─4840 /opt/CA/AccessControl/bin/seosd
├─4845 /opt/CA/AccessControl/bin/seagent SEOSD
├─4904 /opt/CA/AccessControl/bin/seoswd AGENT
├─4906 /opt/CA/AccessControl/bin/seagent SEOSD
├─4909 /opt/CA/AccessControl/bin/selogrd
├─5591 /opt/CA/PAMSCShared/bin/ReportAgent
├─5661 /opt/CA/AccessControl/bin/policyfetcher -watchdog
├─5726 /opt/CA/AccessControl/bin/seagent SEOSD
├─5811 /opt/CA/PAMSCShared/bin/AgentManager start
└─5829 /opt/CA/PAMSCShared/bin/AgentManager -watchdog -plugin PupmAgent
Jul 13 12:00:53 ServerName AgentManager[5811]: Successfully connected to the Distribution Server s ssl://DH_Server1:61616,ssl://DH_Server2:61616,ssl://DH_Server3:61616,ssl...dh1np:61616
Jul 13 12:00:53 ServerName selogrd[4909]: 13 Jul 2023 12:00:50 M START devcalc
Jul 13 12:00:53 ServerName selogrd[4909]: 13 Jul 2023 12:00:50 M SHUTDOWN 64b01f97:00000137 0 devcalc
Jul 13 12:00:53 ServerName selogrd[4909]: 13 Jul 2023 12:00:53 M START AgentManager
Jul 13 12:00:55 ServerName AgentManager[5811]: Starting plugin PupmAgent
Jul 13 12:00:55 ServerName AgentManager[5811]: Successfully connected to the Distribution Server ssl://DH_Server1:61616,ssl://DH_Server2:61616,ssl://DH_Server3:61616,ssl...dh1np:61616
Jul 13 12:00:55 ServerName AgentManager[5829]: Successfully connected to the Distribution Server mock://127.0.0.1:61616?wireFormat=openwire
Jul 13 12:00:55 ServerName AgentManager[5829]: Successfully connected to the Distribution Server ssl://DH_Server1:61616,ssl://DH_Server2:61616,ssl://DH_Server3:61616,ssl...dh1np:61616
Jul 13 12:00:55 ServerName AgentManager[5829]: Successfully connected to the Distribution Server ssl://DH_Server1:61616,ssl://DH_Server2:61616,ssl://DH_Server3:61616,ssl...dh1np:61616
Jul 13 12:00:55 ServerName AgentManager[5829]: Successfully connected to the Distribution Server ssl://DH_Server1:61616,ssl://DH_Server2:61616,ssl://DH_Server3:61616,ssl...dh1np:61616
Hint: Some lines were ellipsized, use -l to show in full.
[root@ServerName development: /root]
Release : any
After a detailed audit it was found that a remote automation service was launching the service.
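The state shown above ("disabled" in the Loaded line, yet "active (running)" after reboot) can be triaged with a short script. This is an added example, not vendor code and not from the original article. The function name classify_unit, the verdict strings, the unit name vendor-agents.target and the sample input are constructed for illustration; the property names are standard systemctl show properties.

```shell
#!/bin/sh
# Added example (not vendor code): explain why a "disabled" unit is running.
# Input is the KEY=VALUE output of, for example:
#   systemctl show -p UnitFileState,ActiveState,WantedBy,RequiredBy,TriggeredBy seos

classify_unit() {
    file_state=""
    active_state=""
    pulled_by=""
    while IFS='=' read -r key value; do
        case "$key" in
            UnitFileState) file_state=$value ;;
            ActiveState)   active_state=$value ;;
            WantedBy|RequiredBy|TriggeredBy)
                # Reverse dependencies: other loaded units that can start this one.
                if [ -n "$value" ]; then pulled_by="$pulled_by $value"; fi ;;
        esac
    done
    pulled_by=${pulled_by# }
    if [ "$active_state" != "active" ]; then
        echo "not-running"
    elif [ "$file_state" = "enabled" ]; then
        echo "enabled"                    # started by its own install symlinks
    elif [ -n "$pulled_by" ]; then
        echo "pulled-in-by: $pulled_by"   # another unit depends on it
    else
        # Disabled, running, and no unit pulls it in: something issued an
        # explicit start (an admin, a script, or an automation service).
        echo "explicit-start"
    fi
}

# Constructed sample for the post-reboot state on this page. The empty
# reverse-dependency values are an assumption; the page does not show them.
sample_after_reboot() {
    printf '%s\n' 'UnitFileState=disabled' 'ActiveState=active' \
        'WantedBy=' 'RequiredBy=' 'TriggeredBy='
}

if [ "$#" -gt 0 ]; then
    # Live use: ./why_running.sh seos
    systemctl show -p UnitFileState,ActiveState,WantedBy,RequiredBy,TriggeredBy "$1" |
        classify_unit
else
    sample_after_reboot | classify_unit
fi
```

An explicit-start verdict matches the resolution above: the unit file is disabled and nothing in systemd pulls it in, so the start request came from outside the unit's own configuration. If that request goes through the systemctl binary, an auditd watch such as auditctl -w /usr/bin/systemctl -p x -k unit_start (path and key name are assumptions), read back with ausearch -k unit_start -i after the next reboot, records the account and parent process that issued it.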