PAMSC agent started even if it is disabled on startup

Article ID: 269804

Products

CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

We found out that the CAPIM agent is starting even if we successfully disable it on startup.

[root@ServerName development: /tmp] ./controlminder.sh disable
+ exec
+ 2> /tmp/controlminder.dbx
***** disablestartup capim *****
Thu Jul 13 11:55:55 EDT 2023 MESSAGE: Started
/opt/softpkg/Linux/common/x86_64/ControlMinder/2023-02/LINUX/kickStartInstallCM.sh
Kickstart Disable Start Script completed
Thu Jul 13 11:56:01 EDT 2023 MESSAGE: Successful
[root@ServerName development: /tmp] systemctl status seos
● seos.service - CA Privileged Access Manager Server Control
   Loaded: loaded (/etc/systemd/system/seos.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

Jul 13 11:55:56 ServerName seosd[3271]: CA Privileged Access Manager Server Control daemon going down.
Jul 13 11:55:57 ServerName seload[2843]: 13 Jul 2023 08:55:09> WAKE_UP : Server going up
Jul 13 11:55:57 ServerName seload[2843]: 13 Jul 2023 08:55:09> INFO    : Filter mask: 'WATCHDOG*' is registered
Jul 13 11:55:57 ServerName seload[2843]: 13 Jul 2023 08:55:09> INFO    : Filter mask: 'INFO    : Setting PV*' is registered
Jul 13 11:55:57 ServerName seload[2843]: 13 Jul 2023 08:55:09> INFO    : Filter mask: 'INFO    : DB*' is registered
Jul 13 11:55:57 ServerName seload[2843]: 13 Jul 2023 08:55:09> INFO    : Filter mask: '*seosd.trace*' is registered
Jul 13 11:55:57 ServerName seload[2843]: 13 Jul 2023 08:55:09> INFO    : Filter mask: '*FILE*secons*(*/log/*)*' is registered
Jul 13 11:56:00 ServerName secons[16659]: CA Privileged Access Manager Server Control is now DOWN !
Jul 13 11:56:00 ServerName AgentManager[4978]: In catch - signal 15
Jul 13 11:56:01 ServerName systemd[1]: Stopped CA Privileged Access Manager Server Control.
[root@ServerName development: /tmp] ps -ef | grep -i seos

 

AFTER REBOOT

[root@ServerName development: /root] /opt/CA/AccessControl/bin/issec  | grep "is running,.*pid=" | wc -l
9
[root@ServerName development: /root] ps -ef | grep -i seos
root      4840     1  0 12:00 ?        00:00:00 /opt/CA/AccessControl/bin/seosd
root      4845     1  0 12:00 ?        00:00:00 /opt/CA/AccessControl/bin/seagent SEOSD
root      4904     1  0 12:00 ?        00:00:00 /opt/CA/AccessControl/bin/seoswd AGENT
root      4906  4845  0 12:00 ?        00:00:00 /opt/CA/AccessControl/bin/seagent SEOSD
root      5726  4845  0 12:00 ?        00:00:00 /opt/CA/AccessControl/bin/seagent SEOSD
root     10825  2657  0 12:01 pts/0    00:00:00 grep --color=auto -i seos
[root@ServerName development: /root] systemctl status seos
● seos.service - CA Privileged Access Manager Server Control
   Loaded: loaded (/etc/systemd/system/seos.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2023-07-13 12:00:36 EDT; 1min 0s ago
  Process: 3967 ExecStart=/opt/CA/AccessControl/bin/seload (code=exited, status=0/SUCCESS)
   Memory: 186.0M
   CGroup: /system.slice/seos.service
           ├─4840 /opt/CA/AccessControl/bin/seosd
           ├─4845 /opt/CA/AccessControl/bin/seagent SEOSD
           ├─4904 /opt/CA/AccessControl/bin/seoswd AGENT
           ├─4906 /opt/CA/AccessControl/bin/seagent SEOSD
           ├─4909 /opt/CA/AccessControl/bin/selogrd
           ├─5591 /opt/CA/PAMSCShared/bin/ReportAgent
           ├─5661 /opt/CA/AccessControl/bin/policyfetcher -watchdog
           ├─5726 /opt/CA/AccessControl/bin/seagent SEOSD
           ├─5811 /opt/CA/PAMSCShared/bin/AgentManager start
           └─5829 /opt/CA/PAMSCShared/bin/AgentManager -watchdog -plugin PupmAgent

Jul 13 12:00:53 ServerName AgentManager[5811]: Successfully connected to the Distribution Server s ssl://DH_Server1:61616,ssl://DH_Server2:61616,ssl://DH_Server3:61616,ssl...dh1np:61616
Jul 13 12:00:53 ServerName selogrd[4909]: 13 Jul 2023 12:00:50 M START                                    devcalc
Jul 13 12:00:53 ServerName selogrd[4909]: 13 Jul 2023 12:00:50 M SHUTDOWN                64b01f97:00000137                 0 devcalc
Jul 13 12:00:53 ServerName selogrd[4909]: 13 Jul 2023 12:00:53 M START                                    AgentManager
Jul 13 12:00:55 ServerName AgentManager[5811]: Starting plugin PupmAgent
Jul 13 12:00:55 ServerName AgentManager[5811]: Successfully connected to the Distribution Server ssl://DH_Server1:61616,ssl://DH_Server2:61616,ssl://DH_Server3:61616,ssl...dh1np:61616
Jul 13 12:00:55 ServerName AgentManager[5829]: Successfully connected to the Distribution Server mock://127.0.0.1:61616?wireFormat=openwire
Jul 13 12:00:55 ServerName AgentManager[5829]: Successfully connected to the Distribution Server ssl://DH_Server1:61616,ssl://DH_Server2:61616,ssl://DH_Server3:61616,ssl...dh1np:61616
Jul 13 12:00:55 ServerName AgentManager[5829]: Successfully connected to the Distribution Server ssl://DH_Server1:61616,ssl://DH_Server2:61616,ssl://DH_Server3:61616,ssl...dh1np:61616
Jul 13 12:00:55 ServerName AgentManager[5829]: Successfully connected to the Distribution Server ssl://DH_Server1:61616,ssl://DH_Server2:61616,ssl://DH_Server3:61616,ssl...dh1np:61616
Hint: Some lines were ellipsized, use -l to show in full.
[root@ServerName development: /root] 

Environment

Release : any

Resolution

After a detailed audit, it was found that a remote automation service was launching the service.
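
The condition shown in the post-reboot output above (unit reported as disabled, yet active) can be checked for mechanically. The script below is an added example, not part of the original article or of the vendor's tooling; the function names classify_status and investigate_unit are hypothetical, and the sample input is constructed from the status lines quoted above.

```shell
#!/bin/sh
# Added example (not vendor code): detect a unit that is disabled at boot yet running.

# Constructed sample: the post-reboot status lines quoted in the article.
SAMPLE_STATUS='● seos.service - CA Privileged Access Manager Server Control
   Loaded: loaded (/etc/systemd/system/seos.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2023-07-13 12:00:36 EDT; 1min 0s ago'

# classify_status (hypothetical name): reads `systemctl status` text on stdin
# and prints one verdict word.
classify_status() {
    awk '
        $1 == "Loaded:" {
            load = $2
            n = split($0, f, ";")          # path; enablement; preset
            state = (n > 1) ? f[2] : ""
            gsub(/[ \t]/, "", state)
        }
        $1 == "Active:" { active = $2 }
        END {
            if (load == "masked")                                print "MASKED"
            else if (state == "disabled" && active == "active")  print "DISABLED_BUT_RUNNING"
            else if (state == "disabled")                        print "DISABLED_AND_STOPPED"
            else if (state == "enabled")                         print "ENABLED_AT_BOOT"
            else                                                 print "OTHER"
        }'
}

# investigate_unit (hypothetical name): read-only follow-up for a live host.
# Lists what could pull the unit in through systemd itself; if nothing does,
# the start came from an explicit request by another process.
investigate_unit() {
    unit=$1
    systemctl is-enabled "$unit" || true
    systemctl list-dependencies --reverse "$unit"
    systemctl show -p WantedBy -p RequiredBy -p TriggeredBy "$unit"
    journalctl -b -u "$unit" --no-pager | head -n 20
}

# Stand-alone run: classify the constructed sample; pass a unit name to inspect a host.
printf '%s\n' "$SAMPLE_STATUS" | classify_status
if [ -n "${1:-}" ]; then
    investigate_unit "$1"
fi
```

A unit in the disabled state only lacks its boot-time links, so an explicit `systemctl start` issued by another process still succeeds. One way to attribute such a start to its caller is an audit watch on the systemctl binary (for example `auditctl -w /usr/bin/systemctl -p x -k unit-start`, path and key name assumed), followed by `ausearch -k unit-start -i` after the next reboot.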