PAMSC - Intermittently the sewhoami -a incorrectly shows the user as root instead of the logged in user.
Article ID: 278396

Products

CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

After upgrading from RHEL 7 to RHEL 8, users were being denied the ability to sesu - to root.

The denial record in seaudit did not show the correct username:

23 Jan 2024 08:19:19 D SURROGATE    root       Read       63  3 USER.root            /opt/CA/AccessControl/bin/sesu                   root   

                   63      Program Conditional Access

Running "sewhoami -a" confirmed that the seos service saw this user as root:

[user1@server /]$ sewhoami -a
root
ACEE Contents
  User's Name             : root
  ACEE's Handle           : 9
  Group Connections Table:
<Empty>
Categories              : <None>
Profile Group           : <None>
Security Label          : <None>
User's Audit Mode       : Failure LoginSuccess LoginFailure
User's Security Level   : 0
Source Terminal         : <Unknown>
Process Count for ACEE  : 4
User's Mode             : Admin Auditor
ACEE's Creation Time    : Thu Jan 25 13:36:46 2024

 

The LOGINAPPL was set properly for PAMLOGIN:

editres LOGINAPPL ('SSH') audit(FAILURE) comment('Predefined rule for Login application.') defaccess(EXECUTE) loginflags(PAMLOGIN) loginmethod(NORMAL) loginseq(SGRP SUID) loginpath(/usr/sbin/sshd)

 

Environment

PAMSC 14.1

Cause

There are several reasons why the seos service might not properly identify a user. If a user cannot be identified, the default user is always defined as root to avoid applying any seos rules inappropriately. In this case, the reason was found in the $SEOSDIR/log/seosd.trace file, captured with the sequence secons -tc / secons -t+ / login / secons -t-.

The absence of the following type of message in the trace file confirmed that the PAMLOGIN process was not being invoked from the /etc/pam.d/password-auth file:

01 Apr 2022 00:24:37> PAMLOGIN:  P=194255 User=XXXXX Terminal=XXXXXXXX  U=0 G=0 O= 

Checking the password-auth file, we found that pam_seos.so was not enabled after the upgrade (the grep returns nothing):

[user1@server /]$ ls -l /etc/pam.d/ |grep password-
lrwxrwxrwx  1 root root  29 Sep 26 21:40 password-auth -> /etc/authselect/password-auth


[user1@server /]$ grep seos /etc/pam.d/password-auth

Resolution

The resolution was to re-add the pam_seos.so module entries to the password-auth file, as seen below:

lrwxrwxrwx  1 root root  29 Sep 26 21:40 password-auth -> /etc/authselect/password-auth
[user1@server /]$ grep seos /etc/pam.d/password-auth
account    optional     pam_seos.so
auth       optional     pam_seos.so
password  sufficient  pam_seos.so
session    optional     pam_seos.so
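
The grep check above can be turned into a repeatable post-upgrade test. The script below is an added example, not Broadcom's code: it reports which of the four PAM module types shown in the Resolution have no active pam_seos.so line. The function names are hypothetical and the sample file it builds when run without arguments is constructed.

```shell
#!/usr/bin/env bash
# Added example (not vendor code): verify that a password-auth style PAM
# file still carries an active pam_seos.so entry for every module type.

# Print the module types (space separated) that have no pam_seos.so line.
# Commented-out lines do not count; PAM's optional leading "-" is accepted.
missing_seos_types() {
    local file="$1" type missing=""
    for type in account auth password session; do
        if ! grep -Eq "^[[:space:]]*-?${type}[[:space:]]+.*pam_seos\.so([[:space:]]|\$)" "$file"; then
            missing="${missing:+$missing }$type"
        fi
    done
    printf '%s\n' "$missing"
}

# Return 0 if all four types reference pam_seos.so, 1 if any is missing,
# 2 if the file cannot be read. Defaults to the file from the article.
check_pam_seos() {
    local file="${1:-/etc/pam.d/password-auth}" missing
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 2
    fi
    missing="$(missing_seos_types "$file")"
    if [ -n "$missing" ]; then
        # Show the symlink target too, since that is the file to repair.
        echo "$file: pam_seos.so missing for: $missing (resolves to $(readlink -f "$file"))"
        return 1
    fi
    echo "$file: pam_seos.so present for account, auth, password, session"
    return 0
}

# With a path argument, check that file. With none, run against a
# constructed sample in which the session entry has been commented out.
if [ "$#" -gt 0 ]; then
    check_pam_seos "$1"
else
    sample="$(mktemp)"
    printf '%s\n' 'account    optional     pam_seos.so' \
        'auth       optional     pam_seos.so' \
        'password  sufficient  pam_seos.so' \
        '#session    optional     pam_seos.so' > "$sample"
    check_pam_seos "$sample" || true
    rm -f "$sample"
fi
```

Run it with /etc/pam.d/password-auth as the argument after an OS upgrade; a non-zero exit means logins through that PAM stack will not generate the PAMLOGIN trace message and seos may fall back to treating the user as root.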