Socket Filter Agent 2.7 on AIX 6.1 and AIX 7.1 is not blocking SSH access to the blacklisted hosts

Article ID: 6333

Products

  •     CA Privileged Access Manager - Cloakware Password Authority (PA)
  •     PAM SAFENET LUNA HSM
  •     CA Privileged Access Manager (PAM)

Issue/Introduction

Socket Filter Agent (SFA) 2.7 installed on AIX 6.1 and AIX 7.1 is not blocking SSH access to the blacklisted hosts specified in the socket filter list. The whitelist works as expected.

Cause

SFA marks the hosts in the filter list as invalid filter IPs and ignores them, so no filters are loaded:

<6>gksfd: 2017-04-06 19:33:43 >>> device information:
<6>gksfd: 2017-04-06 19:33:43 device: ip(xxx.xxx.xx.xx) port(22) policy(b)
<4>gksfd: 2017-04-06 19:33:43 make_struct: ignore invalid filter ip (10.xxx.xx.xxx/23 22)
<4>gksfd: 2017-04-06 19:33:43 make_struct: ignore invalid filter ip (10.xxx.xxx.xxx/23 22)
<6>gksfd: 2017-04-06 19:33:43 >>> filter information: 0 filters.


In the working case, the filters are recognized and loaded:

<6>gksfd: 2017-04-06 19:54:19 >>> device information:
<6>gksfd: 2017-04-06 19:54:19 device: ip(xxx.xx.xx.xx) port(22) policy(b)
<6>gksfd: 2017-04-06 19:54:19 >>> filter information: 2 filters.

Environment

CA Privileged Access Manager: 2.7
Socket Filter Agent: 2.7
Target Servers: AIX 6.1, AIX 7.1

Resolution

SFA blocks the blacklisted hosts once the netmask (the /23 suffix seen in the log above) is removed from the host IP address in the filter list.

The SFA 2.7 installers for AIX 6.1 and AIX 7.1 have been revised to address the issue.
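As an added example (not part of this article or of the SFA product), the check below reads gksfd.log text, reports which filter entries SFA dropped as "invalid filter ip" and how many filters it actually loaded, and rewrites a netmask-suffixed entry to the bare host address that the resolution above calls for. The log sample and the 10.1.x.x addresses are constructed, modelled on the excerpt quoted in the Cause section.

```python
import re
from ipaddress import ip_address

# Constructed sample log, modelled on the gksfd.log excerpt in this article.
SAMPLE_LOG = """\
<6>gksfd: 2017-04-06 19:33:43 >>> device information:
<6>gksfd: 2017-04-06 19:33:43 device: ip(192.0.2.10) port(22) policy(b)
<4>gksfd: 2017-04-06 19:33:43 make_struct: ignore invalid filter ip (10.1.2.37/23 22)
<4>gksfd: 2017-04-06 19:33:43 make_struct: ignore invalid filter ip (10.1.4.41/23 22)
<6>gksfd: 2017-04-06 19:33:43 >>> filter information: 0 filters.
"""

IGNORED_RE = re.compile(r"ignore invalid filter ip \(([^\s)]+) (\d+)\)")
COUNT_RE = re.compile(r"filter information: (\d+) filters")


def audit_gksfd_log(text):
    """Summarise filter loading from gksfd.log text.

    Returns a dict with:
      ignored - list of (ip_spec, port) entries SFA rejected
      loaded  - filter count from the last 'filter information' line (None if absent)
      healthy - True only if filters were loaded and nothing was rejected
    """
    ignored = [(m.group(1), int(m.group(2))) for m in IGNORED_RE.finditer(text)]
    counts = COUNT_RE.findall(text)
    loaded = int(counts[-1]) if counts else None
    healthy = loaded is not None and loaded > 0 and not ignored
    return {"ignored": ignored, "loaded": loaded, "healthy": healthy}


def strip_netmask(ip_spec):
    """Drop a '/prefix' suffix from a filter entry, e.g. '10.1.2.37/23' -> '10.1.2.37'.

    Raises ValueError if what remains is not a plain IP address.
    """
    host = ip_spec.split("/", 1)[0]
    ip_address(host)
    return host


if __name__ == "__main__":
    report = audit_gksfd_log(SAMPLE_LOG)
    for spec, port in report["ignored"]:
        print(f"rejected {spec}:{port} -> use {strip_netmask(spec)}:{port}")
    print(f"filters loaded: {report['loaded']}, healthy: {report['healthy']}")
```

A rejected entry means the corresponding blacklist host is not enforced at all, so a loaded count of 0 on a target that should have a blacklist is the condition to alert on.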

Additional Information

When troubleshooting SFA issues, verify the following:

  •     SFA was installed with the Windows default Administrator account or the UNIX root account
  •     SFA is installed on a supported operating system (https://support.ca.com/phpdocs/7/9526/9526-PAM-platformsupportmatrix.pdf)
  •     Communication between the target host and the SFA on the target host over port 8550 (the default SFA port) and port 443 is not blocked
  •     The SFA daemon is running (/etc/rc.d/init.d/gksfd start)
  •     Check gksfd.log (/var/tmp/gksfd.log) for filter loading errors
  •     The socket filter is associated with the user-device policy
  •     On UNIX and Linux targets, SFA filters only non-root users. Log in to the target UNIX host as a non-root user to test the access control defined by the filter list, and make sure that user is not specified as SECURE_USER in the gksfd.cfg file