Sewhoami Incorrectly Displaying All Users As "root"

Article ID: 70146

Products

CA Privileged Identity Management Endpoint (PIM)

Issue/Introduction

When any user logs in to a server with PIM or PAMSC running, sewhoami shows them as root.

# sewhoami -a
root
ACEE Contents
  User's Name             : root
  ACEE's Handle           : 14
  Group Connections Table:
    <Empty>
  Categories              : <None>
  Profile Group           : <None>
  Security Label          : <None>
  User's Audit Mode       : Failure LoginSuccess LoginFailure
  User's Security Level   : 0
  Source Terminal         : <Unknown>
  Process Count for ACEE  : 5
  User's Mode             : Admin Auditor
  ACEE's Creation Time    : Fri Feb  3 17:54:24 2023

Environment

Privileged Identity Manager or PAM Server Control, all versions

Cause

The endpoint uses the PAM stack to identify users during logins, so if either the endpoint or the PAM stack is not configured correctly, users will not be properly identified.

Resolution

First, verify that the LOGINAPPL rule is properly configured in selang. The loginflags value should be PAMLOGIN, and the loginpath must match the path to the ssh daemon (/usr/sbin/sshd in most cases). The rule should look similar to the one below.

PAMSC> sr loginappl SSH
Data for LOGINAPPL 'SSH'
 -----------------------------------------------------------
Defaccess         : X
Audit mode        : Failure
Comment           : Predefined rule for Login application.
Login flags       : PAM login
Login method      : Normal
Login path        : /usr/sbin/sshd
Login sequence    : SGRP, SUID

If the rule does not match or is missing, use the following selang command to create or fix the rule.

editres LOGINAPPL SSH audit(FAILURE) defaccess(EXECUTE) owner(nobody) loginflags(PAMLOGIN) loginmethod(NORMAL) loginseq(SGRP SUID) loginpath(/usr/sbin/sshd)

If the LOGINAPPL is present and correct, but the users still show as root in sewhoami -a, the issue is likely with the PAM stack configuration. Run the following command to correct the pam_seos lines in the PAM stack.

In PAMSC:
# /opt/CA/PAMSC/lbin/Linux_merge_pam_seos.sh /opt/CA/PAMSC

In PIM:
# /opt/CA/AccessControl/lbin/Linux_merge_pam_seos.sh /opt/CA/AccessControl

If the issue still occurs, please use the steps below to collect the necessary logs, then open a case with Broadcom Support.

# cd /opt/CA/PAMSC/bin     ((in PIM: cd /opt/CA/AccessControl/bin))
# ./secons -tc -t+     ((this clears the trace log and starts a new trace))
((log in to reproduce the issue))
# sewhoami -a
# ./secons -t-     ((this stops the trace))
# cd ../lbin
# ./support.sh -all     ((this will restart the endpoint, run this only when that is possible))
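
To confirm the result of the PAM stack step above, the following added example (not Broadcom's code) lists the PAM module types for which an active pam_seos line is actually reachable from a service file, following include, substack and @include. The /etc/pam.d directory, the sshd service name and matching on the string pam_seos are assumptions; the page does not state which lines the merge script writes.

```shell
#!/bin/sh
# Added example. Assumptions: pam.d-style directory; module name contains "pam_seos".

# pam_lines DIR FILE [DEPTH] [TYPE]: print the active lines of FILE, expanding
# "include"/"substack" controls and Debian-style "@include" directives.
# Runs in a subshell "( )" so recursion does not clobber the caller's variables.
pam_lines() (
    dir=$1; file=$2; depth=${3:-0}; want=${4:-}
    # Stop on unreadable files and on runaway include loops.
    [ "$depth" -le 8 ] && [ -r "$dir/$file" ] || exit 0
    while read -r type control module rest || [ -n "$type" ]; do
        case $type in
            ''|'#'*) continue ;;                      # blank line or comment
            @include) pam_lines "$dir" "$control" $((depth + 1)) "$want"; continue ;;
        esac
        type=${type#-}        # a leading "-" only silences missing-module logging
        # "auth include X" pulls in only the auth lines of X, so filter by type.
        [ -z "$want" ] || [ "$type" = "$want" ] || continue
        case $control in
            include|substack) pam_lines "$dir" "$module" $((depth + 1)) "$type" ;;
            *) printf '%s %s %s %s\n' "$type" "$control" "$module" "$rest" ;;
        esac
    done < "$dir/$file"
)

# pam_seos_types DIR SERVICE: module types with a reachable pam_seos line,
# in stack order, space separated (empty when there is none).
pam_seos_types() {
    pam_lines "$1" "$2" |
        awk '/pam_seos/ && !seen[$1]++ { out = out (out ? " " : "") $1 } END { print out }'
}

# check_pam_seos DIR SERVICE: human-readable verdict; non-zero when nothing is found.
check_pam_seos() {
    types=$(pam_seos_types "$1" "$2")
    if [ -z "$types" ]; then
        echo "no active pam_seos line reachable from $1/$2"
        return 1
    fi
    echo "pam_seos active for: $types"
}

# Example: sh check_pam_seos.sh /etc/pam.d sshd
if [ $# -eq 2 ]; then check_pam_seos "$1" "$2"; fi
```

A pam_seos line that sits in a shared file counts only for the module types the service file includes from it, so a line that is present on disk can still be unreachable for sshd logins.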