Generic specialpgm or PACL with wildcard doesn't work after restart of CA Privileged Identity Manager (PIM).
The audit log shows only the file name, not the full path, as the accessed program.
Let's say there is an executable file /full/path/program and the following specialpgm definition:
AC> er specialpgm /full/path/* pgmtype(fullbypass)
The specialpgm above should bypass all accesses by all programs under /full/path/, including /full/path/program.
However, after a PIM restart the access by /full/path/program is not bypassed, and the audit log shows:
DD MON YYYY HH:MM:SS P FILE root Read 54 2 /tmp/test.txt program root
The accessed program is recorded by file name only, not by its full path.
Release: R12.8 SP1 / PAMSC 14.x endpoint
This happens because PIM cannot obtain the full path of the program when it restarts.
When PIM starts, it reads process information from /proc and stores it in its internal process table.
If /proc holds no full path for a process, PIM cannot recover one.
PIM then knows the accessed program only by its file name, and that name does not match a wildcard specialpgm/PACL definition such as /full/path/*.
If the program was started with its full path, /proc records that full path.
If the program was started without its full path (for example as ./program), /proc holds only the file name.
A program started after PIM is already running is identified correctly even when it was started without its full path, because the exec interception data carries the full path.
This is working as designed and is a current product limitation.
It affects AIX and HP-UX, not RHEL or Solaris.
The workaround is any of the following:
Define a specific specialpgm/PACL with the program's full path instead of a generic one (a specific entry can identify the file by device/inode).
Start the program with its full path.
Start the program after PIM has started.
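The following script is an added example and is not part of this article or of the PIM product. It illustrates the cause described above and gives a check to run before a planned PIM restart: it lists processes that were started with a relative program name (the ones PIM will know only by file name after the restart on AIX/HP-UX), and it shows, for an audit record laid out like the sample above, why a wildcard rule such as /full/path/* does or does not match the logged program. It assumes processes are listed with `ps -eo pid,args` (on HP-UX this needs UNIX95=1 in the environment), that shell glob matching is a fair stand-in for PIM's own pattern matching, and that the accessed program is the 12th field of the audit record; none of this is stated in the article.

```shell
#!/bin/sh
# Added example; not part of the KB article or of the PIM product.
#
# Assumptions (not stated in the KB): processes are listed with
# `ps -eo pid,args` (HP-UX needs UNIX95=1 for -o), and FILE audit records
# follow the field layout of the sample line in the article.

# Print "PID ARGV0" for every process started with a relative program name.
# Input on stdin: `ps -eo pid,args` output. On AIX/HP-UX these are the
# processes PIM will know only by file name after a restart.
relative_exec_procs() {
    while read -r pid args; do
        case "$pid" in
            PID|'') continue ;;          # header or blank line
        esac
        argv0=${args%% *}                # first word of the command line
        case "$argv0" in
            /*) ;;                       # absolute path: survives a restart
            *)  printf '%s %s\n' "$pid" "$argv0" ;;
        esac
    done
}

# Return 0 if the program name as logged matches a generic specialpgm/PACL
# pattern such as /full/path/*; shell glob matching stands in for PIM's own.
matches_specialpgm() {
    pattern=$1 program=$2
    case "$program" in
        $pattern) return 0 ;;
        *)        return 1 ;;
    esac
}

# Pull the "accessed program" (12th field) out of a FILE audit record
# laid out like the sample line in the article.
audit_program() {
    printf '%s\n' "$1" | awk '{ print $12 }'
}

# Explain, for one audit record, why a generic rule did or did not apply.
audit_matches() {
    prog=$(audit_program "$2")
    if matches_specialpgm "$1" "$prog"; then
        echo "match: $prog"
    else
        case "$prog" in
            /*) echo "no match: $prog (path outside the rule)" ;;
            *)  echo "no match: $prog (file name only: started without its full path before the PIM restart)" ;;
        esac
    fi
}

# Constructed sample data (not real output).
SAMPLE_PS='PID ARGS
 1234 /full/path/program -d
 1235 program -d
 1236 ./program
 1237 /usr/sbin/sshd'

SAMPLE_AUDIT='01 JAN 2024 10:00:00 P FILE root Read 54 2 /tmp/test.txt program root'

# Real usage before a PIM restart:
#   ps -eo pid,args | relative_exec_procs
printf '%s\n' "$SAMPLE_PS" | relative_exec_procs
audit_matches '/full/path/*' "$SAMPLE_AUDIT"
```

Any PID the first check prints is a candidate for the first workaround (a specific specialpgm/PACL entry with the full path) or for being restarted with its full path before PIM is restarted.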