Symantec Privileged Access Management

CA Security Tech Tip: How to Determine Why Privileged Identity Management Untrusted a Program

    Broadcom Employee
    Posted Jul 01, 2015 09:11 AM

    When a program has been altered, PIM will untrust it and prevent it from being run. To determine why this has happened, use the seaudit utility to list the event and look up the watchdog code. In the seaudit output, untrust events contain "U PROGRAM" in the line.

    EXAMPLE:

    # seaudit -a | grep 'U PROGRAM'

    30 Jun 2015 11:24:56 U PROGRAM      seoswd                 1 8704 /bin/su                

    30 Jun 2015 11:25:36 U PROGRAM      seoswd                 1 8192 /opt/CA/AccessControl/bin/sebuildla

    The audit code for any untrust event will be 1 and the seoswd code will be next to it. In the examples above, the seoswd codes are 8704 and 8192. To look up the meaning of the seoswd codes, use seaudit with the -St or -Stat option.

    EXAMPLE:

    # seaudit -St 8192

    The INODE of the file was changed

    # seaudit -St 8704

    The INODE of the file was changed

    The MTIME of the file was changed

    In this example, the INODE of each file was changed. In addition, the MTIME of /bin/su was changed.
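
The lookup described in this post, as an added shell example that is not part of the original post or of the product: it reads `seaudit -a` output on stdin, keeps only the untrust events, and lists the distinct seoswd codes to pass to `seaudit -St`. The function names and the third sample line are constructed, and the field positions are assumed from the two sample lines shown in the post.

```shell
#!/usr/bin/env bash
# Added example: summarise PIM untrust events from `seaudit -a` output.
# Assumed field layout (from the sample lines in the post):
#   day month year time U PROGRAM seoswd <audit code> <seoswd code> <path>

# Sample input: the first two lines are from the post, the third is a
# constructed non-untrust line so the filter has something to reject.
sample_audit() {
cat <<'EOF'
30 Jun 2015 11:24:56 U PROGRAM      seoswd                 1 8704 /bin/su
30 Jun 2015 11:25:36 U PROGRAM      seoswd                 1 8192 /opt/CA/AccessControl/bin/sebuildla
30 Jun 2015 11:26:02 P LOGIN        root                   0 0 constructed-line
EOF
}

# Read seaudit output on stdin and print one tab-separated record per
# untrust event: "<timestamp>\t<seoswd code>\t<program path>".
untrust_events() {
  awk '$5 == "U" && $6 == "PROGRAM" && $8 == 1 {
         path = $10
         # Re-join the path in case it contains spaces.
         for (i = 11; i <= NF; i++) path = path " " $i
         printf "%s %s %s %s\t%s\t%s\n", $1, $2, $3, $4, $9, path
       }'
}

# Read seaudit output on stdin and print each distinct seoswd code once,
# sorted numerically, so every code is looked up only one time.
untrust_codes() {
  untrust_events | awk -F'\t' '{ print $2 }' | sort -nu
}

# Read seoswd codes on stdin and print the meaning of each one.
# Assumes the PIM seaudit utility is the first `seaudit` on PATH.
explain_codes() {
  while read -r code; do
    echo "seoswd code $code:"
    seaudit -St "$code" | sed 's/^/  /'
  done
}
```

On a PIM host, `seaudit -a | untrust_events` lists what was untrusted and when, and `seaudit -a | untrust_codes | explain_codes` prints the reason behind each code.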