We are running CA PIM 12.9 SP1, ENTM on Linux, and managing many endpoints (AIX, Solaris, Windows).
We are trying to use the CA examples for protecting the OS from the path (/opt/CA/AccessControlServer/APMS/AccessControl/samples/Policies/OS).
I am trying to modify the _win2003_deploy.txt for our environment, adding the system users and all that (I will attach the file I have modified),
but the problem is that when I try to apply it on a test server (either from the endpoint management - configuration and upload the file, or register it as a policy and apply it from the ENTM)
I receive errors regarding the defined variables. I will attach the error log.
I don't know the errors; I nearly used the CA sample without modification (except adding the users in the AC role group).
Example of error:
ERROR: <!POLICY_AUDIT_MODE> is an invalid audit value for resources
although the POLICY_AUDIT_MODE is defined!
UPDATE: the creation of the ACVAR variables was done successfully, as I ran (sr ACVAR *) on the test machine and it lists all built-in and custom variables, but the system cannot translate or look up the variables when it is like ("!<POLICY_AUDIT_MODE>"), for example.
Can you help me? We need that in this project fast.
Currently Windows 2003 is not supported as an endpoint.
CA Privileged Identity Manager Endpoint Compatibility Matrix - CA Technologies
Did you try this on Windows 2008 server or above?
Please let us know if you are facing the same issue with Windows 2008 or 2012.
I missed declaring that detail: my environment's Windows servers are Win 2008 R2 and Windows 2012 R2, no Windows 2003 at all, but the CA example file has that name only; you can check the example files in any installation.
Also, I have the same issue with Linux/AIX/Solaris boxes, each having their own policy files, but all having the same issue with variables.
I have tried to run the following command in my environment.
editres ACVAR ("POLICYAUDITMODE") value("FAILURE")
editres ACVAR ("POLICYDEFACCESS") value("ALL")
editres FILE ("C:\test.txt") audit(<!POLICYAUDITMODE>) owner(nobody) defaccess(<!POLICYDEFACCESS>) warning comment("AC Sample")
ERROR:<!POLICY_AUDIT_MODE> is an invalid audit value for resources
AaronArmagost mulan04, can you please confirm whether this is a bug or am I doing something wrong?
Are you sourcing the policy from an interactive selang session? If so, references to variables do not work in that case. The variables can be created, but referencing the variable from another command, like editing a FILE object, does not work.
Variables can only be used in policies managed by Advanced Policy Management (APM). You can create the ACVAR objects in an interactive selang session, and those variables can be referenced by a policy managed by APM. You can also create the ACVAR objects within the policy managed by APM, as in the example I attached.
I successfully created a policy from the selang rules you noted through APM.
The following screenshot shows how the policy is defined in APM. It also shows that 12.9 SP1 was used.
The following screenshot shows confirmation from submitting the policy. NOTE: The confirmation notes "No operation was required." This is because I had successfully finalized the policy on a previous modification.
I got the idea, but when I try to deploy the standard policy (win2003_deploy.txt) as I attached it, I receive the following warning, and when I try to log into the endpoint interface and search for the containers created or the monitored programs etc., nothing appears at all, as if the policy stopped after the 3 warnings.
Any idea what my mistake is here?
Let's look at this in a step by step process.
- Share the screenshot where you have defined the ACVARs, as was displayed by Warren.
- Next the output of "sr ACVAR *"
- After this try to deploy the policy containing the ACVAR
If we are not able to help resolve your problem in communities, we would request you to open a support ticket as this might need more time to investigate and work in a lab environment.