Is there an issue where the blocking policy is triggered when the Hostnet class tries the warning policy?
In the test environment, I created a hostnet warning policy for ssh, and the blocking occurred. Is there an issue where the warning option does not apply to the Hostnet class?
If a HOSTNET resource is put in warning mode, PIM will allow the connection to occur and record it in seaudit. When it is not in warning mode, the connection will be blocked. I was able to confirm this by reproducing the use case on a test server.
Here is the output of seaudit from my test machine where I confirmed the behavior.
08 Feb 2018 14:17:22 W HOST ssh 202 4 testserver.ca.com /usr/sbin/sshd08 Feb 2018 14:17:27 P LOGIN root 59 2 testserver.ca.com SSH
....08 Feb 2018 14:18:47 S UPDATE HOSTNET root 305 0 localhost er HOSTNET testing warning-08 Feb 2018 14:19:00 D HOST ssh 169 3 testserver.ca.com /usr/sbin/sshd
And here is the rule I have on my lab server.
AC> sr HOSTNET *(localhost)Data for HOSTNET 'testing'-----------------------------------------------------------Warning : YesInet ACLs : Service Access * NoneMask/Match : 255.255.255.0/22.214.171.124Audit mode : AllOwner : root (USER )Create time : 08-Feb-2018 13:22Update time : 08-Feb-2018 14:18Updated by : root (USER )
Can you please confirm how you have the HOSTNET rule set up in selang along with what you see in seaudit when you try and log into the server?
CA Support Engineer
i tested it your way and the result are good.
Thanks a lot.
but, i was wandering.
I wonder how the HOST and HOSTNET policies are distinguished on the seaudit log.
If i are going to activate the HOSTNET policy from a customer with a large log volume, i should see only the logs generated by the HOSTNET policy.
I would appreciate it if it suggests a possible way.
The seaudit record itself will list show as HOST, but if you look at the seaudit code, it will mention HOSTNET. For example, I searched for the 169 audit code I received above and see that it is the HOSTNET rule that denied access.
# seaudit -t | grep 169CA ControlMinder seaudit v126.96.36.19973 - Audit log listerCopyright (c) 2013 CA. All rights reserved.169 HOSTNET (network or IP mask/match) inetacl asterisk