Symantec Privileged Access Management

  • 1.  Hostnet class does not apply warning? or haven't?

    Posted Feb 07, 2018 08:38 PM

    Is there an issue where the blocking policy is triggered when the Hostnet class tries the warning policy?

    In the test environment, I created a hostnet warning policy for ssh, and the blocking occurred. Is there an issue where the warning option does not apply to the Hostnet class?



  • 2.  Re: Hostnet class does not apply warning? or haven't?
    Best Answer

    Broadcom Employee
    Posted Feb 08, 2018 03:25 PM

    Hello,

     

    If a HOSTNET resource is put in warning mode, PIM will allow the connection to occur and record it in seaudit. When it is not in warning mode, the connection will be blocked. I was able to confirm this by reproducing the use case on a test server.

     

    Here is the output of seaudit from my test machine where I confirmed the behavior.

    08 Feb 2018 14:17:22 W HOST ssh 202 4 testserver.ca.com /usr/sbin/sshd
    08 Feb 2018 14:17:27 P LOGIN root 59 2 testserver.ca.com SSH

    ....
    08 Feb 2018 14:18:47 S UPDATE HOSTNET root 305 0 localhost er HOSTNET testing warning-
    08 Feb 2018 14:19:00 D HOST ssh 169 3 testserver.ca.com /usr/sbin/sshd

     

    And here is the rule I have on my lab server.

    AC> sr HOSTNET *
    (localhost)
    Data for HOSTNET 'testing'
    -----------------------------------------------------------
    Warning : Yes
    Inet ACLs :
    Service   Access
    *              None
    Mask/Match : 255.255.255.0/141.242.141.0
    Audit mode : All
    Owner : root (USER )
    Create time : 08-Feb-2018 13:22
    Update time : 08-Feb-2018 14:18
    Updated by : root (USER )

     

    Can you please confirm how you have the HOSTNET rule set up in selang along with what you see in seaudit when you try and log into the server?

     

    Thanks,

    Brian Rehder

    CA Support Engineer



  • 3.  Re: Hostnet class does not apply warning? or haven't?

    Posted Feb 18, 2018 08:21 PM

    I tested it your way and the results are good.

    Thanks a lot.

     

    But I was wondering.

     

    I wonder how the HOST and HOSTNET policies are distinguished in the seaudit log.

     

    If I am going to activate the HOSTNET policy for a customer with a large log volume, I should see only the logs generated by the HOSTNET policy.

    I would appreciate it if you could suggest a possible way.

     

    Thanks,

    Best Regards.



  • 4.  Re: Hostnet class does not apply warning? or haven't?

    Broadcom Employee
    Posted Feb 20, 2018 05:49 PM

    Hello,

     

    The seaudit record itself will show as HOST, but if you look at the seaudit code, it will mention HOSTNET. For example, I searched for the 169 audit code I received above and see that it is the HOSTNET rule that denied access.

     

    # seaudit -t | grep 169
    CA ControlMinder seaudit v12.81.0.3073 - Audit log lister
    Copyright (c) 2013 CA. All rights reserved.
    169 HOSTNET (network or IP mask/match) inetacl asterisk

     

    Thanks,

    Brian
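
The thread makes two practical points: a HOSTNET rule in warning mode produces a `W` record and lets the connection through, while out of warning mode it produces a `D` record and blocks it; and the record class still reads `HOST`, so the reason code (169 in the `seaudit -t` output above), not the class column, is what identifies a HOSTNET decision. The following Python filter is an added example, not code from the thread or from CA/Symantec. It assumes the whitespace-separated seaudit line layout visible in the posts above (other versions or locales may differ), treats code 169 as confirmed HOSTNET because the page shows it in `seaudit -t`, and treats code 202 (the code on the warning-mode `HOST` record in the thread) as an unverified assumption that the reader should check with `seaudit -t | grep 202` before relying on it.

```python
"""Filter CA PIM / ControlMinder seaudit output down to HOSTNET-driven events.

Added example, not the product's code. Assumes the seaudit line layout quoted
in the thread; other seaudit versions or locales may lay records out differently.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Confirmed on the page by `seaudit -t`:
#   169 HOSTNET (network or IP mask/match) inetacl asterisk
CONFIRMED_HOSTNET_CODES = {169}
# ASSUMPTION: 202 appeared on the HOST record while the HOSTNET rule was in
# warning mode. It is not verified with `seaudit -t` on the page; check it.
ASSUMED_HOSTNET_CODES = {202}

ACTION_BY_DISPOSITION = {
    "P": "permitted",
    "D": "blocked",
    "W": "permitted (warning mode, audited only)",
    "S": "administrative (selang) event",
}


@dataclass(frozen=True)
class AuditRecord:
    date: str         # "08 Feb 2018"
    time: str         # "14:19:00"
    disposition: str  # P / D / W / S
    cls: str          # HOST, LOGIN, UPDATE, ...
    resource: str     # tokens between the class and the reason code
    code: int         # seaudit reason code (see `seaudit -t`)
    stage: int
    host: str
    detail: str       # everything after the host, e.g. the program path


def parse_record(line: str) -> Optional[AuditRecord]:
    """Parse one seaudit line; return None for lines that do not fit.

    HOST, LOGIN and UPDATE records carry different numbers of tokens before
    the reason code, so we locate the first pair of consecutive integer
    tokens and treat them as reason code and stage instead of using fixed
    field positions.
    """
    tokens = line.split()
    if len(tokens) < 9 or tokens[4] not in ACTION_BY_DISPOSITION:
        return None
    for i in range(6, len(tokens) - 2):
        if tokens[i].isdigit() and tokens[i + 1].isdigit():
            return AuditRecord(
                date=" ".join(tokens[0:3]),
                time=tokens[3],
                disposition=tokens[4],
                cls=tokens[5],
                resource=" ".join(tokens[6:i]),
                code=int(tokens[i]),
                stage=int(tokens[i + 1]),
                host=tokens[i + 2],
                detail=" ".join(tokens[i + 3:]),
            )
    return None


def parse_log(text: str) -> Tuple[List[AuditRecord], List[str]]:
    """Parse a seaudit dump; return (records, lines that could not be parsed)."""
    records: List[AuditRecord] = []
    rejected: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        rec = parse_record(line)
        if rec is None:
            rejected.append(line)   # keep, do not silently drop, unparsed lines
        else:
            records.append(rec)
    return records, rejected


def hostnet_records(records: Iterable[AuditRecord],
                    include_assumed: bool = False) -> List[AuditRecord]:
    """Keep only records whose reason code points at a HOSTNET rule.

    The class column still reads HOST, so the reason code is the only field
    that separates HOSTNET decisions from ordinary HOST decisions.
    """
    codes = set(CONFIRMED_HOSTNET_CODES)
    if include_assumed:
        codes |= ASSUMED_HOSTNET_CODES
    return [r for r in records if r.code in codes]


def effective_action(rec: AuditRecord) -> str:
    """W means the connection was allowed and only recorded; D means blocked."""
    return ACTION_BY_DISPOSITION[rec.disposition]


def summarize(records: Iterable[AuditRecord]) -> Dict[Tuple[str, int], int]:
    """Count records per (disposition, reason code): useful to compare warning
    volume against denials before taking a HOSTNET rule out of warning mode."""
    return dict(Counter((r.disposition, r.code) for r in records))


# Constructed sample: the four lines quoted in the thread plus the "...."
# elision marker, which the parser must skip rather than choke on.
SAMPLE_LOG = """\
08 Feb 2018 14:17:22 W HOST ssh 202 4 testserver.ca.com /usr/sbin/sshd
08 Feb 2018 14:17:27 P LOGIN root 59 2 testserver.ca.com SSH
....
08 Feb 2018 14:18:47 S UPDATE HOSTNET root 305 0 localhost er HOSTNET testing warning-
08 Feb 2018 14:19:00 D HOST ssh 169 3 testserver.ca.com /usr/sbin/sshd
"""

if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    for r in hostnet_records(recs, include_assumed=True):
        print(f"{r.date} {r.time} {r.cls} {r.resource} code={r.code} -> {effective_action(r)}")
    print("unparsed:", bad)
    print("summary:", summarize(recs))
```

On a production host, pipe the real dump in (`seaudit -a | python3 hostnet_filter.py`, or read the file seaudit writes) after first running `seaudit -t` and adjusting the two code sets to what that installation reports; the reason-code table, not the class column, is the stable key for this filter.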