Symantec Privileged Access Management

  • Private Community
 View Only

  • 1.  Parameters that can be set for bypass_services

    Posted Apr 07, 2020 10:24 PM
    Edited by Haruka Murata Apr 08, 2020 12:38 AM
    Product Infomation:CA PRIVILEGED IDENTITY MANAGER 12.8

    I'm worried about the bypass_services token in the [pam_seos] section.

    According to the following URL, two services, ftp and vsftpd, are registered by default.

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-privileged-access-management/privileged-identity-manager/14-0/reference/configuration-files/ the-seos-ini-initialization-file / pam-seos.html

    When adding other services, what values can be registered?

    Is there something like a list of services that can be registered?


    Regards


  • 2.  RE: Parameters that can be set for bypass_services

    Broadcom Employee
    Posted Apr 10, 2020 07:48 AM
    Haruka

    I do not believe we have any documented list of services that can be bypassed. We do occasionally have requirements to stop scanning process from services like Oracle and other databases. Our kernel processes filter access by monitoring every system call like open and read. this can slow high priority threads down so if there is no need to monitor we exclude them. If you have a specific process that you believe my be negatively impacted by us then we can review how best to handle that. Are you seeing a problem?

    Joe Lutz
    Original Message


  • 3.  RE: Parameters that can be set for bypass_services

    Posted Apr 17, 2020 02:24 AM

    Hi Joe,

    thank you for your answer.
    I understand that there is no particular list.

    There is no problem with this setting.
    I was concerned about the value to specify when changing the bypass_services setting.

    I'm sorry for my lack of understanding. For example, if you want to bypass httpd in a Linux OS environment, do you agree with the following settings in bypass_services?


    1. Check the service operation status
    [example]
    [root @ apa ~] # ps -ef | grep httpd
    root 25062 1 1 15:08? 00: 00: 00 / usr / sbin / httpd -DFOREGROUND

    2. Add httpd to bypass_services in seos.ini
    [example]
    bypass_services = ftp, vsftpd, httpd


    Regards

    Haruka


    Original Message


  • 4.  RE: Parameters that can be set for bypass_services
    Best Answer

    Broadcom Employee
    Posted Apr 17, 2020 09:46 AM
    Haruka

    I think a more appropriate method to bypass for a process would be in the rules

    nr SPECIALPGM  /usr/sbin/httpd owner(nobody) pgmtype(fullbypass, propagate)

    Joe
    Original Message


  • 5.  RE: Parameters that can be set for bypass_services

    Posted Apr 20, 2020 03:08 AM
    Edited by Haruka Murata Apr 20, 2020 03:50 AM

    Joseph

    Thank you for your response.

    The above httpd is just presented as a sample when making configuration changes to bypass_service.
    It is said that the bypass using SPECIAL PGM is suitable when actually bypassing, but there is two question.

    [Question1]
    When adding a setting to bypass_service, is the process confirmed by the ps command compatible with the recognition that can be specified?

    [Question2]
    Is there any difference in behavior between bypass_service and SPECIALPGM class this time?
    If you need to use them properly, what kind of way should you set them?

    Regards

    Haruka


    Original Message