Symantec Privileged Access Management


 Server Control Agent Issue

Jorghy Misnan posted Aug 18, 2022 11:01 PM
This is my first time installing the SC agent on a Linux OS client and I've encountered the following issues:
1. Cannot run the selang command using a root-level sudo user or using root itself.
2. Following the step in the documentation to fix the first issue, I tried to stop the service, but that is not working either.

Any idea the cause and solution for these?


Broadcom Employee Joseph Lutz Best Answer
Jorghy

No, the method of your install will not change the behavior, but using sudo and su after PAMSC is started will. As I stated, we add the root user to the terminal rights during the install. If you want pamuser to also have terminal rights you can add him to the admin group during the install or push a terminal rule to that user through the ENTM manager or PAM 4.x to this or all endpoints. Pravin's suggestion to stop PAMSC and update the database can also be helpful if you do not have ENTM or PAM configured yet to push policy updates. Pravin's suggestion about the name resolution could also come into play, but based on your use of su/sudo I would not assume this just yet.

Essentially you have to add a user to the terminal rule.
Assuming you want to do this through selang and do not want to log directly into the machine as root, you will need to do the following:
1. Restart the server after making sure that seos is not set to restart on server boot. This will allow you to access the seosdb without our rules.
2. Log in and su to root to run the following:

[root@HOSTNAME ~]# hostname
HOSTNAME
[root@HOSTNAME ~]# /opt/CA/PAMSC/bin/selang -l
CA Privileged Access Manager Server Control selang v14.10.0.1633 - command line interpreter
Copyright (c) 2018 CA. All rights reserved.

PAMSC> sr terminal HOSTNAME
Data for TERMINAL 'HOSTNAME'
-----------------------------------------------------------
Defaccess : R
ACLs :
Accessor Access
+devcalc (USER ) W
+policyfetcher(USER ) W
root (USER ) R, W
Audit mode : Failure
Owner : root (USER )
Create time : 04-Aug-2021 20:06
Update time : 04-Aug-2021 20:06
Updated by : root (USER )

PAMSC> auth terminal HOSTNAME xuid(pamuser) access(all) owner(nobody)
Successfully created XUSER pamuser
Successfully added pamuser to HOSTNAME's ACL

PAMSC> sr terminal HOSTNAME
Data for TERMINAL 'HOSTNAME'
-----------------------------------------------------------
Defaccess : R
ACLs :
Accessor Access
+devcalc (USER ) W
+policyfetcher(USER ) W
root (USER ) R, W
pamuser (XUSER ) R, W
Audit mode : Failure
Owner : root (USER )
Create time : 04-Aug-2021 20:06
Update time : 22-Aug-2022 08:11
Updated by : root (USER )

PAMSC> exu pamuser admin
Successfully updated XUSER pamuser
PAMSC> sxu pamuser
Data for XUSER 'pamuser'
-----------------------------------------------------------
User mode : Admin
Owner : root (USER )
Create time : 22-Aug-2022 08:11
Update time : 22-Aug-2022 08:33
Updated by : root (USER )

PAMSC> exit
[root@HOSTNAME ~]# seload


Then try again.


If you are struggling after this, it may be simpler to open a support ticket to have a WebEx to demonstrate.

Joe
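As an added diagnostic, not code from this thread or from Broadcom: a small Python parser for the `sr terminal` listing above that reports whether a given login user holds W on the TERMINAL record (the listing shows the admin users with R, W) and whether the terminal name matches the host's short name, the name-resolution mismatch Pravin mentions. The sample output is constructed from the first listing in this answer, before pamuser was added.

```python
import re

# Constructed sample: the shape of `sr terminal HOSTNAME` output shown in the thread,
# captured before pamuser was added (only root has an explicit R, W entry).
SAMPLE_SR_TERMINAL = """\
Data for TERMINAL 'HOSTNAME'
-----------------------------------------------------------
Defaccess : R
ACLs :
Accessor Access
+devcalc (USER ) W
+policyfetcher(USER ) W
root (USER ) R, W
Audit mode : Failure
Owner : root (USER )
"""

# One ACL row: accessor, class in parentheses, then the comma-separated access list.
ACL_ROW = re.compile(r"^(\S+?)\s*\((\w+)\s*\)\s+(.+)$")

def parse_sr_terminal(text):
    """Parse selang 'sr terminal' output into (name, defaccess set, {accessor: {...}})."""
    name, defaccess, acl, in_acl = None, set(), {}, False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Data for TERMINAL '(.+)'", line)
        if m:
            name = m.group(1)
        elif line.startswith("Defaccess"):
            defaccess = {a.strip() for a in line.split(":", 1)[1].split(",") if a.strip()}
        elif line.startswith("ACLs"):
            in_acl = True
        elif in_acl and not line.startswith("Accessor"):
            m = ACL_ROW.match(line)
            if not m:          # "Audit mode : ..." ends the ACL section
                in_acl = False
                continue
            accessor, cls, access = m.groups()
            acl[accessor] = {"class": cls, "access": {a.strip() for a in access.split(",")}}
    return name, defaccess, acl

def has_terminal_write(parsed, user):
    """True if `user` gets W on the terminal, via an explicit ACL row or else Defaccess."""
    _, defaccess, acl = parsed
    entry = acl.get(user)
    return "W" in (entry["access"] if entry else defaccess)

def terminal_name_matches_host(parsed, hostname):
    """Flag a TERMINAL record whose short name differs from the host's (case-insensitive)."""
    name = parsed[0] or ""
    return name.lower().split(".")[0] == hostname.lower().split(".")[0]
```

Run `selang -l`, then `sr terminal $(hostname)`, and feed the captured text to `parse_sr_terminal` together with the name printed by `sewhoami -a` to see why a sudo session is refused.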
Broadcom Employee Joseph Lutz
PAMSC tracks the user login and applies rules based on the original user. Since root is a default admin in the seosdb, he would have terminal rights, but if you sudo or su to root, the rules of the original user would still apply.
Use sewhoami -a to evaluate who you are logged in as, and you can grant them terminal rights.

Logged in as user1:
[user1@ORA12-1 ~]$ sewhoami -a
user1
ACEE Contents
User's Name : user1
ACEE's Handle : 142

su to root:
[user1@ORA12-1 ~]$ su root
Password:
[root@ORA12-1 user1]# sewhoami -a
user1
ACEE Contents
User's Name : user1
ACEE's Handle : 142

By tracking the original user we can better maintain security even when someone accesses a root account.

Broadcom Employee Pravin Bhole
Hi Jorghy,
It looks like during install the terminal got created wrongly. I have seen this kind of issue when there is a name resolution issue with the system. During install, the terminal gets created either by short name or by IP, and communication happens in exactly the opposite form to what was created. If the root user cannot do anything, then the only way is to log in as root to the system and make changes to the system so that the SC services will not start on reboot. Reboot the system. After the reboot you can do 'selang -l'. Make the necessary changes to the default local terminal so that after the reboot you can run selang as well as start/stop the services.
Regards,
Pravin Bhole
Jorghy Misnan
I installed the agent using the sudo command with a user called "pamuser". Does this mean that in order to use both selang and secons -s, I need to log in to the server as root and not as "pamuser", which then does sudo su to root?
Broadcom Employee Pravin Bhole
Jorghy,

The recommendation is to install the application when logged in as root. It is OK even if you install the application when logged in as a different user and later switch to the root user. You said in your first post that even a root user login can't manage the application. This means there is a terminal issue because of name resolution. Did you try the solution I suggested (turn off application start on reboot and then selang -l)?
Regards,
Pravin Bhole
Jorghy Misnan
OK, let me test both solutions. I'll let you know how it goes.
Jorghy Misnan
Thanks Joseph and Pravin, now I am able to run the selang command after logging in as root.