Symantec Privileged Access Management

Tech Tip - CA Privileged Access Manager: Socket Filter Agent 2.7 installed on AIX 6.1 and AIX 7.1 is not blocking SSH access to the blacklisted hosts

By wonsa03 posted Apr 06, 2017 10:54 PM

CA Privileged Access Manager Tech Tip by Kelly Wong, Principal Support Engineer for 7th April 2017

Issue

Socket Filter Agent 2.7 installed on AIX 6.1 and AIX 7.1 is not blocking SSH access to the blacklisted hosts specified in the socket filter list. The whitelist works as expected.

Environment

CA Privileged Access Manager: 2.7
Socket Filter Agent: 2.7
Target Servers: AIX 6.1, AIX 7.1

Cause

SFA marks the hosts in the filter list as invalid filter IPs and ignores them, so no filters are loaded and the blacklist blocks nothing:

<6>gksfd: 2017-04-06 19:33:43 >>> device information:
<6>gksfd: 2017-04-06 19:33:43 device: ip(***.***.xx.xx) port(22) policy(b)
<4>gksfd: 2017-04-06 19:33:43 make_struct: ignore invalid filter ip (10.***.xx.***/23 22)
<4>gksfd: 2017-04-06 19:33:43 make_struct: ignore invalid filter ip (10.***.***.***/23 22)
<6>gksfd: 2017-04-06 19:33:43 >>> filter information: 0 filters.

In the working case, the filters are recognized and loaded:

<6>gksfd: 2017-04-06 19:54:19 >>> device information:
<6>gksfd: 2017-04-06 19:54:19 device: ip(***.xx.xx.xx) port(22) policy(b)
<6>gksfd: 2017-04-06 19:54:19 >>> filter information: 2 filters.

Workaround

SFA blocks the blacklisted hosts once the netmask (the /23 suffix in the log above) is removed from the host IP address in the filter list.
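As an added example (not part of this Tech Tip or of the SFA product), the following Python check reads a gksfd.log excerpt for the fail-open condition described above, a blacklist policy whose entries were all ignored so that 0 filters loaded, and rewrites each ignored entry the way the workaround does. The log lines and IP addresses in it are constructed to match the format shown above.

```python
"""Added example: detect the AIX SFA 2.7 symptom in gksfd.log (entries with a
/netmask rejected as 'invalid filter ip', blacklist loads 0 filters) and apply
the Tech Tip workaround of dropping the netmask."""
import ipaddress
import re

# Constructed samples modelled on the log excerpts in the Tech Tip.
BROKEN_LOG = """\
<6>gksfd: 2017-04-06 19:33:43 >>> device information:
<6>gksfd: 2017-04-06 19:33:43 device: ip(192.0.2.10) port(22) policy(b)
<4>gksfd: 2017-04-06 19:33:43 make_struct: ignore invalid filter ip (10.1.2.0/23 22)
<4>gksfd: 2017-04-06 19:33:43 make_struct: ignore invalid filter ip (10.1.4.0/23 22)
<6>gksfd: 2017-04-06 19:33:43 >>> filter information: 0 filters.
"""
WORKING_LOG = """\
<6>gksfd: 2017-04-06 19:54:19 >>> device information:
<6>gksfd: 2017-04-06 19:54:19 device: ip(192.0.2.10) port(22) policy(b)
<6>gksfd: 2017-04-06 19:54:19 >>> filter information: 2 filters.
"""

POLICY_RE = re.compile(r"device: ip\(([^)]+)\) port\((\d+)\) policy\(([bw])\)")
IGNORED_RE = re.compile(r"ignore invalid filter ip \(([^ )]+) (\d+)\)")
COUNT_RE = re.compile(r"filter information: (\d+) filters\.")

def analyse_gksfd_log(text):
    """Summarise one device block: policy (b=blacklist, w=whitelist), filters
    loaded, entries the daemon ignored, and whether the outcome is fail-open
    (a blacklist whose configured entries were all dropped blocks nothing)."""
    policy, loaded, ignored = None, None, []
    for line in text.splitlines():
        if m := POLICY_RE.search(line):
            policy = m.group(3)
        elif m := IGNORED_RE.search(line):
            ignored.append((m.group(1), int(m.group(2))))
        elif m := COUNT_RE.search(line):
            loaded = int(m.group(1))
    fail_open = policy == "b" and loaded == 0 and bool(ignored)
    return {"policy": policy, "loaded": loaded, "ignored": ignored, "fail_open": fail_open}

def apply_workaround(entry):
    """Rewrite one ignored entry ('ip/prefix port') as the workaround does:
    drop the netmask, keep the bare host address and port. The rewritten
    entry covers that single host only, not the whole prefix."""
    addr, port = entry.split()
    host = addr.split("/", 1)[0]
    ipaddress.ip_address(host)  # ValueError if what remains is not a plain IP
    return f"{host} {port}"
```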

Resolution

The SFA 2.7 installers for AIX 6.1 and AIX 7.1 have been revised to address this issue.

Additional Information

Troubleshooting SFA issues:

  • SFA is installed with the Windows default Administrator account or the UNIX root account
  • SFA is installed on a supported operating system (see the Platform Support Matrix)
  • Communication between the target host and the SFA on the target host over port 8550 (the default SFA port) and port 443 is not blocked
  • Ensure that the SFA daemon is running (/etc/rc.d/init.d/gksfd start)
  • Check gksfd.log (/var/tmp/gksfd.log)
  • Associate the socket filter with the user-device policy
  • On UNIX and Linux targets, SFA filters only non-root users. To test access control against the filter list, log in to the target UNIX host as a non-root user, and make sure that user is not listed under SECURE_USER in the gksfd.cfg file