CA Security Tech Tip: How to Determine Why Privileged Identity Management Untrusted a Program

Discussion created by rehbr01 Employee on Jul 1, 2015

When a program has been altered, PIM will untrust it and prevent it from being run. To determine why this has happened, use the seaudit utility to list the event and look up the watchdog (seoswd) code. In the seaudit output, untrust events contain "U PROGRAM" in the line.

EXAMPLE:

# seaudit -a | grep 'U PROGRAM'
30 Jun 2015 11:24:56 U PROGRAM      seoswd                 1 8704 /bin/su
30 Jun 2015 11:25:36 U PROGRAM      seoswd                 1 8192 /opt/CA/AccessControl/bin/sebuildla

The audit code for any untrust event will be 1 and the seoswd code will be next to it. In the examples above, the seoswd codes are 8704 and 8192. To look up the meaning of the seoswd codes, use seaudit with the -St or -Stat option.

EXAMPLE:

# seaudit -St 8192
The INODE of the file was changed

# seaudit -St 8704
The INODE of the file was changed
The MTIME of the file was changed

In this example, the INODE of each file was changed. In addition, the MTIME of /bin/su was changed.
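The two steps above can be combined into one shell pass. The script below is an added example, not part of the original tip or of the PIM product: it reads constructed seaudit output, keeps the "U PROGRAM" lines, and splits the seoswd code into its flag values, assuming (from the tip's own numbers, 8704 = 8192 + 512) that the code is a bitmask in which 8192 means INODE changed and 512 means MTIME changed; any other bit is reported as unknown so it can be checked with seaudit -St.

```shell
#!/bin/sh
# Added example: decode seoswd codes from 'seaudit -a' untrust events.
# Assumption: the code is a bitmask; 8192 = INODE changed, 512 = MTIME
# changed (derived from the tip: 8704 - 8192 = 512). Other bits are unknown.

# Constructed sample in the same shape as the tip's output (not real audit data).
SAMPLE_AUDIT='30 Jun 2015 11:24:56 U PROGRAM      seoswd                 1 8704 /bin/su
30 Jun 2015 11:25:36 U PROGRAM      seoswd                 1 8192 /opt/CA/AccessControl/bin/sebuildla
30 Jun 2015 11:26:02 A FILE         sebuildla              0 0 /etc/passwd'

# Name one flag bit; only the two values the tip documents are known here.
flag_name() {
    case "$1" in
        8192) echo "INODE changed" ;;
        512)  echo "MTIME changed" ;;
        *)    echo "unknown flag $1 (check: seaudit -St $1)" ;;
    esac
}

# Split a seoswd code into its set bits, highest first, comma-separated.
decode_seoswd() {
    code=$1
    bit=$((1 << 30))
    out=""
    while [ "$bit" -gt 0 ]; do
        if [ $((code & bit)) -ne 0 ]; then
            name=$(flag_name "$bit")
            out="${out:+$out, }$name"
        fi
        bit=$((bit / 2))
    done
    echo "${out:-no flags set}"
}

# Read seaudit -a output on stdin; print "<program> <code>: <decoded flags>"
# for each untrust event. The code is the next-to-last field, the program last.
untrust_events() {
    awk '$5 == "U" && $6 == "PROGRAM" { print $(NF-1), $NF }' |
    while read -r code prog; do
        echo "$prog $code: $(decode_seoswd "$code")"
    done
}

# Stand-alone run on the constructed sample (replace with: seaudit -a | untrust_events).
printf '%s\n' "$SAMPLE_AUDIT" | untrust_events
```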