Symantec Privileged Access Management

  • 1.  How to generate PIM events manually?

    Broadcom Employee
    Posted Jul 31, 2018 09:56 AM

    Hello All,

     

    Is there any way in PIM we can generate audit events manually (by command)?

    HINT - In eTrustAudit we used to generate events with the etSAPIsend command.

    Thanks in advance.

    Regards,

    Pravin Bhole



  • 2.  Re: How to generate PIM events manually?
    Best Answer

    Posted Jul 31, 2018 12:10 PM

    Hi Pravin,

     

    I will demonstrate how to generate a basic denial against a file.  I am logged in as root.  Here is the sewhoami utility verifying my identity as 'root':

     

    [root@gomer02 install]# sewhoami -a
    root
    ACEE Contents
    User's Name : root
    ACEE's Handle : 22
    Group Connections Table:
    <Empty>
    Categories : <None>
    Profile Group : <None>
    Security Label : <None>
    User's Audit Mode : Failure LoginSuccess LoginFailure
    User's Security Level : 0
    Source Terminal : <Unknown>
    Process Count for ACEE : 39
    User's Mode : Admin Auditor
    ACEE's Creation Time : Tue Jul 31 08:17:25 2018

     

    Next, I created a flat file named 'test.txt':

    [root@gomer02 install]# touch test.txt

     

    Then, I created a file rule stating no one has access to it:

    AC> ef /install/test.txt defaccess(none) owner(nobody)

    (localhost)
    Successfully created FILE /install/test.txt

     

    --

    In the next SSH session, I am logged in as local_user1.  Here is the sewhoami utility verifying my identity as 'local_user1':

     

    -sh-4.2$ sewhoami -a
    local_user1
    ACEE Contents
    User's Name : local_user1
    ACEE's Handle : 30
    Group Connections Table:
    <Empty>
    Categories : <None>
    Profile Group : <None>
    Security Label : <None>
    User's Audit Mode : Failure LoginSuccess LoginFailure
    User's Security Level : 0
    Source Terminal : 141.202.114.213
    Process Count for ACEE : 3
    User's Mode : Auditor
    ACEE's Creation Time : Tue Jul 31 11:58:39 2018

     

    Here is me getting the denial of access:

    -sh-4.2$ cat /install/test.txt
    cat: /install/test.txt: Permission denied

     

    --

     

    I went back to my original SSH session as root.  I used the seaudit utility to ensure that there was a denial when local_user1 accessed '/install/test.txt':

     

    [root@gomer02 install]# seaudit -a -st now-15 | grep ' D '
    CA Privileged Access Manager Server Control seaudit v14.01.0.412 - Audit log lister
    Copyright (c) 2016 CA. All rights reserved.
    31 Jul 2018 11:58:47 D FILE local_user1 Read 69 2 /install/test.txt /usr/bin/cat gomer02-w10a.ca.com local_user1

     

    Here is the code below which provides a definition as to why there was a resource being blocked.  As you can see, we blocked the access from happening:

     

    [root@gomer02 install]# seaudit -t | grep 69
    CA Privileged Access Manager Server Control seaudit v14.01.0.412 - Audit log lister
    Copyright (c) 2016 CA. All rights reserved.
    69 No Step that allowed access

     

    I hope this helps.

     

    Thanks,

    Eric



  • 3.  Re: How to generate PIM events manually?

    Broadcom Employee
    Posted Jul 31, 2018 01:06 PM

    Hi Eric,

     

    This will definitely help to generate audit events. Actually, I was looking for some command to write some dummy events in seaudit so that I can collect them in SIEM to ensure there is no loss of events, as well as to load test.

    I think I can use your suggestion and write a script to access a resource so that it can generate audit events.

    Do we have any command to generate events in PIM?

    Regards,

    Pravin Bhole



  • 4.  Re: How to generate PIM events manually?

    Posted Jul 31, 2018 01:37 PM

    Hi Pravin,

     

    You can accomplish this in numerous ways.  However, the scenario I have described earlier in the thread is the most basic use-case of trying to generate a denial within the seaudit utility when a user does not have access to said filesystem resource.

     

    Let us take the same example and break down the syntax:

    AC> ef /install/test.txt defaccess(none) owner(nobody)

     

    The defaccess() flag will take effect for all users who are not explicitly defined.  The defaccess(R) is for access, whereas defaccess(W) is for administrative access.

     

    As for the owner() flag, we put nobody in there as a placeholder because the owner of a rule is not restricted by the rule. If we do not specify an owner, then the user who created the rule is the owner.

     

    Thanks,

    Eric
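
The event-loss check discussed in this thread can be scripted as below. This is an added example, not code from any poster or from the product: it parses `seaudit` denial lines and reconciles them against what the SIEM received. The field names are labels inferred from the single audit line shown above, and `SIEM_KEYS` is a hypothetical export of events the SIEM ingested.

```python
import re
from collections import Counter

# Field layout inferred from the one seaudit line in the thread (assumption);
# only FILE records are handled because that is the only layout shown.
LINE = re.compile(
    r"^(?P<ts>\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) (?P<result>[A-Z]) "
    r"(?P<cls>\S+) (?P<user>\S+) (?P<access>\S+) (?P<reason>\d+) (?P<stage>\d+) "
    r"(?P<resource>\S+) (?P<program>\S+) (?P<host>\S+) (?P<trailing_user>\S+)$"
)

def parse_seaudit(text):
    """Return FILE records as dicts; banner and copyright lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m and m["cls"] == "FILE":
            records.append(m.groupdict())
    return records

def event_key(rec):
    return (rec["ts"], rec["user"], rec["resource"], rec["result"])

def reconcile(seaudit_text, siem_keys, resource):
    """Compare denials for one resource in seaudit with what the SIEM holds.
    Counters keep duplicates, since a test loop can deny several times per second."""
    local = Counter(event_key(r) for r in parse_seaudit(seaudit_text)
                    if r["result"] == "D" and r["resource"] == resource)
    missing = local - Counter(siem_keys)
    return {"generated": sum(local.values()),
            "missing": sorted(missing.elements())}

# First three lines are from the thread; the last two are constructed.
SAMPLE = """\
CA Privileged Access Manager Server Control seaudit v14.01.0.412 - Audit log lister
Copyright (c) 2016 CA. All rights reserved.
31 Jul 2018 11:58:47 D FILE local_user1 Read 69 2 /install/test.txt /usr/bin/cat gomer02-w10a.ca.com local_user1
31 Jul 2018 11:58:48 D FILE local_user1 Read 69 2 /install/test.txt /usr/bin/cat gomer02-w10a.ca.com local_user1
31 Jul 2018 11:58:48 D FILE local_user1 Read 69 2 /install/test.txt /usr/bin/cat gomer02-w10a.ca.com local_user1
"""
# Constructed SIEM export: one of the two 11:58:48 denials never arrived.
SIEM_KEYS = [
    ("31 Jul 2018 11:58:47", "local_user1", "/install/test.txt", "D"),
    ("31 Jul 2018 11:58:48", "local_user1", "/install/test.txt", "D"),
]

if __name__ == "__main__":
    print(reconcile(SAMPLE, SIEM_KEYS, "/install/test.txt"))
```

Feed it the output of `seaudit -a -st now-15` after the test run; a non-empty `missing` list means events were dropped between the endpoint and the SIEM.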