CA Access Control r12_5 SP5 FIXLIST - CA Technologies

CA Access Control r12.5 SP5 FIXLIST

All Service Packs are cumulative; therefore, fixes included in previous releases are not mentioned in the FIXLIST.

Last Updated: October 24, 2011

No. Severity Module Problem summary Package Problem ID Test Fix ID/Published ID OS Cause of the problem Conditions Solution or workaround Reproduction steps
1 2 Unix endpoint user mode Fixes an issue with Access Control on HP where the seoswd (watchdog) daemon starts a new process if the seosd daemon is not responding but does not wait for the child process to exit. AC125SP40194 1587 T243754 Unix all There is no signal handling for the child process in the parent process N/A Add a signal handling in the parent process. This signal handle waits for the child process's status. Once the Child process is successfully created, the parent process can move on and do its own stuff
  1. vi seos.ini
    kill_ignore = no
  2. start up AccessControl.
    # issec
    To check the PID of seosd.
  3. kill [PID of seosd]
  4. Wait for a minute for seosd to start up.
  5. ps -ef | grep defunct

    If you don't see any defunct processes, then it works.
2 1 Unix endpoint user mode Fixes an issue with Access Control on HPUX where SSH sessions are not tracked AC125SP50018 1613 TC61135 Unix all ssh has a sequence of setuid, on HPUX last setuid in the sequence is for root, therefore KBL flag is reset by audit mask of root. N/A ProcServer_set_trace() is not called for login program in NoLoginSetuid(). N/A
3 1 Unix endpoint kernel mode Fixes an issue with Access Control on HPUX where the file table use is growing while Access Control is running AC125SP50011 1612 TC61133-4 HPUX IA64 Faulty code in SEOS_syscall Faulty code in SEOS_syscall N/A N/A
AC125SP40258              
AC125SP40251              
4 2 Unix endpoint user mode Fixes an issue with Access Control on UNIX where if the IP is resolvable, then the hostname will be obtained for authorization check. The IP name is not collected. AC125SP40157 1597 T243761-3 Unix all The seosd daemon did not obtain the host name The IP name has to be resolvable. If the IP address is resolved into hostname, then seosd uses the hostname for authorization check. If the IP is NOT resolved, then seosd uses the IP name as the hostname. In this case, the problem is not reproducible Convert the IP data into IP formats seaudit -a", so that the hostname for IP is defined in ladb.
Once the IP is resolvable, then the IP definition in HOST will not work.
AC>nr host 192.168.1.1 owner(nobody) audit(a)
AC>auth host 192.168.1.1 service(*) acc(n)

Above rule should deny telnet/ssh login from the host 192.168.1.1, but it is allowed. It means the rule above doesn't work
5 2 Win endpoint user mode The upgrade process of AC is not completed successfully and some of the actions are skipped since they are not configured to handle terminal server configuration. AC125SP40102     Windows all The issue is since TerminalServer is installed and configured on the machine. Machine with Terminal Server installed and configured. The installation project should be updated and the actions should be configured to work with TerminalServer.
  1. Install Terminal Server using Add-Remove Windows components.
  2. Install AC using PE in custom mode with all the option selected.
  3. Make sure that you are importing users and groups while installation and also checked the box to connect user to the respective group.
  4. After installation restart the machine.
  5. Connect to DMS and create some users.
  6. Create a TCP resource and enable the TCP class.
  7. Create other resources also like file, registry, pmdb etc.
  8. Now, upgrade AC using PE and restart the machine after upgrade
  9. Connect to DMS and check if the users created still exists.
  10. Check the newly created TCP resource exists after upgrade.
  11. Check if all other resources exists after upgrade.
  12. Check if the users are there in the localhost database.

    Actual Result:
    All the users and resources are not there after upgrade. Also the changes made for TCP class is not effective.

    Expected Result:
    All the users and resources should be there after upgrade. Also the changes made for TCP class should be effective.
6 2 Win endpoint user mode Fixes an issue with Access Control where the webservice receives the audit records counter to display warning messages in CA Access Control Endpoint Management, the "Get Counter" task in that enumerates all audit records in audit file, does so without any filtering. AC125SP40087     All "Get Counter" task in Webservice that enumerates all audit records in audit file without any filtering. Endpoint has a large audit file more than 1,5G Modify registry value HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\logmgr\audit_size in Windows or audit_size token in seos.ini file in UNIX so that the value will not exceed 1G The problem occurs whenever login (dashboard tab) and opening the audit event tab in Endpoint Management
7 3 Unix endpoint user mode Fixes an issue with Access Control on Linux where a single SSH login using PAM is displayed by two LOGIN records in the audit file AC125SP40006 1494 TC61052 Unix all Faulty code N/A Change SSH loginappl flags to 'none' (from 'pamlogin').
  1. Define local user in selang
  2. SSH into local system as user from step 1
  3. check 'seaudit -a| tail' to see how many 'P LOGIN' records you see
8 2 Unix endpoint kernel mode Fixes an issue with Access Control on UNIX where several processes killed by SIGHUP terminated without entering exit() call. Such processes remain in AC process table until next cleaning. AC125SP40013     Unix all Process not deleted from AC Process Table Send signal SIGHUP to process AC verifies if process with same PID exists in Process Table when creating new process. If AC found same PID process it verifies if old process is obsolete. AC compares parent processes of both old PID and new PID and compares entry creation time. N/A
9 2 Win endpoint kernel mode Fixes an issue with Access Control where wrong ACEE after SIGHUP occur due to an obsolete process in Access Control process table AC125SP40034     Unix all Obsolete process in AC process table Process killed by SIGHUP no solution, no workaround N/A
10 3 WebGUI Fixes an issue with Access Control in Japanese where the uninstaller file is garbled. AC125SP40117     All In Endpoint management Japanese localization file the product name has been translated into Japanese and that is the reason for the garbled uninstaller file name. Linux in Japanese The product name in JPN localization file should not be translated.
  • Install Endpoint Management JPN on LINUX machine.
  • After installation go to uninstall folder: /opt/CA/AccessControlServer/EndpointManagement/Uninstall_EndpointManagement and see that uninstaller file name is garbled.
11 2 Unix endpoint user mode Fixes an issue with Access Control on HPUX where checklogin failed with TCB and long passwords when PASSWORD class is used AC125SP40050 1575 T4B9073 Unix all When creating a user in command line in AC endpoint management GUI, if the given password longer than 8 characters, the checklogin will return error: Given password does not match OS password N/A N/A N/A
12 1 Win endpoint kernel mode Network rules that apply to 'accept' system call were not enforced on AIX. Network rules that apply to 'accept' system call were not enforced on AIX. AC125SP40017 1550 TC61123-4 AIX Faulty code N/A N/A
  1. Test on AIX.
  2. Block ftp port 21 in class HOST.
  3. Attempt to FTP into the AIX machine and see that it fails with proper error and audit.
13 2 Win endpoint kernel mode Fixes an issue with Access Control on Windows where a system memory dump is generated and the system reboots due to uncontrollable cache growth AC125SP40002 498 T5P7027 Windows all Uncontrollable cache size limit N/A Define upper limit to cache grows N/A
14 2 Unix endpoint user mode Fixes an issue with Access Control where the PAM sends login event for 'su' as well so when 'su' is defined as LOGINAPPL it will generate a LOGIN. AC125SP40018 1581 TC61128 Solaris Faulty code N/A N/A
  1. Test on Solaris 10
  2. copy /usr/bin/su to /usr/bin/su_test
  3. chmod 0777 /usr/bin/su_test; chmod +s /usr/bin/su_test
  4. In selang define /usr/bin/su_test as a LOGINAPPL with flags=pamlogin
  5. In selang define xgroups test1, test2, ... test16
  6. In native OS define user test01 (useradd -G test1,test2,...,test16 test01) set password for user test01 (passwd test01)
  7. In seos.ini make sure that 'osuser_enabled = yes' and 'create_user_in_db = yes'
  8. Start AC (seload)
  9. In selang define user test02 (AC> eu test02 password(123))
  10. See that the xgroups are defined in AC LADB (sebuildla -G | grep test) --> If not run 'sebuildla -g' and check again
  11. telnet localhost (login as user test02)
  12. /usr/bin/su_test test01 (provide password) --> After successful 'su' run '/opt/CA/AccessControl/bin/sewhoami -a' and see that all xgroups are listed.
15 2 Unix endpoint user mode Fixes an issue with Access Control on UNIX where sesu enables user to surrogate from root to another user without prompting for password AC125SP40021   TC61128 Unix all N/A N/A N/A
  1. Test on Solaris 10.
  2. Copy /usr/bin/su to /usr/bin/su_test
  3. chmod +s /usr/bin/su_test
  4. Define /usr/bin/su_test as a LOGINAPPL with loginflags(none)
  5. Set tokens:
    sesu.systemSU = /usr/bin/su_test sesu.UseInvokerPassword = yes
  6. Create 10 OS groups: AC> env native Native> nxg a1 (create until a10)
  7. Create OS users: AC> env native Native> nu test01 password(123) Native> nu test02 password(123) Native> join a1 test01 (create until a10)
  8. Start AC
  9. Telnet to system as root
  10. From root session run: sesu -n test01 --> It should NOT prompt for Invoker password
  11. As user test01 run: '/opt/CA/AccessControl/bin/sewhoami -a' --> You should see user test01 with all OS groups a1,..a10
  12. As user test01 run: 'sesu - test02'
  13. As user test02 run: '/opt/CA/AccessControl/bin/sewhoami -a' --> You should see user test01 with all OS groups a1,..a10
16 2 Win endpoint user mode Fixes an issue with Access Control on Solaris where the sudo program has new DEV in i-node after OS patch that the PACL rule does not catch. AC125SP40048 1576 T3DB061 T540047 Unix all same program has different device OS patch applied Workaround is redefine rule or re-trust. Solution is to skip device verification when program definition does not require verification of "trust" in DB Not reproduced in Lab
17 2 Unix endpoint kernel mode Fixes an issue with Access Control on HPUX where the system malfunctions due to missing tty associated AC125SP40003 1564 T3E7113 HPUX System panicked in SEOS_is_pid_fggrp(). This happens when a process does not have a tty associated with N/A disable key logger N/A
18 3 Unix endpoint user mode Fixes an issue with Access Control where sebuildla -a stops responding due to double DNS query AC125SP40137 1590 T243760 Unix all DNS refuses the query when it believes this is a denial-of-service attack leave the same DNS name in the first line and in the search line Make sure we don't query the same DNS more than one time

We may not be able to reproduce the problem in-house. Here is how the client reproduces the problem.

  1. vi /etc/resolv.conf
    domain ca.com
    nameserver 192.168.x.x
    search <company>.com

    Please note ca.com in the first line and ca.com in the "search" line at the end.
    sebuildla will try to query ca.com twice; this is what is causing the hangs.
19 2 Win endpoint kernel mode Fixes an issue with Access Control on Windows where system malfunctions due to drveng old (prior to windows 2003 64 bit ) networking code accessing NULL memory AC125SP40016 506 T5P7036 Windows all A handle leak causes Access Control to stop responding   Additional memory validity checks N/A
20 2 Win endpoint user mode Fixed an issue with Access Control on Windows where the user trace message showed the command line image as unavailable AC125SP40146     Windows all User trace message generally shows command line image, but it shows "unavailable" for some entry N/A Developed alternative method for starting processes command line retrieve N/A
21 3 WebGUI Fixes an issue with Access Control on Windows where PUPM fails to change an account password AC125SP40172 41 T5P0046 Windows all Added more details Endpoint name and the Account Name at the Audit event record N/A N/A
  1. Try to set automatic password change
  2. If and when the action fails there is no details regarding the end point name and the account name in Audit Privileged Accounts screen
22 3 WebGUI Fixes an issue with Access Control where creating a copy of an endpoint, the application login list is not copied AC125SP40051 45 T5P0040 Windows all Missing copy function in the code for login application N/A N/A
  1. Create a new Endpoint by copying an existing one
  2. Application Login list is not copied
23 2 Unix endpoint user mode Fixes an issue with Access Control on Windows 2008 Server where Access Control is abnormally terminated when performing an Automatic Login by Remote Desktop to the endpoint AC125SP40010 505 T5P7034 -5 Windows all If osuser_enable = 0 the handle of acee for the user will be (-1) making aceemgr_GetUserAcee(hAcee) to return pacee = NULL. N/A In HKLM\SOFTWARE\ComputerAssociates\AccessControl\OS_user set osuser_enable = 1
  1. Stop AC
  2. Set in Registry HKLM\SOFTWARE\ComputerAssociates\AccessControl\OS_user osuser_enable = 0
  3. Create regular User
  4. Start AC
  5. RDP Logon to the host from another host. Check seosd process exited and record "The CA Access Control Engine service terminated unexpectedly." is created in Application Event Log. The seosd.dmp minidump is produced in AC/bin
24 2 Unix endpoint user mode Fixes an issue with Access Control on HPUX where preventing access to NULL memory in sdbio_Fetch causes a core dump of seosd AC125SP40026 1567 T5P7037 HPUX IA64 Code defect. N/A Added checking pointers on NULL in relevant allocations. On seosd restart performed by seoswd the allocation can fail but corresponding pointer is referenced without checking on NULL.
25 2 WebGUI Fixes an issue with Access Control where the By parameter was too long to be stored at QWRT table AC125SP40105 52 T5P0044 Windows all QWRT table as a limitation size N/A Replace the initiated By parameter that was saved at the database to be the Account name parameter
  1. user store is AD
  2. Perform check out account by a user with long DN over 80 chars
  3. The job used to failed to be stored at the database
26 2 Unix endpoint user mode Fixes an issue with Access Control on UNIX where using the "who am I" command fails when KBL is enabled due to empty session ID in audit file after previous fixes for "who" AC125SP40068 1570 T3DB055 Unix all cmdlog initializes header when prepares request to update utmp KBL enabled use separate request header to send utmp update request kbl enabled + trace user > seaudit -kbl 01 Mar 2011 19:14:50 P LOGIN lipyu01 0 12 cmdlog There is 0 session id in kbl audit record.
AC125SP40022   T3DB059 T3DB060          
AC125SP40053   T243776-8          
27 3 Unix endpoint user mode Fixes an issue where the command "who am i" output is empty AC125SP40022 1570   Unix all KBL creates new tty without updating utmp DB KBL enabled, AC is up cmdlog sends request to agent to update utmp with new tty line.

Steps to reproduce:

  1. kbl_enabled = yes
  2. Start AC
  3. login to host
  4. # who am i => EXPECTS line like "lipyu01 pts/2 Jan 25 18:09 ..." => ACTUAL: empty output
28 High Unix endpoint user mode "who am i" does not work. Fix AC125SP40022 does not work on HP >= 11.23 AC125SP40053 1570   HPUX IA64 HPUX 11.23 and higher uses new API set to update utmps DB KBL enabled Use HPUX API function "pututsline"
  1. kbl_enabled = yes
  2. Start AC
  3. login to host
  4. # who am i => EXPECTS line like "lipyu01 pts/2 Jan 25 18:09 ..." => ACTUAL: empty output
29 3 Unix endpoint user mode Fixes an issue with Access Control on Linux where setuid bit in the post script is reset by the install_base script AC125SP40094     Unix all The script to reset the setuid bit is run after the post script Install Access Control using a customized post script. Use the setuid bit in the post script move the POST_EXIT after AccessControl_own(...).

Apply the fix install_base

install_base -autocfg -command Proceed -post /install/post_chmod

we have the following in post_chmod.

#!/bin/bash

chmod 4555 /opt/CA/AccessControl/bin/sesu
chmod 4555 /opt/CA/AccessControl/bin/sesudo
chmod 4555 /opt/CA/AccessControl/bin/sepass

After the installation, we expect to see 4555 for /opt/CA/AccessControl/bin/sesu, but the setuid bit is reset after the upgrade

30 2 WebGUI Fixes an issue with Access Control where the connection to LDAP was corrupted AC125SP40155 54 T5P0045 Windows all LDAP provider managed the connection pool and from time to time close unused connection N/A retry to get the managed object and by that refreshing the connection N/A
31 2 Unix endpoint user mode Fixes an issue with Access Control on UNIX where seaudit -tr prints garbled data AC125SP40020     Unix all when record is created parameter with type "u" is saved as long (function trace_build_binary()), but when record is printed "u" is treated as int (function trace_format_string()). 64-bit AC on Linux x64 N/A ./seaudit -tr
32 3 Unix endpoint user mode Fixes an issue with Access Control on UNIX where SNMP traps are sent twice if the system issues both IPv6 and IPv4 AC125SP40038     Unix all SNMP traps are sent by IPv6 and IPv4. Linux system on which IPv6 and IPv4 are configured. N/A AC 12.5 SP4 / RHEL 5.5 x64/x86
  1. snmp trace receiver
  2. configure selogrd to send snmp trap
    # cat /etc/selogrd.ext
    snmp /lib/snmp.so
    # cat /log/selogrd.cfg:
    snmpRule
    snmp localhost
    include Class(*LOGIN*) Code(*).
    .
  3. run selogrd
  4. do login to record login audit log
  5. check snmptrapd output

    [expected result] one trap is received for one audit log
    [actual result] two traps are received for one audit log
33 2 Win endpoint user mode Fixes an issue with Access Control on Windows where the password is not checked on matching rule parameters if the Dictionary registry value is not set or rejected passwords file does not exist. AC125SP40037 507 T5P7038 Windows all VerifyPasswordSyntax() does not control UseDict value. N/A N/A Set UseDict = no does not disable password check with matching to Dictionary.
34 2 WebGUI Fixes an issue with Access Control on Windows where the trust flag at SECFILE is always checked in the CA Access Control Enterprise Management. AC125SP40057     windows all

case 1: Untrusted but GUI shows trusted.

  1. Create SECFILE record and change it to Untrusted: er SECFILE /tmp/SECFILES/secuity1.txt
  2. Login Endpoint Management and check SECFILE resource.
  3. You can see trust flag is checked at audit tab.

case 2:

1. login Endpoint Management and check SECFILE resource.

2. check off trust flag at audit tab and save

3. check SECFILE resource again.

you can see the trust flag is checked.

N/A N/A

case 1: Untrusted but GUI shows trusted.

1. create SECFILE record and it change Untrusted

er SECFILE /tmp/SECFILES/secuity1.txt

2. Login Endpoint Management and check SECFILE resource.

3. you can see trust flag is checked at audit tab.

case 2:

1. login Endpoint Management and check SECFILE resource.

2. check off trust flag at audit tab and save

3. check SECFILE resource again.

you can see the trust flag is checked.

35 2 Unix endpoint user mode Fixes an issue where Access Control fails to start after disabling the PROGRAM class in local mode. AC125SP40023 1571 T4CC102-5 Unix all seosd gives an error if PROGRAM class is off on startup PROGRAM class is off on startup Not disable PROGRAM class on startup  
T4CC110
36 3 Unix endpoint user mode Fixes an issue with Access Control where the trusted program run-table is not loaded when PROGRAM class is off on startup AC125SP40058 1571   Unix all The trusted program run-time table is not loaded when PROGRAM is off on startup. PROGRAM is off on startup. Do not disable PROGRAM class on startup.
  1. stop AC
  2. disable PROGRAM class
  3. selang -l
  4. AC> er PROGRAM /opt/CA/AccessControl/bin/sebuildla trust blockrun
    Successfully updated PROGRAM /opt/CA/AccessControl/bin/sebuildla
    ERROR: Failed updating run-time tables.
    AC> rr PROGRAM /opt/CA/AccessControl/bin/sebuildla
    Successfully deleted PROGRAM /opt/CA/AccessControl/bin/sebuildla
  5. start AC
  6. selang
    AC> er program /opt/CA/AccessControl/bin/sebuildla trust blockrun
    (localhost)
    ERROR: Failed updating run-time tables.
    Successfully created PROGRAM /opt/CA/AccessControl/bin/sebuildla
37 2 Unix endpoint user mode Fixes an issue with Access Control on UNIX where the pgmtype of propagate for SPECIALPGM is not taking effect if the child process is defined as SPECIALPGM AC125SP40032     Solaris Faulty code N/A N/A
  1. Test on Solaris 10.
  2. echo "test" > /tmp/test.txt
  3. Create a script /tmp/test.sh
    #!/bin/sh
    #
    /usr/bin/cat /tmp/test.txt
  4. Start AC.
  5. AC> ef /tmp/test.txt owner(nobody) audit(a) defacc(n)
    AC> er specialpgm /tmp/test.sh pgmtype(pbf propagate)
    AC> er specialpgm /usr/bin/cat pgmtype(pbf)
  6. /tmp/test.sh --> Make sure you see the word 'test' displayed, meaning that bypass inheritance worked.
38 3 Unix endpoint user mode Fixes an issue with Access Control on UNIX where after installation token osuser_enabled should be set to no by the setup AC125SP40025     Unix all a value during installation is ignored. select "no" for OS users during installation. Set "No" to token osuser_enabled after install
  1. Install AC by interactive mode
  2. select 'n' for OS users
    [ Set up OS users ]
    You may define OS users as CA Access Control database administrators.
    Specify user IDs separated by space.
    If you do not want to define OS administrators now, hit ENTER.
    Do you want CA Access Control to support OS users? [Y/n]:n

    after installation token osuser_enabled should be set to "no" by the setup
39 3 WebGUI Fixes an issue with Access Control where you cannot delete a report snapshot. This in turn generates a lot of data, with no option to delete. AC125SP40182     All executeUpdate() (jdk) method with ms-sql jdbc driver did not work as expected I believe this method is for executing prepareStatement and not for executing store procedures exist in the database, change it to use execute() method, that solve the issue on sql server, For some reason executeUpdate() (jdk) method with ms-sql jdbc driver did not work as expected I believe this method is for executing prepareStatement and not for executing store procedures exist in the database, change it to use execute() method, that solve the issue. Manually delete from the database execute delete snapshot
40 3 Unix endpoint user mode Fixes an issue with Access Control on Linux where due to missing symbol version information in the JRE libraries, error messages were displayed on startup AC125SP40060 1573 T47D022 LINUX s390 Missing symbol version information in Java stub libraries. AC installed on S390X SLES 10 or 11 platform. Install 32 bit JRE on the endpoint (if not already installed) and set[global].java_home token in accommon.ini to its location, e.g. java_home = /opt/ibm/java2-s390-50/jre Install AC on s390x SLES 10 or 11. Start AC daemons.
41 1 Win endpoint kernel mode Fixes an issue with Access Control on Windows where memory corruption in cainstrm.sys leads to crash due to missing double-linked list entry backward link initiation AC125SP40049 508 T5P7039 Windows all N/A N/A Fixed double linked list Start several .Net applications while verifier enabled for cainstrm.sys
42 2 WebGUI Fixes an issue with Access Control on Windows where the Access Control Endpoint Management installer does not write the Webservice configuration into the 64 bit section of the registry, rather, it writes the configuration into the 32 bit section of it. AC125SP40086     Windows x64 The root cause of the problem resides in the fact AC Endpoint Management installer is not aware the Webservice configuration should be written into the 64 bit section of the registry. Instead it writes the configuration into the 32 bit section of it. AC is not running when installing AC Endpoint Management. Work around (without the solution): Install AC Endpoint Management when AC endpoint's services are running. Solution (after installer change): The installer execute selang -l -c "env config" commands instead of trying to update the registry on its own. On Windows x64 machine: A. Install AC endpoint. B. Install JBoss. C. Shutdown AC endpoint services. (secons -s) D. Install AC Endpoint Management. E. Verify the Webservice registry path does not exist.
43 1 Unix endpoint kernel mode Fixes an issue with Access Control on Solaris where special device files are not protected in internal Solaris zones AC125SP40056 1581 TC61128 Solaris Faulty code N/A N/A
  1. Test on Solaris 10 with internal zones.
  2. Install AC on all zones.
  3. In internal zone write an ACL on /dev/null allowing access only to root and audit(all).
  4. In internal zone run 'cat /dev/null' -> See in audit that file name does NOT have zone prefix.
44 1 Unix endpoint user mode Fixes an issue with Access Control on UNIX where cron jobs stay defunct on SLES 11SP1 S390X AC125SP40065     Unix all Code attempting to get peername from SEOS_syscall even though it is not applicable for cron jobs N/A N/A
  1. Test on SLES 11SP1 on S390X.
  2. Create a script called test.sh that looks like:
    #!/bin/sh
    #
    date > /tmp/date.log
  3. chmod 0755 test.sh
  4. Define a cron job to run test.sh every minute. --> Check that there are no defunct processes for test.sh and cron
45 3 Unix endpoint user mode Fixes an issue with Access Control on UNIX where if the "sshd" or "nobody" users attempt to surrogate to root, they are denied AC125SP40195 1603 T243771 Unix all special treatment for user "nobody" and "sshd". Reproduce the problem with user "nobody" and "sshd". Special treatment for "nobody" and "sshd" only if the process is a login program chres SURROGATE ("_default") audit(SUCCESS FAILURE) comment('"Defined by baseline rules"') defaccess(NONE) gowner('secadmin')
46 3 Unix endpoint user mode Fixes an issue with Access Control on UNIX where selogrd ceases to send audit records while reading PASSWORD records of un-supported type AC125SP40074 1585 T5P7042 Unix all The new PASSWORD type of audit records exists beginning from 12.5 GA, thus cannot be interpreted by 80sp1 collector. N/A For target protocol less than 5 it should ignore the record and write LOG_DEBUG message to syslog. N/A
AC125SP40063
47 1 Unix endpoint kernel mode Fixes an issue with Access Control on AIX where if you mount two file systems on top of the '/' file systems, when a program attempts to open the /Unix kernel, Access Control 'opens' an interception attempt to resolve the full path of /Unix. As a result, Access Control causes a system crash. AC125SP40077     AIX Fixed faulty code in SEOS_syscall Customer has mounted two File systems on top of the '/' file system. One the local root file system and another NFS file system. In this condition when attempting to open the /Unix kernel file machine crashed in AC get_realname (path resolving) code. N/A editres SURROGATE ("GROUP._default") audit(FAILURE) defaccess(READ)
48 2 WebGUI Fixes an issue with Access Control on UNIX where after the installation, the webservice is not populated AC125SP40096     LINUX The ENTM installation runs the Solaris EndpointManagement install package on Linux machine. LINUX machine. The ENTM installation now runs the Linux EndpointManagement install package on Linux machine.
  1. Install ENTM on LINUX
  2. Start JBoss.

    Result: Failed to invoke ENTM Web GUI after starting JBoss using ./runs.sh -b 0.0.0.
49 1 Unix endpoint user mode Fixes an issue with Access Control where using Kerberos PAM to authenticate Active Directory users causes login fails if Access Control is running AC125SP40121     HPUX In PAM account management, when Kerberos PAM exists login never invokes AC PAM account management and thus login fails. using Kerberos PAM to authenticate AD users on HPUX. N/A When using Kerberos PAM to authenticate AD users - AD users login fails when AC is up
50 3 Unix endpoint user mode Fixes an issue where Access Control did not untrust the SECFILE by file handle After enabling the watchdog_refresh token. AC125SP40216     Unix all SECFILE is not checked by file handle SECFILE and FILE is defined yes is set to token watchdog_refresh N/A
  1. #touch /tmp/miyhi02
  2. #seload
  3. #selang
    AC>nr secfile /tmp/miyhi02 owner(nobody)
    AC>nr file /tmp/miyhi02 defacc(a) audit(f) owner(nobody)
  4. #secons -s
  5. watchdog_refresh = yes
  6. #seload
  7. #touch /tmp/miyhi02

    seaudit should show a "U SECFILE" record.
    selang should shows the secfile is untrusted.
51 2 Unix endpoint kernel mode Fixes an issue with Access Control on UNIX where the operating system crashed because of a pointer passed to bcopy was invalid AC125SP40111 1589 T3DB065 Solaris Pointer passed to bcopy is invalid The streams message seems invalid (may be lost packet), it has type T_CONN_REQ, data length is 1 byte, data pointer plus destination offset points wrong memory. AC streams interception type is TCP hook Disable network interception chres SURROGATE ("_default") audit(SUCCESS FAILURE) comment('"Defined by
52 2 WebGUI Fixes an issue with Access Control where a null value is inserted to hashtable AC125SP40097     Windows all insert null value to hashtable N/A N/A
  1. Create a copy of break glass task -> remove the "hide task in menu".
  2. Assign the task to break glass role
  3. Change "break glass WF" task to NULL participant
  4. browse to Home tab -> go to new create Task
  5. Select Account from the search list enter Justification

    A null pointer exception message
53 3 Unix endpoint user mode Fixes an issue with Access Control where allocating memory to create an xternal user, the amount of the allocated memory size is incorrect AC125SP40144 1601 T243769 Unix all This is because AC is trying to allocate memory to create an xternal user. the amount of the allocated memory is huge or the size is incorrect AC>auth program /tmp/testabc xuid(tt01) access(all);

Run this command exactly.

selang core dumps.
N/A This selang command will crash selang or eacws.
54 3 Win endpoint user mode Fixes an issue with Access Control on UNIX with a memory leak in seagent due to a command in a policy that makes seagent keeps executing the same command repeatedly AC125SP40145 1605 T243774-5 Unix all A memory leak in seagent Include the "nobody'" command in the policy N/A

a policy with these lines in the contents.

####
#This is for test.
#------------------
nobody'
nu user01

When this policy is deployed, then seagent will keep running the command and we'll see the memory leaks.

55 3 Unix endpoint user mode Fixes an issue with Access Control on UNIX where the VFTP login terminal is displayed as console although it is located on the remote host AC125SP40136     Unix all Peer address is not resolved. RHE4 using vsftp standard installation. N/A Please note xuid(..) and ';' at the end. if we have a combination of these two, selang will core dump and eacws will core as well in creating a policy and deploying a policy
56 3 Win endpoint user mode Fixes seaudit -netaddr -a -detail to show IP address for login events from class terminal AC125SP50009     All N/A N/A run seaudit -netaddr -a -detail and see that login events from class terminal show hostname instead of IP address N/A
Unix endpoint user mode                  
57 2 Unix endpoint kernel mode Fixes an issue with Access Control on Solaris where seosd tried to get the peer address of the sshd process. When the seosd thread could not retrieve it from the sshd process, it tried to get it from the parent process of the sshd process. If the parent process exist, it could cause AC125SP40178 1592 TC61129 SOLARIS System panicked in SEOS_get_pid_peeradr(). This happened when seosd tried to get the peer address of the sshd process. When the seosd thread could not retrieve it from the sshd process, it tried to get it from the parent process of the sshd process. If the parent process is exiting, it could cause system panic. When the parent process might exist before the kernel that intercepting the child process has a chance to get the peer address If the parent process is exiting, return with error N/A
T3E7125
58 2 Unix endpoint user mode Fixes an issue with Access Control on UNIX where the ReportAgent exposed excessive memory growth that was mainly caused by UNAB database report thread AC125SP40196 1602 T5P7047 Unix all Incomplete or missing allocated memory release. N/A N/A
  1. Install ReportAgent on UNAB host.
  2. Configure ReportAgent for sending to Distribution Server
  3. Set interval = 3 in accommon.ini
  4. Start ReportAgent in debug mode: ReportAgent -debug 1 -task 2
  5. Monitor ReportAgent process memory consuming growth.
  6. Stop service "CA Access Control Message Queue" on Distribution Server for disconnecting ReportAgent from Tibco and keep monitoring memory growth.
59 3 Unix endpoint user mode Fixes an issue with Access Control on UNIX where after killing the serevu process, a LOGOUT record appears without a corresponding LOGIN record AC125SP40223     Unix all LOGOUT record by serevu should be restrained from auditing. kill serevu process N/A start serevu then kill the process. there is no corresponding LOGIN record.
60 3 Unix endpoint user mode Fixes an issue with Access Control on Linux where an incorrect "who am i" version was included on Linux x86_64 AC125SP40205     LINUX x64 cmdlog process verifies if newly created tty already exists in utmp. it finds such process exists and does not send update request to agent. Later login process removes this temporary tty KBL enabled on x86_64 and AC 64-bit installed avoid verification of tty existence Install AC, enable KBL, start AC login as test user check "who am i" EXPECT: same output as AC is down
61 2 WebGUI Fixes an issue with Access Control on Windows where the column size in the database is too small to hold multiple values of long user if AC125SP40200 56 T5P0047 Windows all

Cannot add new PUPM endpoints agentless.

If you remove a pupm endpoint, then it's possible to create a new one. Getting Fatal error message:

Failed to execute CreateEndpointEvent. ERROR MESSAGE: Create administrative acc

account for endpoint failed: details:String or binary data would be truncatated

N/A N/A Create multiple endpoint with large name and with the same account manager
62 2 WebGUI Fixes an issue with Access Control on Windows where the USER_ID column at PRIVILEGE ACCOUNT REQUEST is not long enough AC125SP40211     Windows all the USER_ID column at PRIVILEGED ACCOUNT REQUEST is too short N/A N/A The column size in the database exceed its size limit
63 2 Unix endpoint kernel mode Fixes an issue with Access Control on UNIX where a system failure occurred when attempting to store a long variable on a Solaris 8 32 bit system AC125SP40217 1610 T3E7132 Solaris System panicked with a data alignment issue when attempting to store a long variable not at double-word alignment on a Solaris 8 32-bit system. AC on a Solaris 8 32-bit system N/A Install AC 12.5 SP4 on a Solaris 8 or 9 32-bit system and start AC. It will panic shortly.
64 3 UNAB Fixes an issue with UNAB where the uxauthd daemon denied login for user whose Unix attributes are not in Active Directory, local files or NIS AC125SP40209 12 T243779 Unix all uxauthd wrongly denied user login because did not find user Unix attributes not in AD nor in local files or NIS N/A uxauthd should check if Unix attributes are in NSS User has Unix attributes set in LDAP Directory (not AD) and account with the same name in AD
AC125SP40191
65 3 UNAB Fixes an issue with UNAB where uxauthd wrongly denies user login because UNAB could not find the user Unix attributes in Active Directory, in the local files or NIS AC125SP40191     Unix all uxauthd wrongly denied user login because did not find user Unix attributes not in AD nor in local files or NIS N/A uxauthd should check if Unix attributes are in NSS User has Unix attributes set in LDAP Directory (not AD) and account with the same name in AD
66 2 WebGUI Fixes an issue with Access Control on Windows where users cannot perform an Automatic Login after checking out a privileged account password AC125SP40236 58 T5P0050 Windows all Java throws an exception when invoking the String.replaceAll method with a replacement string that contains a $ sign N/A do not use $ in account password of endpoint
  1. create login Application and assign it to endpoint whose password contains $
  2. at My Privileged Accounts try to Automatic Log in to this account. when having $ sign at the password it used to fail
67 2 Unix endpoint kernel mode Fixes an issue with Access Control on HPUX 64 bit where a system error occurred due to incomplete checks AC125SP40187 1612 TC61145 HPUX IA64

seosd calls SEOS_syscall to get peeradr information of a process during login.

If SEOS_syscall fails to get it from process it tries to get it from parent process. It did not do satisfactory checks whether parent process is valid.

N/A It does more strict validity tests on parent process before it scans its open files N/A
68 2 Unix endpoint kernel mode Fixes an issue with Access Control on Linux s390 where SEOS_syscall fails to load. AC125SP40024 1568 T47D021 LINUX s390 Security patch modifies kABI. SLES 10 SP3 on 390x with kernel level 2.6.16.60-0.69.1 or above. N/A Update SLES 10 SP3 on 390x to kernel level 2.6.16.60-0.69.1 (or later). Prior to this package, SEOS_syscall will fail to load. After this package SEOS_syscall will load and operate normally.
69 2 Unix endpoint kernel mode Fixes an issue with Access Control on Linux s390 where the SEOS_syscall failed to load. AC125SP40045 1573 T47D022 LINUX s390 SLES 11 SP1 patch modifies kABI. SLES 11 SP1 on 390x with kernel level 2.6.32.27 or later. N/A Update SLES 11 SP1 on 390x to kernel level 2.6.32.27 (or later). Prior to this package, SEOS_syscall will fail to load. After this package, SEOS_syscall will load and operate normally.
70 3 Unix endpoint kernel mode Fixes an issue with Access Control on Linux x64 where if the keyboard logger is enabled during SSH login, the system malfunctions. AC125SP40054 1577 T47D023 LINUX x64 Bug causes incorrect code path in sys_execve interception if KBL is enabled and new login shell is created. SLES 11 x64, KBL enabled Do not enable KBL. Enable KBL. Attempt SSH login.
71 2 install Internal--Unab should be stopped before removal AC125SP40115     Unix all Bug N/A N/A Install UNAB on HP machine and run it. Uninstall and check uxauth folder containing bin is not present under the /opt/CA directory.
72 1 Unix endpoint kernel mode Fixes an issue with Access Control on Linux s390 where a 32-bit compatible structure was being passed to the 64-bit version of the syscall hook AC125SP40238     LINUX s390 A 32-bit compatible structure was being passed to the 64-bit version of the syscall hook. N/A Code fixes assembly stub to call correct syscall hook.

    #include <stdio.h>
    #include <stdlib.h>
    #include <signal.h>
    #include <unistd.h>
    #include <sys/types.h>

    /* Dump the siginfo_t fields delivered with the queued real-time signal. */
    void signal_handler(int sig, siginfo_t *sip, void *p)
    {
        printf("--------------------\n");
        printf("Get rt_signal(%d)\n", sig);
        printf("si_signo:%d\n", sip->si_signo);
        printf("si_code:%d\n", sip->si_code);
        printf("si_pid:%d\n", sip->si_pid);
        printf("si_uid:%d\n", sip->si_uid);
        printf("si_errno:%d\n", sip->si_errno);
        printf("value.sival_int:%d\n", sip->si_value.sival_int);
        /* Low 32 bits of the pointer, printed as in the original test. */
        printf("value.sival_ptr:%#x\n",
               (unsigned int)(unsigned long)sip->si_value.sival_ptr);
        printf("--------------------\n");
    }

    int main(int argc, char *argv[])
    {
        struct sigaction newact, oldact;
        union sigval value;
        int status;

        /* Install an SA_SIGINFO handler for SIGRTMIN. */
        newact.sa_sigaction = signal_handler;
        sigemptyset(&newact.sa_mask);
        sigaddset(&newact.sa_mask, SIGRTMIN);
        newact.sa_flags = SA_SIGINFO | SA_RESTART;
        sigaction(SIGRTMIN, &newact, &oldact);

        /* Value to queue with the signal: first argument, or 21 by default. */
        if (argc > 1) {
            status = atoi(argv[1]);
        } else {
            status = 21;
        }
        value.sival_int = status;

        printf("SIGRTMIN:%d,SI_QUEUE:%d,sival_int:%d\n",
               SIGRTMIN, SI_QUEUE, value.sival_int);

        /* Queue the signal to ourselves. */
        if ((sigqueue(getpid(), SIGRTMIN, value)) != 0) {
            perror(" sigqueue error ");
            exit(0);
        }

        if (fork() == 0) {
            /* Child: queue the same value to the parent. */
            usleep(100 * 1000);
            value.sival_int = status;
            printf("sival_int:%d\n", value.sival_int);
            if ((sigqueue(getppid(), SIGRTMIN, value)) != 0) {
                perror(" sigqueue error ");
                exit(0);
            }
        } else {
            usleep(200 * 1000);
        }

        sleep(100);
        exit(0);
    }
73 2 Unix endpoint user mode When seoswd is slow to start then seagent might start a new seoswd AC125SP40156 1483 TC61048 AIX seoswd on startup is closing 64k files which might take a while and thus seagent might start a new seoswd AC startup N/A Cycle AC many times and you might see the problem. 1) On AIX 5.3 sometimes the seagent starts more than one seoswd. 2) Start AC many times and see that there is only one seoswd running.
74 2 Unix endpoint user mode Fixes an issue with Access Control where the policyfetcher consumes high CPU AC125SP40019 1545 T243700 All This is because policyfetcher is stuck in an endless loop waiting for a reply from the target machine where the connection is established, but there is no reply from the target server Requires a code fix on policyfetcher.

We need to break the connection if the loop on waiting for reply takes too long.
a proxy server that can be configured so that the connection to the target server is unreachable
75 2 Unix endpoint kernel mode Fixes an issue with Access Control where a newly created socket is setting up a filter struct but not yet allocating a filter lock. In the meantime, seosd is restarting and attaching SEOS module to all existing sockets. When it tries to acquire the filter lock, it is still a NULL pointer, which causes a system malfunction AC125SP40169 1612 TC61145 HPUX There is a condition that a newly created socket is setting up a filter struct but not yet allocating a filter lock. seosd is restarting and attaching SEOS module to all existing sockets. When it tries to acquire the filter lock, it is still a NULL pointer N/A disable network interception This could not be easily reproduced. To reproduce, you need to do network stress test and repeatedly restart seosd, not restart AC. Another bug, resolved by AC125SP30176, added a third condition that makes this race condition more possible.
AC125SP40170
76 2 SEOS_syscall Fixes an issue with Access Control that when seosd is restarted, it attempts to attach SEOS STREAMS module to all existing TCP socket files, but fails to check if SEOS module is already attached. AC125SP40170     HPUX When seosd is being restarted, it tries to attach SEOS STREAMS module to all existing TCP socket files. It however fails to check if SEOS module is already attached. When seosd is being restarted, it tries to attach SEOS STREAMS module to all existing TCP socket files. It however fails to check if SEOS module is already attached disable streams attachment It is very difficult to reproduce this problem. It is recommended to run network stress tests and additional sftp sessions that put and get thousands of files.
77 2 Win endpoint kernel mode Fixes an issue with Access Control on Windows where if network interception is enabled and rules are defined, Access Control drops packages that match the rules but were intercepted at dispatch IRSL AC125SP40122 509 T5P7045 Windows all N/A N/A Changed code to make AC reaction in the case configurable N/A
78 3 Unix endpoint user mode Fixes an issue with Access Control where it fails to update utmp on Linux AC125SP40113 1570 T3DB055 Unix all cmdlog verifies if new tty already exists in utmp and does not send update request to agent. At stage of verification there already exists same tty line in utmp. Login process erases this tty later. KBL enabled on Linux i86 disable KBL

On Linux x86

  1. kbl_enabled = yes
  2. Start AC
  3. login to host
  4. # who am i => EXPECTS line like "lipyu01 pts/2 Jan 25 18:09 ..." => ACTUAL: empty output
79 2 Unix endpoint kernel mode Fixes an issue with Access Control on HPUX where under heavy network load, a new socket file can be created with the SEOS module attached while Access Control is being shut down AC125SP40168 1569 T3E7122 HPUX Under heavy network load, specifically a lot of new connections, a new socket file may be created with SEOS module attached while AC is being shut down. SEOS STREAMS module attached while AC is being shut down. This results in blocked connection and may cause system panic later disable STREAMS It may be difficult to reproduce this problem. Theoretically, this could occur while under network stress tests and frequent AC stop and restart. When this happens, there will be blocked connection or result in system panic.
80 2 Unix endpoint user mode Fixes an issue with Access Control on HPUX where the command "last" is missing the last terminal that was generated by cmdlog AC125SP40180 1570 T3DB057 HPUX On HP the AC should run API updatebwdb() to update wtmps file, command "last" uses this file to show last login. Keyboard logger enabled AC should call API updatebwdb() to update wtmps file AC + kbl logon to test machine # tty # last | head EXPECT: same tty in "last"
81 3 Unix endpoint user mode Fixes an issue with Access Control where if keyboard logger is enabled, the command "last" is incorrectly displayed AC125SP40131     Unix all API function "pututline" does not update "last" KBL enabled Call API updwtmp() to update DB "last"
  1. enable KBL, start AC
  2. login to test machine
  3. run "who am i" and "last | head" EXPECT: same tty and user in output of who and "last"
82 3 Unix endpoint kernel mode Fixes an issue with Access Control where the wrong output of command "set" is displayed when keyboard logger is enabled AC125SP40181     Unix all the SEOS_procserver_kbl_arg0() returns empty string, as result cmdlog sets wrong arguments of exec(). KBL enabled Fixed kernel functions set / get to save and return arg0 Enable KBL, start AC Solaris 9 login to host as root using ssh # set EXPECT: output is same as AC is not running
83 2 Unix endpoint kernel mode Fixes an issue with Access Control on Solaris 8 where the system malfunctions when seosd calls SEOS_syscall to get peer information for a sshd process during login. AC125SP40151 1592 TC61129 Solaris Implementation of SEOS_get_pid_peeradr for Solaris in SEOS_syscall did not protect process data in kernel while parsing process's files to look for socket with peer information. As a result process data was modified while examining files and machine crashed. N/A N/A
  1. Test on Solaris 8 that has OPEN SSH installed.
  2. Start AC.
  3. Run many SSH logins into the machine --> If you are lucky system will crash
84 2 Win endpoint user mode Fixes an issue with Access Control on Windows server 2008 where when using a software distribution system, Access Control is installed using the NT Authority\System account. As a result, the installation fails to complete AC125SP50013     Windows all AC EP install on w2k8 r2 in system context should run successfully and create all objects in database. Windows 2008 add the ADV_POLICY_MNGT_CLIENT=1 property in the silent command and verify that DH objects and policyfetcher user are created in db after setup. N/A
85 2 Win endpoint user mode Fixes an issue with Access Control on Windows where if you use the NT Authority\System account to install, operations for creating users and objects fail. This is because NT Authority\System is not defined as an administrator in the database. As of this release, the "NT Authority\System" admin user is created in the database and removed when all the actions are completed. AC125SP40234     Windows all N/A N/A This fix temporarily creates the "NT Authority\System" admin user in the database and removes it once all the actions in DB are completed N/A
86 2 Win endpoint user mode Fixes an issue with Access Control on Windows where an application, a badging system called ESB, in a cluster environment was crashing on one of the cluster nodes. AC125SP40199 513 T5P7048 Windows all N/A N/A N/A N/A
87 2 Win endpoint kernel mode Fixes an issue with Access Control on Windows where in a function that retrieved the process object report did so without actually getting the object AC125SP40228     Windows all N/A N/A Improved code to return correct error code for given case N/A
88 2 Win endpoint user mode Fixes an issue with Access Control on Windows where a registry key was not defined during the installation AC125SP50014     Windows all N/A N/A N/A N/A
89 2 Unix endpoint kernel mode Fixes an issue with Access Control on UNIX where keyboard logger corrupts user stack AC125SP40095     Unix all KBL kernel part corrupts user stack KBL enabled KBL kernel part rewritten from scratch
  1. ssu to root
  2. enable kbl in seos.ini
  3. start AC
  4. do_as qash_adm sewhoami as: No such file or directory.
90 1 Unix endpoint kernel mode Fixes an issue with Access Control on AIX where my_link() called update_file_tables() with the wrong arguments that caused the system to malfunction AC125SP40110     AIX my_link() called update_file_tables() with the wrong arguments, causing a crash. Calling link syscall causes panic N/A running "echo ls|at now" panics the system
91 3 UNAB Fixes an issue with UNAB where memory leaks occurred after migration process completed AC125SP40123     Unix all N/A N/A N/A
  1. Install UNAB, register, activate
  2. Default_login_access 1
  3. set tokens [agent]/nss_cache_update_grp_login = no and [agent]/wingrp_update_login = no
  4. Migrate a user and it gets migrated successfully
  5. uxauthd -start
  6. ../eacLotsOfTelnet -n ismesl61 -t 1 -s 10000

    Expected Output: uxauthd must allow login
    Actual Output: After 30 minutes login is not allowed Daemon is still running
92 1 UNAB Fixes an issue with UNAB where enumeration function did not properly indicate that the supplied buffer was too small to fit all results and the module crashed during buffer release AC125SP40127     Unix all enumeration function did not properly indicate that the supplied buffer was too small to fit all results 1. nss.db must contain groups with hundreds of members (total size of data should exceed 1K) error condition in nss_uxauth is mapped to an error code telling libc that the call must be repeated with a larger buffer
  1. make sure there are AD groups in nss.db which have a very large number of members;
  2. execute a command that will exercise enumeration APIs in nss_uxauth: either adduser username or getent group
93 3 WebGUI Fixes an issue with Access Control where the web.xml and ReportsConfig.jsp were not copied in the build process. AC125SP40202     Unix all web.xml and ReportsConfig.jsp were not copied in the build process. N/A N/A check BO connection in idmmanage
94 2 UNAB Fixes an issue with UNAB where during high load of login with mapped user account handle leaks occur AC125SP40201     Unix all high load of login with mapped user account leads to handle leaks which after some time break UNAB normal functionality high load of login with mapped user account no high load of login with mapped user account
95 2 Unix endpoint kernel mode Fixes an issue in Access Control that when loading SEOS kernel module on HP-UX 11.11 32-bit, the module fails with error messages from som2elf AC125SP40253 1606 T3E7133 HPUX N/A N/A N/A N/A
96 2 Win endpoint user mode Fixes an issue with Access Control on Windows with a parsing error in rules parsing code AC125SP40190 1606 T3E7133 Windows all Parsing issue in AC rules parsing code N/A Fixed bug in rules parsing code
  1. install AC12.5SP4
  2. create directory/file
    C:> mkdir aaaaa
    C:> mkdir aaaaaccccc
    C:> echo TEST > aaaaatest.txt
  3. create generic policies
    AC> nf ("c:aaaaa*") defacc(all) owner(nobody)
    AC> nf ("c:aaaaaccccc") defacc(all) owner(nobody)
    AC> nf ("c:aaaaaccccc*") defacc(all) owner(nobody)
    AC> auth FILE ("c:aaaaaccccc*") uid(<machine name>Administrator) acc(N)
  4. access c:aaaaatest.txt -> This is denied.
97 3 Win endpoint user mode, Unix endpoint user mode Fixes an issue with UNAB where seaudit -netaddr -a -detail does not show IP address for login events from class terminal. AC125SP40247     All seaudit -netaddr -a -detail does not show IP address for login events from class terminal. N/A N/A run seaudit -netaddr -a -detail and see that login events from class terminal show hostname instead of IP address.
98 3 Unix endpoint user mode Fixes an issue with Access Control where the "Execute" access mode of non setuid/setgid program is not checked by the FILE class AC125SP40207 1611 T4CC114 Unix all Check of trusted program by FILE class is skipped in PROGRAM handle. a program is defined by PROGRAM and FILE not a setuid/setgid program N/A
  1. create test file # touch /tmp/aaa
  2. create file class resource AC> ef /tmp/aaa defacc(n) audit(a) own(nobody) AC> auth file /tmp/aaa id(*) acc(a) via(pgm(/usr/bin/cat)) -> this creates program class for /usr/bin/cat
  3. test file rules # more /tmp/aaa /tmp/aaa: Permission denied # cat /tmp/aaa # seaudit -a -sd today D FILE root Read 69 2 /tmp/aaa /usr/bin/more host P FILE root Read 63 3 /tmp/aaa /usr/bin/cat host -> this is working as expected
  4. create file rule for cat AC> ef /usr/bin/cat defacc(n) audit(a) own(nobody)
  5. test file rules AC 8.0 SP1 CR18: # cat /tmp/aaa cat: cannot execute # seaudit -a -sd today D FILE root Exec 69 2 /usr/bin/cat /sbin/sh host -> The access is denied as expected AC 12.5 SP4: # cat /tmp/aaa # seaudit -a -sd today P FILE root Read 63 3 /tmp/aaa /usr/bin/cat host root -> The access is permitted; file resource defined in step 4 is ignored.
99 2 Unix endpoint kernel mode Fixes an issue with Access Control on UNIX where deletion of SPECIALPGM, PROGRAM, loginprogram and STOP fails as a hash value created to delete is incorrect. AC125SP40239     Unix all a hash value created to delete is not correct. delete SPECIALPGM, PROGRAM, loginprogram and STOP online N/A
  1. er specialpgm /tmp/oldver pgmtype(propagate)
  2. er specialpgm /tmp/oldver pgmtype(dcm)
  3. You will see as below, eventually the record is updated successfully. 12 May 2011 17:00:58 S UPDATE SPECIALPGM root 305 0 /tmp/oldver sec758l4-l4-l53 er specialpgm /tmp/oldver pgmtype(propagate) 12 May 2011 17:01:08 F UPDATE SPECIALPGM root 305 0 /tmp/oldver sec758l4-l4-l53 er specialpgm /tmp/oldver pgmtype(dcm)
  4. secons -kt 1 still show /tmp/oldver and the pgmtype is propagate
100 3 Unix endpoint kernel mode Fixes an issue with Access Control where it cannot extract the zone prefix for a file located on an internal zone. As a result, Access Control uses program full real path on real root file system. Access Control ignores file / program rules defined relatively to zone root. AC125SP40277 1619 T3DB067 Solaris Solaris loopback mount allows mounting of zone folders to global zone folder. Such mounted full path does not consist of full zone path. For example: full path is /export/zone/au6omzzta08_apps/opt/seos/bin/selang zone root is /export/zone/au6omzzta08/root Function SEOS_del_zone_root() is not able to cut off zone prefix Solaris 10 zone has loopback mounts AC name resolver should save loopback mount points and cut off mount path for programs running in internal zone In global zone do like this: > mkdir /zone1/z1_app > mkdir /zone1/root/app > mount -o ro -F lofs /zone1/z1_app /zone1/root/app > echo test > /zone1/root/app/test Internals zone z1: # ls /app/test /app/test # start AC # start AC trace # cat /app/test => shows full path including zone prefix "/zone1/root/app/test"
101 3 Win endpoint user mode Fixes an issue with Access Control on Windows where segraceW fails to connect to a remote endpoint by "can not connect to AC database" although defenc.dll is located on current directory AC125SP40270 515 T4CC119 Windows all SegraceW fails to find defenc.dll where "Encryption Package" is not defined (i.e. AC is not installed) SegraceW runs in stand alone mode Add Reg value "Encryption Package" in HKLM\SOFTWARE\ComputerAssociates\AccessControl and define the encryption package

[Problem] SegraceW doesn't work from the remote host using the logon script. [Env] AC r12.5SP4 / Windows(x86) - DC(x86)

  1. NETLOGON folder |_defenc.dll (Renamed the one from "Encryption Package" in the registry) |_SegraceW.exe |_batch script to run "segracew -s DC_host"
  2. Configure the logon script for the domain user to run the batch script. - Member(x86) Logon by the domain user. => "ERROR:can not connect to AC database."
102 3 ENTM Fixes an issue with Access Control on Windows where the query over the database for the Initiated By filter is done by the NATIVE_USER field, which is not populated when using an RDBMS as user store AC125SP40279 59 T5P0051 Windows all the query over the database for the Initiated By filter is done by the NATIVE_USER field, which is not populated at all when working over RDBMS user store N/A N/A perform audit search (Privileged Accounts > Audit > Audit Privileged Accounts) using the Initiated by and providing a valid initiator, there are no results returned.
