|No. ||Severity ||Module ||Problem summary ||Package ||OS ||Cause of the problem ||Conditions ||Solution or workaround ||Reproduction steps ||Problem ID ||Test Fix ID / Published ID |
|1 ||3 ||Unix endpoint user mode ||Fixes an issue with Access Control where running secons -s by a non-administrator user generates a shutdown deny audit log ||AC1263186 ||Unix all || || || || || || |
|2 ||3 ||Unix endpoint user mode ||Fixes an issue with Access Control where if the login sequence is set with SGRPS, SGID will turn on the login trigger for SGRPS. ||AC1263240 ||Unix all || || || || ||1444 ||T243595 |
|3 ||2 ||Windows endpoint user mode ||Fixes an issue with Access Control on Windows where authenticated user accounts are displayed instead of native accounts only. ||AC1263273 ||Windows all || || || || |
- Launch ENTM
- Create Windows 7 Endpoint
- Configure a Windows service with a native user
- Run service account discovery wizard
- Only native user accounts should display
| || |
|4 ||3 ||Unix endpoint user mode ||Fixes an issue with Access Control on HPUX where an incorrect message appears, indicating that the password length exceeds the maximum defined length in tcb after you set the maximum length to 0. ||AC1263274 ||HPUX || || || || ||1553 ||T243710 |
|5 ||3 ||Unix endpoint user mode ||Fixes an issue with Access Control on AIX where the serevu utility sent repeated messages concerning multiple root failed login attempts. ||AC1263276 ||Unix all || ||When root makes more than 3 failed login attempts ||After the warning message about root is printed, the failed-login counter for root is also reset. || |
- install AC endpoint
- in seos.ini change the tokens as shown below:
- failed_login_file = /opt/CA/AccessControl/log/pam_seos_failed_logins.log
- use these two tokens and then make 3 failed login attempts for root.
Then check /opt/CA/AccessControl/log/pam_seos_failed_logins.log; if root is in the file, you should get the syslog message.
- Now try to log in as root with a wrong password.
- Now look at the syslog file, which should contain only 1 warning message for the root wrong password.
|1552 ||T243709 |
|6 ||3 ||Unix endpoint user mode ||Fixes an issue with Access Control on HPUX where, when seos.audit is corrupted, selogrd or seaudit send multiple error messages to the syslog. ||AC1263279 ||Unix all ||When seos.audit is corrupted, selogrd or seaudit may send many error messages to syslog: one error message for every record that is corrupted. || ||The fix is that if the offsets are consecutive, there is no need to send the error message over and over. ||run selogrd and seaudit. If there is no problem in seaudit or selogrd, then it works || || |
|For example, if offsets 1,2,3,4 and so on are corrupted, we send the message to syslog for 1,2,3,4… |
|7 ||3 ||Unix endpoint user mode ||Fixes an issue with Audit filtering for HOST record that does not work properly if a program name is specified. ||AC1263292 ||Unix all || || ||The HOST record should be filtered by program name only if /usr/sbin/sshd is specified || |
- activate HOST class
AC> so class+(HOST)
- modify HOST _default for auditing
AC> er host _default audit(a)
AC> auth host _default service(*) acc(a)
- login by ssh
# ssh 0
- check audit log
# seaudit -a -s today
08 Dec 2010 17:36:03 P HOST ssh 180 3 localhost.localdomain /usr/sbin/sshd
08 Dec 2010 17:36:04 P LOGIN root 59 2 localhost.localdomain SSH
Both host and login audit logs are recorded. This is expected.
- stop AC
# secons -s
- add HOST filter with <program-path> in audit.cfg
* <program-path> can be anything
- start AC
- repeat steps 3 and 4 (ssh login and audit log check)
08 Dec 2010 17:38:45 P LOGIN root 59 2 localhost.localdomain SSH
Only the login audit log is recorded. This is not expected, since the host audit record filter should not be applied to a different program path (/tmp/aaa vs /usr/sbin/sshd).
| || |
|8 ||2 ||Windows endpoint user mode ||Fixes an issue with Access Control on Windows where caption labels overlapped in the Review Settings screen. ||AC1263319 ||Windows all || || || || |
- Launch AC Runtime SDK install from Product Explorer.
- Scroll through all the sections providing proper inputs.
- In the Review Settings screen, caption labels were found to overlap.
Actual: caption labels overlap in the Review Settings screen.
Expected: there should not be any overlap of labels.
| || |
|9 ||3 ||Windows endpoint user mode ||Fixes an issue with Access Control on Windows where, when you export rules from a PMDB to a local directory, the join command appears twice. ||AC1263325 ||Windows all || || || || |
- create a pmdb
- join a native user to a group in the pmdb
join testuser group(testgroup)
- export pmdb
dbmgr -e -l
- verify that the join command does not appear more than once. Before this fix it was:
join ("testuser") group('testgroup')
join ("testuser") group('testgroup')
|501 ||T4CC099 |
| 10 || 2 || WebGUI ||Fixes an issue with Access Control on Windows where the displayed value of the "Full name" field in the Endpoint Management UI is not equal to the value in the user properties screen of the native user. || AC1263337 || All || || || || |
- Prepare Windows box (2003 or 2008)
- Install AC12.5 SP2, 3rd party products and 12.5SP2 Endpoint Management
- create a new native user from "Administrative Tools" -> "Computer Management" -> "Users and Groups" -> "Users" as below.
User name: TEST01
Full name: TEST01 FULLNAME
Description: TEST01 DESC
Confirm password: Paaword01
- Start Internet Explorer and connect to Endpoint Management
- select "Users" tab
- click "Go"
- click *TEST01
- select "Native" tab
- Observe that "TEST01" is displayed in the "Full name" field instead of "TEST01 FULLNAME".
| || |
|11 ||2 ||Unix endpoint user mode ||Fixes an issue with Access Control on Solaris where the ReportAgent terminated unexpectedly. ||AC1263345 ||All || || || || ||1557 ||T4B9063 (Solaris) |
|T4B9065 (HPUX) |
|T4B9066 (HPUX IA64) |
|T4B9067 (LINUX) |
|T4B9068 (LINUX x64) |
|T4B9069 (AIX) |
|T4B9070 (Windows x86) |
|T4B9071 (Windows x64) |
|12 ||3 ||Unix endpoint user mode ||Fixes an issue with Access Control on Solaris that causes a significant degradation in system performance. ||AC1263407 ||Unix all || || || || || || |
|13 ||3 ||WebGUI ||Fixes an issue with PUPM where a privileged accounts search with more than one criterion specified does not display search results. ||AC1263412 ||All || || || || || || |
|14 ||3 ||WebGUI ||Fixes an issue with Access Control on Windows where the Endpoint Management UI displayed an incorrect time format. ||AC1263418 ||All || || || || ||38 ||T5P0034 |
|15 ||3 ||Unix endpoint user mode ||Solves an issue with Access Control on Linux where, after a user logs out, the same user who remains logged in in another session (ssh) loses its ACEE. As a result, Access Control policies no longer work for the Access Control user. ||AC1263421 ||LINUX || || || || ||1560 ||T4CC101 |
|16 ||3 ||WebGUI ||Fixes an issue with PUPM where the valid until date in the CA Service Desk ticket request changed, causing failure to send the privileged account password request. ||AC1263423 ||All || || || || || || |
|17 ||3 ||Windows endpoint user mode ||Fixes an issue with Access Control on Windows where exporting rules that include the native join command results in failure. ||AC1263426 ||Windows all || || || || ||504 ||T4CC100 |
|18 ||3 ||Windows endpoint user mode ||Fixes an issue with Access Control on Windows where the segrace command does not display grace count and password expiration dates. ||AC1263471 ||Windows all || || || || || || |
|19 ||2 ||Unix endpoint user mode ||Fixes an issue with Access Control for UNIX where the Keyboard Logger audit file (kbl.audit) is not a member of the audit group that Access Control defines during the installation. As a result, users that are not members of the Keyboard Logger group cannot access the kbl.audit file. ||AC1263514 ||Unix all || || || || || || |
|20 ||2 ||WebGUI ||Fixes an issue with Access Control on Windows, where if the expiration date and time of an approved privileged account request that the user checked out overlaps with the server down time, the automatic deletion of the privileged account exception is stopped ||AC1263518 ||All || || || || || || |
|21 ||2 ||WebGUI ||Fixes an issue with PUPM where the password policy days checkbox is disabled. ||AC1263533 ||All || || || || || || |
| 22 || 3 || WebGUI || Fixes an issue with PUPM where the sort option in the My Privileged Accounts screen did not work. || AC1263563 || All || || || || |
- My Privileged Account List
- sort by Endpoint Name tab and Endpoint
- sort is not working
| 43 || T5P0038 |
| 23 || 3 || Unix endpoint user mode ||Improves AC audit filtering and allows INCLUDE and EXCLUDE rules in the config file. || AC1263570 || Unix all || || || || |
- Enable KBL
- create AC user audit(A)
- start AC
- login as test user, perform some activity
- Stop AC
- check the kbl.audit saved trace records (seaudit -tr)
- Clean log directory
- edit <AC_dir>/etc/kblaudit.cfg like this
- Start AC
- Perform steps 4 - 6
EXPECT: kbl.audit keeps records accordingly to filter rules
| || |
|24 ||2 ||Unix endpoint user mode ||Solves an issue with UNAB, where thread-enabled version of libsqlite3.a was used for the nss_uxauth module. A non-threaded SQLite3 library was built and used for linking the nss_uxauth module ||AC1263599 ||LINUX ||thread-enabled version of libsqlite3.a used for the nss_uxauth module || ||To resolve the problem a non-threaded SQLite3 library was built and used for linking the nss_uxauth module || ||1574 ||T243736 |
| 25 || 3 || Unix endpoint user mode || Fixes an issue with Access Control where the seadmapi.a library was missing several UNAB API symbols that caused a linkage error || AC1263664 || Unix all || seadmapi.a library was missing some UNAB API symbols which caused this linkage error || || Added UNAB API objects and others to resolve unresolved symbols and their dependencies ||cd /opt/CA/AccessControl/apisamples/passwd || || |
|gmake SOLARIS (or any other platform) |
|In general this can happen with other apisamples which link with 'seadmapi.a'. |
| 26 || 2 || Windows endpoint user mode || Solves an issue with Access Control on Windows where the PMDB did not save PMDB history for native user accounts. || AC1263724 || Windows all ||PMDB synchronized subscribers don't get the password history for native users. This means that when you create a native user with a password in the MASTER pmdb, you can't log in with this password after propagation. || || || |
- install AC and create pmd as pmd1
- create native user with password in PMDB.
eu pmdusr01 password(eTrust01)
- add subscriber with -n option as synchronize mode.
- check the error log on the PMDB; you will find that creating the user at the OS on the subscriber failed.
- You need to enable bi-directional password encryption to propagate password to new subscribers.
> so password(rules(bidirectional))
- In case the target endpoint has a native password policy that disallows creating users without a password, an error will appear in the PMD error log. It does not mean that the password was not propagated successfully
| || |
|When a subscriber is added in synchronize mode (-n), a native user on the PMDB cannot be delivered |
|to a subscriber on a Windows node, with the following error. |
|ERROR: Failed create USER acadmin |
|ERROR: failed to add NT Network user: Windows Error Code=2245... |
|27 ||2 ||Windows endpoint user mode ||Added the ability to automatically assign new endpoints to a hostgroup according to hostname criteria. ||AC1263796 ||Windows all || || || || |
- Run the er GHNODE command on ENTM setting the criteria
- on endpoints matching that criteria execute the commands
dmsmgr -config -endpoint
dmsmgr -config -dhname DH__@entmname
- start AC on the endpoint
- Once policyfetcher executes successfully on the endpoint, these hosts must appear in the GHNODE created with that criteria
| || |
| 28 || 3 || Unix endpoint user mode || Fixes an issue with Access Control on HPUX where, even when the token Undef_ForPacl is set to 0, a user undefined in AC is checked for file access with UACC instead of the PACL with uid(*). An undefined user in AC should be checked by the PACL with uid(*). || AC1263824 || Unix all || || || || |
- Set these tokens in Seos.ini
osuser_enabled = no
create_user_in_db = no
Undef_ForPacl = 0
- Start AC
- Login to Selang
AC(native)>eu user1 password(user1)
AC>nr file /tmp/filetest defacc(n) audit(all) owner(nobody)
AC>auth file /tmp/filetest uid(*) via(pgm(/usr/bin/vi))
- Login as user1 and try opening the file; the file opens read-only.
- Stop AC, change the token to Undef_ForPacl = 1 and start again.
- Now try opening the file: "Permission is denied"
Hence with Undef_ForPacl = 0 user1 is allowed by the PACL, and with Undef_ForPacl = 1 UACC denies the file access.
| || |
|29 ||3 ||Unix endpoint user mode ||Fixes an issue with Access Control on Solaris, where the upgrade process creates an incorrect link to backed up lib if the libsnmp.so.125.0.preTestFix is located in the lib directory ||AC1263889 ||Unix all || || || || || || |
|30 ||3 || WebGUI ||Fixes an issue with PUPM where password change did not occur. ||AC1263916 ||All ||One or more events failed, but the failure was recorded on the parent event || ||Adding more information to the VST event regarding the endpoint name and account name || || || |
|31 ||3 ||Unix endpoint user mode ||Fixes an issue with Access Control where the host name mask address was incorrectly interpreted. ||AC1263935 ||Unix all || || || || ||1599 ||T243766 (Linux x86) |
|T243767 (Linux x64) |
|32 ||3 ||Unix endpoint user mode ||Fixes an issue with Access Control on UNIX, where the IP address is resolved locally, but not in the DNS. This caused Access Control to stall while waiting for the DNS to resolve the IP address. ||AC1263944 ||Unix all || || || || ||1600 ||T243768 |
|33 ||3 ||Unix endpoint user mode ||Added the possibility to modify and reload the audit filter without recycling AC. ||AC1263957 ||Unix all ||AC currently reads the audit filter configuration just once, on startup || ||new "secons" option to make seosd reload the audit filter. || || || |
|34 ||2 ||WebGUI ||Fixes an issue with PUPM where the endpoint column size in the database could not contain the full DN of the endpoint. ||AC1263972 ||All || || || ||Create multiple endpoints with long names and with the same account manager ||56 ||T5P0047 |
|The column size in the database exceeds its size limit |
|35 ||3 ||Unix endpoint user mode ||Fixes an issue with Access Control for UNIX, where after upgrade existing policies were deleted if they included a single quote ||AC1263986 ||Unix all || || || || || || |
|36 ||2 ||Unix endpoint user mode ||Fixes an issue with UNAB, where if a user creates a computer object for the UNIX client machine using the Active Directory management tool (MMC), that object cannot be programmatically extended and any software that attempts to update it via LDAP will fail. ||AC1263987 ||Unix all || || || || || || |
|37 ||3 ||Unix endpoint user mode ||Removes port 445 (Microsoft-ds) from the checks, because UNAB does not use that port, so there is no need to check it or report on it ||AC1264000 ||Unix all || || || || || || |
|38 ||3 ||Unix endpoint user mode ||Fixes an issue with Access Control on UNIX, where the sepmd -e command does not display the error list on the x64 platform ||AC1264003 ||LINUX-X64 ||sepmd -e does not print the error list on x64 ||sepmd 64 bit binary || || |
- install AC12.5 SP3 x64 version on RHEL
- create PMDB0 as parent pmd
- set parent_pmd token as PMDB0@<host name>
- subscribe AC endpoint to PMDB0
# sepmd -s PMDB0 <host name>
- start selang and connect to PMDB0
# selang
AC> host PMDB0@
AC> eu TEST owner(testuser)
(PMDB0@localhost) ERROR: Failed to fetch data for USER/GROUP testuser
AC> exit
*note: testuser does not exist on AC/PMDB; this is done on purpose to get the above error
- check PMDB0 error information as below
# cd /<AC-install-dir>/policies/PMDB0
# ls -l ERR*
-rw- 1 root root 235 May 10 11:11 ERROR_LOG
* it looks like some data is written, but
# sepmd -e PMDB0
CA Access Control sepmd v126.96.36.1997 - Policy Model management
Copyright (c) 2010 CA. All rights reserved.
* no error is shown
| || |
|39 ||3 ||Unix endpoint user mode ||Added Japanese support for the keyboard logger records. ||AC1264019 ||Unix all ||Non-ASCII code is skipped. ||A command includes Japanese || || |
- enable KBL
- create user user01 both in AC and native from selang with audit(logins, loginf, f, interact)
- login as the TEST user
- enter command "mkdir /tmp/TESUTO" # TESUTO: Japanese Kana characters
- enter command "mkdir /tmp/TESUTO/aaa"
- Confirm KBL output by "seaudit -kill -sid <nnn> -cmd".
The output shows as below.
14 Sep 2010 11:29:38 P TRACE user01 4c8edc26:0000014e konsh01 KBL input rhel54-54 3337 XX: SessionCmd: mkdir /tmp/
14 Sep 2010 11:30:00 P TRACE user01 4c8edc26:0000014e user01 KBL input rhel54-54 3337 XX: SessionCmd: mkdir /tmp//aaa
XX: Kanji characters that stand for information.
| || |
| 40 || 3 || Unix endpoint user mode || Added a check for UNAB of sshd version on AIX for known problems || AC1264023 || AIX || sshd v.5.4p1 supplied by IBM does not work properly with AIX security subsystem preventing logon of a valid AD user || || || |
- set up a new AD user who is allowed to log in by UNAB.
- try to log in via ssh
- logon fails and, depending on whether NIS is used, one can or cannot log in via ssh later on (with NIS used, /etc/security/lastlog is not updated)
| || |
|41 ||3 ||Unix endpoint user mode ||Enhanced support.sh to collect PMD policies ||AC1264024 ||Unix all || || || || || || |
| 42 || 3 || Windows endpoint user mode || Fixes an issue with Access Control on Windows, where audit records were not filtered in the audit.cfg file. || AC1264025 || Windows all || access type "kill" is ignored. || || Use '*' for access type of PROCESS || |
AC 12.5 SP4 / W2K8
- try to kill lsass.exe: taskkill /im lsass.exe -> this is denied as expected
- see audit log
20 May 2011 17:39:34 D PROCESS W2K8-X64\Administrator Kill 601 10 C:\Windows\system32\lsass.exe C:\Windows\system32\taskkill.exe
- stop AC, add the following filter in audit.cfg and restart AC
PROCESS;c:\windows\system32\lsass.exe;*;*;Kill;D
- steps 1-2 again
[expected result] audit log of kill is filtered.
[actual result] audit log of kill is not filtered.
The audit log can be filtered if the access type is changed to '*'.
PROCESS;c:\windows\system32\lsass.exe;*;*;*;D
The access type of 'Kill' is described in the Reference Guide.
| || |
| 43 || 3 || Unix endpoint user mode || Fixes an issue with Access Control on UNIX, where Access Control does not start after upgrade because of ???_updates files in a PMDB. || AC1264035 || Unix all || libacdki.so is already removed when the upgrade fails due to the existence of a ???_updates file in a PMDB. || upgrade fails due to the existence of a ???_updates file in a PMDB. || || |
- Create PMDB.
- Create a "hostname_updates" file in the PMDB directory, e.g. [ACDir]/policies/PMDB/aaa_updates => This file can be a dummy.
- Run install_base. => This is aborted with the message below (expected).
-- You are still updating this subscriber: aaa. You must finish updating this subscriber before upgrading, or you will lose this update. Note: You can use the -force flag to upgrade anyway.
- Cannot start AC by seload.
# seload
CA Access Control seload v188.8.131.527 - Loader Utility
Copyright (c) 2010 CA. All rights reserved.
The token SEOS_syscall.LINUX_SeOS_Syscall_number, now set to '300'.
CA Access Control system call is not loaded.
ERROR: Timeout waiting for CA Access Control daemon.
CA Access Control system call is not loaded
| || |
| 44 || 3 || Unix endpoint user mode || Fixes an issue with UNAB, where starting UNAB generated a core file for the ReportAgent. || AC1264045 || Unix all ||When one runs /opt/CA/AccessControlShared/bin/ReportAgent -debug 0 -task 3 -now on a SELinux system which prevents 'eac_irapi.so' from loading due to text relocation restrictions, a core is dumped due to a missing exception handler || || || |
- Install UNAB in default location.
- Run uxpreinstall, Register and activate.
- Now go to the following location /opt/CA/AccessControlShared/lbin, and configure the report agent as shown below:
./report_agent.sh config -server 10.130.229.26 -proto ssl -port 7243 -queue queue/snapshot -audit
- Now confirm the settings and restart the UNAB daemons.
NOTE: As the report agent is configured restarting UNAB will also start Report Agent.
- Kill the report agent
- cd /opt/CA/AccessControlShared/bin
- Set the Acuxch key
- ./ReportAgent -debug 0 -now
| || |
|45 ||3 ||Unix endpoint user mode ||Fixes an issue with Access Control on UNIX, where so class(file) flags+(w) does not catch a syntax error ||AC1264047 ||Unix all ||so class(file) flags+(w) fails to return a syntax error ||execute so class(file) flags+(w) || || |
AC> so list | grep FILE
FILE : Yes
AC> so cwarnlist
(localhost) Data for CA Access Control options
<empty>
AC> so class(file) flags+(w) -> NO ERROR
(localhost)
AC> so cwarnlist
(localhost) Data for CA Access Control options -- <still empty>
| || |
| 46 || 3 || Windows endpoint user mode || Fixes an issue with Access Control for Windows, where the Japanese audit record "Successfully subscribed" was garbled || AC1264048 || Windows all || Audit record "Successfully subscribed" was not written in UTF8 in pmd.audit || AC is installed on a Japanese system. || || |
- Create PMDB
- Add the subscriber => subs pmdb subs(subscriber)
- Check pmd.audit => seaudit -a -fn pmd.audit
- You will see that code 338 is garbled.
It doesn't happen with the English seos.msg.
24 May 2011 17:00:10 S UPDATE PMD SECV6\Administrator 338 10 pmd1 secv6 host pmd1 ??TuXNCu??B
| || |
|47 ||3 ||Windows endpoint user mode ||Fixes an issue with Access Control on Windows, where segraceW fails to work from a remote host, reporting a "can not connect to AC database" message, although the defenc.dll file is located in the current directory. ||AC1264070 ||Windows all ||defenc.dll is not found where "Encryption Package" is not defined (i.e. AC is not installed). ||SegraceW runs as standalone. ||Add the Reg value "Encryption Package" in HKLM\SOFTWARE\ComputerAssociates\AccessControl and define the encryption package. || |
- NETLOGON folder
|_ defenc.dll (renamed from the one named by "Encryption Package" in the registry)
|_ SegraceW.exe
|_ batch script to run "segracew -s DC_host"
- Configure the logon script for the domain user to run the batch script.
- Member (x86): log on as the domain user. => "ERROR: can not connect to AC database."
Until SP3, it works with the above configuration.
Steps:
- install AC on the DC
- copy segraceW.exe and the encryption package to the NETLOGON shared folder on the DC. The default encryption package is aes256enc.dll
- rename the encryption package to defenc.dll
- open the NETLOGON share from a workstation
- run segraceW.exe -s <DC hostname>
- verify you don't get "ERROR: can not connect to AC database."
| || |
| 48 || 3 || Unix endpoint user mode || Fixes an issue with Access Control on UNIX, where seos token values were missing after upgrade. || AC1264075 || Unix all || tokens ldap_xxx in seos section are not copied from original seos.ini || || || |
- Define tokens ldap_xxx in the seos section
- Upgrade AC
- tokens ldap_xxx in seos.ini are not inherited
| || |
| 49 || 3 || WebGUI || Fixes an issue with Access Control on AIX, where creating a generic file rule in CA Access Control Enterprise Management fails. || AC1264078 || All ||Method validateName || || || |
In the Endpoint Manager UI.
- Create a file rule for '/home/d000623s.*'
- Create a file rule for '/home/d000623*' and you will receive the error:
Error: There is already a FILE entity with the name: /home/d000623*
| || |
|Searching for an element that contains * causes the search function to act as a wildcard, |
|and all elements that contain the search criteria are retrieved. |
|Therefore the code needs to evaluate the retrieved results and check for a duplicate element for each entry. |
|50 ||1 ||Unix endpoint user mode ||Fixes an issue with Access Control on AIX, where *.tmp files were found in /etc/security. ||AC1264101 ||AIX || || || || |
- Test on AIX 6.1
- Stop AC (secons -s)
- useradd test01
- rm -f /etc/security/*.tmp
- Run 'selang -l':
AC> env Unix
Unix> ru test01
- ls -qal /etc/security/*.tmp -> You should NOT see any files created during the test
|1618 ||T243782 |
|51 ||3 ||unix endpoint kernel mode ||Fixes an issue with Access Control on HPUX, where the file path that seaudit displays is corrupted when bypass_realpath is enabled. ||AC1264103 ||HPUX ||1. path name was not null-terminated 2. used the lookuppn() return value, which is the last component of the path name ||set the token bypass_realpath to 1 ||set the token bypass_realpath to 0 || || || |
| 52 || 2 || WebGUI || Fixes an issue with PUPM, where after creating and discovering privileged accounts on SSH endpoints, CA Access Control Enterprise Management displays an incorrect container. || AC1264105 || All || backslash (\) and the double quotes (") cause the auto login script to fail || || When the SSH endpoint is not connected, add a default value for the account container field in the Modify Privileged Account screen to show the correct container || |
- Create SSH PUPM end point
- Discover the end point
- Enter to the SSH account at Modify Privileged Account screen when the endpoint is down
- The shown container is wrong
| 60 || T5P0052 |
| 53 || 2 || WebGUI || Fixes an issue with the Enterprise Management Server, where backslash and double quote characters cause the automatic login scripts to fail. || AC1264113 || All || backslash (\) and the double quotes (") cause the auto login script to fail || || A wrong pre-defined default value was set on the container field || |
- Create an endpoint that contains a backslash (\) or double quotes (") in the password
- Assign the Login application (RDP) to this endpoint
- Try to perform Automatic Login for this account, the operation fails
| 61 || T5P0053 |
|54 ||2 ||unix endpoint kernel mode ||Fixes an issue with Access Control on UNIX, where seos.ini tokens were not copied on upgrade. ||AC1264114 ||All || || || || || || |
| 55 || 4 || WebGUI || Fixes an issue with PUPM, where a password policy with a minimal length of 16 characters failed due to a dummy check. || AC1264124 || All || || || Remove the validation that checks whether Max Length is over 15 chars || |
- create a password policy with Min length 16 and max length 19
- assigned this policy to an account
- try to check out this account, the operation fails
| 62 || T5P0054 |
|56 ||3 ||Unix endpoint user mode ||Fixes an issue with Access Control on UNIX, where running the command secons -CD results in an infinite loop. ||AC1264127 ||All ||"rec userd" is not cleared when the periodic cache erasing is called, while the file records are cleared. secons -CD goes into an infinite loop because "rec userd" and the actual records differ. ||the periodic cache erasing is called after file activities have been cached. || || || || |
| 57 || 4 || WebGUI || Fixes an issue with the Enterprise Management Server on Linux, where during role validation an exception appeared for a user who should not be allowed to see the break glass account. || AC1264141 || All || during role validation an exception occurred for a user who should not be allowed to see break glass || || || |
- create a privileged account "demouser"
- duplicate the Role PUPM USER to SamplePUPMUser and modify Membership to "user=jdoe", scope "accountname=*demo*". If you log in with jdoe you will see the demouser pupm account in his priv accounts.
- disable the OOTB "breaking glass" role (which should not have any effect). Log in with jdoe again and no accounts are shown now.
| || |
| 58 || 2 || WebGUI || Fixes an issue with PUPM, where the Automatic Login option does not work if the password contains special characters, for example a dollar ($) sign, backslash (\) or double quotes ("). || AC1264144 || All || || || || |
- Create an endpoint that contains a dollar sign ($) in the password
- Assign the Login application (RDP) to this endpoint
- Try to perform Automatic Login for this account, the operation
| 66 || T5P0056 |
|59 ||3 ||Unix endpoint kernel mode ||Fixes an issue with Access Control on Linux, where running secons -sk 2 caused the system to malfunction. ||AC1264147 ||LINUX-X86 ||conversion specifiers of fine and f_sz for snprintf are not correct. ||run secons -kt 2 on LINUX X86 || || |
- install AC on LINUX x86
- start AC
- run secons -sk 2 -> fatal exception in eac_TrustPg_prec()
| || |
|60 ||3 ||Win endpoint user mode ||Fixes an issue with Access Control on Windows, where defining a TERMINAL rule that contains an IPv4 IP address only results in selang failing to connect to seosdb. ||AC1264151 ||Windows all ||getaddrinfo could return an IPv6 address in a mixed IPv4/IPv6 environment. Hence a TERMINAL defined by IPv4 address does not match. ||IPv4 and v6 mixture (like Win2008). TERMINAL is defined by IPv4 IP address only. Token TerminalSearchOrder is name or IP. ||Define TERMINAL by hostname || || || |
| 61 || 3 || WebGUI || Fixes an issue with Access Control on Linux, where the encoding of the login page was sent as basic charset and not translated || AC1264159 || All || the encoding while loading the login page sent as basic charset and not translated || || || |
- Install endpoint management on a machine with a Japanese locale
- Set the browser locale to ja
- Open the endpoint management login screen and, without typing anything, press login
The message that you see is not clear
| || |
|62 ||High ||Win endpoint kernel mode ||Fixes an issue with Access Control on Windows, where an incorrect processing of interceptions setup at driver reload occurred ||AC1264162 ||Windows all ||1. Copy and paste mistake at interception processing 2. Incorrect processing of interception setup at driver reload || || || |
- Install AC on Windows 2008 system
- Reboot and define a blocking rule in the built-in Windows firewall
- Test the firewall rule - check that it's not working.
- Unload AC (secons -s, net stop seosdrv, net stop drveng - the order is IMPORTANT).
- Test the firewall rule again - now it's working
- Restart AC (net start drveng, seosd -start - the order is IMPORTANT)
- Test AC network interception - it's not working.
| || |
|63 ||3 ||Unix endpoint kernel mode ||Enhances the Access Control Keyboard Logger utility with the ability to begin tracing user actions when connecting to host. ||AC1264165 ||Unix all || || || || || || |
|64 ||3 ||Unix endpoint user mode ||Fixes an issue with Access Control on UNIX, where a memory leak in seosd causes Access Control to stop responding when seosd reaches 1G in memory ||AC1264169 ||Unix all || || ||This package adds functionality to AC watchdog. The watchdog will monitor size of seosd and will restart seosd if seosd process size is too big. It also changes watchdog to control size of uxauthd. || || || |
|65 ||3 ||Win endpoint user mode ||Fixes an issue with Access Control on Windows, where setoption for max_len/min_len aborts if no password rules are found in the database ||AC1264170 ||Windows all ||setoption for max_len/min_len aborts if no password rules exist in the database. ||set max_len/min_len after password rules are disabled by so password(rules-) ||set other password rules first, then max_len/min_len || || || |
|66 ||3 ||Unix endpoint user mode ||Fixes an issue with Access Control on UNIX, where running the sepmd -m generates the following error message: "Error in Maker-Checker command : No authorization to access the Policy Model" ||AC1264176 ||Unix all ||PMDB admin check for running user is done by a ticket after the ticket is removed. ||any option for sepmd -m(i.e. la, lo, l, d, and p) fails. || || || || |
|67 ||3 ||Unix endpoint user mode ||We forgot to back up the file .pmd_error. ||AC1264187 ||Unix all ||Enhances the Access Control backup process by including the .pmd_error file. ||1. There is a pmdb named pmdb. 2. run this command to back up the pmdb: "sepmd -bd pmdb /work/backup". ||Please apply the fix sepmd and sepmdd. ||run this command: "sepmd -bd pmdb /work/backup". Check if there is a file named .pmd_error in /work/backup. || || |
|68 ||4 ||Unix endpoint kernel mode ||Fixes an issue with Access Control on Linux, where if the redhat_release file has been manually modified, the kernel module cannot be found. ||AC1264201 ||Unix all ||redhat_release file has been manually modified, so the AC kernel module cannot be found || || ||Test install on OEL 5.5 where the redhat_release file has been manually modified to contain "Carthage" instead of "Tikanga". || || |
| 69 || 3 || Win endpoint user mode || Fixes an issue with Access Control on Windows, where Access Control failed to add the CONSENT.EXE file to ApplyOnProcess after upgrade. || AC1264213 || Windows x64 || Handling of the 64-bit case was missing in MergePlgApplyOnProcesss || 64-bit box upgraded from an old release that does not have CONSENT.EXE by default || Add CONSENT.EXE to ...\Instrumentation\PlugIns\RunAsPlg\ApplyOnProcess with the registry editor after the upgrade || |
- Install AC 12.5 SP2 on a Windows 64-bit box.
- Verify that the value of ApplyOnProcess does not include consent.exe; this is expected for SP2. HKLM\SOFTWARE\ComputerAssociates\AccessControl\Instrumentation\PlugIns\RunAsPlg, ApplyOnProcess = runas.exe explorer.exe
- Upgrade to AC 12.5 SP4.
- Verify that consent.exe is added to ApplyOnProcess. Before the fix, SP4 does not add it.
| || |
|70 ||3 ||WebGUI ||Fixes an issue with Access Control on Windows, where an error message appears when creating a password policy without the weekdays option selected. ||AC1264225 ||All || || || || |
- Create or modify a password policy without a week day checked for scheduling.
- An error message appears: ParseException: unexpected end of expression
|64 ||T5P0055 |
|71 ||2 ||Unix endpoint user mode ||Fixes an issue with Access Control on UNIX where a HOSTNET class mask given as 255.255.255.255 is displayed as 0.0.0.255 ||AC1264231 ||Unix all || || || ||AC> er HOSTNET testnet owner(nobody) audit(a) mask(255.255.255.255) match(127.0.0.1), then AC> sr HOSTNET testnet -> the mask is shown as 0.0.0.255. || || |
|72 ||3 ||Win endpoint user mode ||Fixes an issue with Access Control on Windows, where seosd stops responding when the maximum number of entries in the audit.cfg audit file has been reached. ||AC1264239 ||Windows all ||seosd.exe could not handle more than 100 entries in audit.cfg. ||Add more than 109 entries to audit.cfg and then start seosd.exe. ||Apply the fix to seosd.exe, or make sure audit.cfg has fewer than 100 lines. ||Add 109 entries to c:\program files\CA\AccessControl\data\audit.cfg: 1. Stop Access Control: secons -s. 2. Add 109 or more TRACE entries to audit.cfg (the same entry, TRACE;*;*;*;*;*;*;*, repeated 109 times). 3. Start Access Control: seosd -start. seosd crashes. || || |
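The row above gives two numbers worth checking before starting the unfixed seosd: the crash was reproduced with 109 TRACE entries, and the workaround keeps audit.cfg under 100 lines. The following shell script is an added example and not part of CA Access Control. It counts effective entries (treating blank lines and '#' comments as non-entries, which is an assumption about the file format) and flags any line that does not carry the 8 semicolon-separated fields seen in the reproduction entry TRACE;*;*;*;*;*;*;*; the sample files it checks are constructed inline.

```shell
#!/bin/sh
# Added example, not part of CA Access Control: a pre-start sanity check
# for audit.cfg using the figures from the fix list (the unfixed seosd
# crashed at 109 entries; the workaround keeps the file under 100 lines).
# Assumptions of this example: blank lines and '#' comments are not
# entries, and every entry has 8 ';'-separated fields like the
# reproduction entry TRACE;*;*;*;*;*;*;*

AUDIT_CFG_MAX_ENTRIES=100
AUDIT_CFG_FIELDS=8

# audit_cfg_entries FILE -> prints the number of effective entries.
audit_cfg_entries() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | wc -l | tr -d ' '
}

# audit_cfg_bad_lines FILE -> prints "LINE: TEXT" for each entry whose
# field count differs from AUDIT_CFG_FIELDS.
audit_cfg_bad_lines() {
    awk -F';' -v n="$AUDIT_CFG_FIELDS" \
        '/^[[:space:]]*#/ { next } /^[[:space:]]*$/ { next } NF != n { print NR ": " $0 }' "$1"
}

# audit_cfg_check FILE -> 0 if seosd can safely be started with FILE,
# 1 if the entry limit is reached or a malformed entry is present.
audit_cfg_check() {
    f=$1
    count=$(audit_cfg_entries "$f")
    bad=$(audit_cfg_bad_lines "$f")
    rc=0
    if [ "$count" -ge "$AUDIT_CFG_MAX_ENTRIES" ]; then
        echo "$f: $count entries, limit is $AUDIT_CFG_MAX_ENTRIES" >&2
        rc=1
    fi
    if [ -n "$bad" ]; then
        printf '%s: malformed entries:\n%s\n' "$f" "$bad" >&2
        rc=1
    fi
    return "$rc"
}

# gen_audit_cfg N FILE -> writes N copies of the TRACE entry (constructed
# input that mirrors the reproduction steps).
gen_audit_cfg() {
    i=0
    : > "$2"
    while [ "$i" -lt "$1" ]; do
        echo 'TRACE;*;*;*;*;*;*;*' >> "$2"
        i=$((i + 1))
    done
}

# Demonstration with constructed files in a temporary directory.
tmp=$(mktemp -d)
gen_audit_cfg 10 "$tmp/small.cfg"
gen_audit_cfg 109 "$tmp/large.cfg"
audit_cfg_check "$tmp/small.cfg" && echo "small.cfg: safe to start"
audit_cfg_check "$tmp/large.cfg" || echo "large.cfg: refuse to start"
rm -rf "$tmp"
```

Run it on the real file with `audit_cfg_check "/path/to/audit.cfg"` before `seosd -start`; a non-zero exit means the file would trip the unfixed daemon or contains an entry the field check does not understand.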
|73 ||3 ||Unix endpoint user mode ||Fixes an issue with Access Control on Linux, where if the Keyboard Logger is enabled, the "who am i" command output is displayed twice. ||AC1264247 ||LINUX ||cmdlog checks utbuf->utmp_err; when it is not 0, it does not send the logout event to the agent, and the agent does not erase the utmp line. ||KBL ||kbl_utmp_set_login() sets utbuf->utmp_err = rv = 0; ||Not reproduced in lab. Customer reported that after different users logged in to the system using ssh, the command "who am i" sometimes showed two lines for the same tty: [ acceso21 - caunix ]/home/caunix $ who am i u199956 pts/48 2011-07-11 11:17 (10.65.9.82) caunix pts/48 2011-07-12 11:36 (10.78.33.239) [ acceso21 - caunix ]/home/caunix $ tty /dev/pts/48 ||1570 ||T243783 (x64) |
|T243784 (x86) |
|74 ||4 ||Unix endpoint user mode ||Enhances Access Control to start if the redhat_release file has been altered. ||AC1264251 ||LINUX ||The redhat_release file has been manually modified, so the Access Control kernel module cannot be found. ||The redhat_release file has been manually modified. ||Solution ||Test install on OEL 5.5 where the redhat_release file has been manually modified to contain "Carthage" instead of "Tikanga". Access Control fails to start. || || |
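Rows 68 and 74 above both trace the failure to a hand-edited redhat_release file, where changing the codename (Tikanga to Carthage) was enough to break the kernel module lookup. The shell functions below are an added example, not Access Control's own module-selection code. They illustrate the more robust approach of keying on the "release X.Y" number and ignoring the codename; the module directory layout produced by kernel_module_dir is a hypothetical one chosen for the example, and the sample release strings are constructed.

```shell
#!/bin/sh
# Added example, not CA Access Control code. Derives the distribution
# version from a redhat-release style string by the "release X.Y" number,
# ignoring the codename in parentheses that administrators sometimes edit.

# rh_release_version STRING -> prints "X.Y" (or "X") after the word
# "release"; returns 1 if the string carries no version number.
rh_release_version() {
    v=$(printf '%s\n' "$1" |
        sed -n 's/.*release[[:space:]]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# rh_release_major STRING -> prints the major version only.
rh_release_major() {
    v=$(rh_release_version "$1") || return 1
    printf '%s\n' "${v%%.*}"
}

# kernel_module_dir BASE STRING -> hypothetical module directory
# BASE/linux-<major>, to show that the lookup no longer depends on the
# codename. The layout is an assumption of this example.
kernel_module_dir() {
    m=$(rh_release_major "$2") || return 1
    printf '%s/linux-%s\n' "$1" "$m"
}

# Constructed sample strings for the OEL 5.5 case from the fix list:
# the same release with two different codenames.
STOCK='Enterprise Linux Enterprise Linux Server release 5.5 (Tikanga)'
EDITED='Enterprise Linux Enterprise Linux Server release 5.5 (Carthage)'

# Both strings resolve to the same version and module directory.
rh_release_version "$STOCK"
rh_release_version "$EDITED"
kernel_module_dir /opt/CA/AccessControl/bin "$EDITED"
```

On a live system the string would come from `cat /etc/redhat-release` (or /etc/enterprise-release on OEL); a non-zero return from rh_release_version is the case to surface to the administrator rather than silently picking a wrong module.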
|75 ||3 ||Unix endpoint user mode ||Fixes an issue with Access Control on Solaris where SEOS_load searches for the string "seos" in the system configuration. The script assumes there is already a device named "seos" and attempts to update it. ||AC1264258 ||SOLARIS ||The SEOS_load script looks for the "seos" device by searching the system configuration for the string "seos". A different device whose name contains seosvol also matches and confuses SEOS_load: the script assumes the device already exists and tries to update it. ||Solaris 10 + SEOS_use_ioctl ||Use a stricter search pattern, "/pseudo/seos" instead of "seos". ||Not reproduced in lab. Customer sets SEOS_use_ioctl and runs SEOS_load => failure: # SEOS_load SEOS_load: Executing un/load exit file, /usr/seos/exits/LOAD/SEOS_load_int.always -pre SEOS_load: Updating device seos. SEOS_load: Couldn't update device. ||1625 ||T540064 |
| 76 || 3 || Win endpoint user mode || Fixes an issue with Access Control on Windows, where the dbmgr utility creates crypto key file protection records for seosdb that are not required, after upgrade. || AC1264259 || Windows all || The installer calls dbmgr to create the PMDB; dbmgr creates crypto key file protection records for seosdb, which are not needed for a PMDB. || PMDB exists before upgrade || Remove the crypto key file protection records after upgrade || |
2. Create a PMDB: selang > env pmd > create pmdb1
4. Verify that the crypto key file protection records do not exist in the PMDB: selang > host pmdb1@ > find file
| || |
| 77 || 2 || WebGUI ||Fixes an issue with the Enterprise Management Server, where the password policy does not prohibit any character, yet if the client manually resets the password and the password contains special characters, an error message pops up || AC1264262 || All || Character set validation is missing the semicolon character. || || || |
1. Create a PUPM account.
2. Try to reset the password manually with a semicolon character (;); the following message appears: "The Password allowed characters does not comply with the password policy settings. Change the password or use the recommended password"
| 66 || T5P0056 |
|78 ||1 ||Unix endpoint user mode ||Fixes an issue with Access Control on Linux where the root user could not log in when AC PAM was active ||AC1264265 ||LINUX ||Login hangs on Linux when the AC PAM auth hook comes before pam_unix || || || |
1. Test on Linux AS4.
2. Modify /etc/pam.d/system-auth so that 'auth optional pam_seos.so' is placed one line BEFORE 'auth sufficient /lib/security/$ISA/pam_unix.so'.
3. Start AC (seload).
4. AC> eu test01 password(123)
5. telnet localhost (log in as user test01)
Before this fix, telnet hung right after the user name was entered.
|1632 ||TC61166 (x86) |
|TC61167 (x64) |
|79 ||1 ||Unix endpoint user mode ||Fixes an issue with Access Control on UNIX, where executing the command sepmd -db while specifying a relative path for dest_path renders the original PMDB directory unusable. ||AC1264268 ||Unix all || || || || || || |
|80 ||3 ||Win endpoint user mode ||Fixes an issue with Access Control on Windows where, if a user reconnects to an endpoint using Remote Desktop, the user receives the session ID of the previous session. ||AC1264271 ||Windows all || || ||Keep a list of disconnected sessions in seosd memory. If the user is not authorized to log in, search the disconnected-session list; if the session is found, disconnect the user from the RDP session instead of logging the user off. || |
1. Create User in AC
2. Authorize the user to connect from terminal A.
3. Deny the user authorization to connect from terminal B.
4. Connect from terminal A using RDP.
5. Disconnect the RDP session.
6. Connect from terminal B using RDP.
7. Before the fix, the user is logged off from both sessions.
|523 ||T243804 (x86) T243805 (x64) |
|T243806 (IA64) |
| 81 || 3 || Win endpoint user mode || Fixes an issue with Access Control on Windows, where an intercepted password change request is sent to the password PMDB as originating from user NT AUTHORITY\SYSTEM and not from the original user. || AC1264272 || Windows all || The hosts command resets the changing user with a user obtained by local_seadmapi_WhoAmI(), which was added in 12.5 SP3 (AC1262144). || The user changes their own password via the native password change; the password is managed by the PMDB || || |
1. The user logs in to the GUI and changes the password with Ctrl+Alt+Del.
2. The password change request is sent to the local AC database and to passwd_pmd to deliver it.
3. On the PMD, the password change is recorded as made by a service user such as NT AUTHORITY\SYSTEM.
4. The password is delivered by the user who is the pwmanager.
5. grace(1) is set, since the change is treated as an update by an administrative user and not by the original user.
| || |
|82 ||2 ||Win endpoint user mode ||Fixes an issue with Access Control on Windows that caused Access Control to stop responding if the parameter WaitingTimeout is set to INFINITE. ||AC1264273 ||Windows all ||When seosd is in a long-term timeout (recovery, termination, crash), the subauthentication thread waits with WaitingTimeout = INFINITE for a response from seadmapi_IsServerRunning(); this locks other threads, and further logons get stuck. || ||Resolved by assigning the global WaitingTimeout from the registry value LogonTimeOut, or a default of 4 seconds. || ||521 ||T5P7077 |
|83 ||2 ||LINUX x64 ||Fixes an issue with Access Control on Linux, where the seagent daemon caused a system malfunction on startup. ||AC1264289 ||LINUX x64 ||A syscall intercepted via the 32-bit syscall table tries to execute the 64-bit original syscall function, which is not yet set, and leads to a system panic. ||See investigation notes. ||Solution: hook the 64-bit syscall table before the 32-bit syscall table. Workaround: install the 64-bit version of AC. ||Install AC on an x64 SLES 11 SP1 system and set AC to start automatically. Then reboot the system repeatedly; this may cause the system to crash. ||1636 ||T3E7134 |
| 84 || 3 || WebGUI || Fixes an issue with PUPM, where after checking out an account password, the account status is not updated when using the Automatic Login option. || AC1264302 || All || || || Refresh the My Accounts page while committing the Auto Login application || |
1. Go to My Privileged Accounts.
2. Select an account with the Auto Login Application setting.
3. Commit Auto Login.
4. The status is not changed to Checked Out.
| || |
|85 ||2 ||Unix endpoint user mode ||Fixes an issue with Access Control on HPUX, where Access Control did not start on an HP-UX 11.11 32-bit PA-RISC 1.1 system, because several components are not compatible. ||AC1264309 ||HPUX || || || || || || |
| 86 || 3 || Unix endpoint user mode || Fixes an issue with Access Control on AIX, where if a user name is longer than 8 characters, the user name is truncated. || AC1264324 || AIX || || || || |
1. Install AC.
2. eu longnameuser02 password(123) audit(a)
3. Try logging in with the user.
4. Check seaudit -a.
| || |
|87 ||1 ||Unix endpoint user mode ||Fixes an issue with Access Control where, when using SSH remote commands, the target system executing the command does not resolve the host name that the command was issued from. ||AC1264328 ||LINUX || || || || |
1. Test on Linux.
2. Start AC.
3. AC> nf /usr/bin/df owner(nobody) audit(all) defacc(all)
4. AC> nu test01 password(123) grace-
5. ssh -l test01 0 df -h
6. Check the host name in the FILE audit record for /usr/bin/df and verify that it is not 0.0.0.0.
|1633 ||TC61172 |
| 88 || 3 || Unix endpoint user mode || Fixes an issue with Access Control on Solaris where, when seosd stops responding, seoswd opens a new process that leaves a defunct process from seoswd. || AC1264331 || Unix all || || || || |
2. ps -ef | grep defunct
No defunct process to begin with (if there is already a defunct process, no further defunct processes should be started by seoswd).
3. vi seos.ini
kill_ignore = no
4. Start Access Control.
5. issec to find the seosd pid.
6. kill [pid of seosd]
7. ps -ef | grep defunct
8. No additional defunct processes should appear.
| 1587 ||T243914 (AIX) |
|T132915 (Solaris) |
|T243916 (Linux x86) |
|T243917 (Linux X64) |
|T243942 (HPUX IA64) |
|89 ||2 ||Unix endpoint user mode ||Fixes an issue with Access Control on UNIX with "sepmd -t pmdb auto" truncation. When the updates.dat file grows to a certain size, sepmdd automatically truncates updates.dat, but sepmdd did not update the global offset correctly. ||AC1264332 ||Unix all ||The global offset is not updated correctly. ||sepmdd has to run the auto truncate from within; updates.dat has to grow to a certain size limit. The limit is configurable in pmd.ini. ||Apply the fix to sepmdd, or set trigger_auto_truncate = 1024 and run "sepmd -t DH__WRITER auto" once a day. || || || |
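The row above describes a truncation that shrank updates.dat without correcting the offset that sepmdd keeps into it. The shell functions below are an added example, not sepmdd code, of the invariant involved: when the first N bytes of an append-only file are removed, every saved offset into it must be reduced by N, and an offset that pointed into the discarded region must be clamped to the start of the file. The record format and the sample file are constructed for the example.

```shell
#!/bin/sh
# Added example, not sepmdd code: the bookkeeping behind a head-truncation
# of an append-only update file. Dropping the first DROP bytes shifts every
# record towards the start, so each saved reader offset must be reduced by
# DROP (and clamped to 0 if it pointed into the discarded region).

# record_at FILE OFFSET -> prints the record (one line) starting at OFFSET.
record_at() {
    tail -c +$(( $2 + 1 )) "$1" | head -n 1
}

# truncate_head FILE DROP -> removes the first DROP bytes of FILE in place.
truncate_head() {
    tmp="$1.tmp.$$"
    tail -c +$(( $2 + 1 )) "$1" > "$tmp" && mv "$tmp" "$1"
}

# adjust_offset OFFSET DROP -> the offset to resume from after DROP bytes
# were removed ahead of it.
adjust_offset() {
    if [ "$1" -ge "$2" ]; then echo $(( $1 - $2 )); else echo 0; fi
}

# Constructed update file: five fixed-width records, 10 bytes each, so
# record k starts at byte (k-1)*10.
demo=$(mktemp)
printf 'rec1:aaaa\nrec2:bbbb\nrec3:cccc\nrec4:dddd\nrec5:eeee\n' > "$demo"
reader=30                                  # reader is positioned at rec4
echo "before: $(record_at "$demo" "$reader")"
truncate_head "$demo" 20                   # drop rec1 and rec2
echo "stale offset $reader reads: '$(record_at "$demo" "$reader")'"
reader=$(adjust_offset "$reader" 20)
echo "adjusted offset $reader reads: $(record_at "$demo" "$reader")"
rm -f "$demo"
```

The stale offset lands past the new end of the file (the reader silently sees no updates), which is exactly the class of symptom a subscriber would report after an auto-truncate that forgot to rebase the global offset.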
|90 ||1 || ||Fixes an issue with Access Control on UNIX, where the FILE audit for SSH <cmd> displays the HOST prefix. ||AC1264353 || || || || || ||1633 ||TC61172 |
|91 ||2 ||Unix endpoint user mode ||Fixes an issue with Access Control on AIX, where the Keyboard Logger utility did not collect data to print using the seaudit -cmd command. ||AC1264354 ||AIX || ||multijobs shell, KBL enabled || || |
check -cmd on AIX:
1. install AC, enable KBL, start AC
2. create interactive user
3. set tcsh as login shell for the user (in /etc/passwd).
4. login to the system as interactive user
5. do several Unix commands, among them passwd (password change)
6. exit session
7. Run seaudit -cmd for this session; no commands are listed.
|1637 ||TC61171 |
| 92 || 2 || Unix endpoint user mode ||Fixes an issue with Access Control on UNIX where selogrd detects a corrupted record while intensive writing to the audit log is in progress. Under other conditions selogrd processes the same log without corrupted-record errors. || AC1264360 || Unix all || || ||On detecting a corrupted record, selogrd waits a timeout of Interval*ChangeLogFactor, repeats the read from the same offset as the "bad" record, and only then begins reading byte by byte, skipping this record. || || ||T5P7080 (HPUX) |
|T5P7081 (HPUX IA64) |
|T5P7082 (AIX) |
|T5P7083 (SUN) |
|T5P7084 (LINUX) |
|93 ||1 ||Unix endpoint kernel mode ||Fixes an issue with Access Control on Linux where, when accessing files from scripts, the root user could access files that Access Control was protecting. This occurred because Access Control was not properly enforcing rules. ||AC1264381 ||LINUX ||Parent/child execution sequence in the AC interception when scripts execute many commands || ||The AC kernel interception now creates a process control block before spawning a child, which fixes the parent/child sequence problem. || ||1642 ||TC61175 |
|TC61191 (OEL) |
|94 ||2 ||WebGUI ||Fixes an upgrade issue with PUPM Access Control connector ||AC1264393 ||All || || || || || || |
|95 ||2 ||Unix endpoint user mode ||Fixes an issue with UNAB where a cron job of an AD user was not executed ||AC1264394 ||Unix all ||A busy condition in the SQLite3 database requires closing the database if a reset with backoff is not sufficient. || ||Closing the database after a few unsuccessful access attempts ensures that the client's operation is not affected for long-running processes like cron. ||Set up a recurring cron job for an AD user and observe its execution. ||16 ||TC61182 |
|96 ||3 ||Unix endpoint kernel mode ||Adds Access Control support for OEL 5.7 ||AC1264395 ||LINUX ||New version of OEL. || || || ||1639 ||RO35746 |
|97 ||3 ||Unix endpoint kernel mode ||Fixes an issue with Access Control on UNIX, where users cannot change the default value of the KILL_SIGNAL_MASK token. ||AC1264396 || Unix all ||KILL_SIGNAL_MASK is defined in hexadecimal, but SKI_syscall_init() does not handle hexadecimal and ignores it. ||The default value of KILL_SIGNAL_MASK is changed. || || || || |
|98 ||2 ||WebGUI ||Fixes an issue with Access Control on Windows, where a timeout exception occurred while querying an endpoint with a large number of accounts. ||AC1264404 ||All || || ||Change the query that retrieves an account to: Select Name, Domain from Win32_UserAccount where Domain = '<DOMAIN>' AND Name = '<USER>' AND LocalAccount = True ||Not reproducible in the lab. It happened at a customer site where the local machine had a huge number of user accounts: a socket timeout exception occurred when trying to retrieve the user account, and Windows endpoint creation failed. ||70 ||T5P0060 |
|99 ||2 ||Unix endpoint user mode ||Fixes an issue with Access Control where Access Control cannot start when NFS files are protected. ||AC1264409 ||HPUX ||NFS returns 0 or a wrong i-node, so the path name resolver fails. || ||Use the original path name when Access Control file name resolving fails to find the path of an NFS file. ||Not reproduced in lab ||1638 ||T3DB070 |
|100 ||3 ||Unix endpoint user mode ||Fixes an issue with Access Control on Linux, where running the "who am i" command displays two lines of the same tty entry. ||AC1264413 ||LINUX ||The tty entry has not been deleted when session ends || ||Set DEAD utmp for both original tty and new KBL tty ||Not reproduced in Lab ||1570 ||T3DB071 (Linux x86) |
|T3DB072 (Linux x64) |
|T3DB073 (Linux IA64) |
|T3DB074 (AIX) |
|T3DB075 (Solaris) |
|T3DB076 (HPUX) |
|T3DB077 (HPUX IA64) |
| 101 || 3 || Unix endpoint user mode || Fixes an issue with Access Control on UNIX, where the "User must change password at next logon" flag is not cleared by the sepass utility after the user changes their own password. || AC1264421 || Unix all || "User must change password at next logon" is not cleared by sepass even after the user changes their own password. || "User must change password at next logon" is enabled and the user changes their own password with sepass || || |
1. Define the password PMDB: token passwd_pmd = pmdb1@<windows host>
2. Create a test user:
AC> host pmdb1@
AC> nu test01 password(xxx)
3. Enable "User must change password at next logon" for native test01.
4. Log in as test01.
5. Change own password with sepass:
Enter test01's old password:
Enter new password:
Verify new password:
The user must still change the password, as "User must change password at next logon" is still enabled.
| || T4CC126 |
| 102 || 2 || WebGUI || Fixes an issue with PUPM, where if a user created a scheduled password policy and afterwards the OU of that user changed, the Change Password task failed because the user who created the password policy could not be located. || AC1264448 || All || || || The scheduled job keeps the initiator (the password policy creator) and uses it to invoke the task || |
With an AD user store only:
1. Create a scheduled password policy.
2. Assign it to an account.
3. Change the OU of the user who created the password policy.
4. The change password event fails.
| 72 || T5P0062 |
| 103 || 1 || Unix endpoint user mode || Fixes an issue with UNAB where a fully migrated user cannot log in to a Linux machine if the Active Directory domain controller is not available. || AC1264453 || LINUX || Wrong Windows group list because the UPN is missing in off-line mode || || Add UNIX attributes to the Windows group || |
1. Fully migrated user 'u1' is a member of AD group 'g1', which has no UNIX attributes.
2. A login rule (local or enterprise) exists for group 'g1'.
3. Run uxconsole and log in in on-line mode.
4. Use a firewall to block tcp:389.
5. Run uxconsole and log in in off-line mode.
| ||TC61178 (Linux x86) |
|TC61179 (Linux x64) TC61180 for AIX |
|TC61181 for Solaris |
|104 ||3 ||Unix endpoint user mode ||Fixes an issue with Access Control on UNIX, where during installation the FILE resource /etc/* is not imported into seosdb. ||AC1264456 ||All || || || || || || |
|105 ||2 ||Unix endpoint kernel mode ||Fixes an issue with Access Control on Solaris 10, where after restarting the internal zones, Access Control fails to enforce policy on users because the users' identity is lost ||AC1264457 ||SOLARIS || ||Solaris 10 zones environment. ||The AC kernel code now increments/decrements the sessions counter correctly || ||1641 ||TC61174 |
|106 ||2 ||unix endpoint kernel mode ||Enhances Access Control for Solaris to support Solaris 10u9 + patch. ||AC1264466 ||SOLARIS ||OS include files have changed between Sol 10u9 and Sol 10u9 + patch: dotoprocs() has an additional argument, which leads to the panic. ||Panic on shutdown ||New kernel modules needed for Sol 10u9 with patch ||Install AC 12.5 SP5 on Solaris 10 u9 SPARC + kernel patch 144500-19, or Solaris 10 u9 x64/x86 + kernel patch 144501-19. AC panics on shutdown. ||1640 ||T540074 |
|T540075 (x64) |
| 107 || 2 || Windows kernel user mode || Fixes an issue with Access Control on Windows where a short file name used in a delete operation bypasses the partial match logic of Access Control || AC1264469 || Windows all || A short name used in a delete operation bypasses the partial match logic. || || Fixed the code to match the case correctly || |
1. Under the AC LOG folder, create the file seos1.audit.bak.
2. Add an AC rule with defacc(r) for the file's full path with a wildcard at the end, i.e. <full path>\seos1.audit.bak*
3. Try to read the file: it should pass.
4. Try to delete the file via the command line: it should be denied if the issue is fixed.
| || |
|108 ||3 ||WebGUI ||Fixes an issue with Access Control on Windows, where an error message is displayed in the Endpoint Management user interface ||AC1264472 ||All || || || || || || |
| 109 || 2 || WebGUI ||Fixes an issue with PUPM and ObserveIT 5.3 where an ObserveIT application error occurs when trying to view a session recording via OIT from the EntM audit. || AC1264480 || All ||There might be multiple recording sessions on the same audit event; the record IDs are handled as one record ID. || || Loop over the record IDs if there are multiple, and show each one as a separate link || |
1. log into EntM server via RDP.
2. open EntM WebUI (http://localhost:18080/iam/ac) and login as
3. navigate to [home] - [[My Accounts] - [My Privileged Accounts]
4. select "putty_oit" from [action] drop down list of test01@vmrh51x64-2
5. you can see putty window with test01 login and message box showing
6. close message box and logout from rhel via putty.
7. click yes to check-in test01.
8. navigate to [Privileged Accounts] - [Audit] - [Audit Privileged Accounts]
9. click search to show audit
10. click recording icon to show slide viewer.
-> you can see the session recording without any problems.
11. log into EntM server via another RDP session.
* leave the first RDP session as login; do not logout from the server.
12. do step 2-10 on the second RDP session.
-> at step 5, the session ID in the message box is shown as multiple comma-separated values.
-> an error appears in the slide viewer.
| 74 || T5P0065 |
|110 ||2 || ||Fixes an issue with Access Control on Windows, where Access Control stops responding after running the secons -s command. ||AC1264487 || || || || || || || |
|111 ||1 || ||Fixes an issue with the Korean version of Access Control for UNIX, where after applying the Keyboard Logger patch, the system stops responding. ||AC1264510 || || || || || || || |
|112 ||3 ||unix endpoint kernel mode ||Fixes an issue with Access Control on AIX, where a timeout message appears on startup. ||AC1264532 ||AIX ||seload starts seosd and makes 9 attempts to get an answer from seosd, with a 5-second interval between attempts, i.e. a total wait of 45 seconds. On this system seosd takes about 50 seconds to start. ||AIX 6.1 ||seload now checks a tunable timeout parameter; the user may set a higher timeout if 45 seconds is not enough for seosd to start. ||Not reproduced in lab ||1646 ||T3DB078 |
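The row above quantifies the start-up race: seload probes seosd 9 times at 5-second intervals (45 seconds total), while seosd took about 50 seconds to start on the affected AIX 6.1 system. As an added example, not seload itself, the shell function below shows a readiness wait whose attempt count and interval are tunable (SEOSD_WAIT_ATTEMPTS and SEOSD_WAIT_INTERVAL are variable names assumed for this example, not Access Control tokens), plus a total_wait helper for comparing the worst-case wait with the observed start-up time; probe_after is a constructed stand-in for the real seosd handshake.

```shell
#!/bin/sh
# Added example, not seload itself: a daemon readiness wait with a tunable
# attempt count and interval instead of the fixed 9 x 5 s from the fix
# list. Variable names and the probe are assumptions of this example.

: "${SEOSD_WAIT_ATTEMPTS:=9}"    # seload default number of probes
: "${SEOSD_WAIT_INTERVAL:=5}"    # seconds between probes

# wait_ready PROBE [ATTEMPTS] [INTERVAL]
# Evaluates PROBE until it exits 0 or ATTEMPTS probes have failed.
# Prints the number of probes made; returns 0 when ready, 1 on timeout.
wait_ready() {
    probe=$1
    attempts=${2:-$SEOSD_WAIT_ATTEMPTS}
    interval=${3:-$SEOSD_WAIT_INTERVAL}
    n=0
    while [ "$n" -lt "$attempts" ]; do
        n=$((n + 1))
        if eval "$probe"; then
            echo "$n"
            return 0
        fi
        if [ "$n" -lt "$attempts" ]; then
            sleep "$interval"
        fi
    done
    echo "$n"
    return 1
}

# total_wait ATTEMPTS INTERVAL -> worst-case seconds before giving up; this
# is the figure to compare with the daemon's observed start-up time.
total_wait() {
    echo $(( $1 * $2 ))
}

# probe_after N COUNTER_FILE -> constructed probe standing in for the seosd
# handshake: fails until it has been called N times.
probe_after() {
    c=$(cat "$2" 2>/dev/null)
    c=$(( ${c:-0} + 1 ))
    echo "$c" > "$2"
    [ "$c" -ge "$1" ]
}

# Demonstration: a daemon that answers on the 10th probe is missed by the
# old 9-probe default but caught once the attempt count is raised.
counter=$(mktemp)
echo "worst-case wait with defaults: $(total_wait "$SEOSD_WAIT_ATTEMPTS" "$SEOSD_WAIT_INTERVAL")s"
rm -f "$counter"
wait_ready "probe_after 10 $counter" 9 0 >/dev/null || echo "timed out after 9 probes"
rm -f "$counter"
wait_ready "probe_after 10 $counter" 12 0 >/dev/null && echo "ready within 12 probes"
rm -f "$counter"
```

When tuning the real seload timeout, the useful comparison is total_wait against the daemon's measured start-up time on the slowest host, with some headroom; raising only the interval makes a healthy start slower to detect, while raising the attempt count keeps the polling granularity.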
|113 ||2 ||Windows endpoint kernel mode ||Fixes an issue with Access Control on Windows, where the system stops responding on shared folder file access. ||AC1264549 || ||drveng missed an oplock-related flag in the open operation ||Access to shared files ||Added the missing flag || ||525 ||T5P7090 |
|114 ||2 ||Windows endpoint kernel mode ||Fixes an issue with Access Control on Windows, where a resource sharing violation conflict occurred that caused Access Control to stop responding ||AC1264570 ||Windows all ||Sharing violation ||System reboot ||Fixed the sharing violation ||Define a rule for \device\harddiskvolume* with defacc(a) audit(f) owner(nobody) and check that no services fail to load after reboot. || || |
|115 ||2 ||WebGUI ||Fixes an issue with Access Control on Windows, where the CredintialsSener contain clear text passwords ||AC1264578 ||Windows all || || || || || || |
| 116 || 3 || Win endpoint user mode || Fixes an issue with Access Control on 64-bit Windows, where eACSyncLockout.exe was not installed. || AC1264585 || Windows all || eACSyncLockout.exe is not included in 64-bit AC || || || |
- Install AC on a 64-bit system (x64, IA64); verify that eACSyncLockout.exe is installed in <AC home>\bin.
- Run eACSyncLockout.exe -start; verify that the service is started.
- Enable "Audit account management" in the local Auditing Policy.
- Enable "Account lockout threshold" in the Account Lockout Policy.
- Create a PMDB and subscribe the local host; set PMDB@<local host> in the registry (passwd_pmd/parent_pmd).
- Create testuser in AC and natively; enable the password class in AC.
- Perform failed login attempts by testuser until it is locked out natively; verify that testuser in AC is locked out.
| || |
| 117 || 3 || WebGUI ||Enhances the date and time picker option to display the user's GMT time. Also added 'Valid Until' and 'Start Date' options. ||AC1263411 || All || || || || || 82 || T5P0072 |
|Related code changes also resolve the date time picker issue and localization problems of the Privileged Account Request page dates in the Approve Privileged Account page. ||AC1264723 |
|118 ||3 || ||Enhances the date and time picker option in PUPM to display the user's time for privileged account password requests and approvals ||AC1264524 || || || || ||AC PUPM - Valid Until date fields time zone fix. The new date picker is a component that holds both the date and the time. It displays the time in the user's browser time zone (GMT offset). Behind the scenes the value is stored in the DB converted to GMT 0, and when the approver checks the date and time it is converted back to the approver's browser time zone. From the user's perspective, dates and times are only ever shown in the current browser time zone. Use cases to check: 1. A user requests access to an account immediately for 1 hour. The administrator approves the request; the user can then access the account during this hour. 2. A user requests access for future use, e.g. 30 minutes from now for a certain period. The administrator approves, and the tester waits to see whether the account is accessible to the user after 30 minutes. || || |
|119 ||3 ||Unix endpoint user mode ||Fixes an issue with Access Control on UNIX where dbmgr -e -l failed to handle a group with more than 15 members. ||AC1264540 ||Unix all ||When a group has many members, dbmgr -e -l tries to break the command into two commands; there was a problem in the new (second) command. || || ||Have a group with more than 15 members. ||1653 ||T243829 |
|120 ||2 || ||Fixes an issue with the Access Control out-of-the-box policies, where after upgrade, policies with space characters in their names were not upgraded ||AC1264609 || || || || || || || |
|121 ||2 ||Unix endpoint user mode ||Fixes an issue with Access Control on UNIX where clear text passwords appear in log files ||AC1264616 ||Unix all || || || || || || |
|122 ||3 ||WebGUI ||Fixes an issue with PUPM endpoints where the Advanced option in the Create Endpoint window did not work properly ||AC1264642 ||All || || || || || || |
| 123 || 3 || WebGUI || Fixes an issue with PUPM, where if more than a single Active Directory endpoint is defined, the service discovery wizard displays incorrect results || AC1264643 || All || || || || |
- Create 2 AD endpoints
- Try service discovery for one of the AD endpoints.
- Try service discovery for another AD endpoint.
- Validate that the display is correct and that you do not see the endpoint from the first try.
| || |
|124 ||3 ||WebGUI ||Fixes an issue with PUPM, where a Cisco endpoint creation failed using SSH device endpoint type ||AC1264650 ||All || || || || || || |
|125 ||3 ||WebGUI ||Fixes an issue with Access Control where the tooltip for the start time and end time fields are incorrectly displayed ||AC1264670 ||All || || || || || || |
|126 ||3 ||WebGUI ||Fixes an issue with PUPM, where rediscovering an identical account with a different password policy does not overwrite the previous policy ||AC1264681 ||All || || || || || || |
| 127 || 2 || Unix endpoint user mode || Fixes an issue with the keyboard logger, where the keyboard logger records show the user name root instead of the name of the user who logged in with uid 0 || AC1264533 || Unix all || The logger uses a system call to get the user name from the uid; the AC API should be used instead. || PamPassUserInfo = 1 kbl_enabled = yes || || |
- Set kbl_enabled = yes and PamPassUserInfo = 1.
- Create a user with uid=0, define the user as interactive in selang, and log in via ssh as the created user.
- Check that sewhoami -a shows the correct user name, and check the KBL records for this session.
| || |
|128 ||2 ||Win endpoint user mode ||Fixed stability issues with Access Control on Windows ||AC1264635 ||Windows all || || || || || || |
|129 ||2 ||Win endpoint kernel mode ||Fixes an issue with Access Control on Windows where the server became unstable after installation and a BSOD occurred due to a cainstrm error in function failure return code processing ||AC1264679 ||Windows all || || || || || || |
| 130 || 1 || WebGUI || Fixes an issue with the Enterprise Management Server, where filtering by host name returns only 100 results and limits the user to searching within those results || AC1264692 || All || || ||Improves deployment audit performance when there are many deployments and gdeployments by changing the way the data is retrieved from the DMS. || || || |
|Fixes a null pointer exception that happens when there are more than 100 deployments. |
|Adds missing types (AutoAssign/delete hnode/ delete ghnode). |
|Show the On Behalf Of user in the Updater field. |
|Load deployment errors on demand (only when opening the result records) |
|131 ||2 ||WebGUI ||Fixes an issue with PUPM, where users cannot discover privileged account passwords on Solaris endpoint with more than 1000 users ||AC1264716 ||All || || || || || || |
|132 ||2 ||Unix endpoint user mode ||Adds missing 32-bit nss and pam libraries to UNAB s390 support ||AC1264718 ||All || || || || || || |
|133 ||2 ||WebGUI ||Fixes an upgrade issue with the Enterprise Management Server ||AC1264721 ||All || || || || || || |
|134 ||3 ||WebGUI ||Fixes an issue with PUPM, where checking out a privileged account password from a SSH device fails ||AC1264646 ||All || || || || || || |
|135 ||3 ||WebGUI ||Fixes an issue with PUPM where the automatic password reset of service accounts failed to reset the password ||AC1264690 ||All || || || ||Discovery of windows service accounts and password consumers, then executing automatic password reset for those accounts. || || |
|136 ||2 ||WebGUI ||Fixes an issue with PUPM where the creation of SSH device endpoint type failed when done using the feeder option ||AC1264722 ||All || || || || || || |
|137 ||3 ||WebGUI ||Fixes an issue with the Enterprise Management Server, where an error message appears when a requestor changes the start and end date of a privileged account password request ||AC1264723 ||All || || || || || || |
|138 ||3 ||WebGUI ||Enhances the Access Control reports to include additional fields ||AC1264734 ||All || || || || || || |
|139 ||2 ||Unix endpoint user mode ||Fixes stability issues with the ReportAgent on UNIX ||AC1264521 ||Unix all || || || || || || |
|140 ||3 ||WebGUI ||Fixes an issue with PUPM where creating searching from an Active Directory user failed ||AC1264680 ||All || || || || || || |
|141 ||3 ||WebGUI ||Fixes an issue with Access Control where an error message appeared when attempting to assign a policy to more than 10 endpoints ||AC1264713 ||All || || || || || || |
|142 ||3 ||WebGUI ||Fixes an issue with PUPM, where the connection to ObserveIT Enterprise failed ||AC1264764 ||All || || || || || || |
| 143 || 2 || WebGUI || Fixes an issue with Access Control where the user DN could not be stored in the PRIVILEGED_ACC_EXCEPTION table, which resulted in an error message || AC1264770 || All || || || Enlarge the APPROVER_ID column in the PRIVILEGED_ACC_EXCEPTION table ||User store: AD |
Try to approve a privileged account request as a user whose DN is longer than 80 characters. The update to the PRIVILEGED_ACC_EXCEPTION table used to fail.
| || |
|144 ||2 ||WebGUI ||Fixes an issue with the Enterprise Management Server, where error messages appeared after changing the search root in the CA Identity Manager Management Console ||AC1264563 ||All || || || || || || |
|145 ||3 ||WebGUI ||Fixes an issue with PUPM, where approver cannot approve or reject privileged account requests because of an error when opening the work list link ||AC1264773 ||All || || || || || || |