1. vi seos.ini
   kill_ignore = no
2. start up AccessControl.
   # issec
   To check the PID of seosd.
3. kill [PID of seosd]
4. Wait for a minute for seosd to start up.
5. ps -ef | grep defunct
   
   If you don't see any defunct processes, then it works.

1. Install Terminal Server using Add-Remove Windows components.
2. Install AC using PE in custom mode with all the option selected.
3. Make sure that you are importing users and groups while installation and also checked the box to connect user to the respective group.
4. After installation restart the machine.
5. Connect to DMS and create some users.
6. Create a TCP resource and enable the TCP class.
7. Create other resources also like file, registry, pmdb etc.
8. Now, upgrade AC using PE and restart the machine after upgrade
9. Connect to DMS and check if the users created still exists.
10. Check the newly created TCP resource exists after upgrade.
11. Check if all other resources exists after upgrade.
12. Check if the users are there in the localhost database.
    
    Actual Result:
    All the users and resources are not there after upgrade. Also the changes made for TCP class is not effective.
    
    Expected Result:
    All the users and resources should be there after upgrade. Also the changes made for TCP class should be effective.

1. Define local user in selang
2. SSH into local system as user from step 1
3. check 'seaudit -a| tail' to see how many 'P LOGIN' records you see

• Install Endpoint Management JPN on LINUX machine.
• After installation go to uninstall folder: /opt/CA/AccessControlServer/EndpointManagement/Uninstall_EndpointManagement and see that uninstaller file name is garbled.

1. Test on AIX.
2. Block ftp port 21 in class HOST.
3. Attempt to FTP into the AIX machine and see that it fails with proper error and audit.

1. Test on Solaris 10
2. copy /usr/bin/su to /usr/bin/su_test
3. chmod 0777 /usr/bin/su_test chmod s /usr/bin/su_test
4. In selang define /usr/bin/su_test as a LOGINAPPL with flags=pamlogin
5. In selang define xgroups test1, test2, ... test16
6. In native OS define user test01 (useradd -G test1,test2,...,test16 test01) set password for user test01 (passwd test01)
7. In seos.ini make sure that 'osuser_enabled = yes' and 'create_user_in_db = yes'
8. Start AC (seload)
9. In selang define user test02 (AC> eu test02 password(123)
10. See that the xgroups are defined in AC LADB (sebuildla -G | grep test) --> If not run 'sebuildla -g' and check again
11. telnet localhost (login as user test02)
12. /usr/bin/su_test test01 (provide password) --> After successful 'su' run '/opt/CA/AccessControl/bin/sewhoami -a' and see that all xgroups are listed.

1. Test on Solaris 10.
2. Copy /usr/bin/su to /usr/bin/su_test
3. chmod +s /usr/bin/su_test
4. Define /usr/bin/su_test as a LOGINAPPL with loginflags(none)
5. Set tokens:
   sesu.systemSU = /usr/bin/su_test sesu.UseInvokerPassword = yes
6. Create 10 OS groups: AC> env native Native> nxg a1 (create until a10))
7. Create OS users: AC> env native Native> nu test01 password(123) Native> nu test02 password(123) Native> join a1 test01 (create until a10)
8. Start AC
9. Telnet to system as root
10. From root session run: sesu -n test01 --> It should NOT prompt for Invoker password
11. As user test01 run: '/opt/CA/AccessControl/bin/sewhoami -a' --> You should see user test01 with all OS groups a1,..a10
12. As user test01 run: 'sesu - test02'
13. As user test02 run: '/opt/CA/AccessControl/bin/sewhoami -a' --> You should see user test01 with all OS groups a1,..a10

we may not be able to reproduce the problem in-house. here is how the client reproduce the problem.

1. vi /etc/resolv.conf
   domain ca.com
   nameserver 192.168.x.x
   search <company>.com
   
   Please note ca.com in the first line and ca.com in the "search" line at the end.
   sebuildla will try to query ca.com twice, this is what causing the hangs.

1. Try to set automatic password change
2. If and when the action fails there is no details regarding the end point name and the account name in Audit Privileged Accounts screen

1. 1. create a new Endpoint by copying an existing one
2. Application Login list is not copied

1. Stop AC
2. Set in Registry HKLM\SOFTWARE\ComputerAssociates\AccessControl\OS_user osuser_enable = 0
3. Create regular User
4. Start AC
5. RDP Logon to the host from another host. Check seosd process exited and record "The CA Access Control Engine service terminated unexpectedly." is created in Application Event Log. The seosd.dmp minidump is produced in AC/bin

1. user store is AD
2. Perform check out account by a user with long DN over 80 chars
3. The job used to failed to be stored at the database

Steps to reproduce:

1. kbl_enabled = yes
2. Start AC
3. login to host
4. # who am i => EXPECTS line like "lipyu01 pts/2 Jan 25 18:09 ..." => ACTUAL: empty output

1. kbl_enabled = yes
2. Start AC
3. login to host
4. # who am i => EXPECTS line like "lipyu01 pts/2 Jan 25 18:09 ..." => ACTUAL: empty output

install_base -autocfg -command Proceed -post /install/post_chmod

we have the following in post_chmod.

#!/bin/bash

chmod 4555 /opt/CA/AccessControl/bin/sesu
chmod 4555 /opt/CA/AccessControl/bin/sesudo
chmod 4555 /opt/CA/AccessControl/bin/sepass

After the installation, we expect to see 4555 for /opt/CA/AccessControl/bin/sesu, but the setuid bit is reset after the upgrade

case 1: Untrusted but GUI shows trusted.

1. Create SECFILE record and it change Untrusteder SECFILE /tmp/SECFILES/secuity1.txt
2. Login Endpoint Management and check SECFILE resource.
3. You can see trust flag is checked at audit tab.

case 2:

1. login Endpoint Management and check SECFILE resource.

2. check off trust flag at audit tab and save

3. check SECFILE resource again.

you can see the trust flag is checked.

case 1: Untrusted but GUI shows trusted.

1. create SECFILE record and it change Untrusted

er SECFILE /tmp/SECFILES/secuity1.txt

2. Login Endpoint Management and check SECFILE resource.

3. you can see trust flag is checked at audit tab.

case 2:

1. login Endpoint Management and check SECFILE resource.

2. check off trust flag at audit tab and save

3. check SECFILE resource again.

you can see the trust flag is checked.

1. stop AC
2. disable PROGRAM class
3. selang -l
4. AC> er PROGRAM /opt/CA/AccessControl/bin/sebuildla trust blockrun Successfully updated PROGRAM /opt/CA/AccessControl/bin/sebuildla ERROR: Failed updating run-time tables. AC> rr PROGRAM /opt/CA/AccessControl/bin/sebuildla Successfully deleted PROGRAM /opt/CA/AccessControl/bin/sebuildla
5. start AC
6. selang AC> er program /opt/CA/AccessControl/bin/sebuildla trust blockrun (localhost) ERROR: Failed updating run-time tables. Successfully created PROGRAM /opt/CA/AccessControl/bin/sebuildla

1. Test on Solaris 10.
2. echo "test" > /tmp/test.txt
3. Create a script /tmp/test.sh #!/bin/sh # /usr/bin/cat /tmp/test.txt
4. Start AC.
5. AC> ef /tmp/test.txt owner(nobody) audit(a) defacc(n) AC> er specialpgm /tmp/test.sh pgmtype(pbf propagate) AC> er specialpgm /usr/bin/cat pgmtype(pbf)
6. /tmp/test.sh --> Make sure you see the word 'test' displayed, meaning that bypass inheritance worked.

1. Install AC by interactive mode
2. select 'n' for OS users [ Set up OS users ] You may define OS users as CA Access Control database administrators. Specify user IDs separated by space. If you do not want to define OS administrators now, hit ENTER. Do you want CA Access Control to support OS users? [Y/n]:n after installation token osuser_enabled should be set to "no" by the setup

1. Test on Solaris 10 with internal zones.
2. Install AC on all zones.
3. In internal zone write an ACL on /dev/null allowing access only to root and audit(all).
4. In internal zone run 'cat /dev/null' -> See in audit that file name does NOT have zone prefix.

1. Test on SLES 11SP1 on S390X.
2. Create a script called test.sh that looks like: #!/bin/sh # date > /tmp/date.log
3. chmod 0755 test.sh
4. Define a cron job to run test.sh every minute. --> Check that there are no defunct processes for test.sh and cron

1. Install ENTM on LINUX
2. Start JBoss.
   
   Result: Failed to invoke ENTM Web GUI after starting JBoss using ./runs.sh -b 0.0.0.

1. #touch /tmp/miyhi02
2. #seload
3. #selang
   AC>nr secfile /tmp/miyhi02 owner(nobody)
   AC>nr file /tmp/miyhi02 defacc(a) audit(f) owner(nobody)
4. #secons -s
5. watchdog_refresh = yes
6. #seload
7. #touch /tmp/miyhi02
   
   seaudit should show a "U SECFILE" record.
   selang should shows the secfile is untrusted.

1. Create a copy of break glass task -> remove the "hide task in menu".
2. Assign the task to break glass role
3. Change "break glass WF" task to NULL participant
4. browse to Home tab -> go to new create Task
5. Select Account from the search list enter Justification
   
   A null pointer exception message

a policy with these lines in the contents.

####
#This is for test.
#------------------
nobody'
nu user01

When this policy is deployed, then seagent will keep running the command and we'll see the memory leaks.

1. Install ReportAgent on UNAB host.
2. Configure ReportAgent for sending to Distribution Server
3. Set interval = 3 in accommoon.ini
4. Start ReportAgent in debug mode: ReportAgent -debug 1 -task 2
5. Monitor ReportAgent process memory consuming growth.
6. Stop service "CA Access Control Message Queue" on Distribution Server for disconnecting ReportAgent from Tibco and keep monitoring memory growth.

Cannot add new PUPM endpoints agentless.

If you remove a pupm endpoint, then it's possible to create a new one. Getting Fatal error message:

Failed to execute CreateEndpointEvent. ERROR MESSAGE: Create administrative acc

account for endpoint failed: details:String or binary data would be truncatated

1. create login Application and assign it to endpoint which it's password contains $
2. at My Privileged Accounts try to Automatic Log in to this account. when having $ sign at the password it used to failed

seosd calls SEOS_syscall to get peeradr information of a process during login.

If SEOS_syscall fails to get it from process it tries to get it from parent process. It did not do satisfactory checks whether parent process is valid.

On Linux x86

1. kbl_enabled = yes
2. Start AC
3. login to host
4. # who am i => EXPECTS line like "lipyu01 pts/2 Jan 25 18:09 ..." => ACTUAL: empty output

1. enable KBL, start AC
2. login to test machine
3. run "who am i" and "last | head" EXPECT: same tty and user in output of who and "last"

1. Test on Solaris 8 that has OPEN SSH installed.
2. Start AC.
3. Run many SSH logins into the machine --> If you are lucky system will crash

1. ssu to root
2. enable kbl in seos.ini
3. start AC
4. do_as qash_adm sewhoami as: No such file or directory.

1. Install UNAB, register, activate
2. Default_login_access 1
3. set tokens [agent]/nss_cache_update_grp_login = no and [agent]/wingrp_ update_login = no
4. Migrate a user and it gets migrated successfully
5. uxauthd -start
6. ../eacLotsOfTelnet -n ismesl61 -t 1 -s 10000
   
   Expected Output: uxauthd must allow login
   Actual Output: After 30 minutes login is not allowed Daemon is still running

1. make sure there are AD groups in nss.db which have a very large number of members;
2. execute a command that will exercise enumeration APIs in nss_uxauth: either adduser username or getent group

1. install AC12.5SP4
2. create directory/file
   C:> mkdir aaaaa
   C:> mkdir aaaaaccccc
   C:> echo TEST > aaaaatest.txt
3. create generic policies
   AC> nf ("c:aaaaa*") defacc(all) owner(nobody)
   AC> nf ("c:aaaaaccccc") defacc(all) owner(nobody)
   AC> nf ("c:aaaaaccccc*") defacc(all) owner(nobody)
   AC> auth FILE ("c:aaaaaccccc*") uid(<machine name>Administrator) acc(N)
4. access c:aaaaatest.txt -> This is denied.

1. create test file # touch /tmp/aaa
2. create file class resource AC> ef /tmp/aaa defacc(n) audit(a) own(nobody) AC> auth file /tmp/aaa id(*) acc(a) via(pgm(/usr/bin/cat)) -> this creates program class for /usr/bin/cat
3. test file rules # more /tmp/aaa /tmp/aaa: Permission denied # cat /tmp/aaa # seaudit -a -sd today D FILE root Read 69 2 /tmp/aaa /usr/bin/more host P FILE root Read 63 3 /tmp/aaa /usr/bin/cat host -> this is working as expected
4. create file rule for cat AC> ef /usr/bin/cat defacc(n) audit(a) own(nobody)
5. test file rules AC 8.0 SP1 CR18: # cat /tmp/aaa cat: cannot execute # seaudit -a -sd today D FILE root Exec 69 2 /usr/bin/cat /sbin/sh host -> The access is denied as expected AC 12.5 SP4: # cat /tmp/aaa # seaudit -a -sd today P FILE root Read 63 3 /tmp/aaa /usr/bin/cat host root -> The access is permitted; file resource defined in step 4 is ignored.

1. er specialpgm /tmp/oldver pgmtype(propagate)
2. er specialpgm /tmp/oldver pgmtype(dcm)
3. You will see as below, eventually the record is updated successfully. 12 May 2011 17:00:58 S UPDATE SPECIALPGM root 305 0 /tmp/oldver sec758l4-l4-l53 er specialpgm /tmp/oldver pgmtype(propagate) 12 May 2011 17:01:08 F UPDATE SPECIALPGM root 305 0 /tmp/oldver sec758l4-l4-l53 er specialpgm /tmp/oldver pgmtype(dcm)
4. secons -kt 1 still show /tmp/oldver and the pgmtype is propagate

[Problem] SegraceW doesn't work from the remote host using the logon script. [Env] AC r12.5SP4 / Windows(x86) - DC(x86)

1. NETLOGON folder |_defenc.dll (Renamed the one from "Encryption Package" in the registry) |_SegraceW.exe |_batch script to run "segracew -s DC_host"
2. Configure the logon script for the domain user to run the batch script. - Member(x86) Logon by the domain user. => "ERROR:can not connect to AC database."