CA ControlMinder 12.8 - CumulativeFix-1 (CF1) Endpoints FIXLIST
3915
24 May 2019
| No. | Severity | Module | Problem summary | Package | OS | Cause of the problem | Conditions | Solution or workaround | Reproduction steps |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | 3 | Unix endpoint user mode | Fixes an issue where seosd core dumps due to signal 6 (abort). This behavior occurs when a system command "reboot" is issued. | AN01831 | Unix all | seosd takes a long time to shut down and the system issues another signal 6 to seosd. | 1. cp /opt/CA/AccessControl/samples/system.init/LINUX/S95seos /opt/CA/AccessControl/bin 2. chmod +x /opt/CA/AccessControl/bin/S95seos 3. ln -s /opt/CA/AccessControl/bin/S95seos /etc/rc5.d/S95seos 4. Start up ControlMinder and then issue the command "reboot". 5. When the system comes back up, check for a core dump in / or /opt/CA/AccessControl/bin. Note that you may not be able to reproduce the problem. The problem can be reproduced only if seosd has a lot of cleanup to do in the client's environment. | ||
| 2 | 2 | Unix endpoint user mode | Fixes an issue where seosd produces a core dump during reboot | AN02078 | Unix all | Any 12.5 SP5 GA with patch that includes changes by AC125SP50555 or 12.5 SP5 CR1 will have this problem. | Add check to make sure not to free already freed memory. | Install 12.5 SP5 CR1. Run AC. Execute reboot. | |
| 3 | 3 | Unix endpoint user mode | Fixes an issue where login session terminates when scrolling a file in Vi if the keyboard logger is enabled | AN02108 | Unix all | A negative length is passed as a parameter to read() | KBL enabled and kbl_output_limit=10 | AIX 6.1 seos.ini: kbl_enabled = yes kbl_output_limit = 10 AC> eu root audit(interactive) login as root # vi /opt/CA/AccessControl/seos.ini scroll opened file down EXPECTED: can scroll as long as you wish ACTUAL: login session terminates, Connection to ... closed by foreign host. | |
| 4 | 3 | Unix endpoint user mode | Fixes an issue where the oldest file cannot be retrieved if the file time stamp was changed | AN02134 | Unix all | The time stamps of the seos.audit backup files are changed. This is why seosd is not able to find the oldest file created correctly. | Make sure the backup files seos.audit.bak.xxx.xx are not touched by any other processes. | Set the following tokens. BackUp_Date = daily audit_max_files = 3 (or any number you would like) 1. cd /opt/CA/AccessControl/log 2. cp seos.audit.bak.30-Mar-2014-09:44:32 seos.audit.bak.31-Mar-2014-09:44:32 3. cp seos.audit.bak.30-Mar-2014-09:44:32 seos.audit.bak.01-Apr-2014-09:44:32 Now we have three backup files. audit_max_files is set to 3. If seos.audit is renamed the next day, then the oldest backup file will be deleted. According to the name extension, 30-Mar-2014-09:44:32 is the oldest file, and this file should be deleted the next day when seos.audit is renamed to the backup file. However, if we shut down CM and then run "touch seos.audit.bak.30-Mar-2014-09:44:32", the file seos.audit.bak.30-Mar-2014-09:44:32 is no longer the oldest file. This file will not be deleted when seos.audit is rolled to the backup file. | |
| 5 | 2 | Unix endpoint user mode | Fixes an issue on zLinux where AgentManager and ReportAgent generate an error when loading Java shared libraries libjvm.so and libjsig.so | AN01812 | LINUX s390 | The created LD_LIBRARY_PATH does not include the path to libjsig.so | Modify the condition to include checking the s390x machine type. | ./report_agent.sh start Observed: /opt/CA/AccessControlShared/bin/ReportAgent: error while loading shared libraries: libjsig.so: cannot open shared object file: No such file or directory | |
| 6 | 3 | Win endpoint user mode | Fixes an issue where CA ControlMinder fails to fetch hosts from DNS on AIX 6.1 and higher | AN02091 | AIX | Commands "nslookup -ls" and "host -l" are not supported on AIX 6.1 | Implement "dig" command to fetch list of hosts from DNS server | AIX 6.1 Install CM # dig DNS_server Domain_Name axfr // for example: dig 130.119.181.119 memco.co.il axfr If the hosts list is not empty, continue testing # sebuildla -h # sebuildla -H EXPECTED fetched list of hosts | |
| 7 | 3 | UNAB | Adapt UNAB to recent changes on RHEL for nss_uxauth data exchange | AN02092 | LINUX all | ||||
| 8 | 3 | Unix endpoint user mode | Fixes an issue where the watchdog attempts to kill seosd process on restart. As a result the SMF service enters into "maintenance" mode after restart and both SMF and watchdog attempt to restart seosd | AN02080 | Unix all | In saferoute, check the returned error; if the error is SEOSSFR_E_NOSERV then do not kill seosd | |||
| 9 | 2 | Unix endpoint kernel mode | Fixes an issue where a spurious /etc/os-release file causes SEOS_load to fail | AN02081 | LINUX x64 | Spurious /etc/os-release file being incorrectly parsed by getvar.sh | RHEL 5.x with added /etc/os-release file | On a rhel 5.10 X64 system: 1. Ensure the SEOS kernel module is unloaded - SEOS_load -u 2. Add a /etc/os-release file which just contains the text "redhat". 3. Execute SEOS_load to load the seos kernel module. CM should load and run (previously SEOS_load was detecting the OS as Debian) | |
| 10 | 2 | Unix endpoint user mode | Fixes an issue where sepass does not work for local users when UNAB is installed | AN01934 | Unix all | On a machine where both ControlMinder endpoint and UNAB are installed Create a User from the native #useradd test111 #passwd -r files test111 6. Now use sepass to change the password for a local user when UNAB is installed and running. bash-3.00# sepass test111 CA ControlMinder sepass v12.80.0.1675 - Password replacement Copyright (c) 2013 CA. All rights reserved. Changing password for test111 Enter your password: Enter new password: Verify new password: Permission denied Local password updated successfully. 7. Now log in as the local user with the newly changed password. Login is successfully done. | |||
| 11 | 3 | Unix endpoint kernel mode | Fixes an issue where the keyboard logger fails to work properly on the Solaris internal zone. | AN01829 | Unix all | CM initializes global structure "SEOS_kbl_info_t KBL_info" only when starting CM in global zone. The CM uses this global structure also in internal zones. | CM does not run in Solaris global zone | Create per-zone KBL_info, this structure keeps "cmdlog" binary description and initializes it when starting CM in zone | |
| 12 | 2 | Unix endpoint kernel mode | Fixes an issue where on Solaris 10, a Solaris 10 zone with a long path name causes a system crash. | AN01861 | Solaris Sparc | Attempt to write a 1028-byte string into a buffer of 1024 bytes | Solaris 10 zone with long path name | Check the length of the result of adding the zone name to the path name. Do not exceed buffer length MAXPATHLEN=1024 | Solaris 10 internal zone. Create a file such that the total path length is 1020 bytes in the internal zone. Start CM in the global and internal zones. Try to access this file from the internal and from the global zone. ------------ The CM path resolving tried to add the zone prefix to the long path and ended up with a heap corruption error. |
| 13 | 3 | Unix endpoint user mode | Fixes an issue where the Selang connection to the remote host fails when using libscramble.so | AN01868 | LINUX s390 | The encryption layer fails to decrypt data. The ACCIPHER layer loads shared libraries for encryption. The function _unscramble() in libscramble.so expects the input parameter for buffer size as 'int*' while the ACCIPHER layer sends 'long*'. On zLinux int is 4 bytes while long is 8 bytes. As a result, the called function returns an invalid buffer size value (an extremely big value) and the ACCIPHER layer returns an error. | using libscramble.so | In case of failed decryption, check the returned buffer size; if it is a very big number, most likely the function expects a pointer to 'int'. Call decryption again with the new parameter 'int*' | Host 1: * Solaris 10 + CM 2.6sp1 (or any other version) * set `<CM>/lib/libcrypt -> /opt/CA/AccessControl/lib/libscramble.so.126.0` * start CM Host 2: * Linux s390x + CM 12.6sp2 * set `<CM>/lib/libcrypt -> /opt/CA/AccessControl/lib/libscramble.so.126.0` * Start CM ------------------------- on Host 1 run selang and try AC> host host2.ca.com EXPECTED: Successfully connected INFO: Target host's version is 12.62-0 (000) |
| 14 | 3 | Unix endpoint user mode | Fixes an issue with seagent where a corrupted seos.audit file with an empty space fails to retrieve events. As a result, the number of records seen through the Enterprise Management UI is different than the number of records seen through "seaudit -a". | AN01883 | Unix all | A corrupted seos.audit is needed to see the problem. | Get a corrupted seos.audit where a large region of seos.audit is empty. Connect to this box from the Endpoint Management Web UI and then click on Audit Event to show all the records. The problem is that the number of records you see in the Web UI and the number of records in "seaudit -a" are different. It means some records are missing. | ||
| 15 | 3 | Unix endpoint user mode | Fixes a problem where selogrd exits unexpectedly when it fails to read the seos.audit file locked by seosd. | AN01153 | Unix all | While seosd sends logs to a long seos.audit file, it locks the file seos.audit. When selogrd tries to open the file seos.audit, it fails. | seosd locks the file seos.audit for too long. | If selogrd cannot open the file, it goes to sleep for 10 seconds and then tries to open the file again. | |
| 16 | 3 | Unix endpoint user mode | Fixes an issue where on certain AIX systems a user fails to update the password for a user with username longer than 8 characters. | AN01527 | AIX | The AIX system's own API does not support usernames longer than 8 characters. | The problem happens on AIX only. | Pick a user whose username is more than 8 characters. AC> eu longusername01 password(12345) vi /etc/security/passwd The password is not updated. | |
| 17 | 3 | Unix endpoint user mode | Fixes an issue where the command "logout" fails when the keyboard logger is enabled. | AN01613 | Unix all | Reproduced; however, the error is different. 1. install CM 2. seos.ini kbl_enabled=yes 3. logon to the system 4. # logout 3004-064 You must be the login user. | |||
| 18 | 1 | UNAB | Fixes UNAB issue where an account with a hash character (#) in the password fails to customize the rpm package for registration during the package installation. | AN02073 | Unix all | ||||
| 19 | 3 | Unix endpoint user mode | Fixes an issue where a new shell (new process) wrongly executes a new setuid. | AN02082 | Unix all | A new shell executes setuid to root. | old_sesu is set to no, and the OS must work in such a way that a new shell executes setuid to root. | ||
| 20 | 2 | Unix endpoint kernel mode | Fixes an issue with HOST class denials. Consider that all the connections are by default denied and a specific port for a particular IP address is enabled. Given this case, if a telnet executes on the same port with a different IP address, CA ControlMinder will deny the connection, leaving a sock entry half opened. After a while, the OS file descriptor table would be full and the server would crash. | AN02064 | Unix all | The problem is that the original accept system call has already created a new file descriptor for the connected socket when SEOS decides to deny the connection. The existing code terminates the socket but fails to close the file descriptor. As a result, a valid file descriptor is pointing to an invalid socket. Depending on the platform, it could result in a panic or a memory leak. | When incoming connection is denied. | Close the file descriptor and it will automatically clean up the socket. | 1. Install CM. 1a. (Optional for Solaris 10 and up or HP-UX 11.23 and up only) Make sure to use the syscall network interception method. Set the following token in seos.ini: SEOS_use_streams = no SEOS_network_intercept_type = 2 2. Start CM. 3. Activate the HOST class. 4. Add the following selang rules: chres ADMIN("HOSTNET") audit(failure) defaccess(none) editres HOSTNET("all") audit(failure) owner(nobody) mask(0.0.0.0) match(0.0.0.0) chres UACC("HOSTNET") authorize HOSTNET("all") access(r) service(22) authorize HOSTNET("all") access(none) service(*) NOTE: With the last rule, all TCP services except SSH will be blocked. Using "sshd -p 22033" is simply to track file table of a daemon more easily, better than inetd. 5a. For Linux and HP-UX, start a second sshd daemon monitoring a different port. /usr/sbin/sshd -p 22033 5b. For Solaris, start a second sshd daemon monitoring a different port. /usr/lib/ssh/sshd -p 22033 6. Try to connect to this second sshd daemon from another host. ssh -p 22033 this_host 7. Verify in the audit log that this connection is denied. 8. Identify the PID of this second sshd daemon. ps -ef \| grep sshd \| grep "-p 22033" 9a. For Linux and HP-UX, list this PID's files. lsof -p second_sshd_pid You will see a file of sock with "can't identify protocol" for each failed connection attempt. 9b. For Solaris, listing this PID's files may cause the system to panic. pfiles second_sshd_pid |
| 21 | 3 | Unix endpoint user mode | Fixes an issue where the created user name is not resolved to name when the user is not in Look aside DB. | AN02071 | Unix all | pam_seos.so in 64 bit is communicating with a 32-bit seosd. The data structure is not matched when data is transmitted from 64 bit to 32 bit. | We can reproduce the problem only if we install the 32-bit version of CM on a 64-bit Linux. The user is created by a native tool and the user is never added to ladb. These are the two conditions to reproduce the problem. | Either apply the seosd fix or make sure to add the user in ladb. | 1. Install 12.8 on a Linux X64 bit system. However, the 12.8 version is in x32 bits. 2. The x64 bit pam_seos.so is in use; it is in /lib64/security. 3. Run useradd to create a user and create a passwd for the user. Note the user is not in ladb 4. Log in as the user for the first time and then run "sewhoami -a"; there are two user names in sewhoami -a instead of one. |
| 22 | 2 | Win endpoint user mode | Fixes a problem where "N PROCESS" audit logs for killing ControlMinder processes are not filtered with "PROCESS;*;*;*;Kill;*" in audit.cfg | AN02047 | Windows all | 1. set "PROCESS;*;*;*;Kill;*" in audit.cfg 2. kill seosd.exe from taskmanager 3. following audit log is recorded. 08 Apr 2014 15:53:29 N PROCESS Administrator Kill 600 10 \device\harddiskvolume2\program files\ca\accesscontrol\bin\seosd.exe C:\Windows\system32\taskmgr.exe Additional information: When set "PROCESS;*;*;*;*;*" in audit.cfg, above audit log is filtered. Same symptom is observed when killing seosagent.exe and seoswd.exe. | |||
| 23 | 3 | Unix endpoint user mode | Fixes an issue where ftp login fails on HP 11.11 because SEOS_load -u successfully unloads SEOS_syscall, but token HPUX11_SeOS_Syscall_number is still set in seos.ini. | AN02059 | HPUX PA-RISC | HPUX11_SeOS_Syscall_number is still set in seos.ini when SEOS_syscall is unloaded. | It occurs on hpux11.11 only. | Apply the SEOS_load fix or remove HPUX11_SeOS_Syscall_number manually from seos.ini. | 1. Install ControlMinder on HPUX11.11. 2. Start up ControlMinder. 3. secons -sk 4. SEOS_load -u 5. vi seos.ini and look for HPUX11_SeOS_Syscall_number; if this token is removed (not there), then it works. If HPUX11_SeOS_Syscall_number is still set in seos.ini, then it is not working. 6. ftp into this box; if there is no problem logging in, then it works. |
| 24 | 3 | Unix endpoint user mode | Fixes policyfetcher problem that produced core file. | AN02042 | Unix all | NULL pointer access | Verify string pointer before usage | ||
| 25 | 3 | Unix endpoint user mode | Fixes an issue where user is able to login despite DENY audit record | AN02022 | Unix all | pam_seos is optional in the PAM configuration. The return value from pam_seos is ignored on Linux | PAM loginappl | This package defines a new token in seos.ini [pam_seos] pam_deny_login_kill=yes With the default value "yes" the CM will kill the "denied" process. Setting the token to "no" makes CM return "deny" to pam_seos.so, which returns PAM_PERM_DENIED to the service. In such a case the admin should also change "optional pam_seos.so" to "required pam_seos.so" in /etc/pam.d/system-auth | On Linux: AC> er loginappl VFTP loginflags(PAM, nograce) AC> er terminal 123.234.567.89 defaccess(n) owner(nobody) ---- From the terminal (IP defined above in terminal rule) do "ftp tet_host" EXPECTED: login fails ACTUAL: login succeeded |
| 26 | 3 | Unix endpoint kernel mode | Fixes a performance issue where CPU load increases when ControlMinder is up | AN02030 | LINUX all | Frequent access to kernel tables when verifying file access to /proc | Problem occurred on a machine with 128 CPUs | Check token proc_bypass in the kernel and return an immediate ALLOW when SEOS_proc_bypass=1 and accessing /proc | |
| 27 | 2 | Win endpoint user mode | Fixes an issue where the Watchdog thread monitoring ControlMinder services crashes. Setting the registry value GenerateMemDump = 0 in HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\AccessControl does not disable process dump generation. Also, 'secons -i' prints the wrong values of virtual memory size and handles in the "CA ControlMinder memory utilization statistics" section. | AN01984 | windows all | It is caused by opening the process with the PROCESS_QUERY_LIMITED_INFORMATION access mask on Win2003. | Open the monitored process with access right PROCESS_QUERY_INFORMATION. Add validation of the values of VirtualMemorySize and HandlesCount, and generate the process dump depending on the GenerateMemDump value. | Install CM endpoint on Win 2003 with services ReportAgent, Task Delegation, advanced policy management. Start CM and wait about 15 min for DMP files to be generated in AccessControl\bin | |
| 28 | 2 | Unix endpoint kernel mode | Fixes an issue where CentOS 6.5 was not properly identified, creating an incorrect link for SEOS_syscall | AN01989 | LINUX all | getvar.sh is not detecting the OS correctly and SEOS_syscall is linked incorrectly on CentOS 6.5 | |||
| 29 | 3 | Unix endpoint user mode | Fixes an issue where a clear text password was saved in the KBL audit log | AN01980 | Unix all | cmdlog sends all typed input to the audit log | Modify cmdlog to hide text after the prompt "Password:" | Enable KBL Create user AC> eu test audit(interactive) Login as 'test' % su Password: **** seaudit -kbl -sid 28327 -cmd ==> SessionCmd: shows clear text password | |
| 30 | 2 | Unix endpoint user mode | Fixes an issue where ControlMinder fails to start when system has 8000 processes | AN01982 | Unix all | seosd allocates an initial process table of 8000 entries when starting. If there is not enough space in the table to keep all processes, seosd re-allocates the table to a bigger size. The function OLD_ProcServer_add_entry() saved entry pointer 'p' to the previous table, then the table was reallocated, but the function used the old pointer and crashed. | System has more than 8000 alive processes | Change OLD_ProcServer_add_entry(): save the original process table entry in local store, and use that saved entry later when copying data to the new entry. | Run more than 8000 processes in total on the test system. Start CM -------- EXPECTS: successful start |
| 31 | 3 | Unix endpoint user mode | Fixes an issue where seosd is killed by watchdog, while reading lookaside DB. | AN01965 | Unix all | watchdog killed seosd; seosd was reading ladb and acquiring or waiting for a file lock; it is not clear what happened to the lock; seosd was patched by TC61368 and no non-stripped version of the binary was saved, so the core could not be read | Check whether the file lock is available before requesting the lock when accessing ladb from seosd. | ||
| 32 | 3 | Unix endpoint user mode | Fixes an issue where GUI stopped working when running SEOS_load -u | AN01947 | LINUX x64 | command in unload exit script /etc/init.d/messagebus stop | do not call /etc/init.d/messagebus stop on Linux RH | RH 6.4 run SEOS_load -u ==> Xserver stopped | |
| 33 | 3 | Unix endpoint user mode | Fixes an issue where Terminal rule is ignored when Lookaside DB is disabled | AN01906 | Unix all | seosd fails to find the host name in the hosts cache; the result is usage of the IP address. Function uxcache_gethostbyaddr() returns NULL for any host | use_lookaside=no in seos.ini | Host cache entirely remade. | seos.ini use_lookaside = no terminal_search_order = name Create two DM rules for the same host, one rule with name, another with host IP AC> nr TERMINAL my_test.ca.com defaccess(READ) owner('nobody') AC> nr TERMINAL 130.119.22.222 defaccess(none) owner('nobody') Try login to server FROM my_test.ca.com ==> EXPECTED: access allowed by first terminal rule ==> ACTUAL: connection closed, decision made by IP rule |
| 34 | 3 | Unix endpoint user mode | Fixes an issue where FTP login records occasionally show wrong remote host IP. When LOGINAPPL for FTP is set PAMLOGIN there is wrong IP address in the audit file | AN01881 | Unix all | The CM is missing PAM flag for VFTP loginappl and skips PAM login handling. The CM fetches IP address from kernel for vftpd process and returns IP of different connection (the kernel takes address from first available socket of process). The seosd saves one last login flag in RT tables when updating LOGINAPPL rule, while it should add all flags to login table entry. | using libscramble.so | Add all flags to RT login program entry. | Was reproduced on S1 Linux Oracle RH 6.4 1. Start CM on Linux 2. edit LOGINAPPL rule er loginappl VFTP loginflags(PAMLogin nograce) 3. SSH to Linux from another system (on reproduction used Windows 155.35.97.157) 4. On Linux restart ftp using "service vsftpd restart" 5. connect ftp from 3rd system to Linux (reproduction used Windows 155.35.97.240) 6. On Linux run seaudit -a 21 Feb 2014 05:13:17 P LOGIN root 59 2 155.35.97.157 SSH 21 Feb 2014 05:14:24 P LOGIN root 54 2 155.35.97.157 VFTP -------- The CM saved FTP record with IP address of 1st Windows when connecting from 2nd Windows. |
| 35 | 3 | Unix endpoint kernel mode | Fixes an issue where a changed kernel symbol after a kernel upgrade causes SEOS_load to fail | AN01864 | LINUX x64 | symbol version does not match | kernel upgrade | SUSE 10SP2, x86_64, kernel 2.6.16.60-0.66.1 link SEOS_syscall to next OSMIC level - SEOS_syscall.100SUSEcX86_64.MP.ko | Linux SUSE 10 SP2 x86_64 2.6.16.60-0.66.1-smp SEOS_load SEOS_load: SEOS_syscall isn't loaded |
| 36 | 3 | Unix endpoint user mode | Fixes an issue where on Enterprise Management Linux box, seagent core dumps once in a while due to connections with a NULL ACCIPHER handle. | AN01840 | Unix all | The ACCIPHER handle is NULL. | There is a connection to seagent with a NULL ACCIPHER. | Apply the seagent fix. | Install ENTM on a Linux box; seagent core dumps once in a while. If you turn on the debug log for seagent, you can see that there are connections with a NULL ACCIPHER handle. It cores because the handle is NULL. |
| 37 | 2 | Win endpoint kernel mode | Fixes an issue where, due to a logical error while some user accesses a shared folder, the audit log replaces one user with another, in spite of there being no access rights for the other user | AN01827 | windows all | CM has a thread attributes cache used for storing impersonation information per thread. When working with the cache, the function that updates cache content with new data (new user SID) performed the cache entry update prior to removing the invalidated cache entry, so this update created a window of opportunity for another thread to assume the identity of the wrong user and created the issue. The fix removed the update as obsolete, which prevents the opportunity for wrong impersonation | Fixed update table | ||
| 38 | 3 | Unix endpoint kernel mode | Fixes an issue where ftruncate call fails to truncate file to size over 4GB | AN01834 | AIX | Calling ftruncate to set the file length to more than 4GB long. | Change the data type to off_t. | Create a program that calls ftruncate to create a file and truncate its size to over 4GB long. Start AC. Run this test program. It will create a file of (intended_size - 4GB) long. (Please make sure that ulimit for file size is set to unlimited.) | |
| 39 | 2 | Unix endpoint kernel mode | Fixes an issue where the system crashes while in kernel process server function SEOS_procserver_list_len() | AN01811 | Unix all | Another process, KBL cmdlog, calls AC_ProcGetOrigArg0() and kernel function SEOS_procserver_getArg0(). This kernel procserver function called alloc while holding a spinlock when the scheduler removed this process from the CPU. -------- stack trace: ID: 12060 TASK: ffff81010d2b7100 CPU: 1 COMMAND: "AC" #0 [ffff81001bb75c78] schedule at ffffffff80062f90 #1 [ffff81001bb75d50] __cond_resched at ffffffff800900c8 #2 [ffff81001bb75d60] cond_resched at ffffffff800630c5 #3 [ffff81001bb75d70] __kmalloc at ffffffff800de725 #4 [ffff81001bb75d90] eAC_calloc at ffffffff886c5008 [seos] #5 [ffff81001bb75dc0] SEOS_procserver_getArg0 at ffffffff886c281c [seos] #6 [ffff81001bb75e00] _SEOS_syscall_ at ffffffff886a41f6 [seos] | Do not call blockable alloc() while holding spinlock. | ||
| 40 | 3 | Unix endpoint user mode | Fixes an issue where sesu - user01 got denied when old_sesu is set to no in seos.ini. This is because setuid from /bin/su is not allowed | AN01803 | Unix all | /bin/su also makes setuid calls. | change old_sesu to no. | The workaround is to code SURROGATE rules to allow the setuid calls. | On AIX, vi seos.ini and change old_sesu to no. Log in as user tt01 and then run "sesu - tt02"; the command will get denied. |
| 41 | 2 | Unix endpoint kernel mode | Fixes an issue where Kernel module fails to load with SLES 10sp2 kernel running in SLES 10sp3 system | AN01765 | LINUX all | AC is using the /etc/SuSE-release file to detect whether the system is SLES 10 sp2 or sp3. AC should be using uname -r to detect the kernel version | AC kernel module fails to load | Install modified getvar.sh | Install SLES 10 sp3 (kernel 2.6.16.60-0.54) Revert kernel to SLES 10 sp2 kernel 2.6.16.60-0.21 AC fails to load |
| 42 | 2 | Unix endpoint kernel mode | Fixes an issue where a coexistence problem caused a panic working with Symantec sisip kernel module | AN01766 | LINUX x64 | ||||
| 43 | 2 | Win endpoint user mode | Fixes an issue where TERMINAL generic rules with wildcards (* ?) do not work properly | AN01775 | Windows all | Added search TERMINAL objects matched client host name or IP in generic resource table ( objects with wildcards ). | On CM endpoint A: 1. Stop CM and specify TerminalSearchOrder = name,RDPIP in HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\SeOSD 2. Create user tuser. 3. Verify RDP login to A from host B for tuser. 4. Start CM 5. Create CM user tuser. eu tuser owner(nobody) 6. Create TERMINAL rule for IP of host B using wildcard like: er terminal(130.119.179.*) owner(nobody) defaccess(none) and check RDP connection from B. Expected result: Denied login Actual result: Permit login | ||
| 44 | 3 | Unix endpoint user mode | Fixes an issue where process /usr/sbin/saslauthd has growing number of opened file descriptors | AN01750 | Unix all | pam_seos.so does not close open socket | Problem discovered on RH 6.0, applies to all platforms | close socket if PUPM connection fails in pam_create_socket_client_handle() | Support S1 created reproduction environment server 155.35.114.85 On this server do: ------------------- # ps -ef \| grep saslauthd root 20004 1 0 Oct28 ? 00:00:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam -n 1 # ls -l /proc/20004/fd (mark number of opened files) # telnet localhost 110 USER tanma07 +OK Name is a valid mailbox PASS tanma07 +OK Mailbox locked and ready QUIT +OK # ls -l /proc/20004/fd ==> shows one more opened socket |
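
Items 20 and 44 describe the same defect shape: an error path that returns after a descriptor has been created but before it is closed. The C program below is an added example, not CA's code; the function names and the AF_UNIX path are hypothetical stand-ins. It measures descriptor growth across failed connection attempts for the leaking shape and for the corrected shape, which is the same check item 44 performs by listing /proc/PID/fd.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Constructed path with no listener behind it, so every connect() fails. */
#define DEAD_PEER "/nonexistent/example-agent.sock"

/* Count the descriptors open in this process (what "ls /proc/PID/fd" shows). */
static int count_open_fds(void)
{
    long max = sysconf(_SC_OPEN_MAX);
    int n = 0;

    if (max < 0 || max > 4096)
        max = 4096;
    for (int fd = 0; fd < max; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            n++;
    return n;
}

static int connect_peer(int fd, const char *path)
{
    struct sockaddr_un sa;

    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strncpy(sa.sun_path, path, sizeof sa.sun_path - 1);
    return connect(fd, (struct sockaddr *)&sa, sizeof sa);
}

/* Pre-fix shape: the failure path returns without releasing the socket. */
int client_handle_leaky(const char *path)
{
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);

    if (fd < 0)
        return -1;
    if (connect_peer(fd, path) != 0)
        return -1;              /* fd stays open and nobody holds it */
    return fd;
}

/* Fixed shape: close the socket on the failure path, preserving errno. */
int client_handle_fixed(const char *path)
{
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);

    if (fd < 0)
        return -1;
    if (connect_peer(fd, path) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Run n failed attempts and return how many descriptors the process gained. */
int fd_growth(int (*open_handle)(const char *), int n)
{
    int before = count_open_fds();

    for (int i = 0; i < n; i++) {
        int fd = open_handle(DEAD_PEER);
        if (fd >= 0)
            close(fd);
    }
    return count_open_fds() - before;
}

int main(void)
{
    int fixed = fd_growth(client_handle_fixed, 25);
    int leaky = fd_growth(client_handle_leaky, 25);

    printf("fixed: +%d descriptors, leaky: +%d descriptors\n", fixed, leaky);
    return 0;
}
```

A steady per-attempt increase in a long-running daemon's descriptor count is the signal to look for; the corrected path holds the count flat.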