CA ControlMinder r12.8 FIXLIST

3930

11 September 2017

CA ControlMinder 12.8 GA FIXLIST
No.  Severity Module Problem summary Package OS Cause of the problem Conditions Solution or workaround Reproduction steps
1 2 Unix endpoint user mode Fixes an issue where ControlMinder PAM installer does not update the file with pam_seos.so binaries. AN00014 LINUX all The problem occurs when the authconfig utility on AS 5.x and 6.x re-writes system-auth (and password-auth if exists) so UNAB PAM hooks are lost.
authconfig conflict with CM PAM hooks. Introduce a UNAB PAM post-install script that allows ControlMinder to coexist with 'authconfig' modifications to PAM configuration files. The script merges authconfig changes into system-auth (and password-auth if exists) to be a link to system-auth-cm so UNAB PAM hooks are not stepped over by authconfig which will make its changes in system-auth-ac (and password-auth-ac if exists). Run 'authconfig --update' after installing CA ControlMinder. The system-auth (and password-auth if it exists) will no longer have ControlMinder PAM hooks.
2 3 UNAB Fixes an issue where ControlMinder PAM installer does not update the file with pam_seos.so binaries. AN00015 LINUX all The problem occurs when the authconfig utility on AS 5.x and 6.x re-writes system-auth (and password-auth if exists) so UNAB PAM hooks are lost. authconfig conflict with UNAB PAM hooks. Introduce a UNAB PAM post-install script that allows ControlMinder to coexist with 'authconfig' modifications to PAM configuration files. The script merges authconfig changes into system-auth (and password-auth if exists) to be a link to system-auth-cm so UNAB PAM hooks are not stepped over by authconfig which will make its changes in system-auth-ac (and password-auth-ac if exists). Run 'authconfig --update' after installing UNAB. system-auth (and password-auth if exists) will no longer have UNAB PAM hooks.
3 2 Unix endpoint user mode Fixes an issue with ControlMinder where successful SSH user login entries are not present in seaudit. AN00032 Solaris  Issue is due to /usr/lib/ssh/non-fips/sshd being called as login program. New loginappls are required for /usr/lib/inet/proftpd /usr/lib/ssh/fips/sshd /usr/lib/ssh/non-fips/sshd. auditing of logins to Solaris 11u1 Add a new loginappl to the installation. successful ssh and ftp logins are not audited on Solaris 11u1
4 2 Unix endpoint kernel mode Fixes a bug where executing a chroot command using a mounting point as its new root, SLES 11 SP2 responded with the error message: "BUG: unable to handle kernel paging request at 000000000000e990".               
Also, when the  customer executes chroot /srv server instant reboots to root and execute chroot, even when logged in as root on console, /srv  ends in full kernel panic however chroot /src/www   gives the  error message: chroot: failed to run command `/bin/bash': No such file or directory.
AN00040 LINUX all The full_d_path() incorrectly uses vfsmount_lock_lock as the lock for vfsmount struct access for Linux. This occurs on Linux kernel 3.0 or greater and the new root for the chroot command is a mounting point. Identify the correct lock for vfsmount struct access. On an SLES 11 SP2 Linux system or any Linux kernel >= 3.0:
1. Start CA ControlMinder.                   
2. Find a mounting point.
3. Execute "chroot mounting_point" to instantly panic the system.
5 3 Unix endpoint user mode Fixes a ControlMinder issue where the client is able to deploy policies in verification mode without problems with 12.6SP1 but when they upgrade the agent to 12.6SP2, the policies are not deployed successfully. A policyfetcher request for a database backup was denied by seosd. AN00045 Unix all A minor change in SP2 verification mode that will not allow it to continue if any errors are encountered.
policy_verification is on.   1. On the endpoint, set vi seos.ini policy_verification = yes.                           
2. On the DMS__ server, create a policy.                               
3. Assign the policy to this endpoint.         
6 3 Win endpoint user mode Fixes an issue in CA ControlMinder policy verification where, when a customer attaches an endpoint to a host group, policies are not installed. AN00066 Windows all Two files (seos.errors and seos.audit) that remain in the database from the last policy verification were not removed from the database backup. It is on Windows and it happens for the second policy deployment. There is no problem for the first deployment. Apply an seosd.exe fix or turn off policy_verification. In regedit, please set policy_verification = yes or 1. Please create 2 simple policies and then assign the two policies to a GHNODE. Please add an endpoint to the GHNODE and then please wait for the next cycle of policyfetcher in the endpoint; you'll see the error in policyfetcher.log. For example, let's say p1 and p2 are created. Please assign p1 and p2 to a GHNODE TestGrp. Right after, please run AC> er GHNODE TestGrp mem(endpoint). The two policies p1 and p2 will be fetched by the policyfetcher in the endpoint. Here is the error. 04:20:23@Mar 17 2013 - verification option: copy the database to C:\Program Files\CA\AccessControl\Data\deploy_check_db 04:20:23@Mar 17 2013 - verification option: failed to copy the database to C:\Program Files\CA\AccessControl\Data\deploy_check_db, rv = 631
7 3 Unix endpoint user mode Fixes a ControlMinder issue where the customer tried to run "sesudo rm -rf /tmp/test.txt", but the result is denied in warning mode and sudo rule has prohibited values list. Running the command from that list returns DENY despite resource in warning mode. AN00074 Unix all sudo does not apply the warning mode when authorizing access to sudo resource and SUDO class enforces prohibited values in the warning mode. sudo rule in warning mode In the event of sudo rule warning mode, allow access to sudo resource and save the appropriate audit and the sudo command will be allowed for resource in the warning mode. 1. set sudo rules AC> er program /opt/CA/AccessControl/bin/sesudo defaccess(x) AC> nr SUDO rm data('/usr/bin/rm;-rf;') defaccess(n) warning
2. login as 'test' user and run % ./sesudo -list rm : /usr/bin/rm;-rf; $ touch /tmp/test $ ./sesudo rm -rf /tmp/test sesudo: You are not allowed to use '-rf' as parameter number 1. EXPECTED: allowed access and warning audit record =============================== Test also SUDO class in warning mode AC> so class(SUDO) flags+(W)
8 2 Win endpoint user mode Fixes a problem with XUSER creation where the XUSER is created only if the user that logs to the system is a local user of the Windows Server. The user is not created if the user belongs to the same domain or a different domain of the Windows Server.
AN00105 Windows x64 'Logon Session Id' was already mapped to ACEE handle case when the user logged into the work station and does not create XUSER. 'Logon Session Id' was already mapped to ACEE handle when user log in workstation. Deployed fix (T4CC199.caz) which allows the user to be created as if the xgroup is previously defined and the user/group inclusion is automatic when logging in with a domain user.

When the domain user HD00\c010000 log to the system in the audit we can see only this record 24 Sep 2012 15:40:02 P LOGIN HD00\c010000 1059 2 RE-FI01 Terminal Services (OS user) -------------------- After being logged in as a domain user, they are able to search for other users in the domain.
1. Remove XUSER/XGROUP and all FILE /GFILE rules
2. Logged in with user HD00\C010000 
3. As you can see below, no XUSER has been defined. XUSER you can see below have been manually defined for other purposes: AC> f XUSER (localhost) HD00\EE15385 HD00\EE25522 HD00\EE26046 HD00\N501495 HD00\N555946 HD00\N990103 USACIQW00\testu
9 2 Unix endpoint kernel mode This fixes an issue where the customer experiences several interspaces of approximately 20 seconds in seosd.trace when executing a specific shell script resulting in a shell processing time of almost three minutes.
AN00112 LINUX all A syscall pick up peer address that is neither PF_INET6 nor PF_INET.   Implement  fix (T4CC214) to pick up peer address PF_INET6 and PF_INET only.  
10 2 Unix endpoint user mode Fixes an issue with CA ControlMinder 12.6 SP1 on the AIX environment where General messages from serevu on syslog have ERR category. AN00113 Unix all seagent was not ready handshake which created a CRIT handshake failed message. install CM with fips only Implement fix (T4CC213) to delay startup of serevu 60 seconds before calling handshake with seagent to prevent CRIT handshake failed message.
install CM with fips only set "serevu = yes" in seos.ini start CM and check syslog
11 3 Unix endpoint user mode Fixes CA ControlMinder issue on Linux x64 where seversion gets Segmentation fault errors and seversion crashes if it is invoked for directory.
AN00122 LINUX x64 Buffer overflow in seversion_search()  caused by improper bytes read returned.    Implement fix (T5P7255) to bypass the path to directories and secure by checking current array index in loop. 1. Install AC on LINUX x64 RH 5.9 - 6.4.
2. Invoke seversion -a /opt/CA/AccessControl/lib
3. Expected result Module Name: Version+(Min) Compilation Date ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~ ../lib/ N/A.N/A No Compilation Date
Actual result: Segmentation fault (core dumped)
12 3 Win endpoint user mode Fixes a CA ControlMinder issue where client is having an issue with console login. The client had ruleset for localhost terminal but the console login was denied. AN00125 Windows all Caused by a previous test fix which for Console login after authorization in which one code path was used for  a local console login and the  thread  is repeated through Terminal Service over the same rules so the second authorization is denied.   Implement fix (T5P7254) which supersedes the previous fixes and adds session type recognition to avoid redundant authorization in Terminal Service thread. 1. Set defacc(none) in TERMINAL (_default) er terminal(_default) defacc(none).                  
2. Set rule allowing Administrator Login CONSOLE and RDP like authorize TERMINAL ("parji03.localdomain") access(READ WRITE) uid('WIN-N6SIV03V3BQ\Administrator') authorize TERMINAL ("WIN-N6SIV03V3BQ") access(READ WRITE) uid('WIN-N6SIV03V3BQ\Administrator')
3. Make console Login user Administrator.             
4. Login is denied (D) while expected result is permitted (P), check in audit log.
13 3 Unix endpoint user mode Customer requests CA ControlMinder enhancements to allow the sesudo utility to use settings of "echo_command" to check if warning message should be printed to stdout. AN00131 Unix all The sesudo program does not check class warning mode. Implement fixes (T3DB167 - AIX, T3DB168 - Solaris, T3DB169 - HPUX RISC, and T3DB170 - Linux i86 and x64) so if token "echo_command=no" warning is not printed. Install default CA ControlMinder AC> er program /opt/CA/AccessControl/bin/sesudo defaccess(x) AC> nr SUDO rm data('/usr/bin/rm;-rf;') defaccess(n) warning $ touch /tmp/test $ sesudo rm -rf /tmp/test EXPECT: Command 'rm', (/usr/bin/rm), performed by xxx. --------- change in seos.ini [sesudo] echo_command=yes $ touch /tmp/test $ sesudo rm -rf /tmp/test EXPECT: *** Performing command: rm*-* Command is in WARNING status. (/usr/bin/rm) sesudo: You are not allowed to use '-rf' as parameter number 1. Command 'rm', (/usr/bin/rm).
14 2 Unix endpoint user mode Fixes CA ControlMinder issue where an Active Directory user is not able to log in when selinux is set to "enforce". AN00132 LINUX all No attributes assigned to unab_t.   Add file_type attribute and fileattribute statement for unab_t. run uxauth_selinux.sh -i -e
15 2 Win endpoint user mode, Unix endpoint user mode Fixes a CA ControlMinder PUPMAgent issue where the AgentManager crashes during startup.
AN00146 Windows all, Unix all The VM image is not configured properly. Implement fix to reconfigure the VM image.
16 3 Win endpoint user mode Fixes a CA ControlMinder issue where a customer, when upgrading from r12.0 SP1 to r12.6 SP1,  can create *  at PROGRAM class with auth command but cannot create PROGRAM class directly.                                                                                                                                   AN00160 Windows all The PACL command configuration allows an asterisk to be defined as a generic policy and defines an asterisk as a program name, which does not work as PACL.   Advise the customer not to specify an asterisk for PACL as having an asterisk a program name will result in a rejection. 1. er FILE c:\temp\share\* owner(nobody) defacc(none) audit(a)
2. auth FILE c:\temp\share\* uid("Administrator") access(all) via(pgm(*)) Actual result: auth command succeeds. However, Administrator can't access c:\temp\share\* even though the PACL exists Expected result: Can't add PACL with an asterisk
17 3 Unix endpoint user mode Fixes a CA ControlMinder issue where a customer, when upgrading from r12.0 SP1 to r12.6 SP1,  can create *  at PROGRAM class with auth command but cannot create PROGRAM class directly. AN00161 Unix all PACL command configuration allows an asterisk to be defined as a generic policy and  defines an asterisk as a program name, which does not work as PACL.   Advised customer not to specify an asterisk for PACL as having an asterisk a program name will result in a rejection. 1. er FILE c:\\temp\\share\\* owner(nobody) defacc(none) audit(a)
2. auth FILE c:\\temp\\share\\* uid("Administrator") access(all) via(pgm(*)) Actual result: auth command succeeds. However, Administrator can't access c:\\temp\\share\\* even though the PACL exists Expected result: Can't add PACL with an asterisk
18 3 ENTM Fixes a CA ControlMinder issue where users cannot complete password checkout processes and receive no results until timeout is reached (no error codes).                                                                         AN00166 see package AN00173 Windows all, Unix all When the endpoint is down,  accountmanager tries to connect to the endpoint on every password change resulting in a delayed connection time which may cause the checkout account password to timeout and fail.   Implement Agent Manager fix (T537739.caz) to handle the timeout and long time processing during password reset.
see package AN00173
19 1 Win endpoint user mode, Unix endpoint user mode Fixes a CA ControlMinder issue where users cannot complete password checkout processes and receive no results until timeout is reached (no error codes).                                                                         AN00173 Windows all, Unix all When the endpoint is down,  accountmanager tries to connect to the endpoint on every password change resulting in a delayed connection time which may cause the checkout account password to timeout and fail.   Implement Agent Manager fix (T537739.caz) to handle the timeout and long time processing during password reset.
1. create sybase endpoint.
2. discover 1000 accounts.
3. create bulk password change to the discovered accounts.
4. try to checkout an account from sybase endpoint.
20 2 Unix endpoint user mode Fixes an issue where a CA ControlMinder Active Directory user cannot log in when selinux is set to "enforce" mode and the "uxauth_selinux.sh -i -e" script produces error messages. AN00175 LINUX all The type kerberos_password_port_t does not exist on 5.9. Install UNAB SELinux policy Ifdef kerberos_password_port_t for -gt 5. uxauth_selinux.sh -i -e
21 2 ENTM Fixes a CA ControlMinder issue where a customer trying to access endpoint management WebUI to resolve policy deviations receives an error. AN00176 Solaris The function fails to split the DIFF line into 4 fields as Full Name value has comma in it for example: -(Knieriem,Harold). Implement fix (T51S002) to use delimiter as “, “ to split the diff lines without producing an error. Change to policies to generate results of devcalc with diff line and comma separated values. For example, when run selang, "env etrust;get devcalc" It should show some line like below get devcalc results: ======================= DATE, Wed Apr 3 15:21:58 2013 POLICYSTART, policy1#01 ... ... DIFF, (USER), (hk526g), (FULL_NAME), -(Knieriem,Harold) ... POLICYEND, policy1#01, 1 ========================= Above full name value has "Knieriem,Harold". Here value has comma(,).
22 2 Unix endpoint kernel mode Fixes a CA ControlMinder issue where, when a file rule changes involving a file covered by the GAC mask, the GAC table does not get flushed. AN00179 Unix all GAC is effective only for FILE access so, EXEC or EXECARGS in seosd.trace are recorded even though GAC is enabled. 1. Create base FILE rule and test user. # mkdir /tmp/GAC_test # chmod 777 /tmp/GAC_test # selang AC> nf /tmp/GAC_test/* owner(nobody) audit(all) defacc(all) AC> nu test00 password(password) comment("test user for GAC") AC> exit

2. confirm FILE rule is working correctly. # ssh -l test00 localhost Password: password $ echo GAC_TEST > /tmp/GAC_test/test00.txt $ cat /tmp/GAC_test/test00.txt $ more /tmp/GAC_test/test00.txt $ exit # seaudit -a -sd today we can observe FILE access log from test00

3. set up GAC.init # secons -s # cd /opt/CA/AccessControl/etc # echo '/tmp/GAC_test/*' > GAC.init # cat GAC.init # seload

4. confirm 2nd and after FILE accesses are not recorded in seos.audit file # ssh -l test00 localhost $ cat /tmp/GAC_test/test00.txt $ more /tmp/GAC_test/test00.txt $ cat /tmp/GAC_test/test00.txt $ exit # seaudit -a -sd today

5. change FILE rule, but GAC table is not flushed and looks to keep previous state. # selang AC> cf /tmp/GAC_test/* defacc(NONE) AC> exit # ssh -l test00 localhost $ cat /tmp/GAC_table/test00.txt Not denied! $ exit # seaudit -a -sd today No audit logs for "cat" on step 5.
23 3 ENTM Fixes a CA ControlMinder Policy Management issue where the Unix Authentication Broker, Manage Host Login Authorization Host Search returns NT endpoints as well as UNIX endpoints when only UNAB End Points should be returned. AN00195 All A Host Search for all the hosts returns NT and UNIX endpoints because the same lookup code is used between Policy Management.
After retrieving all the hosts, apply a filter on the Host Search results to return only UNAB End Points. ENTM Policy Management - Unix Authentication Broker - Manage Host Login Authorization: Host Search returns NT endpoints as well as UNIX endpoints. It must return only UNAB End Points. Check all the three searches in UNAB Host Search.
24 2 ENTM Fixes an issue where CA ControlMinder PUPM Interface and Report times are incorrect. AN00200 Windows all The values for the attributes/fields Last Checkout Date, Last Checkout By are not added properly to the Privileged account and the date is blank. Deploy fix in 12.6 SP1 to add the correct values to the properties Last Checkout Date, Last Checkout By of the privileged accounts. 1) Login into the ENTM UI with credentials.
2) Go to Home--> My Accounts--> My Privileged Accounts
3) Go to show details of any privileged account from the list. Here, Last Checkout Date, Last Checkout By fields show blank.
25 2 ENTM Fixes two ControlMinder issues Where an External User is defined as member of external group with "admin" and "auditor" rights and
1: The External User cannot connect to the endpoint with Access Control Endpoint Management until he is not in local ACDB and issue and 
2: The  External User cannot manage and audit endpoint with Access Control Endpoint Management after he was added in local ACDB manually.

AN00201 All When the user is trying to login to the End Point Management UI, the showxuser, showuser, and showuser in NT commands are run to search for the user in the ControlMinder database and windows native environment.  These commands will not find an external user not available in the system and the user will not be able to login.   Implemented  RO60984 then applied fix T52X004 on the endpoint. These changes to the endpoint and server side introduce a new web service "getUserModeList ()" at the endpoint/web service side utilized to get the usermodes and create a dashboard for the logged in user. When the server side receives the user with this method, the retrieved rights are set in the user object allowing the user to login and showing the dashboard based on the rights. 1. Create a user/group in domain and add the created user in the group.
2. Create a XGROUP at EndPoint and assign the relevant mode.
3. Authorize the terminal for the created XGROUP.
4. Try to Login into EndPoint Management, User is getting error index 0, Size 0.
26 2 ENTM Fixes a ControlMinder issue where the user is not able to see the PUPM Audit Task log in the Audit section if the "Approved By" filter is applied. AN00202 All The query does not return any results when searching for the Audit Tasks in Privileged Accounts because the unique ID is passed when the name of the user is stored in the database. Implement fix (T000057) and upload a file to change the code to pass the Friendly name of the approver if Enterprise Management is other than Active Directory.
In Privileged Accounts->Audit ->Audit Privileged Accounts. No results come out if put correct approver in Approved By filter.
27 2 ENTM Fixes a ControlMinder issue where a customer is unable to Upgrade policies with the Upgrade Policy admin task. AN00204 Windows all The issue was intermittent and we were not able to recreate it but noted a java exception in the log indicating in some cases an attempt to access non-existing index in an array. Applied Code change/cumulative fix -2 RO57568 for r12.1SP6 to check access to array index number 1 when upgrading a policy. Not reproducible, sometimes when trying to upgrade policy at ENTM UI getting an error ArrayIndexOutOfBoundsException: 1
28 1 Win endpoint user mode Fixes the two following CA ControlMinder issues:  Issue 1 - On connection from terminal with denied access, AccessControl forces logoff for a disconnected session instead leaving it as disconnected.

Issue 2 - Alive RDP session for a user results in console login exit for the same user.
AN00205 Windows all Issue 1 - OS sets type of disconnected session as CONSOLE, so the _IntilizeSeesion() recognizes the excluded session from authorization and does not add it to the disconnected sessions list further used for detecting disconnected sessions for bypassing logoff. Issue 2 - The _UpdateSessionsList() processing the changed session state case sends the CONSOLE session to repeat authorization after the console session was already authorized. This forces the authorization matched terminal(_default) rule. Issue 1 - Implement fix (T5P7254) to add detecting session state and condition for checking on state DISCONNECTED for session type CONSOLE.
Issue 2 - Add new function _SetSessionAuthorizedFlag() which sets an authorization flag for the console session.
# Issue 1.
1. Set rules on AC endpoint like: eu ("EP\ntroot") admin auditor owner(nobody) audit(FAILURE LOGINSUCCESS LOGINFAILURE) er TERMINAL ("EP") audit(ALL) defaccess(READ) owner('nobody') er TERMINAL ("A") audit(ALL) defaccess(READ) owner('nobody') er TERMINAL ("B") audit(ALL) defaccess(READ) owner('nobody') auth TERMINAL ("A") access(none) uid("EP\ntroot") auth TERMINAL ("B") access(R, W) uid("EP\ntroot") access(none)
2. Connect Administrator to the AC endpoint from the console, open the ‘Task Manager’ and observe the status of the RDP connection as “disconnected”.
3. Establish a RDP connection to the AC endpoint from host A as ntroot.
4. Disconnect the RDP session established from the hostA to AC endpoint - close window (x).
5. Open new RDP session from host B. As per the rules this RDP connection to the AC endpoint will fail
6. Expected status of observed session remains DISCONNECTED, but actually it's set "LOGOFF" ( closed)

# Issue 2.
1. Create rules allowing RDP login from user from terminal B to endpoint A. er terminal(_default) none er terminal(B) owner(nobody) defaccess(R) auth terminal B uid("user") acc(A) auth terminal A uid("user") acc(A)
2. On host B open RDP connection to endpoint A for "user"
3. Make console login on host A for "user"
4. Console is forced logged off, while expected creating console session for the user.
29 3 Unix endpoint user mode Fixes an issue where, when logging in/logging out of CA ControlMinder via GDM for root, Serevu creates an audit event warning for root, even with root being authorized for access. AN00213 LINUX all The ControlMinder kernel detects the end of the gnome session and assumes it is a GDM logout event. On GDM, the logout kernel cleans the ACEE handler associated with the GDM session and ControlMinder assigns acee=1 (root) handler for GDM when starting so the logout removes acee=1 making many root processes undefined. root GDM logout Implement fixes (T52V056.tar.Z (for Linux X64) and T52V057.tar.Z (for Linux X32)) so seosd will assign a new ACEE for the LOGINAPPL root programs when starting. 1. Login root via GDM (GUI console)
2. Login root other session via ssh
3. Start AC
4. Logout root GDM
5. in ssh session
 - 5.1 run "sewhoami" - EXPECTED root
- 5.2 run secons -k 19 - EXPECTED few "gdm" processes have undefined user, other processes are not changed
30 3 Unix endpoint user mode This fixes an issue where, after uninstalling CA ControlMinder, system-auth becomes a real file and not a symbolic link. AN00217 LINUX all Product uninstall overwrites the symbolic link and changes it to a real file. A check of the symbolic link is needed.


pam conf is symbolic link Implement a new function "Check_jump_on_new_linux_pam()" after conf_file=$1 line that checks if a symbolic link is needed and restores the real PAM config as a symbolic link. 1.cd /etc/pam.d
2.mv system-auth system-auth-ac
3.ln -s system-auth-ac system-auth
4.install CM
5.uninstall CM expected result: symbolic link system-auth remains actual result: system-auth is real file
31 2 Unix endpoint user mode Fixes an issue where CA ControlMinder directory is missing for 12.6 SP2. AN00253 Solaris Unspecified error in the build scripts.   Fix the build scripts to ensure that the apisamples directory is installed with install_base.  
32 2 Win endpoint user mode, Unix endpoint user mode Fixes a CA ControlMinder issue where a customer wants to change the +reportagent password for multiple endpoints from a central location.
AN00274 Windows all In the ACMQ_Management static library, ACMQCredentialsManagment_pre() conveys value from property "OLD_PASSWD" instead of "CLR_PASSWD" used for updating acmqclient.dat
Replace the property "OLD_PASSWD" with "CLR_PASSWD" in function ACMQCredentialsManagment_pre(). 1. Stop CM
2. selang -l AC> eu +reportagent password(secret) grace- nonative
3. Running reportagent in debug: ReportAgent.exe -debug 0 -task 1 generates error [ACMQ TIBCO ERROR]: tibemsConnectionFactory_CreateConnection failed on line: 878 with error: 6; additional info: Server = ssl://130.119.161.228:7243; User = +reportagent [ACMQ TIBCO ERROR]: TIBCO error string: '2013-05-08 12:18:07: Failed to connect to any server at: ssl://130.119.161.228:7243,ssl://130.119.161.228:7243 [Error: SSL://130.119.161.22 8:7243: url that returned this status = invalid name or password]'
4. Start CM
5. selang AC> eu +reportagent password(secret) grace- nonative
6. Stop CM
7. Running reportagent in debug: ReportAgent.exe -debug 0 -task 1 gives the same error.
33 2 ENTM Resolves a CA ControlMinder issue where the customer receives an error message (An error Occurred in the page.) when they open the Privileged Accounts audit log in IE8. AN00280 Windows all The javascript method document.writeln is written so that it is wiped out during the execution in IE. n/a call getElementById() method. 1. Login into ENTM
2. Go to Privileged Accounts->Audit then click on Search; you will observe error ("Error on page") on bottom left corner.
34 3 Unix endpoint user mode Fixes a CA ControlMinder issue where APIs compiled on execution cause a floating point exception and LANGAPI fails to build/run on SLES 10. AN00291 LINUX x64 The library version installed (12.6 SP1 libcawinext.so) was compiled with a newer compiler and would not run on older versions of Linux, specifically SLES 9 and 10 and Redhat 3 and 4. Implement a fix that installs an older version of the library for these versions of Linux.
35 3 Unix endpoint user mode Fixes an issue where a CA ControlMinder customer’s system crashed when loading SEOS_syscall. AN00313 Solaris System Crash was due to loading the wrong SEOS_syscall kernel module and the kernel function accessed the wrong pointer. Modify the script and set "OSMIC=c" so it will load the correct module, then run SEOS_load -u and SEOS_load again so it calls "getvar.sh" and sets the appropriate SEOS_syscall link.
36 3 ENTM Fixes a CA ControlMinder issue where Privileged Account Scope rules with "Contains" do not return the desired/expected results. AN00315 All The query to fetch the results is not built correctly and appends extra "OR" condition with Null to fetch the results. Implement code fix to build query without extra "OR" condition. When we are setting the scope of a Privileged account in a Privileged Access Role, if we use "contains" key word, the scope is not being set properly.
For Ex: We are doing the following :
1. Modify Privileged Access Role "BIA_Account_Request".
2. Go to Members tab, and set the Member Policy as below Member Rule : who are members of ( group "BIA_Requestor_User_group" ) Scope Rule : Privileged Account where ( Custom 1 contains "BIA_AccountRequest" )
3. Submit We expect all the Privileged accounts with "Custom 1" attribute containing "BIA_AccountRequest" to be displayed to all the users in the group "BIA_Requestor_User_group". But, when we use "contains", it lists all the Privileged Accounts to those users.
37 3 ENTM Fixes a CA ControlMinder issue where the uninstall entry for 12.6 GA CR1 is not removed after the ENTM upgrade is complete . AN00344 Windows all Duplicate registry entries.   Add a check to identify if the first registry entry already exists and delete it when necessary.  
38 3 ENTM Fixes a CA ControlMinder issue where localized (Japanese) AccountManager Error message for "Failed to reset password" error is garbled.
AN00375 Windows all Error message code is not handled when in utf8 format from AccountManager. n/a Implement a fix to handle the message at the server level if it is in the utf8 format. On Endpoint:
1. Configure native OS password policy. In this case, set minimum password length as 5.
2. Create new user and set password. Japanese ENTM UI:
3. Create new password policy that accept any passwords.
4. Create new Windows Agentless endpoint.
5. Create new account via "Create privileged Account". Specify account and endpoint as newly created ones on 2 and 4. Specify password policy as newly created one on 3. Specify password shorter than 5 characters length such as "test".
6. The error message will display (this error is expected because of password policy violation on endpoint OS). Observe garbled error message.
39 1 Unix endpoint kernel mode Fixes a ControlMinder issue where the customer system panicked with stack overflow when running Tripwire and CA ControlMinder. AN00390 Solaris ControlMinder and Dtrace unhook out of order and, depending on which product starts first, can result in system panic or inability to unload SEOS_syscall. AC and Dtrace hook and unhook out of order. Solutions:
1. The minor fix for the SEOS_syscall unload problem is to reset the SEOSF_DISABLE_FAIL flag when AC has successfully enabled system call hooks.
2. The major fix is to check if Dtrace has been unhooked out of order when CA ControlMinder is trying to unhook. If so, restore the original function pointer stored in systrace_sysent and not the one in replace_sysc. This will prevent system panic.
Workarounds:
1. Always start ControlMinder before running any Dtrace sessions.
2. When stopping ControlMinder, ensure that all Dtrace sessions have been terminated.
3. If ControlMinder is stopped out of order, then do the following:
   a. Restart ControlMinder.
   b. Make sure all Dtrace sessions are terminated.
   c. Stop ControlMinder.
   d. Restart ControlMinder.
   e. Stop ControlMinder and unload SEOS_syscall.
There are two issues in this problem. One will cause system panic and the other will prevent SEOS_syscall from unloading. To reproduce the panic: 0. Reboot.
1. Load SEOS_syscall only.
2. Run a Dtrace script. For example, dtrace -n syscall:::entry'/pid == 333/{ @syscalls[probefunc] = count(); }' where 333 is inetd's PID.
3. Start AC.
4. Terminate the Dtrace script.
5. Stop AC (not unloading SEOS_syscall).
6. Restart AC.
7. Re-run the Dtrace script. This will cause panic.
To reproduce the failure to unload SEOS_syscall:
0. Reboot.
1. Start AC.
2. Run a Dtrace script. (See above.)
3. Stop AC (not unloading SEOS_syscall).
4. Terminate the Dtrace script.
5. Restart AC.
6. Re-run the Dtrace script.
7. Terminate the Dtrace script.
8. Stop AC.
9. Unload SEOS_syscall. This will fail.
40 3 ENTM Fixes an issue where a CA ControlMinder user cannot checkout passwords and receives no results when checking out a password until timeout is reached. AN00397 All Wrong implementation
1. A user cannot retrieve the account password if it is out of sync with the server.
2. Messages that are not handled by ENTM will not stay on the queue more than 10 minutes.
Implement a fix for AgentManager which handles the time out and long time processing during password reset. Before applying the fix:
1. Use a Windows account that changes the password on check-in 3. Checkout the account
2. Shut down AC
3. Check-in the account- Wait until the timeout arrived.
4. Start AC (now it should handle the changeaccount password message, but ENTM is not waiting for the response.)
5. Use "show password" and try to login with the password (it should fail as the password changed on the endpoint but not on the server)
6. With tibco tools check that the message is staying on the enpoint_to_server queue for a long time.. (1 day)
41 3 Win endpoint user mode, Unix endpoint user mode Fixes an issue where, when a CA ControlMinder customer upgrades ENTM to SP1 using a different admin user, all the policies with different versions had the attribute 'creator' changed to the new admin user instead of the one used for the first installation, which produces incorrect audit information.
AN00407 Windows all Missing properties in dbexport. Implemented a fix to change dbmgr -e to export the ON_BEHALF_OF property for the following classes: POLICY, GPOLICY, HNODE, GHNODE, DEPLOYMENT, GDEPLOYMENT. (in selang, the “Effective UID”) 1. Install 125 SP5 server.
2. Create a policy. P1
3. In the UI, view policy p1, open the version history tab, check that the creator user is the ENTM user (i.e. super admin)
4. Upgrade to 126 SP1
5. In the UI, view policy p1, open the version history tab, the creator user is changed to the user who ran the installation.
42 2 Unix endpoint kernel mode Provides a workaround to an issue where delays in refreshing httpd Web page occur when ControlMinder stream is active. AN00412 Solaris Httpd refresh of Web page
43 2 ENTM Fixes an issue where the ControlMinder View Endpoint Date/Time format in the Last Failed Connection Date column is incorrect. AN00415 All ControlMinder does not convert Valid Until and Start Date fields from UTC to browser time zone Implement Code change (T5P0140) to:
1. Add support for formatting date fields to browser time zone.
2. Set the offset time zone for the task session.
3. Valid Until and Start Date: calculate validation after converting the dates from UTC to client time zone.
1. After a modify endpoint. The Last Successful Connection fields at Privileged Accounts -> Endpoints view endpoint select a specific endpoint showed as GMT time, now localized to browser time zone.
2. Privileged Accounts -> Endpoints view endpoint at the table with the list of endpoints Last Failed Connection date field is not localized to browser time zone
3. When requesting for privileged account you get a table with list of accounts, the field ‘Last Failed Connection Date’ used to present as GMT time zone and with wrong format.
4. Privileged Accounts -> Exceptions -> Delete Privileged Account Exception Start Date and Valid Until fields showed as GMT in addition the following issue 1. create a request for privileged account 2. wait with the approval for 2 hours 3. open the work item, at the State field getting wrong message "State: Reserved by user "[Ljava.lang.String;@1424cc"
44 2 ENTM Fixes an issue where CA ControlMinder does not support scoping of privileged Account Request tasks. AN00421 All The initial issue was related to an unsupported copy of custom tasks. With this new code change, it is possible to copy a privileged Account Request task with the limitation that no fields other than those at the Event tab should be changed. It is mandatory to keep the definition at the TABS tab the same as the original task. Implement Code change (T5P013) to check the identity of the task in "privilegedAccountRequest" by the Tabs tag name (in the task) instead of the Task tag name. 1. create a copy of privileged Account Request task
2. have more than 1 k of accounts
3. log-in with a user who has privileges to see the new created task
4. try to search accounts within the new created task having an inconsistent behavior, no result retrieves
45 3 UNAB Enhancement to address a CA ControlMinder domain controller-UNAB loss and failed connection to uxauthd /opt/CA/uxauth/server. Error: 533. AN00441 LINUX x64 Compatibility issue, ControlMinder (r12.55) and UNAB (r12.61) release out of sync. Implement fix (T5C1015) to add a resolver flag to Kerberos DNS queries to suppress IPv6 DNS queries (quad A) when IPv6 traffic is not enabled on the network interface, reducing the amount of DNS traffic from “A”-type DNS.
46 3 UNAB CA ControlMinder enhancement to address Client log delays. AN00478 LINUX x64 Possible UNAB login delay in DMZ3.
47 2 ENTM Resolve a CA ControlMinder issue where a user with rights on a specific endpoint should only be able to see that endpoint and its users but, when he creates an account, he can see and select other endpoints. AN00488 Windows all Scope rule defined in the role is considering in the code Implement fix so that the defined scope role is considered while searching for the Endpoint during privileged account creation. 1. create one role with tasks: view endpoint,view,create,modify,delete Privileged account, Show previous password, View password policies,view submitted tasks. Member: where (Logon Name= x); Scope: privileged account where (endpoint name = y),Scope: Endpoint where (name = y).
2. Login with the account x
3. Create a new privileged account by choosing an unauthorized endpoint (other than y).
48 1 Unix endpoint kernel mode Fixes a ControlMinder issue where the customer system panicked with stack overflow when running Tripwire and CA ControlMinder (also see AN00390). AN00499 Solaris ControlMinder and Dtrace unhook out of order. Depending on which product starts first, and can result in system panic or inability to unload SEOS_syscall. AC and Dtrace hook and unhook out of order. Solutions:
1. The minor fix for the SEOS_syscall unload problem is to reset the SEOSF_DISABLE_FAIL flag when AC has successfully enabled system call hooks.
2. The major fix is to check if Dtrace has been unhooked out of order when CA ControlMinder is trying to unhook. If so, restore the original function pointer stored in systrace_sysent and not the one in replace_sysc. This will prevent system panic.
Workarounds:
1. Always start ControlMinder before running any Dtrace sessions.
2. When stopping ControlMinder, ensure that all Dtrace sessions have been terminated.
3. If ControlMinder is stopped out of order, then do the following:
   a. Restart ControlMinder.
   b. Make sure all Dtrace sessions are terminated.
   c. Stop ControlMinder.
   d. Restart ControlMinder.
   e. Stop ControlMinder and unload SEOS_syscall.
Please refer to AC125SP50789 for more details on the first scenario. This is the second scenario that also causes system panic. To reproduce the panic: 0. Reboot.
1. Load SEOS_syscall only.
2. Run a Dtrace script. For example, dtrace -n syscall:::entry'/pid == 333/{ @syscalls[probefunc] = count(); }' where 333 is inetd's PID.
3. Start AC.
4. Terminate the Dtrace script.
5. Re-run the Dtrace script. This will cause panic.
49 1 ENTM Fixes an issue where a CA ControlMinder user cannot checkout passwords and receives no results when checking out a password until timeout is reached. AN00517 All
1. A user cannot retrieve the account password if it is out of sync with the server.
2. Messages that are not handled by ENTM will not stay on the queue more than 10 minutes.
Implement a fix for AgentManager which handles the time out and long time processing during password reset. This fix handles a UI performance issue when installing ENTM with Oracle as the object store. An environment is needed with more than 3M objects in the object12 table and more than 1M objects in the event12 table; usually this is the case after a long period of ENTM usage. The reported problem was in general UI navigation and at....
1. browsing to Privileges Accounts Audit page
2. commit search at Privileges Accounts Audit page
3. browsing to System Audit page
4. browsing to My Privileged Accounts page
5. Modify Scheduling Config item under System tab
6. Creating new user
50 3 Win endpoint user mode, Unix endpoint user mode Fixes a CA ControlMinder issue where policyfetcher sometimes receives deployments from other hosts resulting in policies deployed on hosts to which the policy is not assigned. AN00533 Windows all, Unix all Static PMD content causing the PMD to not save a context per client and the results can be massed. Implement a fix so that policyfetcher, after receiving DH deployments, checks that the deployment is related to the specific host (hnode_name property on the deployment object).
51 4 ENTM Resolves a CA ControlMinder issue where a customer cannot change an account name in PUPM. While the UI indicates the name change was successful, the name remains unchanged on the endpoint. AN00558 Windows all The boolean code variable 'isModified' returns a false value when an endpoint is modified. Implement fixes (T000066 and T5P0128) to add an extra condition to check that the administrative account is updated when modifying an endpoint and ensures that the boolean code returns a true value. 1. Login into ENTM UI with credentials.
2. Go to Privileged Accounts --> Endpoints --> Modify Endpoint
3. Select an Endpoint to modify
4. Select the checkbox Use the following privileged account
5. Select the account which has login access and required privileges to the Endpoint machine i.e., Administrative account of another endpoint which has login access (same credentials) to this endpoint.
6. Click OK and Submit the changes. The problem here is that when trying to change the account name into administrative account details of an endpoint, the change is not "committed". The GUI informs that it went successfully but when getting back to the endpoint, the old account name is there.
52 3 Win endpoint user mode Fixes an issue where after installing CA ControlMinder on Windows XP sp3, Class TERMINAL is not working and all users have access via the terminal. AN00581 Windows all Terminal Services thread is not running on Windows XP machine with SP3 installation. Since Terminal Services thread is not running, there is no logon interception and no auditing for this event
Problem summary.
Implemented fix (T4A7053) to remove _IsTerminalServicesEnabled() so VerifyVersionInfo() is not called.
53 1 ENTM Fixes an issue where a CA ControlMinder user cannot checkout passwords and receives no results when checking out a password until timeout is reached. AN00584 All Wrong implementation
1. A user cannot retrieve the account password if it is out of sync with the server.
2. Messages that are not handled by ENTM will not stay on the queue more than 10 minutes.
Implement a fix for AgentManager which handles the time out and long time processing during password reset. Bulk password change with more than 5000 users
54 3 ENTM Fixes an issue where a CA ControlMinder customer receives a repeated Tibco message on the Linux Console after reboot. AN00607 Unix all The ca-acrtmq script is directing Tibco messages to the linux console instead of the log file. n/a Redirect Tibco messages to logfile. 1.Go to Linux ENTM machine
2. Run /etc/init.d/ca-acrtmq restart
3.Observe Tibco Messages continuously on Linux Console
55 3 ENTM Fixes an issue where a CA ControlMinder customer, using an Active Directory user store, tries to delegate another user task to approve or reject the users account request and they receive the following error in the UI: “The operation could not be performed because this workitem has been reassigned to other users, and is no longer available to you.” AN00608 Windows all Condition fails because Delegators are compared with assignee uniqueName n/a Implemented a change to one of the group values so it compares with equalsIgnoreCase method 1.Create users(ex: requestor,approver,subapprover in AD machine)
2.Delegate a task to another user (Users and Groups -> Delegations (approver -> subapprover))
3.Login as a requestor user and send Privileged Account request.
4.Login as subapprover and click on request will observe below error: “The operation could not be performed because this workitem has been reassigned to other users, and is no longer available to you.”
56 3 Unix endpoint user mode Fixes a CA ControlMinder issue where the PMD loses connection to the localhost.
AN00612 Unix all Authorization failed due to a coding issue where the uid is missing for seagent exit login. Please see reproduce steps. We have to run AC> env pmd to reproduce the problem. Workaround is to run "host localhost" again and reconnect to the database to get the uid in seagent exit. 1. login as root or CM admin
2. AC> env unix
   AC(UNIX)> nu user01,
   AC(UNIX)> ng TESTGRP
   AC(UNIX)> join user01 group(TESTGRP)
   AC(UNIX)> env seos
   AC> exg TESTGRP admin
   AC> auth terminal hostname.ca.com xgid(TESTGRP) access(all)
3. login as user01 and then run selang
4. AC> env pmd
5. AC> env seos AC> find user ----> You are not connected to any pmdb. This is the problem. We should not see the message above.
57 3 Unix endpoint user mode Fixes a CA ControlMinder issue where the x86 and x64 version of the tar.Z files are in place and install_base could not figure out which one to pick. AN00613 Unix all Both tar.Z files in place and both are good for the X64 system. We have to run ./install_base without any parameters and we have to run it on a Linux X64 system. For a X64 system, enter the parameter (./install_base _LINUX_X64_126.tar.Z) in the command line and do not let install_base guess for the tar ball.
Please have _LINUX_126.tar.Z and _LINUX_X64_126.tar.Z in the same directory and then run "./install_base". Please do this on a Linux X64 system. Since both _LINUX_126.tar.Z and _LINUX_X64_126.tar.Z are good for the x64 system, install_base couldn't figure out the correct installation tar.Z file.
58 1 Unix endpoint kernel mode Fixes an issue where CA ControlMinder fails to start and will hang until the product is disabled. AN00626 HPUX PA-RISC,HPUX IA64 The CA ControlMinder interception code fails to handle *socket_addr and *socket_len passed as NULL into accept system call. Handle the NULL pointer in the CA Access Control interception code and let the underlying system call function handle it. On a system set up with Control-M.
1. Start AC with SEOS_use_streams=no SEOS_network_intercept_type=2.
2. Start Control-M by executing start_all as Control-M admin.
3. After entering password, it will hang. To get out, stop AC and Control-M will start successfully. To check the status of Control-M, execute check_all. To stop Control-M execute stop_all.
59 2 ENTM The capture snapshot failed since the ppm_is_deleted column in the ppmprivilegedaccountexception table does not allow null. AN00627 All The column ppm_is_deleted in table ppmprivilegedaccountexception was marked as not allowing null; this causes an error when trying to update the table. Change the ppm_is_deleted in ppmprivilegedaccountexception table to allow null 1. Create a capture snapshot
2. Execute capture snapshot
60 2 ENTM Fixes a CA ControlMinder issue where the Capture snapshot failed to insert data to the table ppmprivilegedaccountexception. AN00658 All The large size value of the ppmprivilegedaccountexceptionuser user Distinguished Name table size. Implement fix (T50V017) in the SQL script to update the SQL commands in the ppmprivilegedaccountexception to allow user 256 columns for user Distinguished Name. This will require an AD. The USER DN must be larger than 80 characters.
1. Create a capture snapshot
2. Execute capture snapshot
61 4 ENTM Fixes an issue where a CA ControlMinder customer creates a host in the Endpoint Management UI but is unable to see the hostname. AN00668 All The user enters the range in Service/Port in the format 10-100 and the UI ignores this format as there is no reference to the 10-100 format.
Add a reference in the code to handle 10-100 format. 1. log into endpoint management GUI
2. navigate to Resources -> Remote Access
3. click hosts on the left pane
4. click create host and give name i.e. HostA
5. add accessor under authorize tab i.e enable the port between 10 to 100 (10-100)
6. save the hosts.
7. click hosts item in left pane, in right pane, put the hosts name HostA and click go.
8. click "view" or hyperlink under the hosts name HostA to show more detail.
9. click "authorize" table. the accessor created on steps #5 was gone. if use selang command sr host *, we can see the accessor created are still there.
62 3 ENTM Fixes an issue where CA ControlMinder Password Policy resets do not run at the time specified in the UI but run the day before they are scheduled (for example, policy resets scheduled to run on Wednesday run on Tuesday). AN00672 All The cron job should be stored at quartz table. Implement code change to store the password policy cron job at quartz table with the appropriate server time zone so the job will run as scheduled. 1. set ENTM server with pacific US time zone (GMT -5)
2. create password policy and schedule it to run every MON at 22:00.
3. the job will be run at SUN instead of MON
63 3 ENTM Fixes a CA ControlMinder issue where the customer application server explanation text is displayed in English on a Japanese installation.
AN00689 Unix all Endpoint Management Setup was not localized and strings were not loaded from external files but were in the project resources. Implement fix to export all strings from EndPoint Management project to external resources and have the localization team translate EndPoint ManagementResem_en.properties accordingly.
64 1 Unix endpoint kernel mode Fixes a CA ControlMinder issue where the customer Linux system panicked when unloading SEOS_syscall kernel module. AN00711 LINUX all When SEOS_procserver_free() is called to release the procserver table, it goes through the array and calls SEOS_procserver_free_list() for each chain. If the table has been released then the pointer will be NULL. Attempting to release again will cause system panic because it could not handle NULL pointer properly. Unclear how cleanup function is called more than once. Implement fixes (T540216 and T3E7165 or T3E7166) to address the unload issue and to add a check in EOS_procserver_fini() to see if it is already released.
65 2 Unix endpoint kernel mode Fixes a CA ControlMinder issue where, after an upgrade from 12.5 SP5 to 12.6 SP2 with SELinux enabled on the server (an Oracle Linux host), the server continuously reboots after being restarted.
AN00714 LINUX all Linux kernel introduced a new internal lock to replace an existing lock. The full_d_path() incorrectly uses vfsmount_lock_lock as the lock for vfsmount struct access for Linux kernel 2.6.39 or greater.
This occurs on Linux kernel 2.6.39 or greater and the new root for the chroot command is a mounting point. Identify the correct lock for vfsmount struct access. On an OEL 6.3 with UEK system or any Linux kernel >= 2.6.39:
1. Start AC.
2. Find a mounting point.
3. Execute "chroot mounting_point". This will panic the system instantly.
66 3 Unix endpoint user mode Fixes a CA ControlMinder issue where a user changes their password using sepass and gets a bad argument error from the NIS server. This error is a false positive as the password is updated correctly in the NIS master. AN00726 Unix all NIS Server setup or configuration issue. We'll have to set up a NIS master server and then run sepass on a NIS client to change a user's password. Implement fixes (T52V064.tar.Z for Linux X64 and T52V065.tar.Z for Linux X86) to apply a new binary sepass. Please try to run sepass on a NIS environment. We may not be able to reproduce the problem. It could be a setup problem in the NIS environment.
67 3 Win endpoint user mode Fixes an issue where a CA ControlMinder customer receives an error message when they define specialpgm for the program path which contains Japanese characters.
AN00739 Windows all Need to call stat() function for multibyte characters with UNICODE string. Convert path to UNICODE and run stat() function
68 3 ENTM Fixes an issue where a CA ControlMinder customer requests and approves privileged account access but the privileged account is not listed in My Privileged Account. The account appears only after adding a group that the requester is a member of to member policy Break Glass roles. AN00758 Windows all ControlMinder checks the BreakGlass Member Rule then Sets the RegularAccounts but when the break glass exception throws, the RegularAccount is not set. NA Implement fix to catch the break glass exception and search for regular accounts. 1. login as SAM user sy pupm1
2. check some privileged accounts are listed in [My Privileged Accounts] If no accounts are there, request for some accounts and get it approved
3. Log out of ENTM
4. Login to ENTM as superadmin
5. change member policy of "Break Glass" privileged access role before change (default): Member Rule (all) Scope Rules Privileged Account where ( Account Name ≠(Not equal to) "*" ) after change: Member Rule where ( Login ID = "superadmin" ) Scope Rules Privileged Account where ( Account Name ≠(Not equal to) "*" )
6. Log out of ENTM
7. login as SAM user sy pupm1 4. check [My Privileged Accounts] again Then, no privileged accounts are listed in [My Privileged Accounts].
69 3 Unix endpoint user mode Fixes a CA ControlMinder UNIX environment issue where there is no LOGOUT log created when root logs in to a console and logs off.
AN00761 Unix all Serevu is creating an audit event warning for root even with root authorized for access. We'll have to login to the console and then start up CM. Implement fix to create a new SEOS_syscall for the client. Please order a Linux image from LOD and then run Client VMSphere (I believe you need to talk to LOD to set it up.). We'll have to login to the console for the test.
1. logs in to the console, and then open up a terminal session and then start up CM.
2. logs off from the console.
3. please telnet/ssh to the box from a remote session.
4. please run "seaudit -a", if you don't see the LOGOUT record for the console login, then it is a problem. Please note that it will take about 2 minutes for the LOGOUT to be generated. You'll have to wait for a while and then run "seaudit -a" to look for the LOGOUT record.
70 1 ENTM Fixes an issue where the CA ControlMinder ENTM UI login is very slow with users sometimes unable to login. A restart of the JBoss service improves the problem but it reoccurs after a few days.
AN00763 All The system reaches the connection resource limit due to Login application account status queries to the Enterprise Management server about every ten seconds. Configure the default time expression to change the database account validate status check interval from 10 seconds to one minute. Need to launch 200 RDP sessions and keep them active for 24 Hrs and monitor the behavior. Here is the plan for testing:
1. Create an ENTM setup with one LB.
2. Create 5 Windows Endpoints and discover 100 privileged accounts from each of the endpoint. So total 500 privileged accounts.
3. Create 1 RDP Login application and associate it with all the accounts for auto login.
4. Apply the testfix on primary ENTM setup.
5. Run the automated scripts using “SWAT” tool to simulate RDP logins. Try first 200 users RDP request from Primary ENTM URL and other 50 users request from LB ENTM URL and keep on scaling the RDP logins till 500.
71 3 ENTM CA ControlMinder enhancement to resolve missing Host Name field in the UARM BreakGlass reports.
AN00772 All Justifications are delivered only to BreakGlassApprovedEvent and not to all event schemas sent to the UAR server. Implement fix to create UAR events related to the Break Glass events with comments and justification.
1. Create BreakGlassEvent functionality
2. Add a comments and justification to the specific BreakGlass event
3. You should see the comments and justification in the UAR server
72 3 ENTM Fixes an issue where CA ControlMinder Endpoint output of the Endpoint name in Japanese is garbled when creating Windows agentless endpoint with wrong password.
AN00780 All JBoss is sending the request message in the MBCS format when the AgentManager is expecting UTF8 format. Implement code change to send the request in UTF8 format.
73 1 Unix endpoint user mode Fixes a CA ControlMinder customer issue where kblaudit does not log activities for several days. The logs are created after a ControlMinder services restart, but the issue returns in a few days.
AN00793 Unix all kblaudit log issue where seosd did not recognize KBLAuditMgr and KBLAuditMgr fails to rename kbl audit.
Implement a change so when the rename of kbl.audit file to backup file fails, KBL audit Mgr is killed and KBL operation resumes without any problem and the KBL audit is not lost.
74 3 ENTM Fixes an issue where a CA ControlMinder customer cannot send e-mails when the email address uses hyphens (-) and underscores (_) after the at symbol (@). AN00798 Windows all MailValidation regex was not accepting hyphen and underscore following an at symbol. n/a Implement fix to add hyphen and underscore to MailValidation regex code. 1.Login into ENTM UI
2.Go to Users and Groups -> Modify User
3.Select Any User
4.Modify Email like [email protected] or emailid@ca_itc.com And
5.Submit then observe below error: Invalid email address 'Email'
75 3 Unix endpoint user mode Fixes a CA ControlMinder issue where a customer receives a "System call not loaded" error message when using sepass to change passwords. AN00802 Unix all sepass and sesu are not working because the wrapper (script) calls se_loadtest and aren't detecting that Access Control is running. We have to test it on AIX. This problem occurs on AIX only. Run the latest wrapper script and use a different method to check if CM is running. On AIX, please run the scripts in /opt/CA/AccessControl/samples/wrappers. Even when CM is up and running, the script will still give you an error saying "System call not loaded.".
76 4 ENTM Fixes a CA ControlMinder issue where the Endpoint Management USER/GROUP REPOSITORY list displays multiple/duplicate domains. AN00811 All Each domain entry is listed in both the trusting domain and the Trusted domain list so all trusted and trusting list are clubbed together and shown in menu list, it appears as duplication. In Class SearchManagedBean, the method findTrustedDomainNames() gets the domain list by calling method getTrustedDomains. The return list is checked to ensure all domain names are unique which prevents duplicate entries. In Active Directory, make sure you have multiple domains. Keep each domain's relationship as trusted and trusting with other domains.
77 3 ENTM Fixes a CA ControlMinder issue where a customer sees a punctuation mark at the end of the message after they click the "approve" button for a privilege account request. AN00817 Windows all Punctuation mark is due to addition of the mark in property file. NA Remove the mark from the property file. 1. Login to ENTM as superadmin with credentials.
2. Create Endpoint,Discover one or more accounts.
3. Create one SAM user
4. Logout from ENTM
5. Login to ENTM as SAM user with credentials
6. Request for one privileged account and logout from ENTM
7. Login to ENTM as superadmin with credentials.
8. Approve the account by clicking on "Approve" button. After clicking on "Approve" button against privilege account request, they see a punctuation mark at the end of the message. When we configure mail with privilege account information they see a punctuation mark at the end of the subject of the mail.
78 3 ENTM Fixes a CA ControlMinder issue where the Enterprise Management UI Active Directory user store cannot delete a group with a double byte name.
AN00827 Windows all The Create Group and Delete Group tasks exist in the Active Directory user store System Manager Admin Role. n/a Workaround is to delete the Create Group and Delete Group tasks from System Manager Admin Role. 1.Login into ENTM UI
2.Go to Users and Groups -> Groups
3.Will observe Create Group and Delete Group
79 3 Unix endpoint user mode Fixes a CA ControlMinder issue where the customer sees an audit record in the UI console instead of the hostname/IP of the accessor. AN00830 Unix all A null peer address is returned by ProcServer_get_peer_addr() without an attempt to fetch the process remote address from the kernel. Add fetching of the process remote address from the kernel in ProcServer_get_peer_addr(). 1. Verify vsftpd is running: ps -ef | grep vsftpd
2. Connect FTP to CM endpoint.
3. Check that the produced LOGIN audit record is 07 Jul 2013 19:56:49 P LOGIN root 59 2 console VFTP instead of the expected: 07 Jul 2013 20:09:43 P LOGIN root 59 2 130.119.179.77 VFTP 07 Jul 2013 20:10:29 P LOGIN root 59 2 ismelx33.ca.com VFTP
80 2 Unix endpoint user mode Fixes a CA ControlMinder issue on Linux where serevu does not detect failed login when configured to use the OS failed log file. AN00838 Unix all The OS method that serevu uses does not work on Linux.
81 3 ENTM Fixes an issue where CA ControlMinder Endpoint output of the Endpoint name in Japanese is garbled when creating a Windows agentless endpoint with a wrong password. AN00869 All JBoss is sending the request message in the MBCS format when the AgentManager is expecting UTF8 format. Implement code change to send the request in UTF8 format. Take 12.7 GA + T51S007(fix) Japanese ENTM machine.
1) Try creating an endpoint name in Japanese for the Windows agentless and SSH endpoint types.
2) Give an invalid password to get the endpoint and error description in the GUI. You will see that the endpoint name comes out as junk and the error description is in Japanese.
82 3 ENTM Fixes a CA ControlMinder issue where, while creating an Endpoint for an SSH device with sudo_connector_conf.xml, an error is generated while the task is pending. AN00874 All Changes for the file sudo_connector_conf.xml are misplaced in the item value of "echo LOGINGU $?" in section oGetUSers. Implement fix (T51S008) to place the changes in the item value of "cat /etc/passwd ...." 1. Log in to the ENTM Web UI as superadmin.
2. Click "Privileged Accounts" -> "Endpoints" to create an Endpoint of the SSH endpoint type. Use Configuration File: sudo_connector_conf.xml
3. Click "Submit". The message "Task has been submitted. Please wait..." is displayed; after a while, "Task pending" is displayed.
4. After some time, browse "Home" -> "Self Manager" -> "View My Submitted Tasks" to check the task status. Click "Search". You will find that the "Create Endpoint" task has a failed status.
83 3 ENTM Fixes a CA ControlMinder issue where, when a customer creates a Windows Agentless Endpoint using a pre-defined administrative account, View Endpoint displays "last failed connection" though the connection was successful. AN00879 All An error in the code causes "Last Failed Connection Date" to be set on the endpoint when a predefined account is used as the endpoint administrator. This happens only when creating an endpoint using a predefined account. Implement a change in the Last Failed Connection code so the "Last Failed Connection Date" does not appear when the operation is successful. You need a Windows endpoint (bob_endpoint) that is a member of AD. On this endpoint, add an account (bob) that is a member of the AD to the administrators group (so he can manage this endpoint). 1. Create an AD endpoint.
2. Discover the bob account.
3. Create a Windows agentless endpoint for bob_endpoint. Use bob (pre-defined account) as the administrative account ("Use the following privileged account:" option).
4. Check that the endpoint was successfully created.
5. In the "View Endpoint" screen, check that "Last Failed Connection Date" is not marked for this endpoint. (Before the fix, the endpoint creation succeeds but it is marked with "Last Failed Connection Date".)
84 3 Unix endpoint user mode Fixes an issue where CA ControlMinder seosd is down after a user attempts to filter 200 lines of TRACE messages in audit.cfg. AN00913 Unix all The lines in audit.cfg exceed the filtering limit in the TRACE code. In audit.cfg, the filter is for TRACE only and the number of lines has to be more than 200. Implement fixes (T243983.tar.Z for Linux x86, T243984.tar.Z for Linux x64, and T243985 for Solaris) to increase the filtering limit to 1000. Create a file audit.cfg with 201 lines (more than 200 lines): TRACE;FILE;*;*;user1;*;*;* TRACE;FILE;*;*;user2;*;*;* ... Save the file in /opt/CA/AccessControl/etc. Start up AccessControl and you'll see the core dump. If you don't see it, run "selang" and you'll see the error. seosd keeps restarting.
85 3 UNAB Fixes an issue where CA ControlMinder users cannot use sudo su while UNAB is running and receive an error. AN00930 Unix all Failure of pam_uxauth causes login failure and a locked account even though the authentication component was successful. Implement fix (T5C1017.tar.Z) to change the uxauth.ini token setting so the pam_exit_on_deny token in uxauth.ini is no (pam_exit_on_deny=no).
86 3 Unix endpoint user mode Fixes a CA ControlMinder issue where sepass produces an error when the user enters the password of a user they are changing. AN00933 Unix all Coding error. Run sepass user01 to change another user's password, not the user's own password. A new sepass is required to correct the problem. sepass user01 Please Enter your password: it works even if we enter user01's password.
87 2 Unix endpoint kernel mode Fixes an issue where CA ControlMinder fails to load SEOS_syscall on an X64 Linux system running a 2.4 kernel. AN01023 LINUX x64 CA ControlMinder Kernel Extension SEOS_load error on RHEL 3. Install AC on X64 RHEL 3.8 (for example). Execute SEOS_load and it will fail.
88 2 Unix endpoint kernel mode install_base and postinstall script create incorrect links for SEOS_syscall on 64-bit Solaris 8 or 9 running in a branded zone. AN01024 Solaris OSMIC was used in creating SEOS_syscall link for Solaris 8 and 9. This only occurs when installing AC on 64-bit Solaris 8 or 9 in a branded zone. Add additional check for Solaris 8 or 9. On a 64-bit Solaris system that supports zones.
1. Do native installation in the global zone.
2. Unload SEOS_syscall.
3. Set SEOS_use_ioctl to 1.
4. Reload SEOS_syscall.
5. Go to the branded zone.
6. Do either native installation or legacy installation using install_base. The installation will fail when trying to link SEOS_syscall to either SEOS_syscall.28Z.64 or SEOS_syscall.29Z.64.
89 2 Win endpoint kernel mode Fixes a CA ControlMinder issue where a customer encounters restrictions when attempting to control TCP class. AN01100 Windows all The "restrictions(days(AnyDay) time(0100:1000))" do not work in the TCP inbound connection due to the activated DAYTIMERES option. See description Implement fix (T5P7280) to correct the driver code.
90 3 Unix endpoint user mode Fixes an issue where a CA ControlMinder customer gets an error message when they run seaudit against a specific backup audit file from a shell script, but there is no error when they run the same seaudit command manually. AN01111 Unix all Customer seaudit file is corrupt. Add an optional "-debug" to output debug error messages related to audit log processing. On Solaris 10, corrupted audit records induce:
1. core dump on # seaudit -a -fn /work/tmp_install/21472886/seos.audit.bak.13-Jul-2013-00:00:00 -sd 12-JUL-2013 -st 11:50
2. endless loop on # seaudit -tr -fn /work/tmp_install/21472886/seos.audit.bak.13-Jul-2013-00:00:00 -sd 12-JUL-2013 -st 17:02
91 2 Win endpoint user mode Fixes a CA ControlMinder issue where customer login is delayed following installation and configuration of the Network Load Balancer (NLB). AN01169 Windows all Memory corruption in seosd.exe in memory allocated for the TS session. Reallocate memory addressed by originalObjectName to the size that matches the predefined szOName buffer size to prevent writing to memory after the end of the heap buffer. Repeat RDP connect/disconnect from a remote host to an AC endpoint authorized through TERMINAL rules. The memory corruption occurred on a system with an atypical network configuration that uses NetBIOS over TCP/IP for name resolution and has entries in the hosts file like "IP NETBIOSNAME" which do not include the FQDN of the remote machine. Testing on hosts with common network settings did not detect the issue.
92 2 Unix endpoint kernel mode Fixes a CA ControlMinder issue where a user with Korn Shell as login shell cannot telnet or ftp into an X86_64 Solaris system when ControlMinder is not running and the SEOS_syscall kernel module is not loaded. AN01175 Solaris The SEOS_syscall entry is out of sync with SEOS_syscall. See Invest.notes. Remove handling of name_to_sysnum in S68SEOS and K28SEOS to prevent the SEOS_syscall entry from being inserted prematurely. 1. Install AC.
2. Optionally start AC and shut down AC.
3. Reboot system with or without AC kernel loaded.
4. Don't start AC during or after booting.
5. Try to telnet to the system using a user account that has Korn Shell as its default shell.
6. Connection will be rejected.
93 2 ENTM Fixes an issue where a CA ControlMinder customer approves a privileged account request by a group member and the approval event is not shown in the SAM audit log Event History. AN01195 Windows all The Event details stored in the runtimestatusdetail12 table are not fired. Implement fix (T52X010) for code changes to include the event which stores the details to the runtimestatusdetail12 table to show the details in the Enterprise Management audit screen.
Event History
1. TASKSESSION An instance of workflow process "SingleStepApproval" with id "1 32:WPDS" was created to handle this event. The event will not proceed until it is completed. 2013-07-26 14:05:32.747
2. WORKFLOW A workflow work item "Approval" with id "0 4 50:WPDS" was created, and assigned to these users: superadmin (Super Admin), test1 (test 1) 2013-07-26 14:05:32.933
3. WORKFLOW Workflow work item "Approval" with id "1 4 50:WPDS" had action "Approve the work item and proceed to the next approver" performed on it by test1 (test 1). 2013-07-26 14:05:53.34
4. WORKFLOW The workflow process associated with this event allowed the event to proceed. 2013-07-26 14:06:13.413
[Step] 1. Create a group and add more than two users. Users and Groups -> Groups
2. Change the "Privileged Account Request" admin task approver to the group. Users and Groups -> Tasks -> Modify Admin Task: Privileged Account Request click Event tab -> select privilegedAccountRequest Workflow Process: SingleStepApproval Primary Approver Participant Resolver: Group Members => Click "Add Groups" and select the created group
3. Request a privileged account and approve it by a group member. => (case a) Check the check box under "Select All" and click approve button. => (case b) Click the task name and click approve button in the next screen.
4. Check "Audit Privileged Accounts", Privileged Account Request task.
5. Click "Create Privileged Account Request Event (not started yet)" under "Included Events".
6. Check "Event History" and above event #3 is missing in case a.
94 2 ENTM Fixes a CA ControlMinder issue where an account is not automatically checked in after a user exits the account and the expiration time has passed. AN01200 All There is no reschedule mechanism when the check-in event has elapsed and the session is still open. Implement a code change to reschedule the check-in event job if it fails to check in due to an existing open session. 1. Create a SAM privileged account which is set to Exclusive Session, with Check out Expiration set to 10 minutes.
2. The user checks out the account and gets a password for this SAM user account.
3. The user connects to the machine over RDP with the given password (not using the log-in application) and doesn't close the RDP session.
4. When the 10 minutes have elapsed, a check-in event is raised which fails due to the open session (so far seems to be good). This is the message we get: ….has 1 open session(s). Terminate (or log-off) its session prior to checkout or check-in operation
95 2 ENTM Fixes a CA ControlMinder Privileged Account request issue where the user sees an error message when they switch from the Approvers tab to the Privileged Account tab within the request page. AN01233 Windows all ControlMinder is trying to refer to an object in "approve_privileged_account_request_profile.jsp" from the session object, but the object is not available in the session. Implement fix (T52X008) to choose the value from a Java class method instead of from the session, which will populate the required attribute and render the page. A SITEMINDER integrated environment is required to test this issue.
1. Request a privileged account.
2. Log in as approver and select the request.
3. Switch from the Approvers tab to the Privileged Account tab. Expected Result: It should show the details provided while requesting the account. Actual Result: Null Pointer Exception
96 2 Unix endpoint user mode Fixes a CA ControlMinder issue where a customer can see other Watchdog processes when using the issec command. AN01328 Unix all A third-party (non-ControlMinder) process called watchdog was shown in issec output as a ControlMinder process. Make sure no processes called watchdog are running so that they are not shown by Issecd as ControlMinder processes.
97 3 Unix endpoint user mode Fixes an issue where the CA ControlMinder selang experiences a core dump when specific text strings are entered. AN01349 Unix all The core dump is caused when handle_objs_r() calls free() to free memory allocated by strdup() in cp_up2_r(): handle_objs_r() changes the memory pointer, so the free() call fails. Trailing blanks. Implement code changes to save the memory address and keep the memory pointer for the free call.