PAMSC(EP) r14.1: "Enhanced PROCESS Class" does not work

Document ID : KB000130085
Last Modified Date : 27/03/2019
Show Technical Document Details
PAMSC user would like to know 'Extended PROCESS class' which is enhanced at PAMSC r14.1.
He checked behavior with following guide with strace comand.
For example, he tried following steps:

1.  define rule for top command.
  nr PROCESS /usr/bin/top owner(nobody) defacc(n) audit(a) 
  auth PROCESS /usr/bin/top uid(root) access(attach) 
2. start /usr/bin/top
3. login as root on another terminal.
4. find process ID for the top
5. strace -rfT -p "PID for top"

But he cannot control process and there is no audit log.
OS: RHEL 7.5 
Prod: CA Privileged Access Manager r14.1 for Endpoint 
strace command does not call process attach system call(ptrace(PTRACE_ATTACH, ...) ).
So, PAMSC cannot intercept attached process event and control it.

Please use check with gdb -p PID.