PAMSC(EP) r14.1: "Enhanced PROCESS Class" does not work

Document ID : KB000130085
Last Modified Date : 27/03/2019
Question:
A PAMSC user wants to verify the 'Extended PROCESS class' that was enhanced in PAMSC r14.1.
He checked the behaviour described in the following guides using the strace command.

https://docops.ca.com/ca-privileged-access-manager-server-control/14-1/en/reference/selang-reference-guide/classes-in-the-ac-environment/process-class
https://docops.ca.com/ca-privileged-access-manager-server-control/14-1/en/administrating/endpoint-administration-for-unix/protect-process-being-attached-by-other-processes
For example, he tried the following steps:

1. Define a rule for the top command:
   nr PROCESS /usr/bin/top owner(nobody) defacc(n) audit(a)
   auth PROCESS /usr/bin/top uid(root) access(attach)
2. Start /usr/bin/top.
3. Log in as root on another terminal.
4. Find the process ID of top.
5. Run strace -rfT -p "PID for top".

However, he cannot control the attach to the process, and no audit log is written.
 
Environment:
OS: RHEL 7.5 
Prod: CA Privileged Access Manager r14.1 for Endpoint 
Answer:
The strace command does not attach to a process with the ptrace(PTRACE_ATTACH, ...) system call, so PAMSC cannot intercept the attach event and control it.

Please check the rule with gdb -p PID instead.
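To test the rule with the exact request PAMSC intercepts, rather than relying on a debugger's internals (gdb -p uses PTRACE_ATTACH, while current strace attaches with PTRACE_SEIZE), the following added example issues PTRACE_ATTACH directly. It is not part of the CA documentation; the function names and the self-check against a forked child are my own, and the result is the errno of the attempt (0 when attached, EPERM when denied).

```c
/* Added verification harness, not CA code: attempts ptrace(PTRACE_ATTACH)
 * on a target PID and reports whether the attach was allowed. Run it as the
 * uid named in the auth PROCESS rule against the protected process's PID,
 * then look for the corresponding audit record. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Try PTRACE_ATTACH on pid. Returns 0 if the attach succeeded (the tracee
 * is detached again immediately), otherwise the errno of the failure. */
int try_ptrace_attach(pid_t pid) {
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1)
        return errno;              /* EPERM: denied by kernel, Yama or PAMSC */
    int status;
    /* attach delivers SIGSTOP; wait for the stop before detaching */
    if (waitpid(pid, &status, 0) == -1)
        return errno;
    ptrace(PTRACE_DETACH, pid, NULL, NULL);
    return 0;
}

/* Spawn an idle child to serve as a constructed attach target. */
pid_t spawn_target(void) {
    pid_t pid = fork();
    if (pid == 0) {
        pause();                   /* child sleeps until killed */
        _exit(0);
    }
    return pid;
}

/* Self-check: attach to our own child (no PROCESS rule covers it, so this
 * succeeds unless ptrace itself is restricted on the host). */
int self_check(void) {
    pid_t pid = spawn_target();
    if (pid < 0) return errno;
    usleep(10000);                 /* give the child time to reach pause() */
    int rc = try_ptrace_attach(pid);
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return rc;
}

int main(int argc, char **argv) {
    pid_t pid = argc > 1 ? (pid_t)atoi(argv[1]) : 0;
    int rc = pid ? try_ptrace_attach(pid) : self_check();
    printf("PTRACE_ATTACH %s (%s)\n", rc ? "denied" : "succeeded",
           rc ? strerror(rc) : "ok");
    return rc;
}
```

Invoke it with no argument for the self-check, or with the PID of the protected /usr/bin/top to exercise the access(attach) rule.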