A PAMSC user would like to know about the 'Extended PROCESS class', which was enhanced in PAMSC r14.1.
He checked the behavior by following the guide, using the strace command.
For example, he tried the following steps:
1. Define a rule for the top command.
nr PROCESS /usr/bin/top owner(nobody) defacc(n) audit(a)
auth PROCESS /usr/bin/top uid(root) access(attach)
2. Start /usr/bin/top.
3. Log in as root on another terminal.
4. Find the process ID for top.
5. strace -rfT -p "PID for top"
But he cannot control the process, and there is no audit log.
OS: RHEL 7.5
Prod: CA Privileged Access Manager r14.1 for Endpoint
The strace command does not call the process attach system call (ptrace(PTRACE_ATTACH, ...)).
So PAMSC cannot intercept the process attach event and control it.
Please check with gdb -p PID instead.
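
A minimal attach test for the PROCESS rule above, added here as an example and not taken from the original article or from the product: it issues ptrace(PTRACE_ATTACH, ...) against a PID, the call the article says PAMSC intercepts, or optionally PTRACE_SEIZE, the other Linux request for tracing an already running process. The function names and the `seize` argument are assumptions of this example, and the page does not say how PAMSC treats PTRACE_SEIZE.

```c
/* Added example; function names and the "seize" argument are hypothetical. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Attach to pid with PTRACE_ATTACH (or PTRACE_SEIZE), then detach again.
 * Returns 0 if the attach was allowed, -1 if it was refused or failed. */
int attach_then_detach(pid_t pid, int use_seize)
{
    if (use_seize) {
        if (ptrace(PTRACE_SEIZE, pid, NULL, NULL) == -1) return -1;
        /* SEIZE does not stop the tracee; stop it so it can be detached. */
        if (ptrace(PTRACE_INTERRUPT, pid, NULL, NULL) == -1) return -1;
    } else if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1) {
        return -1;
    }
    if (waitpid(pid, NULL, __WALL) == -1) return -1;
    return ptrace(PTRACE_DETACH, pid, NULL, NULL) == -1 ? -1 : 0;
}

/* Constructed self-check: fork a sleeping child and attach to it. */
int probe_child(int use_seize)
{
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) { pause(); _exit(0); }
    int rc = attach_then_detach(pid, use_seize);
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s PID [seize]\n", argv[0]);
        return 2;
    }
    int use_seize = argc > 2 && strcmp(argv[2], "seize") == 0;
    int rc = attach_then_detach((pid_t)atoi(argv[1]), use_seize);
    printf("%s: %s\n", use_seize ? "PTRACE_SEIZE" : "PTRACE_ATTACH",
           rc == 0 ? "allowed" : "refused or failed");
    return rc == 0 ? 0 : 1;
}
```

Run it as root against the PID of top from step 4, then compare the result and the audit log with what the auth rule should produce.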