Socket Filter Agent 2.7 on AIX 6.1 and AIX 7.1 is not blocking SSH access to blacklisted hosts

Document ID : KB000006333
Last Modified Date : 14/02/2018
Issue:

Socket Filter Agent (SFA) 2.7 installed on AIX 6.1 and AIX 7.1 is not blocking SSH access to the blacklisted hosts specified in the socket filter list. Whitelist filtering works as expected.

Environment:
CA Privileged Access Manager: 2.7
Socket Filter Agent: 2.7
Target Servers: AIX 6.1, AIX 7.1
Cause:

SFA marks the hosts in the filter list as invalid filter IPs and ignores them. In the gksfd.log excerpt below, every rejected entry carries a netmask (/23), and the agent finishes with 0 filters loaded, so no blacklist entry is enforced:

<6>gksfd: 2017-04-06 19:33:43 >>> device information:
<6>gksfd: 2017-04-06 19:33:43 device: ip(xxx.xxx.xx.xx) port(22) policy(b)
<4>gksfd: 2017-04-06 19:33:43 make_struct: ignore invalid filter ip (10.xxx.xx.xxx/23 22)
<4>gksfd: 2017-04-06 19:33:43 make_struct: ignore invalid filter ip (10.xxx.xxx.xxx/23 22)
<6>gksfd: 2017-04-06 19:33:43 >>> filter information: 0 filters.


In a working case, the filters are recognized and the count reported by the agent matches the filter list:

<6>gksfd: 2017-04-06 19:54:19 >>> device information:
<6>gksfd: 2017-04-06 19:54:19 device: ip(xxx.xx.xx.xx) port(22) policy(b)
<6>gksfd: 2017-04-06 19:54:19 >>> filter information: 2 filters.
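
The two log excerpts above show the symptom to look for: "ignore invalid filter ip" lines followed by a "0 filters" summary. The script below is an added example, not part of this KB article or of the CA product; it audits a gksfd.log excerpt for dropped filter entries, flags the ones that carry a netmask (the cause described here), and reports whether any filters were loaded at all. The log sample is constructed from the article's excerpt with placeholder addresses; the message formats are taken from the excerpt, and the regular expressions are an assumption about how those messages look in a real log.

```python
"""Audit a gksfd.log excerpt for socket-filter entries the SFA dropped."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample modelled on the KB excerpt; addresses are placeholders.
SAMPLE_LOG = """\
<6>gksfd: 2017-04-06 19:33:43 >>> device information:
<6>gksfd: 2017-04-06 19:33:43 device: ip(192.0.2.10) port(22) policy(b)
<4>gksfd: 2017-04-06 19:33:43 make_struct: ignore invalid filter ip (10.20.30.40/23 22)
<4>gksfd: 2017-04-06 19:33:43 make_struct: ignore invalid filter ip (10.20.32.40/23 22)
<6>gksfd: 2017-04-06 19:33:43 >>> filter information: 0 filters.
"""

# Patterns are assumptions based on the message text quoted in the article.
IGNORED_RE = re.compile(r"make_struct: ignore invalid filter ip \((\S+) (\d+)\)")
COUNT_RE = re.compile(r">>> filter information: (\d+) filters\.")


@dataclass
class FilterAudit:
    ignored: List[Tuple[str, str]] = field(default_factory=list)  # (host, port) pairs SFA dropped
    loaded: Optional[int] = None  # filter count SFA reported; None if no summary line was seen
    findings: List[str] = field(default_factory=list)  # human-readable diagnosis


def has_netmask(host: str) -> bool:
    """True when a filter host entry carries a CIDR suffix such as 10.1.2.3/23."""
    return "/" in host


def strip_netmask(host: str) -> str:
    """Host part without the CIDR suffix, i.e. the form the KB resolution asks for."""
    return host.split("/", 1)[0]


def audit_gksfd_log(text: str) -> FilterAudit:
    """Scan log lines, collect dropped filter entries and the loaded-filter count."""
    audit = FilterAudit()
    for line in text.splitlines():
        m = IGNORED_RE.search(line)
        if m:
            audit.ignored.append((m.group(1), m.group(2)))
            continue
        m = COUNT_RE.search(line)
        if m:
            audit.loaded = int(m.group(1))

    for host, port in audit.ignored:
        if has_netmask(host):
            audit.findings.append(
                f"{host} port {port}: entry has a netmask, which SFA rejects; use {strip_netmask(host)}"
            )
        else:
            audit.findings.append(f"{host} port {port}: ignored for another reason, check the entry")

    if audit.loaded == 0:
        audit.findings.append("0 filters loaded: the blacklist is not enforced at all")
    elif audit.loaded is None:
        audit.findings.append("no 'filter information' summary found: check that gksfd is running and logging")
    return audit


if __name__ == "__main__":
    result = audit_gksfd_log(SAMPLE_LOG)
    print(f"loaded filters: {result.loaded}")
    for finding in result.findings:
        print(f"- {finding}")
```

Run it against /var/tmp/gksfd.log on the target host (after reading the file into a string) and treat any finding as a reason the blacklist is not being applied; a clean run reports no findings and a non-zero filter count.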

Resolution:

SFA blocks the blacklisted hosts once the netmask (for example the /23 suffix shown in the log above) is removed from the host IP address in the filter list.


SFA 2.7 installers for AIX 6.1 and AIX 7.1 are revised to address the issue.

Additional Information:

Troubleshooting SFA issues:

  •     SFA is installed with the Windows default Administrator account or the UNIX root account
  •     SFA is installed on a supported operating system (https://support.ca.com/phpdocs/7/9526/9526-PAM-platformsupportmatrix.pdf)
  •     Communication between the target host and SFA on the target host over port 8550 (the default SFA port) and port 443 is not blocked
  •     Ensure that the SFA daemon is running (/etc/rc.d/init.d/gksfd start)
  •     Check the gksfd.log (/var/tmp/gksfd.log)
  •     Associate the socket filter with the user-device policy
  •     On UNIX and Linux targets, SFA only filters non-root users. To test the access control defined by the filter list, log in to the target UNIX host as a non-root user, and make sure that user is not listed under SECURE_USER in the gksfd.cfg file