Why is KBL audit not capturing my KBL events?

Document ID : KB000128022
Last Modified Date : 26/02/2019
Introduction:
One way to monitor a group of enterprise (OS) users with PAM is to define an enterprise group for the OS group they belong to. For instance, if users abc, def and xyj belong to the OS group staff, you can create an enterprise group staff with audit flags in selang:

nxg staff owner(root) audit(all, interactive)

When one of these users logs in, PAM recognizes it as an OS user. Since the user belongs to XGROUP staff and interactive is specified, the session is monitored with KBL.

Sometimes, though, this does not work. The user logs in, but nothing is actually recorded in the KBL audit.
Question:
Why can't I see any recorded KBL sessions for my user even though it belongs to a group for which KBL audit is enabled in PAM SC?
Environment:
PIM and PAM SC all versions
The present document explains this use case for UNIX/Linux, but a Windows PAM SC/PIM environment behaves the same way; there, the settings have to be modified in the Windows registry under the PAM SC keys.
Answer:
A likely cause is that your PAM SC installation is configured not to recognize OS users. The osuser_enabled setting in seos.ini controls this: if it is set to no, OS users are not recognized by PAM SC.

If this is the case, when you log in to the system as one of the users that should be monitored through membership of the corresponding group (e.g. ssh abc@myhost.com) and run sewhoami -a as that user, the user is listed as _undefined and the User type as logical.

KBL cannot audit the _undefined user or the logical user type.

You need to:
  1. Stop PAM SC (secons -sk)
  2. Edit seos.ini (usually under /opt/CA/PAMSC), look for the osuser_enabled setting and set it to yes
  3. Restart PAM SC (seload)
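
As a check before step 2 and again after the restart, the following added example (not vendor code and not part of the original document) reports the osuser_enabled value found in a seos.ini file. The comment characters, the last-occurrence-wins rule and the section name in the constructed sample are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Reports the effective osuser_enabled value
# found in a seos.ini file so it can be checked before and after the edit.
# Assumptions: "key = value" lines; ';' or '#' starts a comment; if the key
# appears more than once, the last occurrence is reported.

osuser_state() {
    ini=$1
    [ -r "$ini" ] || { echo "unreadable"; return 2; }
    val=$(awk '
        {
            line = $0
            sub(/[;#].*$/, "", line)              # drop comments
            eq = index(line, "=")
            if (eq == 0) next                     # section headers, blanks
            key = substr(line, 1, eq - 1)
            v = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", key)    # trim key
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)      # trim value
            if (tolower(key) == "osuser_enabled") found = tolower(v)
        }
        END { print found }
    ' "$ini")
    case $val in
        yes) echo "yes";          return 0 ;;
        no)  echo "no";           return 1 ;;  # OS users will not be recognized
        "")  echo "unset";        return 3 ;;  # key absent or commented out
        *)   echo "invalid:$val"; return 4 ;;
    esac
}

# Constructed sample (not a real seos.ini; the section name is a placeholder).
demo_sample() {
    tmp=$(mktemp)
    printf '%s\n' '[placeholder_section]' \
        '; osuser_enabled = yes' \
        'osuser_enabled =  No   ; constructed value' > "$tmp"
    rc=0
    osuser_state "$tmp" || rc=$?
    rm -f "$tmp"
    return $rc
}
```

Call it as `osuser_state /opt/CA/PAMSC/seos.ini`, adjusting the path to your installation; a result of `no` matches the _undefined / logical symptom described above.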