This section describes known issues for CA Access Control for UNIX.
Valid on Linux 64-bit Server
Install Ncurses 32-bit before installing CAWIN on Linux 64-bit servers.
Valid on Linux
When creating an AC for PUPM endpoint type on Linux, verify that the CA Access Control Administrator user name is defined as a fully qualified name. For example, computer-name\user-name, or entmcomputer\root.
Valid on Linux x64
The CAWIN installation fails when installed on a minimal Linux x64 installation. The installation fails because of a missing 32-bit library.
Note: CAWIN is part of the CA Access Control installation. CAWIN-related error messages are logged in the CA Access Control installation log file.
To work around this issue, install the 32-bit ncurses RPM package with the libncurses.co file. Verify that the package version is not below version 5.0. For example:
ncurses-devel-5.7-3.20090208.el6.i686.rpm
Valid on VMware vCenter 4.0 u2
When CA Access Control is installed on VMware vCenter version 4.0 u2, the following occurs when the serevu daemon is running:
To work around this issue, do the following:
/etc/pam.d/
account required pam_per_user.so /etc/pam.d/login.map
auth required pam_per_user.so /etc/pam.d/login.map
password required pam_per_user.so /etc/pam.d/login.map
session required pam_per_user.so /etc/pam.d/login.map

password sufficient pam_seos.so
auth optional pam_seos.so
account optional pam_seos.so
session optional pam_seos.so

password sufficient pam_seos.so
auth optional pam_seos.so
account optional pam_seos.so
session optional pam_seos.so
Valid on RedHat Linux Advanced Server 6
On RedHat Linux Advanced Server 6, SSH user logins are not audited by CA Access Control because the SELinux default policy does not allow SSHD to access the /proc file system.
To work around this issue, run the /opt/CA/AccessControl/lbin/sshd_policy.sh script to load an SELinux policy module that allows access to /proc.
Valid on Linux
Currently, you cannot configure a JBoss JDBC password consumer on Linux.
Valid on AIX
If the PAM_login flag is not enabled, CA Access Control cannot detect the Active Directory user account correctly.
To work around this problem, enable the PAM_login flag in the login program (LOGINAPPL) you set. Verify that the seosd daemon accepts login requests from PAM modules by setting the PamPassUserInfo token to 1 in seos.ini under the [pam_seos] section.
Valid for Keyboard Logger
CA Access Control does not record user sessions when a user logs in with a shell that is not defined in /etc/shells.
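One way to find the accounts this recording gap applies to, as an added example that is not part of the original release notes or of CA Access Control: the function below (hypothetical name `unlisted_shell_users`) lists accounts whose login shell is missing from the shells file. It assumes the standard passwd(5) and shells(5) file formats; the sample files are constructed.

```shell
#!/bin/sh
# Added example: report accounts whose login shell is not listed in the
# shells file. Output format: user:shell, one per line.
# Usage: unlisted_shell_users [passwd_file] [shells_file]
unlisted_shell_users() {
    passwd_file=${1:-/etc/passwd}
    shells_file=${2:-/etc/shells}
    # Refuse to guess when either input cannot be read.
    [ -r "$passwd_file" ] && [ -r "$shells_file" ] || return 2
    awk -F: -v shells="$shells_file" '
        BEGIN {
            # Load the valid shells, dropping comments and blank lines.
            while ((getline line < shells) > 0) {
                sub(/#.*/, "", line)
                gsub(/[ \t]+/, "", line)
                if (line != "") valid[line] = 1
            }
            close(shells)
        }
        # Skip comments and malformed passwd entries.
        /^#/ || NF < 7 { next }
        {
            shell = $7
            # passwd(5): an empty shell field means /bin/sh.
            if (shell == "") shell = "/bin/sh"
            if (!(shell in valid)) print $1 ":" shell
        }
    ' "$passwd_file"
}

# Constructed sample data so the example runs without touching /etc.
demo_dir=$(mktemp -d)
printf '%s\n' '# constructed shells file' '/bin/sh' '/bin/bash' \
    > "$demo_dir/shells"
printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'alice:x:1000:1000::/home/alice:/usr/local/bin/zsh' \
    'bob:x:1001:1001::/home/bob:' \
    > "$demo_dir/passwd"
unlisted_shell_users "$demo_dir/passwd" "$demo_dir/shells"
rm -rf "$demo_dir"
```

Run it with no arguments on an endpoint to check /etc/passwd against /etc/shells; accounts from LDAP or Active Directory are not in /etc/passwd and need a separate check.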
When PAM is activated, segrace is not called automatically for a grace login to FTP and SSH services.
To work around this issue on FTP, change the value of the LOGINFLAGS property to nograce in the LOGINAPPL record for the FTP service.
To work around this issue on SSH, do not call segrace from PAM. Instead, call segrace from the user or operating system startup script.
Valid on HPUX and AIX
If UNAB is installed on the CA Access Control endpoint, CA Access Control PAM does not invoke the 'sepass' utility to reset the account password when the user password grace period expires.
This problem affects login applications that use loginflags(pamlogin), for example, SSH login, rlogin, FTP, and Telnet. SSH login is not recognized as a login action by CA Access Control on HPUX and AIX. To work around this problem, use loginflags(none) for SSH login applications.
CA Access Control on Solaris does not bypass network events (bypass type PBN of SPECIALPGM records) for processes that start before CA Access Control starts.
File access check on a stat system call with the STAT_intercept token set to “1” is not supported on AIX systems.
Copyright © 2012 CA. All rights reserved.