Previous Topic: Windows Endpoint Known IssuesNext Topic: UNAB Known Issues


UNIX Endpoint Known Issues

This section describes known issues for CA ControlMinder for UNIX.

CAWIN Installation Requires Ncurses

Valid on Linux 64-bit Server

Install Ncurses 32-bit before installing CAWIN on Linux 64-bit servers.

Failed Login Events Not Audited When serevu Daemon Running

Valid on VMware vCenter 4.0 u2

When CA ControlMinder is installed on VMware vCenter version 4.0 u2, the following occurs when the serevu daemon is running:

To work around this issue, do the following:

  1. Stop all CA ControlMinder daemons.
  2. Navigate to the following directory:
    /etc/pam.d/
    
  3. Edit the system-auth file to remove all references to pam_seos.so. For example:
    account required pam_per_user.so /etc/pam.d/login.map
    auth required pam_per_user.so /etc/pam.d/login.map
    password required pam_per_user.so /etc/pam.d/login.map
    session required pam_per_user.so /etc/pam.d/login.map
    
  4. Edit the system-auth-generic file to add reference to pam_seos.so. For example:
    password  sufficient  pam_seos.so
    auth       optional     pam_seos.so
    account    optional     pam_seos.so
    session    optional     pam_seos.so
    
  5. Edit the system-auth-local file to add references to pam_seos.so. For example:
    password  sufficient  pam_seos.so
    auth       optional     pam_seos.so
    account    optional     pam_seos.so
    session    optional     pam_seos.so
    
  6. Save and close the files.
  7. Start CA ControlMinder daemons.
Cannot Configure JBoss JDBC Password Consumer on Linux

Valid on Linux

Currently, you cannot configure a JBoss JDBC password consumer on LInux.

Log in to CA ControlMinder Requires PAM_Login Flag Enabled

Valid on AIX

If the PAM_login flag is not enabled, CA ControlMinder cannot detect the Active Directory user account correctly.

To work around this problem, enable the PAM_login flag in the log in program (LOGINAPPL) you set. Verify that seosd daemon accepts log in requests from PAM modules by setting the PamPassUserInfo token to 1 in seos.ini under the [pam_seos] section.

You can use the following command to set the login flags:

er LOGINAPPL SSH loginflags(pamlogin)
User Sessions Are Not Logged when Default Shell Is Not Defined in /etc/shells

Valid for Keyboard Logger

CA ControlMinder does not record user sessions when a user logs in with a shell that is not defined in /etc/shells.

When PAM is Active segrace Is Not Called for FTP and SSH Grace Login

When PAM is activated, segrace is not called automatically for a grace login to FTP and SSH services.

To work around this issue on FTP, change the value of the LOGINFLAGS property to nograce in the LOGINAPPL record for the FTP service.

To work around this issue on SSH, do not call segrace from PAM. Instead, call segrace from the user or operating system startup script.

CA ControlMinder Does Not Reset Passwords Once the Grace Period Expires

Valid on HPUX, and AIX

If UNAB is installed on the CA ControlMinder endpoint, CA ControlMinder PAM does not invoke the 'sepass' utility to reset the account password when the user password grace period expires.

This problem affects login applications that use loginflags(pamlogin), for example, SSH login, rlogin, FTP, and Telnet. SSH login is not recognized as a login action by CA ControlMinder on HPUX and AIX. To work around this problem, use loginflags(none) for SSH login applications.

Run the following command to set the token:

er LOGINAPPL SSH loginflags(none)
Solaris Network Event Bypass Does Not Work for Some Processes

CA ControlMinder on Solaris does not bypass network events (bypass type PBN of SPECIALPGM records) for processes that start before CA ControlMinder starts.

Stat Interception Calls Not Supported on AIX Systems

File access check on a stat system call with the STAT_intercept token set to “1” is not supported on AIX systems.