secons Utility: Manage CA Privileged Access Manager Server Control Shutdown on UNIX
Valid on UNIX
The secons utility shuts down PAM Server Control and the associated daemons. You can also use this utility to find out which processes are still executing PAM Server Control code.

Only users who are defined as ADMIN or OPERATOR can shut down PAM Server Control. To shut down PAM Server Control on remote computers, you must be defined as ADMIN or OPERATOR on those remote computers.

This command has the following format:
secons [-s [hosts | ghosts]] \
[-S [{selogrd | selogrcd | serevu}]] \
[-sc] [-scl] [-sk]
- -s [hosts|ghosts]
  Shuts down the PAM Server Control daemons on the defined, space-separated, list of remote hosts. If you do not specify any hosts, PAM Server Control shuts down on the local host.
  You can define a group of hosts by entering the name of a ghost record. If you use this option from a remote terminal, the utility requests password verification. You also need admin privileges on both the remote and local computers, and write permission to the local computer on the remote host database.
- -S [{selogrd | selogrcd | serevu}]
  If you do not define a daemon, terminates the PAM Server Control daemons and attempts to terminate active daemons selogrd, selogrcd, and serevu. If the selogrd, selogrcd, or serevu tokens in the [daemons] section of the seos.ini file are set to yes, a termination request is sent to the running PAM Server Control main daemon, or a termination signal is sent to the specified daemon if the product is already down.
  If you define a daemon, secons does not terminate the PAM Server Control daemons. If the appropriate token in the [daemons] section of the seos.ini file is set to yes, it sends the termination request to the running PAM Server Control main daemon, or it sends the termination signal to that daemon if PAM Server Control is down.
- -sc[l]
  Displays processes that are still executing PAM Server Control code.
  You cannot unload PAM Server Control if an application, which is loaded on top of PAM Server Control, has an open system call (syscall) that is hooked by PAM Server Control. Once you know which processes are still executing PAM Server Control code, you can shut down these processes and can unload the PAM Server Control kernel module. You can then use UNIX exits to automatically shut down these processes before unloading the kernel and then restart them after the kernel is unloaded.
  The -sc output displays as a two-column table with the system call number in the first column, and the process identifier in the second column.
  The -scl option also displays parent process ID (PPID), UID, time, and program name information for the processes that are still executing PAM Server Control code. The time information lets you find out how long the process has PAM Server Control hooked. If the time is relatively short, the hook is likely to be a temporary one.
  You can also run this while PAM Server Control is running to help you predict what causes unload issues in advance. However, sometimes, such as with the accept command, PAM Server Control code removes the hook during unload. This means that some of the active hooks you see while PAM Server Control is running may not actually affect unloading.
  Note: By default, PAM Server Control monitors system calls that it intercepts. Set the syscall_monitor token in the seos.ini file to 0 (disabled) if you do not want PAM Server Control to monitor system calls.
- -sk
  Shuts down all PAM Server Control daemons and prepares the PAM Server Control kernel extension to be unloaded.
Example: Shut Down PAM Server Control
- To shut down the PAM Server Control daemon, enter:
      secons -s
- To shut down the PAM Server Control daemon on remote hosts HOST1 and HOST2, enter:
      secons -s HOST1 HOST2
Example: Display Information for Processes that are Still Executing PAM Server Control Code
- To display basic information about processes that are still executing PAM Server Control code:
      secons -sc
  The output that you receive looks similar to the following:
      CA PAMSC secons vX.X.X.xxx - Console utility
      Copyright (c) YYYY CA. All rights reserved.
      Active system calls:
      syscall 5 - PID: 27477
- To display more information about processes that are still executing PAM Server Control code:
      secons -scl
  The output you receive looks similar to the following:
      CA PAMSC secons vX.X.X.xxx - Console utility
      Copyright (c) YYYY CA. All rights reserved.
      Active system calls:
      -Syscall 102 - PID: 2105 PPID: 1 UID: 0 TIME: 4d-4h PROGRAM NAME: /usr/sbin/vsftpd
      Syscall 5 - PID: 24269 PPID: 4289 UID: 0 TIME: 2d-21h PROGRAM NAME: /bin/bash
  A dash (-) at the beginning of the output line means that PAM Server Control assesses that this hook is not likely to cause you issues when unloading. When you use this command, PAM Server Control also adds lines to the audit log that record whether unloading PAM Server Control is likely to succeed. For example, the following audit record is created when you run secons -scl and there is at least one blocking system call that is likely to prevent PAM Server Control from unloading:
      10 Nov YYYY 05:47:22 F CHECK root Scan 339 0 SEOS_syscall unload
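
One way to triage secons -scl output before an unload, shown as an added example that is not part of the product or its documentation. It assumes the line layout of the sample output above; the function names classify_hooks, blocking_pids and sample_scl_output are hypothetical, and the sample input is constructed from that output.

```shell
#!/bin/sh
# Added example: separate hooks marked with a leading dash (assessed as
# unlikely to block unloading) from hooks that may block it.

# classify_hooks: read `secons -scl` output on stdin and print, per hook line:
#   <BLOCKING|benign> <syscall> <pid> <uid> <time> <program>
classify_hooks() {
    awk '
    # Only hook lines match; the banner and "Active system calls:" are skipped.
    /^-?[Ss]yscall [0-9]+ - PID: [0-9]+/ {
        state = "BLOCKING"
        if (substr($0, 1, 1) == "-") { state = "benign"; sub(/^-/, "") }
        sysno = $2; pid = $5
        uid = "?"; age = "?"; prog = "?"   # fields absent from plain -sc output
        for (i = 6; i < NF; i++) {
            if ($i == "UID:")  uid = $(i + 1)
            if ($i == "TIME:") age = $(i + 1)
        }
        # Program name is everything after its label (paths may contain spaces).
        n = index($0, "PROGRAM NAME: ")
        if (n > 0) prog = substr($0, n + 14)
        print state, sysno, pid, uid, age, prog
    }'
}

# blocking_pids: PIDs of processes whose hooks are not marked with a dash.
blocking_pids() {
    classify_hooks | awk '$1 == "BLOCKING" { print $3 }'
}

# Constructed sample input, copied from the example output on this page.
sample_scl_output() {
    cat <<'EOF'
CA PAMSC secons vX.X.X.xxx - Console utility
Copyright (c) YYYY CA. All rights reserved.
Active system calls:
-Syscall 102 - PID: 2105 PPID: 1 UID: 0 TIME: 4d-4h PROGRAM NAME: /usr/sbin/vsftpd
Syscall 5 - PID: 24269 PPID: 4289 UID: 0 TIME: 2d-21h PROGRAM NAME: /bin/bash
EOF
}

# Demo on the sample; on a live host use: secons -scl | classify_hooks
sample_scl_output | classify_hooks
```

Because running secons -scl also writes a CHECK record to the audit log, the audit trail shows each time this pre-unload check was performed.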