secons Utility - Manage CA Privileged Access Manager Server Control Shutdown on UNIX
Valid on UNIX
The secons utility shuts down Privileged Access Manager and the associated daemons. You can also use this utility to find out which processes are still executing Privileged Access Manager code.

Only users who are defined as ADMIN or OPERATOR can shut down Privileged Access Manager. To shut down Privileged Access Manager on remote computers, you must be defined as ADMIN or OPERATOR on those remote computers.

This command has the following format:
    secons [-s [hosts | ghosts]] \
           [-S [{selogrd | selogrcd | serevu}]] \
           [-sc] [-scl] [-sk]

- -s [hosts | ghosts]
  Shuts down the Privileged Access Manager daemons on the defined, space-separated list of remote hosts. If you do not specify any hosts, Privileged Access Manager shuts down on the local host.
  You can define a group of hosts by entering the name of a ghost record. If you use this option from a remote terminal, the utility requests password verification. You also need admin privileges on both the remote and local computers, and write permission to the local computer on the remote host database.
- -S [{selogrd | selogrcd | serevu}]
  If you do not define a daemon, terminates the Privileged Access Manager daemons and attempts to terminate the active daemons selogrd, selogrcd, and serevu. If the selogrd, selogrcd, or serevu tokens in the [daemons] section of the seos.ini file are set to yes, a termination request is sent to the running Privileged Access Manager main daemon, or a termination signal is sent to the specified daemon if the product is already down.
  If you define a daemon, secons does not terminate the Privileged Access Manager daemons. If the appropriate token in the [daemons] section of the seos.ini file is set to yes, it sends the termination request to the running Privileged Access Manager main daemon, or it sends the termination signal to that daemon if Privileged Access Manager is down.
- -sc[l]
  Displays processes that are still executing Privileged Access Manager code.
  You cannot unload Privileged Access Manager if an application that is loaded on top of Privileged Access Manager has an open system call (syscall) that is hooked by Privileged Access Manager. Once you know which processes are still executing Privileged Access Manager code, you can shut down these processes and unload the Privileged Access Manager kernel module. You can then use UNIX exits to automatically shut down these processes before unloading the kernel and then restart them after the kernel is unloaded.
  The -sc output displays as a two-column table with the system call number in the first column and the process identifier in the second column.
  The -scl option also displays parent process ID (PPID), UID, time, and program name information for the processes that are still executing Privileged Access Manager code. The time information lets you find out how long the process has had Privileged Access Manager hooked. If the time is relatively short, the hook is likely to be a temporary one.
  You can also run this while Privileged Access Manager is running to help you predict in advance what causes unload issues. However, in some cases, such as with the accept command, Privileged Access Manager code removes the hook during unload. This means that some of the active hooks you see while Privileged Access Manager is running may not actually affect unloading.
  Note: By default, Privileged Access Manager monitors system calls that it intercepts. Set the syscall_monitor token in the seos.ini file to 0 (disabled) if you do not want Privileged Access Manager to monitor system calls.
- -sk
  Shuts down all Privileged Access Manager daemons and prepares the Privileged Access Manager kernel extension to be unloaded.

Example: Shut Down Privileged Access Manager
- To shut down the Privileged Access Manager daemon, enter:
    secons -s
- To shut down the Privileged Access Manager daemon on remote hosts HOST1 and HOST2, enter:
    secons -s HOST1 HOST2

Example: Display Information for Processes that are Still Executing Privileged Access Manager Code
- To display basic information about processes that are still executing Privileged Access Manager code:
    secons -sc
  The output that you receive looks similar to the following:
    CA PAMSC secons vX.X.X.xxx - Console utility
    Copyright (c) YYYY CA. All rights reserved.
    Active system calls:
    syscall 5 - PID: 27477
- To display more information about processes that are still executing Privileged Access Manager code:
    secons -scl
  The output you receive looks similar to the following:
    CA PAMSC secons vX.X.X.xxx - Console utility
    Copyright (c) YYYY CA. All rights reserved.
    Active system calls:
    -Syscall 102 - PID: 2105 PPID: 1 UID: 0 TIME: 4d-4h PROGRAM NAME: /usr/sbin/vsftpd
    Syscall 5 - PID: 24269 PPID: 4289 UID: 0 TIME: 2d-21h PROGRAM NAME: /bin/bash
  A dash (-) at the beginning of the output line means that Privileged Access Manager assesses that this hook is not likely to cause you issues when unloading. When you use this command, Privileged Access Manager also adds lines to the audit log that record whether unloading Privileged Access Manager is likely to succeed. For example, the following audit record is created when you run secons -scl and there is at least one blocking system call that is likely to prevent Privileged Access Manager from unloading:
    10 Nov YYYY 05:47:22 F CHECK root Scan 339 0 SEOS_syscall unload
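
The pre-unload check described above, as an added example that is not part of the product documentation: a shell filter that reads secons -scl (or -sc) output and keeps only the hooks without a leading dash, that is, the ones likely to block unloading. The function names and the "?" placeholder for missing columns are assumptions, and the sample input is constructed from the output format shown above.

```shell
#!/bin/sh
# Added example: list the hooks that are likely to block unloading, from
# `secons -scl` (or `-sc`) output read on stdin.

# Constructed sample input, modelled on the output format shown above.
sample_scl_output() {
cat <<'EOF'
CA PAMSC secons vX.X.X.xxx - Console utility
Copyright (c) YYYY CA. All rights reserved.
Active system calls:
-Syscall 102 - PID: 2105 PPID: 1 UID: 0 TIME: 4d-4h PROGRAM NAME: /usr/sbin/vsftpd
Syscall 5 - PID: 24269 PPID: 4289 UID: 0 TIME: 2d-21h PROGRAM NAME: /bin/bash
EOF
}

# Prints "syscall pid ppid uid time program" for every hook line that has no
# leading dash. Columns absent from the input (-sc output) are printed as "?".
blocking_hooks() {
  awk '
    /^-?[Ss]yscall[ \t]+[0-9]+[ \t]+-[ \t]+PID:/ {
      if ($0 ~ /^-/) next     # dash: assessed as unlikely to block unloading
      pid = ppid = uid = age = prog = "?"
      for (i = 1; i < NF; i++) {
        if ($i == "PID:")  pid  = $(i + 1)
        if ($i == "PPID:") ppid = $(i + 1)
        if ($i == "UID:")  uid  = $(i + 1)
        if ($i == "TIME:") age  = $(i + 1)
      }
      n = index($0, "PROGRAM NAME: ")
      if (n > 0) prog = substr($0, n + 14)   # keep names that contain spaces
      print $2, pid, ppid, uid, age, prog
    }'
}

# Exit status 0 when the input reports no blocking hook, 1 otherwise.
no_blocking_hooks() {
  [ -z "$(blocking_hooks)" ]
}

# Demo on the constructed sample; on a host, pipe `secons -scl` in instead.
sample_scl_output | blocking_hooks
```

Because some hooks are removed by Privileged Access Manager during unload, treat the list as candidates to review rather than a definitive verdict.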