

Monitoring Access Control Activity

The CA ControlMinder trace is a real-time log that can show every action taken by CA ControlMinder. Trace records are accumulated in ACInstallDir\log\seosd.trace (where ACInstallDir is the directory where you installed CA ControlMinder).

Alternatively, trace records accumulate in the file that you specify as the trace_file value in the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\AccessControl\SeOSD\

Although you can filter the records from the trace file, the trace mechanism is designed for system monitoring and not for security auditing.

By default, CA ControlMinder only generates trace messages during CA ControlMinder initialization. Once CA ControlMinder is initialized, it stops the trace mechanism and trace messages are not generated.
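The following PowerShell function is an added example, not part of the CA ControlMinder documentation. It resolves which trace file is in effect (the trace_file registry value if present, otherwise the default location) and reports whether the file exists and when it was last written. The function name, the InstallDir parameter, the placeholder install path, and the handling of a non-rooted trace_file value are assumptions.

```powershell
# Added example: find the file the CA ControlMinder trace is written to.
# $InstallDir is an assumption: pass the directory where the product is installed.
function Get-ACTraceFile {
    param(
        [Parameter(Mandatory)] [string] $InstallDir,
        [string] $KeyPath = 'HKLM:\SOFTWARE\ComputerAssociates\AccessControl\SeOSD'
    )

    # Default location: ACInstallDir\log\seosd.trace
    $path   = Join-Path $InstallDir 'log\seosd.trace'
    $source = 'default'

    # A trace_file value in the SeOSD subkey overrides the default.
    $prop = Get-ItemProperty -Path $KeyPath -Name 'trace_file' -ErrorAction SilentlyContinue
    if ($prop -and -not [string]::IsNullOrWhiteSpace($prop.trace_file)) {
        $path   = [Environment]::ExpandEnvironmentVariables($prop.trace_file)
        $source = 'registry'
        # Assumption: a value that is not a full path is relative to the install directory.
        if (-not [IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $InstallDir $path
        }
    }

    $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path          = $path
        Source        = $source
        Exists        = [bool]$file
        SizeBytes     = if ($file) { $file.Length } else { $null }
        LastWriteTime = if ($file) { $file.LastWriteTime } else { $null }
    }
}

# Placeholder path: replace with the real installation directory.
$info = Get-ACTraceFile -InstallDir 'C:\Path\To\ACInstallDir'
$info

# Show the most recent trace records if the file is present.
if ($info.Exists) {
    Get-Content -LiteralPath $info.Path -Tail 20
}
```

A LastWriteTime that matches the last service start is consistent with the default behavior, in which trace messages are generated only during initialization.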

Trace Record Filters

CA ControlMinder generates two types of trace records:

Trace records are written to the seos.trace file, and can be filtered using the trcfilter.ini file.

If you set a user to be traceable, each time a trace record is written for that user, a matching audit record is written to the seos.audit file. Audit records are filtered by the audit.cfg file.

Note: Audit records generated by trace events are not cached, and always go through the full enforcement flow.

The following selang command sets a user to be traceable:

editusr userName audit(trace)

To view trace or audit records, use the seaudit utility.

More information:

How Auditing Works for Interception Events