

Untrust Message Event

Untrust events describe warning messages that the CA ControlMinder Watchdog generates for events.

Audit records in this event have the following format:

Date Time Status Class Module Details MessageID/errno File

Date

Identifies the date the event occurred.

Format: DD MMM YYYY

Note: CA ControlMinder Endpoint Management formats the date display according to your computer's settings.

Time

Identifies the time the event occurred.

Format: HH:MM:SS

Note: CA ControlMinder Endpoint Management formats the time display according to your computer's settings.

Status

Indicates untrust occurred.

Value: U (Untrust)

Class

Identifies the CA ControlMinder class of the resource that triggered the Watchdog message.

Values: PROGRAM or SECFILE

Module Name

Displays the name of the CA ControlMinder Watchdog.

Value: seoswd

Details

Indicates why the untrust event occurred.

Note: The audit record you see in a non-detailed seaudit output displays a number in this field. This number is known as the untrust reason code. In a detailed output or in CA ControlMinder Endpoint Management, the audit record displays the message associated with the untrust reason code. For a complete list of password quality codes, run seaudit -t.

Message ID

(UNIX only) Indicates the reason CA ControlMinder untrusted the PROGRAM or SECFILE.

Note: The audit record you see in a non-detailed seaudit output displays a number in this field. This number is known as the status code and does not show in a detailed output or in CA ControlMinder Endpoint Management. To understand what the status code means, run seaudit -Stat untrust_code. This field displays only if the authorization stage code is 1. In all other cases, the errno field displays instead.

errno

Indicates the return value of the errno variable (the error code for the error condition).

Values: can be one of:

0—No error. This value is returned only if the authorization stage code is 1. In this case, the errno field is not displayed and the Message ID field displays instead.

errno—A non-zero integer that identifies the error.

Note: To find out the meaning of the error, on UNIX, see the /usr/include/errno.h or /usr/include/sys/errno.h file on the local computer. On Windows, enter the following command on the local computer: net helpmsg errno

File

Identifies the full pathname of the protected resource that triggered the Watchdog message.

Example: Untrust Message Event Message

The following audit record was taken from a detailed seaudit output.

18 Nov 2008 14:01:18 U PROGRAM      seoswd                 1 11776 /tmp/testsuid
Event type: Untrust message
Class: PROGRAM
Module name: seoswd
Message ID: 11776
Date: 18 Nov 2008
Time: 14:01
File: /tmp/testsuid
Details: Stat information changed on file system
Audit flags: AC database user

This audit record indicates that on November 15th 2008 the Watchdog marked the program /tmp/testsuid as untrusted (U). The program was untrusted because the file status information was modified (untrust reason code 1—File information changed on file system).
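The following parser is an added example, not CA ControlMinder code. It reads non-detailed seaudit lines in the layout documented above (Date Time Status Class Module Details MessageID/errno File), keeps only Untrust (U) records, and lists the files the Watchdog untrusted so they can be reviewed. The log lines are constructed; the first mirrors the record shown on this page. The record itself does not carry the authorization stage code, so the numeric field after the reason code is kept as a single value that is either the Message ID or errno.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of non-detailed seaudit output. The first line mirrors the
# record shown on this page; the other two are made up for illustration.
SAMPLE_LOG = """\
18 Nov 2008 14:01:18 U PROGRAM      seoswd                 1 11776 /tmp/testsuid
18 Nov 2008 14:02:03 U SECFILE      seoswd                 1 11776 /etc/app config.ini
18 Nov 2008 14:02:10 U PROGRAM      seoswd                 2 0 /usr/local/bin/tool
"""

# Date (DD MMM YYYY), Time (HH:MM:SS), Status, Class, Module, Details (reason
# code), MessageID/errno, then the file path, which may itself contain spaces.
_LINE = re.compile(
    r"^(?P<date>\d{2} [A-Za-z]{3} \d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<status>\S) +(?P<cls>\S+) +(?P<module>\S+) +(?P<reason>\d+) +(?P<code>\d+) +(?P<file>.+)$"
)


@dataclass
class UntrustEvent:
    date: str
    time: str
    cls: str          # PROGRAM or SECFILE
    module: str       # seoswd (the Watchdog)
    reason_code: int  # untrust reason code shown in the Details column
    code: int         # Message ID or errno; the record does not say which
    file: str         # full pathname of the protected resource


def parse_untrust_line(line: str) -> Optional[UntrustEvent]:
    """Parse one seaudit line; return None unless it is an Untrust (U) record."""
    m = _LINE.match(line.rstrip("\n"))
    if not m or m.group("status") != "U":
        return None
    return UntrustEvent(m.group("date"), m.group("time"), m.group("cls"), m.group("module"),
                        int(m.group("reason")), int(m.group("code")), m.group("file"))


def untrusted_files(log: str, cls: Optional[str] = None) -> List[str]:
    """Return the paths the Watchdog untrusted, optionally restricted to one class."""
    found = []
    for line in log.splitlines():
        ev = parse_untrust_line(line)
        if ev and (cls is None or ev.cls == cls):
            found.append(ev.file)
    return found


if __name__ == "__main__":
    for path in untrusted_files(SAMPLE_LOG, "PROGRAM"):
        print("untrusted PROGRAM:", path)
```

Untrusted PROGRAM entries deserve the first look, since they mean a trusted program on disk changed underneath the Watchdog; the Message ID can then be expanded with seaudit -Stat as shown in the next example.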

Example: Use seaudit -Stat to See Why a Program Was Untrusted (UNIX)

The following seaudit -Stat output shows you how you can get more detailed information about the Watchdog message ID that an audit record mentions.

# seaudit -Stat 11776
CA ControlMinder seaudit v12.01.00.45 - Audit log lister
Copyright (c) 2008 CA. All rights reserved.

The MODE of the file was changed
The INODE of the file was changed
The SIZE of the file was changed
The MTIME of the file was changed

Running the seaudit -Stat command with the message ID displays a list of changes to the file. In this example, the MODE, INODE, SIZE, and MTIME of the file changed. As a result, CA ControlMinder marked this file as an untrusted file.

More information:

Reason Codes That Specify Why a Record Was Created

Authorization Stage Codes for Untrust Message Events