Untrust events describe the warning messages that the CA ControlMinder Watchdog (seoswd) generates when it stops trusting a protected program or secured file.
Audit records for this event have the following format:
Date Time Status Class Module Details MessageID/errno File
Date
Identifies the date the event occurred.
Format: DD MMM YYYY
Note: CA ControlMinder Endpoint Management formats the date display according to your computer's settings.
Time
Identifies the time the event occurred.
Format: HH:MM:SS
Note: CA ControlMinder Endpoint Management formats the time display according to your computer's settings.
Status
Indicates that an untrust event occurred.
Value: U (Untrust)
Class
Identifies the CA ControlMinder class of the resource that triggered the Watchdog message.
Values: PROGRAM or SECFILE
Module
Displays the name of the CA ControlMinder Watchdog that generated the message.
Value: seoswd
Details
Indicates why the untrust event occurred.
Note: In a non-detailed seaudit output this field displays a number, known as the untrust reason code. In a detailed output, and in CA ControlMinder Endpoint Management, the audit record displays the message associated with that code instead. For a complete list of untrust reason codes, run seaudit -t.
MessageID
(UNIX only) Indicates the reason CA ControlMinder untrusted the PROGRAM or SECFILE.
Note: In a non-detailed seaudit output this field displays a number, known as the status code; the detailed output and CA ControlMinder Endpoint Management show the number without decoding it. To find out what the status code means, run seaudit -Stat with that number. This field displays only if the authorization stage code is 1. In all other cases, the errno field displays instead.
errno
Indicates the return value of the errno variable (the error code for the error condition).
Values: can be one of:
0: No error. This value is returned only if the authorization stage code is 1. In this case, the errno field is not displayed and the MessageID field displays instead.
errno: A non-zero integer that identifies the error.
Note: To find out what the error means, on UNIX see the /usr/include/errno.h or /usr/include/sys/errno.h file on the local computer. On Windows, enter the following command on the local computer: net helpmsg errno
File
Identifies the full pathname of the protected resource that triggered the Watchdog message.
Example: Untrust Message Event Message
The following audit record was taken from a detailed seaudit output.
18 Nov 2008 14:01:18 U PROGRAM seoswd 1 11776 /tmp/testsuid
Event type: Untrust message
Class: PROGRAM
Module name: seoswd
Message ID: 11776
Date: 18 Nov 2008
Time: 14:01
File: /tmp/testsuid
Details: Stat information changed on file system
Audit flags: AC database user
This audit record indicates that on November 18th 2008 the Watchdog marked the program /tmp/testsuid as untrusted (U). The program was untrusted because the file status information was modified (untrust reason code 1, File information changed on file system). The MessageID field (11776) is the status code you can pass to seaudit -Stat to see which attributes of the file changed.
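The following parser is an added example, not part of the CA ControlMinder documentation or product, that reads non-detailed seaudit untrust lines in the format described above and groups the untrusted resources by class and path. It assumes the field order of the record layout on this page; the value after the untrust reason code is kept as msgid_or_errno because, per the page, that position holds either the MessageID (authorization stage code 1) or errno, and the line alone does not say which. Only untrust reason code 1 is documented here, so the lookup table contains just that entry; every other code is reported as unknown (the full list is what seaudit -t prints). All lines other than the page's own record are constructed sample data.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Untrust reason codes documented on this page. Assumption: only code 1 is
# given in the text; the complete list comes from `seaudit -t`.
UNTRUST_REASONS = {1: "File information changed on file system"}


@dataclass
class UntrustRecord:
    when: datetime
    status: str           # "U" for untrust events
    cls: str              # PROGRAM or SECFILE
    module: str           # seoswd, the Watchdog
    reason_code: int      # Details field (untrust reason code)
    msgid_or_errno: int   # MessageID on UNIX, or errno, depending on stage code
    path: str             # full pathname of the resource (may contain spaces)


# Field order: Date Time Status Class Module Details MessageID/errno File.
# The path is matched greedily so pathnames containing spaces stay intact.
_LINE = re.compile(
    r"^(?P<date>\d{1,2} [A-Za-z]{3} \d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<status>\S) (?P<cls>\S+) (?P<module>\S+) (?P<reason>\d+) "
    r"(?P<num>\d+) (?P<path>.+)$"
)


def parse_untrust(line: str) -> Optional[UntrustRecord]:
    """Parse one non-detailed seaudit line; return None if it is not an untrust record."""
    m = _LINE.match(line.strip())
    if not m or m.group("status") != "U":
        return None
    if m.group("cls") not in ("PROGRAM", "SECFILE"):
        return None
    when = datetime.strptime(
        f"{m.group('date')} {m.group('time')}", "%d %b %Y %H:%M:%S"
    )
    return UntrustRecord(
        when=when,
        status="U",
        cls=m.group("cls"),
        module=m.group("module"),
        reason_code=int(m.group("reason")),
        msgid_or_errno=int(m.group("num")),
        path=m.group("path"),
    )


def explain_reason(code: int) -> str:
    """Map an untrust reason code to its documented message, if known."""
    return UNTRUST_REASONS.get(
        code, f"unknown untrust reason code {code} (run seaudit -t for the list)"
    )


def summarize(lines: Iterable[str]) -> Dict[str, Dict[str, List[int]]]:
    """Group untrusted resources as {class: {path: [reason codes]}}, skipping other records."""
    out: Dict[str, Dict[str, List[int]]] = {}
    for line in lines:
        rec = parse_untrust(line)
        if rec is None:
            continue
        out.setdefault(rec.cls, {}).setdefault(rec.path, []).append(rec.reason_code)
    return out


# Constructed sample input: the first line is the record from this page,
# the rest are made up to exercise a SECFILE path with a space and a
# non-untrust line that must be ignored.
SAMPLE_LINES = [
    "18 Nov 2008 14:01:18 U PROGRAM seoswd 1 11776 /tmp/testsuid",
    "18 Nov 2008 14:05:02 U SECFILE seoswd 1 11776 /etc/app/config file.conf",
    "18 Nov 2008 14:06:00 D PROGRAM seosd /bin/ls denied",
]

if __name__ == "__main__":
    for cls, paths in summarize(SAMPLE_LINES).items():
        for path, codes in paths.items():
            print(cls, path, [explain_reason(c) for c in codes])
```

The parser deliberately rejects anything whose Status is not U or whose Class is not PROGRAM or SECFILE, so it can be run over a mixed seaudit listing and will only report Watchdog untrust events.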
Example: Use seaudit -Stat to See Why a Program Was Untrusted (UNIX)
The following seaudit -Stat output shows you how you can get more detailed information about the Watchdog message ID that an audit record mentions.
# seaudit -Stat 11776
CA ControlMinder seaudit v12.01.00.45 - Audit log lister
Copyright (c) 2008 CA. All rights reserved.
The MODE of the file was changed
The INODE of the file was changed
The SIZE of the file was changed
The MTIME of the file was changed
Running the seaudit -Stat command with the message ID displays a list of the changes detected on the file. In this example, the MODE, INODE, SIZE, and MTIME of the file changed. As a result, CA ControlMinder marked this file as untrusted.
Copyright © 2013 CA Technologies.
All rights reserved.