

Security Database Administration Event

Security database administration events describe actions performed by a CA ControlMinder administrator or a sub-administrator with appropriate privileges that were intercepted by CA ControlMinder.

Audit records in the event have the following format:

Date Time Status Event Class Admin Details Reason Object Terminal Command AuditFlags

Date

Identifies the date the event occurred.

Format: DD MMM YYYY

Note: CA ControlMinder Endpoint Management formats the date display according to your computer's settings.

Time

Identifies the time the event occurred.

Format: HH:MM:SS

Note: CA ControlMinder Endpoint Management formats the time display according to your computer's settings.

Status

Indicates the return code for the event.

Values: Can be one of:

Event Type

Identifies the type of event this record belongs to.

Note: CA ControlMinder Endpoint Management refers to this field simply as Event.

Class

Identifies the class that the resource being administered belongs to.

Administrator

Identifies the name of the administrative user that executed the selang command.

Details

Indicates at which stage CA ControlMinder decided what action to take for this event.

Note: The audit record you see in a non-detailed seaudit output displays a number in this field. This number is known as the authorization stage code. In a detailed output or in CA ControlMinder Endpoint Management, the audit record displays the message associated with the authorization stage code. For a complete list of stage codes, run seaudit -t.

Reason

Indicates the reason that CA ControlMinder wrote an audit record.

Note: This field does not display in a detailed seaudit output or in CA ControlMinder Endpoint Management. The audit record you see in a non-detailed seaudit output displays a number in this field. This number is known as the reason code. For a complete list of reason codes, run seaudit -t.

Object

Identifies the name of the resource that is being administered.

Terminal

Identifies the name of the terminal that the accessor used to connect to the host.

Note: If the command originated from a parent policy model, this field displays the fully qualified PMD name.

Command

Displays the selang command that the user executed.

Audit Flags

Indicates whether the accessor is internal (CA ControlMinder database user) or an enterprise user.

Note: If the accessor is an enterprise user, the audit record you see in a non-detailed seaudit output displays the string "(OS user)" in this field. Otherwise, this field remains empty.

Command type

Identifies the type of the database administration command that this event describes.

Values can be one of:

Example: Security Database Administration Event Message

The following audit record was taken from a detailed seaudit output.

05 Nov 2008 15:45:12 S UPDATE       FILE       DOMAIN_NAME\computer 305  0 dfdok      computer.com cr file dfdok defacc(r)
Event type: Security database administration
Command type: Modify resource
Status: Successful
Administrator: DOMAIN_NAME\computer
Class: FILE
Object: dfdok
Terminal: computer.com
Date: 05 Nov 2008
Time: 15:45
Details: Command successful for ADMIN user.
Command: cr file dfdok defacc(r)
Audit flags: AC database user

This audit record indicates that on November 5th 2008, CA ControlMinder allowed an administrator to update a file by executing the command cr file dfdok defacc(r) on the protected host, logged in from the terminal computer.com (authorization stage code 305: Command allowed for ADMIN user).
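The following parser is an added example, not code from the CA ControlMinder product or its documentation. It splits a non-detailed seaudit line into the fields listed above (Date, Time, Status, Event, Class, Admin, Details, Reason, Object, Terminal, Command, Audit Flags), handles the optional "(OS user)" audit flag described under Audit Flags, and groups the selang commands by administrator and terminal so a reviewer can see who changed what from where. It assumes the fields are whitespace-separated as in the example record, that the Details and Reason columns carry the numeric stage and reason codes, and that the selang command runs to the end of the line; only the status value S and stage code 305 shown on this page are mapped to text, since the page does not reproduce the full value lists. The second sample line is constructed to exercise the enterprise-user flag.

```python
"""Parse CA ControlMinder security database administration audit records.

Field order follows the page's record format:
Date Time Status Event Class Admin Details Reason Object Terminal Command AuditFlags
"""
import re
from dataclasses import dataclass

# Status letter shown in the page's example. The page does not reproduce the
# full value list, so any other letter is reported as "unknown".
STATUS_TEXT = {"S": "Successful"}

# Authorization stage code from the page's example; the complete list comes
# from `seaudit -t` and is not reproduced here.
STAGE_TEXT = {305: "Command allowed for ADMIN user"}

# Audit Flags: non-detailed output appends this string for enterprise (OS)
# users and leaves the field empty for internal database users.
OS_USER_FLAG = "(OS user)"

DATE_RE = re.compile(r"^\d{2} [A-Za-z]{3} \d{4}$")  # DD MMM YYYY
TIME_RE = re.compile(r"^\d{2}:\d{2}:\d{2}$")        # HH:MM:SS


@dataclass
class AdminRecord:
    date: str
    time: str
    status: str
    event: str
    klass: str          # "class" is reserved in Python
    admin: str
    stage_code: int     # Details field in non-detailed output
    reason_code: int    # Reason field in non-detailed output
    obj: str
    terminal: str
    command: str        # the selang command, free text up to the audit flag
    enterprise_user: bool

    @property
    def status_text(self) -> str:
        return STATUS_TEXT.get(self.status, f"unknown status {self.status!r}")

    @property
    def stage_text(self) -> str:
        return STAGE_TEXT.get(self.stage_code,
                              f"stage code {self.stage_code} (see seaudit -t)")


def parse_record(line: str) -> AdminRecord:
    """Split one non-detailed seaudit line into its named fields."""
    line = line.strip()
    enterprise = line.endswith(OS_USER_FLAG)
    if enterprise:
        line = line[: -len(OS_USER_FLAG)].rstrip()
    # Twelve fixed tokens (the date is three of them), then the command as the remainder.
    parts = line.split(None, 12)
    if len(parts) != 13:
        raise ValueError(f"expected 13 fields, got {len(parts)}: {line!r}")
    day, mon, year, time, status, event, klass, admin, stage, reason, obj, term, cmd = parts
    date = f"{day} {mon} {year}"
    if not DATE_RE.match(date) or not TIME_RE.match(time):
        raise ValueError(f"bad date/time in record: {line!r}")
    return AdminRecord(date, time, status, event, klass, admin,
                       int(stage), int(reason), obj, term, cmd, enterprise)


def commands_by_admin(lines):
    """Group selang commands by administrator for review: who ran what, from where."""
    grouped = {}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        grouped.setdefault(rec.admin, []).append((rec.terminal, rec.command))
    return grouped


# Constructed sample: the first line is the page's example record; the second is
# a made-up record for an enterprise user so the "(OS user)" flag is exercised.
SAMPLE_LINES = [
    r"05 Nov 2008 15:45:12 S UPDATE       FILE       DOMAIN_NAME\computer 305  0 dfdok      computer.com cr file dfdok defacc(r)",
    r"05 Nov 2008 15:46:01 S UPDATE       FILE       DOMAIN_NAME\alice    305  0 dfdok2     computer.com cr file dfdok2 defacc(r) (OS user)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_record(line)
        print(f"{rec.date} {rec.time} {rec.status_text}: {rec.admin} "
              f"({'OS user' if rec.enterprise_user else 'AC database user'}) "
              f"ran '{rec.command}' from {rec.terminal}; {rec.stage_text}")
```

Because the selang command is free text and the audit flag is a fixed trailing string, the parser strips the flag first and only then splits off the twelve fixed columns; a record whose command itself ends in "(OS user)" would be misread, which is a limitation of parsing the non-detailed text rather than the detailed output.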

More information:

Reason Codes That Specify Why a Record Was Created