Security database administration events describe actions performed by a CA ControlMinder administrator or a sub-administrator with appropriate privileges that were intercepted by CA ControlMinder.
Audit records in the event have the following format:
Date Time Status Event Class Admin Details Reason Object Terminal Command AuditFlags
Date
Identifies the date the event occurred.
Format: DD MMM YYYY
Note: CA ControlMinder Endpoint Management formats the date display according to your computer's settings.
Time
Identifies the time the event occurred.
Format: HH:MM:SS
Note: CA ControlMinder Endpoint Management formats the time display according to your computer's settings.
Status
Indicates the return code for the event.
Values: Can be one of:
Event
Identifies the type of event this record belongs to.
Note: CA ControlMinder Endpoint Management refers to this field simply as Event.
Class
Identifies the class that the resource being administered belongs to.
Admin
Identifies the name of the administrative user that executed the selang command.
Details
Indicates at which stage CA ControlMinder decided what action to take for this event.
Note: The audit record you see in a non-detailed seaudit output displays a number in this field. This number is known as the authorization stage code. In a detailed output or in CA ControlMinder Endpoint Management, the audit record displays the message associated with the authorization stage code. For a complete list of stage codes, run seaudit -t.
Reason
Indicates the reason that CA ControlMinder wrote an audit record.
Note: This field does not display in a detailed seaudit output or in CA ControlMinder Endpoint Management. The audit record you see in a non-detailed seaudit output displays a number in this field. This number is known as the reason code. For a complete list of reason codes, run seaudit -t.
Object
Identifies the name of the resource that is being administered.
Terminal
Identifies the name of the terminal that the accessor used to connect to the host.
Note: If the command originated from a parent policy model, this field displays the fully qualified PMD name.
Command
Displays the selang command that the user executed.
AuditFlags
Indicates whether the accessor is internal (a CA ControlMinder database user) or an enterprise user.
Note: If the accessor is an enterprise user, the audit record you see in a non-detailed seaudit output displays the string "(OS user)" in this field. Otherwise, this field remains empty.
Command type
Identifies the type of the database administration command that this event describes.
Values can be one of:
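The field list above is the whole specification of a non-detailed seaudit record line, so a small parser is the natural way to make it concrete. The following is an added example written for this page, not code shipped with CA ControlMinder. It assumes the documented field order exactly as printed (Date, Time, Status, Event, Class, Admin, Details, Reason, Object, Terminal, Command, AuditFlags), that the stage and reason codes are integers, that the Command field is free-form text running to the end of the line, and that the only AuditFlags marker is the trailing "(OS user)" string the note above describes. The sample records are constructed: the first is the record from this page, the second is the same record with a constructed "(OS user)" flag appended.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records (assumption: non-detailed seaudit line layout).
# Record 1 is the one shown on this page; record 2 is a constructed variant
# for an enterprise (OS) user, which the note says appends "(OS user)".
SAMPLE_RECORDS: List[str] = [
    r"05 Nov 2008 15:45:12 S UPDATE FILE DOMAIN_NAME\computer 305 0 dfdok computer.com cr file dfdok defacc(r)",
    r"05 Nov 2008 15:46:02 S UPDATE FILE DOMAIN_NAME\computer 305 0 dfdok computer.com cr file dfdok defacc(r) (OS user)",
]

# One named group per documented field. Date is three tokens (DD MMM YYYY);
# Details and Reason are the numeric stage and reason codes; Command is
# matched lazily so that an optional trailing "(OS user)" flag can still be
# separated from it. The Admin field may contain a backslash (DOMAIN\user),
# which \S+ accepts.
_RECORD_RE = re.compile(
    r"^(?P<date>\d{2} [A-Za-z]{3} \d{4}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<status>\S+) "
    r"(?P<event>\S+) "
    r"(?P<cls>\S+) "
    r"(?P<admin>\S+) "
    r"(?P<details>\d+) "
    r"(?P<reason>\d+) "
    r"(?P<obj>\S+) "
    r"(?P<terminal>\S+) "
    r"(?P<command>.*?)"
    r"(?: \((?P<flags>OS user)\))?$"
)


@dataclass
class AuditRecord:
    date: str
    time: str
    status: str
    event: str
    cls: str
    admin: str
    details: int          # authorization stage code (e.g. 305)
    reason: int           # reason code (0 in the page's example)
    obj: str
    terminal: str
    command: str          # the selang command that was executed
    audit_flags: Optional[str]   # "OS user" for enterprise users, else None

    @property
    def enterprise_user(self) -> bool:
        """True when the accessor is an enterprise (OS) user rather than an
        internal CA ControlMinder database user."""
        return self.audit_flags == "OS user"


def parse_record(line: str) -> AuditRecord:
    """Parse one non-detailed seaudit administration record line."""
    m = _RECORD_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a security database administration record: {line!r}")
    return AuditRecord(
        date=m["date"],
        time=m["time"],
        status=m["status"],
        event=m["event"],
        cls=m["cls"],
        admin=m["admin"],
        details=int(m["details"]),
        reason=int(m["reason"]),
        obj=m["obj"],
        terminal=m["terminal"],
        command=m["command"],
        audit_flags=m["flags"],
    )


def commands_by_admin(lines: List[str]) -> Dict[str, List[str]]:
    """Group the selang commands in a batch of records by the administrator
    who ran them, a simple starting point for reviewing administrative activity."""
    grouped: Dict[str, List[str]] = {}
    for line in lines:
        rec = parse_record(line)
        grouped.setdefault(rec.admin, []).append(rec.command)
    return grouped


if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        rec = parse_record(line)
        who = "enterprise user" if rec.enterprise_user else "AC database user"
        print(f"{rec.date} {rec.time} {rec.admin} ({who}) ran: {rec.command} [stage {rec.details}]")
```

Because the Command field is free-form, any token after the terminal name is treated as part of the command; the regex only peels off the documented "(OS user)" suffix, so a command that genuinely ends in that string would be misread. In practice, prefer the detailed seaudit output, which labels each field, when you need to post-process records programmatically.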
Example: Security Database Administration Event Message
The following audit record was taken from a detailed seaudit output.
05 Nov 2008 15:45:12 S UPDATE FILE DOMAIN_NAME\computer 305 0 dfdok computer.com cr file dfdok defacc(r)
Event type: Security database administration
Command type: Modify resource
Status: Successful
Administrator: DOMAIN_NAME\computer
Class: FILE
Object: dfdok
Terminal: computer.com
Date: 05 Nov 2008
Time: 15:45
Details: Command successful for ADMIN user.
Command: cr file dfdok defacc(r)
Audit flags: AC database user
This audit record indicates that on November 5th 2008, CA ControlMinder denied access from an administrator attempting to update a file by executing the command cr file dfdok defacc(r) on the protected host, logged in from the terminal computer.com (authorization stage code 305: Command allowed for ADMIN user).
Copyright © 2013 CA Technologies.
All rights reserved.