CA ControlMinder shutdown events describe shutdown processes performed by an administrator or sub-administrator user with privileges to shut down the system.
Audit records in this event have the following format:
Date Time M Event UserName SessionID Details Service AuditFlags
Date
Identifies the date the event occurred.
Format: DD MMM YYYY
Note: CA ControlMinder Endpoint Management formats the date display according to your computer's settings.
Time
Identifies the time the event occurred.
Format: HH:MM:SS
Note: CA ControlMinder Endpoint Management formats the time display according to your computer's settings.
Event
Identifies the type of event this record belongs to.
Note: CA ControlMinder Endpoint Management refers to this field simply as Event.
UserName
Identifies the name of the accessor that performed the action that triggered this event.
SessionID
Identifies the accessor's session ID.
Note: By default this field does not appear in a non-detailed seaudit output. To display this field in a non-detailed seaudit output, specify the -sessionid option in the seaudit command.
Details
Indicates at which stage CA ControlMinder decided what action to take for this event.
Note: The audit record you see in a non-detailed seaudit output displays a number in this field. This number is known as the authorization stage code. In a detailed output or in CA ControlMinder Endpoint Management, the audit record displays the message associated with the authorization stage code. For a complete list of stage codes, run seaudit -t.
Service
Identifies the name of the CA ControlMinder daemon (UNIX) or service (Windows) that was shut down.
Value: seosd (the CA ControlMinder Engine).
AuditFlags
Indicates whether the accessor is internal (CA ControlMinder database user) or an enterprise user.
Note: If the accessor is an enterprise user, the audit record you see in a non-detailed seaudit output displays the string "(OS user)" in this field. Otherwise, this field remains empty.
Example: Shutdown Event Message on UNIX
The following audit record was taken from a detailed seaudit output.
24 Sep 2008 15:40:46 M SHUTDOWN root 452 seosd
Event type: Daemon shutdown
User name: root
Daemon: seosd
Date: 24 Sep 2008
Time: 15:40:46
Details: User is ADMIN or SPECIAL
User Logon Session ID: 48da26ce:00000142
Audit flags: CA ControlMinder database user
This audit record indicates that on September 24th, 2008, the user root, who was attempting to shut down CA ControlMinder, was permitted to do so because the user has the ADMIN attribute (authorization stage code 452: User is ADMIN or SPECIAL).
Example: Shutdown Event Message on Windows
The following audit record was taken from a detailed seaudit output.
23 Dec 2008 12:56:20 D SHUTDOWN tst002 460 seosd
Event type: Engine service shutdown
User name: tst002
Engine service: seosd
Date: 10 Feb 2009
Time: 12:56
Details: User is not allowed to shutdown CA ControlMinder
User Logon Session ID: 00000000:04c240d5
Audit flags: AC database user
This audit record indicates that on December 23rd, 2008, the CA ControlMinder shutdown was denied because the user tst002 is not allowed to shut down CA ControlMinder (authorization stage code 460: User is not allowed to shutdown CA ControlMinder).
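Example: Parsing Shutdown Records for Review
The following Python sketch is an added example, not CA code. It parses the one-line (non-detailed) form of a shutdown record and picks out denied shutdown attempts by stage code 460. The column layout with an optional session ID and a trailing "(OS user)" flag is an assumption drawn from the format line and the two examples above, and the third sample line is constructed.

```python
import re
from datetime import datetime

# Stage codes documented on this page; run `seaudit -t` for the full list.
STAGE_MESSAGES = {
    452: "User is ADMIN or SPECIAL",
    460: "User is not allowed to shutdown CA ControlMinder",
}

# Assumed layout (from the format line and the two examples on this page):
# Date Time <M|D> SHUTDOWN UserName [SessionID] StageCode Service [(OS user)]
RECORD_RE = re.compile(
    r"^(?P<date>\d{2} \w{3} \d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<code>\S) SHUTDOWN (?P<user>\S+) "
    r"(?:(?P<session>[0-9a-fA-F]{8}:[0-9a-fA-F]{8}) )?"
    r"(?P<stage>\d+) (?P<service>\S+)"
    r"(?P<os_user> \(OS user\))?\s*$"
)

def parse_shutdown_record(line):
    """Return a dict for a SHUTDOWN record, or None if the line is not one."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    stage = int(m["stage"])
    return {
        "when": datetime.strptime(f"{m['date']} {m['time']}", "%d %b %Y %H:%M:%S"),
        "code": m["code"],                   # third column, M or D in the examples
        "user": m["user"],
        "session_id": m["session"],          # None unless -sessionid was used
        "stage_code": stage,
        "stage_message": STAGE_MESSAGES.get(stage, "unknown; see seaudit -t"),
        "service": m["service"],
        "enterprise_user": m["os_user"] is not None,
    }

def denied_shutdowns(lines):
    """Records where the engine refused the shutdown (stage code 460)."""
    records = (parse_shutdown_record(l) for l in lines)
    return [r for r in records if r and r["stage_code"] == 460]

# Constructed sample input: the first two lines are the page's examples, the
# third adds a session ID and the "(OS user)" flag to exercise those fields.
SAMPLE = [
    "24 Sep 2008 15:40:46 M SHUTDOWN root 452 seosd",
    "23 Dec 2008 12:56:20 D SHUTDOWN tst002 460 seosd",
    "23 Dec 2008 13:02:11 D SHUTDOWN jdoe 00000000:04c240d5 460 seosd (OS user)",
]
```

Calling denied_shutdowns(SAMPLE) returns the tst002 and jdoe records, which are the ones to review as refused attempts to stop the seosd engine.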
Copyright © 2013 CA Technologies.
All rights reserved.