SDK Guide › LogRoute API › SEOS_AUDITLOGIN

SEOS_AUDITLOGIN

The SEOS_AUDITLOGIN record may be submitted to the audit log file when:

• A user logs in, attempts to log in, or logs out
• serevu disables or enables a user
• A user fails to log in after a certain number of attempts
• seosd detects an attack on the network

If the access and use of a resource are being monitored, audit records are also submitted to the audit log. Logout audit records are submitted to the log file only if a login record was also submitted.

char szUserName[ ]

Name of user logging in (ASCII‑Z string).

char szTerminal[ ]

Name of terminal or network host from which user is logging in (ASCII‑Z string).

int LogCode

Reason this audit log record was added to the file. There are several possible reasons for CA ControlMinder to record a login attempt.

int stage

Stage in the authorization algorithm when the decision was made to grant or deny access. The LogRoute API includes a listing of these stage codes in the header file seauthstages.h.

uid_t uid

User's UNIX or Windows user ID.

char szProg[ ]

Name of the program attempting to perform the login.

Login Event Codes

The SEOS_AUDITLOGIN record is used to audit login attempts, logouts, auditing and serevu login attempts, and NAP detection by seosd. Login audit records are submitted to the log for the following reasons:

SEOS_AUTH_PASS

The user was allowed to log in.

SEOS_AUTH_DENY

The user was denied login access.

SEOS_AUTH_CHECK

An error in the database was found.

Logout audit records are submitted to the log file only if a login record was also submitted. That is, the user's audit mode includes the auditing of successful logins, or the terminal from which the user logged in has an audit mode that includes the auditing of successful accesses. Logout records are assigned the stage code SEOS_LOGOUT_RES.

When serevu detects attempts to log in, the following reason codes apply:

SEOS_LOGATP_RES

Detected attempt to break password.

SEOS_LOGDIS_RES

The specified user account was disabled by serevu because of too many login attempts.

SEOS_LOGENA_RES

The specified user account was reactivated by serevu after being disabled for the configured time period.

In all cases, the stage code assigned to login records written by serevu is SEOS_LOG_SEREVU.

SEOS_AUDITGENR

The SEOS_AUDITGENR record can be submitted to the audit log file when a user accesses, or attempts to access, a general resource.

char szUserName[ ]

Name of user attempting to gain access (ASCII‑Z string).

char szResClass[ ]

Class of resource being accessed (ASCII‑Z string).

char szResource[ ]

Name of resource being accessed (ASCII‑Z string).

int logReason

Reason this audit log record was added to the file. Either the user or the resource involved has been flagged for auditing. Possible reasons are listed in the table in Return Codes in this chapter. In UNIX, the LogRoute API also includes a listing of these reasons in the header file seauthstages.h. In Windows, you can find this information in the following directory of your system drive:

ACDir\include

int stage

Stage in the authorization algorithm when the decision was made to grant or deny access. The LogRoute API includes a listing of these stage codes in the header file seauthstages.h.

SEOS_ACCS access

User's level of access to the resource.

Note: The seostype.h file lists the available access types.

uid_t uid

User's UNIX or Windows user ID.

char szProg[ ]

Name of the program that attempted to gain access to the resource (ASCII‑Z string).

char szTerm[ ]

Name of terminal or network host from which user logged in (ASCII‑Z string).

More information:

SEOS_ACCS Structure

SEOS_AUDITWDWARN

The SEOS_AUDITWDWARN record can be submitted to the audit log file when the Watchdog (seoswd) finds an integrity problem in a trusted program or a secured file.

char szClass[ ]

Class name of resource being audited (ASCII‑Z string). This can be PROGRAM or SECFILE.

char szPath[ ]

Full path name of the program or secure file being audited (ASCII‑Z string).

int errno

System errno value that may have triggered this audit.

int logReason

Reason this audit log record was added to the file. Possible reasons are listed in the table in Return Codes in this chapter. In UNIX, the LogRoute API also includes a listing of these reasons in the header file seauthstages.h. In Windows, you can find this information in the following directory of your system drive:

ACDir\include

int stage

Stage in the authorization algorithm when the decision was made to grant or deny access. The LogRoute API includes a listing of these stage codes in the header file seauthstages.h.

SEOS_AUDITINWARN

The SEOS_AUDITINWARN record can be submitted to the audit log file when a remote host attempts access to the local host and that remote host has been flagged for auditing.

char address[20]

Internet address of the remote host attempting access. This is currently the 4‑byte address of TCP.

char af_type

AF number. Currently, only AF_INET (2).

long port

Port number to which access was attempted.

long proto

Protocol code. Currently 0.

char szProg[ ]

Name of the program in the local host that was trying to accept the access request.

int logReason

Reason this audit log record was added to the file. Possible reasons are listed in the table in Return Codes in this chapter. In UNIX, the LogRoute API also includes a listing of these reasons in the header file seauthstages.h. In Windows, you can find this information in the following directory of your system drive:

ACDir\include

int stage

Stage in the authorization algorithm when the decision was made to grant or deny access. The LogRoute API includes a listing of these stage codes in the header file seauthstages.h.