Trace messages on user events describe an attempt to open, run, or use a protected resource.
Audit records in this event have the following format for Windows:
Date Time Status Event UserName SessionID RealUID RealUsername Class Resource Details AuditFlags Trace
Audit records in this event have the following format for UNIX:
Date Time Status Event UserName SessionID EffectiveUsername RealUsername Class Resource Details AuditFlags Trace
Date
Identifies the date the event occurred.
Format: DD MMM YYYY
Note: CA ControlMinder Endpoint Management formats the date display according to your computer's settings.
Time
Identifies the time the event occurred.
Format: HH:MM:SS
Note: CA ControlMinder Endpoint Management formats the time display according to your computer's settings.
Status
Indicates the return code for the event.
Values: Can be one of:
Note: In a detailed seaudit output this field displays the trace information.
Event
Identifies the type of event this record belongs to.
Note: CA ControlMinder Endpoint Management refers to this field simply as Event.
UserName
Identifies the name of the accessor that performed the action that triggered this event.
SessionID
Identifies the accessor's session ID.
RealUID
Identifies the user ID of the user who invoked the process.
Note: (UNIX) This field does not appear in non-detailed seaudit output.
RealUsername
Identifies the name of the user performing the traced action.
EffectiveUID
(UNIX only) Indicates the native OS effective user ID.
Note: This field does not appear in non-detailed seaudit output.
EffectiveUsername
Identifies the name of the native OS effective user that triggered this event. This differs from the user name when the user substitutes (surrogates) to a different user or runs a setuid program.
Class
Identifies the class that the resource being accessed belongs to.
Resource
Identifies the name of the actual resource that is being accessed or updated.
Details
Indicates at which stage CA ControlMinder decided what action to take for this event.
Note: The audit record you see in a non-detailed seaudit output displays a number in this field. This number is known as the authorization stage code. In a detailed output or in CA ControlMinder Endpoint Management, the audit record displays the message associated with the authorization stage code. For a complete list of stage codes, run seaudit -t.
Trace
Displays the trace detail information, including the class, resource, and action that was performed on that resource, or the result of that action.
AuditFlags
Indicates whether the accessor is internal (a CA ControlMinder database user) or an enterprise user.
Note: If the accessor is an enterprise user, the audit record you see in a non-detailed seaudit output displays the string "(OS user)" in this field. Otherwise, this field remains empty.
Example: Trace Message on a User Event on UNIX
The following audit record was taken from a detailed seaudit output.
03 Nov 2008 10:38:47 P TRACE root 490daddd:00000140 john root FILE /home/jon/file.txt 55 FILE > Result: 'P' [stage=55 gstag=55 ACEEH=8 rv=0(/home/john/file.txt
The same record, field by field:
Event type: Trace message on a user
Date: 03 Nov 2008
Time: 10:38
Details: Resource ACL check
Trace information: FILE > Result: 'P' [stage=55 gstag=55 ACEEH=8 rv=0(/home/john/file.txt
Class: FILE
Resource: /home/admin/file.txt
User name: root
Real user ID: 108
Real user name: john
Effective user ID: 108
Effective user name: root
User Logon Session ID: 490daddd:00000140
Audit flags: AC database user
This audit record indicates that on November 3rd 2008, a trace message was logged due to an administrator's attempt to access a resource belonging to the FILE class. The user name is root while the real user name is john, that is, the administrator john surrogated to root before accessing the file. The administrator was permitted access according to the ACL of the accessed resource (authorization stage code 55, Resource ACL check).
Example: Trace Message on a User Event on Windows
The following audit record was taken from a detailed seaudit output.
10 Nov 2008 10:14:53 P TRACE MACHINE\Administrator 00000000:172ef9ef MACHINE\john MACHINE\john WINSERVICE _default 1059 WINSERVICE > (C:\WINDOWS\system32\services.exe) Result: 'P' [stage=1059 gstag=1059 ACEEH=6 rv=0x0 (WebClient)] Why? Default record universal access check
The same record, field by field:
Event type: Trace message on a user
Date: 10 Nov 2008
Time: 10:14
Details: Default record universal access check
Trace information: WINSERVICE > (C:\WINDOWS\system32\services.exe) Result: 'P' [stage=1059 gstag=1059 ACEEH=6 rv=0x0 (WebClient)] Why? Default record universal access check
Class: WINSERVICE
Resource: _default
User name: MACHINE\Administrator
Real user name: MACHINE\john
User Logon Session ID: 00000000:172ef9ef
Audit flags: AC database user
This audit record indicates that on November 10th 2008, a trace message was triggered by an administrator attempting to access the resource _default belonging to the WINSERVICE class. The user name is MACHINE\Administrator while the real user name is MACHINE\john. The administrator was permitted access because no specific record matched and the default record's universal access applied (authorization stage code 1059, Default record universal access check).
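The following Python script is an added example; it is not part of the CA ControlMinder product or its documentation. It takes the non-detailed seaudit form of the two trace records above (copied here as constructed input, together with a third constructed line that carries the "(OS user)" audit flag), splits each line into the columns listed in the Windows and UNIX format lines, reads the authorization stage code from both the Details column and the "stage=" token inside the trace detail, and cross-checks the two, as well as the Status column against the "Result:" token. The regular expressions, the column names user_a/user_b, and the helper names are this example's own assumptions about the column layout, derived from the format lines on this page; verify them against real seaudit output before relying on the parser.

```python
"""Parse seaudit TRACE records and cross-check the summary columns against
the trace detail.  Added example, not CA ControlMinder code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed input: the non-detailed form of the two records shown on this
# page, plus a third line derived from the UNIX one with the "(OS user)" audit
# flag inserted where the format line places it (AuditFlags, before Trace).
SAMPLE_RECORDS = [
    "03 Nov 2008 10:38:47 P TRACE root 490daddd:00000140 john root FILE "
    "/home/jon/file.txt 55 FILE > Result: 'P' [stage=55 gstag=55 ACEEH=8 "
    "rv=0(/home/john/file.txt",
    "10 Nov 2008 10:14:53 P TRACE MACHINE\\Administrator 00000000:172ef9ef "
    "MACHINE\\john MACHINE\\john WINSERVICE _default 1059 WINSERVICE > "
    "(C:\\WINDOWS\\system32\\services.exe) Result: 'P' [stage=1059 gstag=1059 "
    "ACEEH=6 rv=0x0 (WebClient)] Why? Default record universal access check",
    "03 Nov 2008 10:39:02 P TRACE john 490daddd:00000141 john john FILE "
    "/home/john/file.txt 55 (OS user) FILE > Result: 'P' [stage=55 gstag=55 "
    "ACEEH=8 rv=0(/home/john/file.txt",
]

# Column layout assumed from the format lines on this page (an assumption of
# this example): Date Time Status Event UserName SessionID <user_a> <user_b>
# Class Resource Details [AuditFlags] Trace.  Resource is matched lazily up to
# the numeric Details column because it may contain spaces.
RECORD_RE = re.compile(
    r"^(?P<date>\d{2} [A-Za-z]{3} \d{4}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<status>\S+) "
    r"(?P<event>\S+) "
    r"(?P<user>\S+) "
    r"(?P<session>[0-9a-fA-F]{8}:[0-9a-fA-F]{8}) "
    r"(?P<user_a>\S+) "        # RealUID (Windows) / EffectiveUsername (UNIX)
    r"(?P<user_b>\S+) "        # RealUsername
    r"(?P<cls>\S+) "
    r"(?P<resource>.+?) "
    r"(?P<stage>\d+)"          # Details: authorization stage code
    r"(?: (?P<flags>\(OS user\)))?"
    r" (?P<trace>.+)$"
)
TRACE_RE = re.compile(r"Result: '(?P<result>[^']+)' \[stage=(?P<stage>\d+) gstag=(?P<gstag>\d+)")
WHY_RE = re.compile(r"Why\? (?P<why>.+)$")


@dataclass
class TraceRecord:
    date: str
    time: str
    status: str
    event: str
    user: str
    session: str
    user_a: str
    user_b: str
    cls: str
    resource: str
    stage: int                   # Details column
    os_user: bool                # AuditFlags: True when "(OS user)" is present
    trace: str
    trace_result: Optional[str]  # Result: 'X' inside the trace detail
    trace_stage: Optional[int]   # stage=N inside the trace detail
    trace_gstag: Optional[int]
    why: Optional[str]           # text after "Why?" if the trace carries one


def parse_trace_record(line: str) -> TraceRecord:
    """Split one non-detailed seaudit trace line into its columns."""
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a seaudit trace record: {line!r}")
    t = TRACE_RE.search(m["trace"])
    w = WHY_RE.search(m["trace"])
    return TraceRecord(
        date=m["date"], time=m["time"], status=m["status"], event=m["event"],
        user=m["user"], session=m["session"],
        user_a=m["user_a"], user_b=m["user_b"],
        cls=m["cls"], resource=m["resource"], stage=int(m["stage"]),
        os_user=m["flags"] is not None, trace=m["trace"],
        trace_result=t["result"] if t else None,
        trace_stage=int(t["stage"]) if t else None,
        trace_gstag=int(t["gstag"]) if t else None,
        why=w["why"] if w else None,
    )


def consistency_issues(rec: TraceRecord) -> List[str]:
    """Summary columns and trace detail should agree; list every mismatch."""
    issues = []
    if rec.event != "TRACE":
        issues.append(f"event is {rec.event}, not TRACE")
    if rec.trace_result is None:
        issues.append("trace detail has no Result/stage block")
    else:
        if rec.trace_result != rec.status:
            issues.append(f"status {rec.status} != trace result {rec.trace_result}")
        if rec.trace_stage != rec.stage:
            issues.append(f"Details stage {rec.stage} != trace stage {rec.trace_stage}")
    return issues


def accessor_identities(rec: TraceRecord) -> Set[str]:
    """Every accessor name in the record.  More than one name means the
    accessor differs from the real/effective user (surrogate or setuid)."""
    return {rec.user, rec.user_a, rec.user_b}


if __name__ == "__main__":
    for rec in map(parse_trace_record, SAMPLE_RECORDS):
        print(f"{rec.date} {rec.time} {rec.status} {rec.cls}:{rec.resource} "
              f"stage={rec.stage} accessors={sorted(accessor_identities(rec))} "
              f"os_user={rec.os_user} why={rec.why!r} "
              f"issues={consistency_issues(rec)}")
```

Records where accessor_identities returns more than one name are the ones worth a second look when reviewing privileged access: in both page examples the user name is an administrative identity while the real user name is john.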
Copyright © 2013 CA Technologies.
All rights reserved.