

Trace Message On a User

Trace messages on user events describe an attempt to open, run, or use a protected resource.

Audit records in this event have the following format for Windows:

Date Time Status Event UserName SessionID RealUID RealUsername Class Resource Details AuditFlags Trace

Audit records in this event have the following format for UNIX:

Date Time Status Event UserName SessionID EffectiveUsername RealUsername Class Resource Details AuditFlags Trace

Date

Identifies the date the event occurred.

Format: DD MMM YYYY

Note: CA ControlMinder Endpoint Management formats the date display according to your computer's settings.

Time

Identifies the time the event occurred.

Format: HH:MM:SS

Note: CA ControlMinder Endpoint Management formats the time display according to your computer's settings.

Status

Indicates the return code for the event.

Values: Can be one of:

Note: In a detailed seaudit output this field displays the trace information.

Event Type

Identifies the type of event this record belongs to.

Note: CA ControlMinder Endpoint Management refers to this field simply as Event.

User Name

Identifies the name of the accessor that performed the action that triggered this event.

User Logon Session ID

Identifies the accessor's session ID.

Real User ID

Identifies the user ID of the user who invoked the process.

Note: (UNIX) This field does not appear in non-detailed seaudit output.

Real user name

Identifies the name of the user performing the traced action.

Effective user ID

(UNIX only) Indicates the native OS effective user ID.

Note: This field does not appear in non-detailed seaudit output.

Effective User Name

Identifies the name of the native OS effective user that triggered this event. This is different from the user name if the user substitutes (surrogates) to a different user or runs a setuid program.

Class

Identifies the class that the resource being accessed belongs to.

Resource

Identifies the name of the actual resource that is being accessed or updated.

Details

Indicates at which stage CA ControlMinder decided what action to take for this event.

Note: The audit record you see in a non-detailed seaudit output displays a number in this field. This number is known as the authorization stage code. In a detailed output or in CA ControlMinder Endpoint Management, the audit record displays the message associated with the authorization stage code. For a complete list of stage codes, run seaudit -t.

Trace information

Displays the trace detail information including the class, resource, and action that was performed on that resource or the result of that action.

Audit Flags

Indicates whether the accessor is internal (CA ControlMinder database user) or an enterprise user.

Note: If the accessor is an enterprise user, the audit record you see in a non-detailed seaudit output displays the string "(OS user)" in this field. Otherwise, this field remains empty.

Example: Trace Message On a User Event Message on UNIX

The following audit record was taken from a detailed seaudit output.

03 Nov 2008 10:38:47 P TRACE        root         490daddd:00000140 john         root         FILE         /home/jon/file.txt   55  FILE    > Result: 'P' [stage=55 gstag=55 ACEEH=8   rv=0(/home/john/file.txt
Event type: Trace message on a user
Date: 03 Nov 2008
Time: 10:38
Details: Resource ACL check
Trace information: FILE    > Result: 'P' [stage=55 gstag=55 ACEEH=8    rv=0(/home/john/file.txt
Class: FILE
Resource: /home/admin/file.txt
User name: root
Real user ID: 108
Real user name: john
Effective user ID: 108
Effective user name: root
User Logon Session ID: 490daddd:00000140
Audit flags: AC database user

This audit record indicates that on November 3rd 2008, a trace message was logged due to an administrator attempt to access a resource belonging to the FILE class. The administrator was permitted access according to the ACL of the accessed resource (authorization stage code 55—Resource ACL check).

Example: Trace Message On a User Event Message on Windows

The following audit record was taken from a detailed seaudit output.

10 Nov 2008 10:14:53 P TRACE        MACHINE\Administrator 00000000:172ef9ef MACHINE\john MACHINE\john WINSERVICE   _default     1059  WINSERVICE > (C:\WINDOWS\system32\services.exe) Result: 'P' [stage=1059 gstag=1059 ACEEH=6    rv=0x0 (WebClient)]                         Why?  Default record universal access check
Event type: Trace message on a user
Date: 10 Nov 2008
Time: 10:14
Details: Default record universal access check
Trace information: WINSERVICE > (C:\WINDOWS\system32\services.exe) Result: 'P' [stage=1059 gstag=1059 ACEEH=6    rv=0x0 (WebClient)]                        Why?  Default record universal access check
Class: WINSERVICE
Resource: _default
User name: MACHINE\Administrator
Real user name: MACHINE\john
User Logon Session ID: 00000000:172ef9ef
Audit flags: AC database user

This audit record indicates that on November 10th 2008, a trace message was triggered due to an administrator attempting to access the resource _default belonging to the WINSERVICE class. The administrator was permitted access because of a record universal access check (authorization stage code 1059—Default record universal access check).
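The following parser is an added example, not code from CA ControlMinder: it splits detailed seaudit TRACE records into the fields named by the two format lines above (column names follow those lines, so the UNIX middle columns are EffectiveUsername then RealUsername), maps the Details stage code to the two messages this page shows, and flags records in which the user columns name more than one account, which the Effective User Name description attributes to surrogate use or a setuid program. The first two sample records are the page's own examples; the third is a constructed record in which all user columns agree.

```python
# Column names follow the two record-format lines on this page; the trailing
# trace text is kept whole because it contains spaces.
UNIX_COLUMNS = ("user_name", "session_id", "effective_user_name", "real_user_name")
WINDOWS_COLUMNS = ("user_name", "session_id", "real_uid", "real_user_name")

# Stage-code messages seen in this page's two examples; `seaudit -t` lists the rest.
STAGE_MESSAGES = {55: "Resource ACL check", 1059: "Default record universal access check"}

# The first two records are the page's examples; the third is a constructed
# record in which every user column names the same account.
SAMPLE_RECORDS = [
    ("unix", r"03 Nov 2008 10:38:47 P TRACE        root         490daddd:00000140 john         root         FILE         /home/jon/file.txt   55  FILE    > Result: 'P' [stage=55 gstag=55 ACEEH=8   rv=0(/home/john/file.txt"),
    ("windows", r"10 Nov 2008 10:14:53 P TRACE        MACHINE\Administrator 00000000:172ef9ef MACHINE\john MACHINE\john WINSERVICE   _default     1059  WINSERVICE > (C:\WINDOWS\system32\services.exe) Result: 'P' [stage=1059 gstag=1059 ACEEH=6    rv=0x0 (WebClient)]                         Why?  Default record universal access check"),
    ("unix", r"03 Nov 2008 10:40:02 P TRACE        john         490daddd:00000141 john         john         FILE         /home/john/notes.txt 55  FILE    > Result: 'P' [stage=55 gstag=55 ACEEH=9   rv=0(/home/john/notes.txt"),
]


def parse_trace_record(line, platform):
    """Split one detailed seaudit TRACE record into named fields."""
    parts = line.split(None, 13)  # 13 fixed tokens, then free-form trace text
    if len(parts) < 13 or parts[5] != "TRACE":
        raise ValueError("not a TRACE record: " + line[:40])
    rec = {
        "date": " ".join(parts[0:3]),   # DD MMM YYYY
        "time": parts[3],               # HH:MM:SS
        "status": parts[4],             # return code, 'P' in both page examples
        "event": parts[5],
        "class": parts[10],
        "resource": parts[11],
        "stage_code": int(parts[12]),   # the Details field in non-detailed output
        "trace": parts[13] if len(parts) > 13 else "",
    }
    cols = UNIX_COLUMNS if platform == "unix" else WINDOWS_COLUMNS
    rec.update(zip(cols, parts[6:10]))
    rec["stage_message"] = STAGE_MESSAGES.get(rec["stage_code"], "unknown (run seaudit -t)")
    return rec


def identity_switched(rec):
    """True when the user columns name more than one account, which the page
    attributes to surrogate (su) use or a setuid program."""
    keys = ("user_name", "effective_user_name", "real_user_name")
    return len({rec[k] for k in keys if k in rec}) > 1


def switched_identity_records(records=SAMPLE_RECORDS):
    """Parse the samples and return only those with a switched identity."""
    parsed = [parse_trace_record(line, platform) for platform, line in records]
    return [r for r in parsed if identity_switched(r)]
```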

More information:

Reason Codes That Specify Why a Record Was Created

Authorization Stage Codes for Trace Message On a User