Login Event
Login events describe an attempt to log in to PAM Server Control or a PAM Server Control protected host.
Audit records in this event have the following format:
Date Time Status Event UserName SessionID Details Reason Terminal Program AuditFlags
- Date: Identifies the date the event occurred. Format: DD MMM YYYY. PAM Server Control Endpoint Management formats the date display according to your computer's settings.
- Time: Identifies the time the event occurred. Format: HH:MM:SS. PAM Server Control Endpoint Management formats the time display according to your computer's settings.
- Status: Indicates the return code for the event. Values: Can be one of:
  - D (Denied): Denied the event because of insufficient authorization.
  - P (Permitted): Permitted the event.
  - W (Warning): Permitted the event because Warning mode is set although the access request violates an access rule.
- Event: Identifies the type of event this record belongs to. PAM Server Control Endpoint Management refers to this field simply as Event.
- UserName: Identifies the name of the accessor that performed the action that triggered this event.
- SessionID: Identifies the accessor's session ID. By default this field does not appear in a non-detailed seaudit output. To display this field in a non-detailed seaudit output, specify the -sessionid option in the seaudit command.
- Details: Indicates at which stage PAM Server Control decided what action to take for this event. The audit record you see in a non-detailed seaudit output displays a number in this field. This number is known as the authorization stage code. In a detailed output or in PAM Server Control Endpoint Management, the audit record displays the message associated with the authorization stage code. For a complete list of stage codes, run seaudit -t.
- Reason: Indicates the reason that PAM Server Control wrote an audit record. This field does not display in a detailed seaudit output or in PAM Server Control Endpoint Management. The audit record you see in a non-detailed seaudit output displays a number in this field. This number is known as the reason code. For a complete list of reason codes, run seaudit -t.
- Terminal: Identifies the name of the terminal that the accessor used to connect to the host.
- Program: Identifies the name of the program that triggered the event. That is, the program that the accessor used to try to log in. For PAM Server Control administration login, this is the module that logged in (selang, Web Service, and so on).
- AuditFlags: Indicates whether the accessor is internal (PAM Server Control database user) or an enterprise user. If the accessor is an enterprise user, the audit record you see in a non-detailed seaudit output displays the string "(OS user)" in this field. Otherwise, this field remains empty.
Example: Login Event Message
The following audit record was taken from a detailed seaudit output.
28 Oct 2008 12:15:01 P LOGIN root 49047159:0000034b 59 2 _CRONJOB_ SBIN_CRON
Event: Login event
Status: Permitted
UserName: root
Terminal: _CRONJOB_
Program: SBIN_CRON
Date: 28 Oct 2008
Time: 12:15
Details: Resource UACC check
SessionID: 49047159:0000034b
AuditFlags: AC database user
This audit record indicates that on October 28th 2008, at 12:15:01, user root logged in to the protected host from terminal _CRONJOB_ and ran a SBIN_CRON program.
PAM Server Control permitted the operation because the resource's default access permissions permit this action (authorization stage code 59, Resource UACC check). The product logged this event because the accessor's audit mode specifies that this event should be logged (reason code 2, User audit mode requires logging).
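The field layout above can be turned into a parser for triage. The following is an added example, not code from the product or its documentation: it parses non-detailed Login records, handles the optional SessionID and "(OS user)" fields, and returns the Denied and Warning logins. It assumes fields are separated by whitespace, that no field value contains a space, and that the event name is LOGIN as in the sample record.

```python
from datetime import datetime

STATUS = {"D": "Denied", "P": "Permitted", "W": "Warning"}
OS_USER = "(OS user)"  # AuditFlags value for enterprise users

# First line is the record from the page; the rest are constructed samples
# (user names, terminals and the USR_SBIN_SSHD program name are made up).
SAMPLE = [
    "28 Oct 2008 12:15:01 P LOGIN root 49047159:0000034b 59 2 _CRONJOB_ SBIN_CRON",
    "28 Oct 2008 12:16:40 D LOGIN jsmith 59 2 ttyp1 USR_SBIN_SSHD (OS user)",
    "28 Oct 2008 12:17:05 W LOGIN backup 4904715a:0000034c 59 2 ttyp2 USR_SBIN_SSHD",
]

def parse_login_record(line):
    """Parse one non-detailed audit record into a dict of named fields."""
    line = line.strip()
    enterprise = line.endswith(OS_USER)
    if enterprise:
        line = line[:-len(OS_USER)].rstrip()
    tok = line.split()
    # Date takes 3 tokens, so 11 tokens without SessionID and 12 with it.
    if len(tok) not in (11, 12) or tok[4] not in STATUS:
        raise ValueError(f"not a recognised audit record: {line!r}")
    session_id = tok.pop(7) if len(tok) == 12 else None
    return {
        "when": datetime.strptime(" ".join(tok[:4]), "%d %b %Y %H:%M:%S"),
        "status": STATUS[tok[4]],
        "event": tok[5],
        "user": tok[6],
        "session_id": session_id,
        "stage_code": int(tok[7]),    # Details: authorization stage code
        "reason_code": int(tok[8]),   # Reason: why the record was written
        "terminal": tok[9],
        "program": tok[10],
        "enterprise_user": enterprise,
    }

def logins_to_review(lines):
    """Return LOGIN records with status Denied or Warning."""
    records = [parse_login_record(l) for l in lines if l.strip()]
    return [r for r in records
            if r["event"] == "LOGIN" and r["status"] != "Permitted"]

if __name__ == "__main__":
    for r in logins_to_review(SAMPLE):
        print(r["when"], r["status"], r["user"], r["terminal"], r["program"])
```

Warning records are worth reviewing alongside Denied ones because, per the Status definition, they mark logins that violated an access rule and were permitted only because Warning mode is set.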