Outbound Network Connection Event

Outbound network connection events indicate outbound traffic to the protected host. Outbound network events are audited in two forms (according to the class activation in the local database). Both audit event types contain identical information but in a different view. For example, one audit event contains HOST as the class name while the other event displays TCP as the class name.
Audit records in this event have the following format:
Date Time Status Class Service UserName Details Reason Host Program Terminal AuditFlags
  • Date
    Identifies the date the event occurred.
    Format:
    DD MMM YYYY
    PAM Server Control Endpoint Management formats the date display according to your computer's settings.
  • Time
    Identifies the time the event occurred.
    Format:
    HH:MM:SS
    PAM Server Control Endpoint Management formats the time display according to your computer's settings.
  • Status
    Indicates the return code for the event.
    Values:
    Can be one of:
    • D (Denied): Denied the event because of insufficient authorization.
    • P (Permitted): Permitted the event.
    • W (Warning): Permitted the event because Warning mode is set although the access request violates an access rule.
  • Class
    Identifies the name of the class.
  • Service
    Identifies the name of the service that the connection used.
  • User Name
    Identifies the name of the accessor that performed the action that triggered this event.
  • Details
    Indicates at which stage PAM Server Control decided what action to take for this event.
    The audit record you see in a non-detailed seaudit output displays a number in this field. This number is known as the authorization stage code. In a detailed output or in PAM Server Control Endpoint Management, the audit record displays the message associated with the authorization stage code. For a complete list of stage codes, run seaudit -t.
  • Reason
    Indicates the reason that PAM Server Control wrote an audit record.
    This field does not display in a detailed seaudit output or in PAM Server Control Endpoint Management. The audit record you see in a non-detailed seaudit output displays a number in this field. This number is known as the reason code. For a complete list of reason codes, run seaudit -t.
  • Host name
    Identifies the name of the target host.
  • Program
    Identifies the name of the program that triggered the event.
  • Terminal
    Identifies the name of the terminal that the accessor used to connect to the host.
  • User Logon Session ID
    Identifies the accessor's session ID.
    By default this field does not appear in a non-detailed seaudit output. To display this field in a non-detailed seaudit output, specify the -sessionid option in the seaudit command. The user logon session ID field is added only to events that were generated as a result of TCP or CONNECT class definitions.
  • Audit Flags
    Indicates whether the accessor is internal (PAM Server Control database user) or an enterprise user.
    If the accessor is an enterprise user, the audit record you see in a non-detailed seaudit output displays the string "(OS user)" in this field. Otherwise, this field remains empty.
Example: Outbound Network Connection Event Message
The following audit record was taken from a detailed seaudit output.
21 Jan 2009 15:37:43 D TCP telnet root 408 2 computer.org /usr/bin/telnet computer.com
Event type: Outbound network connection
Status: Denied
Host name: computer.org
Service: telnet
Program: /usr/bin/telnet
User name: Administrator
Terminal: computer.com
User name: root
Date: 21 Jan 2009
Time: 15:37:43
Details: Default access of TCP service
User Logon Session ID: 4977248c:0000012a5248
Audit flags: AC database user
This audit record indicates that on January 21st, 2009, the administrator opened an outgoing connection from the terminal computer.org to the computer named computer.com via the telnet service.
PAM Server Control denied this operation because of the defaccess property of the TCP record (authorization stage code 408: Default of TCP service).
PAM Server Control logged this event because the AUDIT_MODE property for the accessor matches the record's result (reason code 2: User audit mode requires logging).
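The field list and the example record above describe the non-detailed seaudit layout for this event. The following Python parser is an added example, not part of the PAM Server Control documentation or product: it splits such a record into its documented fields, decodes the Status letter, marks enterprise users from the "(OS user)" audit flag, handles the optional User Logon Session ID that only appears with -sessionid, and lists the Denied outbound connections so an analyst can review them. The constructed sample input reuses the documented record plus a made-up permitted connection; the session ID in that second line is a placeholder, and only the two stage and reason codes shown on this page are mapped to text (the full lists come from seaudit -t).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Status values documented for the Status field.
STATUS_TEXT = {"D": "Denied", "P": "Permitted", "W": "Warning"}
# Only the stage/reason codes from the documentation's example are mapped here;
# the full lists come from `seaudit -t`, so unknown codes are reported by number.
STAGE_TEXT = {408: "Default access of TCP service"}
REASON_TEXT = {2: "User audit mode requires logging"}

# Non-detailed record layout: Date Time Status Class Service UserName Details
# Reason Host Program Terminal [UserLogonSessionID] [AuditFlags]. The session ID
# is present only with -sessionid; Audit Flags is "(OS user)" for enterprise
# users and empty otherwise. Assumption: no field contains whitespace.
RECORD_RE = re.compile(
    r"^(?P<date>\d{2} [A-Za-z]{3} \d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<status>[DPW]) (?P<class_name>\S+) (?P<service>\S+) (?P<user>\S+) "
    r"(?P<stage>\d+) (?P<reason>\d+) (?P<host>\S+) (?P<program>\S+) "
    r"(?P<terminal>\S+)"
    r"(?: (?P<session>[0-9A-Fa-f]+:[0-9A-Fa-f]+))?"
    r"(?: (?P<flags>\(OS user\)))?\s*$"
)


@dataclass
class OutboundConnectionEvent:
    date: str
    time: str
    status: str            # D, P or W
    status_text: str
    class_name: str        # TCP or HOST, depending on class activation
    service: str
    user_name: str
    stage_code: int        # authorization stage code (Details field)
    reason_code: int       # reason code (Reason field)
    host: str              # target host
    program: str
    terminal: str
    session_id: Optional[str]
    os_user: bool          # True when Audit Flags shows "(OS user)"


def parse_record(line: str) -> OutboundConnectionEvent:
    """Parse one non-detailed seaudit outbound-connection record."""
    m = RECORD_RE.match(line)
    if m is None:
        raise ValueError(f"not an outbound network connection record: {line!r}")
    return OutboundConnectionEvent(
        date=m["date"], time=m["time"],
        status=m["status"], status_text=STATUS_TEXT[m["status"]],
        class_name=m["class_name"], service=m["service"], user_name=m["user"],
        stage_code=int(m["stage"]), reason_code=int(m["reason"]),
        host=m["host"], program=m["program"], terminal=m["terminal"],
        session_id=m["session"], os_user=m["flags"] is not None,
    )


def describe_stage(code: int) -> str:
    return STAGE_TEXT.get(code, f"stage code {code} (run seaudit -t)")


def describe_reason(code: int) -> str:
    return REASON_TEXT.get(code, f"reason code {code} (run seaudit -t)")


def denied_connections(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (user, program, target host, service) for every Denied record.

    Lines that do not parse are skipped so one malformed record does not hide
    the denials around it.
    """
    hits = []
    for line in lines:
        try:
            ev = parse_record(line)
        except ValueError:
            continue
        if ev.status == "D":
            hits.append((ev.user_name, ev.program, ev.host, ev.service))
    return hits


# Constructed sample input: the first line is the record from the documentation
# example, the second a made-up permitted ssh connection captured with
# -sessionid for an enterprise (OS) user; its session ID is a placeholder.
SAMPLE_RECORDS = [
    "21 Jan 2009 15:37:43 D TCP telnet root 408 2 computer.org /usr/bin/telnet computer.com",
    "21 Jan 2009 15:38:10 P TCP ssh jdoe 408 2 computer.org /usr/bin/ssh computer.com "
    "4977248c:0000012a5249 (OS user)",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        ev = parse_record(rec)
        print(f"{ev.date} {ev.time} {ev.status_text}: {ev.user_name} ran {ev.program} to "
              f"{ev.host}/{ev.service} from terminal {ev.terminal}; "
              f"{describe_stage(ev.stage_code)}; {describe_reason(ev.reason_code)}")
    print("denied:", denied_connections(SAMPLE_RECORDS))
```

Feed it the output of seaudit with or without -sessionid; because the session ID and audit-flags fields are optional in the pattern, both forms parse with the same function, and a record from a detailed listing (one field per line) would need the line-oriented fields joined first.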