Resource Access Event

Resource access events describe access attempts to resources, for example, FILE, TERMINAL, PROGRAM, and more. The audit record data in this event can appear in other records, for example, a LOGIN event when an accessor attempts to access a TERMINAL resource. Although the event record in this case is of the LOGIN type, the audit record data that appears in the record is one of the Resource Access Event messages.
Audit records in this event have the following format:
Date Time Status Class UserName SessionID Access Details Reason Resource Program Terminal EffectiveUserName AuditFlags
In UNIX or Linux, the AuditFlags parameter precedes the EffectiveUserName parameter.
  • Date
    Identifies the date the event occurred.
    Format:
    DD MMM YYYY
     
    PAM Server Control Endpoint Management formats the date display according to your computer's settings.
  • Time
    Identifies the time the event occurred.
    Format:
    HH:MM:SS
     
    PAM Server Control Endpoint Management formats the time display according to your computer's settings.
  • Status
    Indicates the return code for the event.
    Values:
    Can be one of:
    • D (Denied): Denied the event because of insufficient authorization.
    • P (Permitted): Permitted the event.
    • W (Warning): Permitted the event because Warning mode is set although the access request violates an access rule.
    • N (Notify): Permitted the event and notifies that an attempt to access a permitted resource occurred.
    • F (Failed): Permitted, but the Operating System command failed.
  • Class
    Identifies the class that the resource being accessed belongs to.
  • User Name
    Identifies the name of the accessor that performed the action that triggered this event.
  • User Logon Session ID
    Identifies the accessor's session ID.
    By default this field does not appear in a non-detailed seaudit output. To display this field in a non-detailed seaudit output, specify the -sessionid option in the seaudit command.
  • Access
    Identifies the type of attempted access that triggered this event.
    Example:
    Read
    Access values depend on the class the intercepted resource belongs to. For more information on the access authority for each class, see the selang Reference Guide.
  • Details
    Indicates at which stage PAM Server Control decided what action to take for this event.
    The audit record you see in a non-detailed seaudit output displays a number in this field. This number is known as the authorization stage code. In a detailed output or in PAM Server Control Endpoint Management, the audit record displays the message associated with the authorization stage code. For a complete list of stage codes, run seaudit -t.
  • Reason
    Indicates the reason that PAM Server Control wrote an audit record.
    This field does not display in a detailed seaudit output or in PAM Server Control Endpoint Management. The audit record you see in a non-detailed seaudit output displays a number in this field. This number is known as the reason code. For a complete list of reason codes, run seaudit -t.
  • Resource
    Identifies the name of the actual resource that is being accessed or updated.
  • Program
    Identifies the name of the program that triggered the event. That is, the program that the accessor used to try to access the resource.
  • Terminal
    Identifies the name of the terminal that the accessor used to connect to the host. (UNIX and Windows.)
  • Effective User Name
    Identifies the name of the native OS effective user that triggered this event. This is different from the user name if the user substitutes (surrogates) to a different user or runs a setuid program.
  • Audit Flags
    Indicates whether the accessor is internal (PAM Server Control database user) or an enterprise user.
    If the accessor is an enterprise user, the audit record you see in a non-detailed seaudit output displays the string "(OS user)" in this field. Otherwise, this field remains empty.
Example: Resource Access Event Message
The following audit record is taken from a detailed seaudit output.
18 Nov 2008 15:23:56 D FILE admabc 4922ae61:00000132 Read 69 3 /tmp/one /usr/local/bin/tcsh localhost admabc
Event type: Resource access
Status: Denied
Class: FILE
Resource: /tmp/one
Access: Read
User name: admabc
Terminal: localhost
Program: /usr/local/bin/tcsh
Date: 18 Nov 2008
Time: 15:23
Details: No Step that allowed access
User Logon Session ID: 4922ae61:00000132
Audit flags: AC database user
Effective user name: admabc
This audit record indicates that on November 18th 2008, at 15:23:56, the user admabc used the UNIX tcsh shell program from the local computer to try to read the protected /tmp/one file resource. PAM Server Control denied the operation because there are no rules in the database that authorize this type of access (authorization stage code 69, No step that allowed access). PAM Server Control logged this event because the resource's audit mode specifies that this event should be logged (reason code 3, Resource audit mode required logging).
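The record layout described above can be parsed for log review as follows. This is an added example, not part of the product documentation: the function names are hypothetical, the fields are assumed to be whitespace-separated with no spaces inside resource, program or terminal names, and the second sample record is constructed with placeholder stage and reason codes.

```python
from datetime import datetime

STATUS = {"D": "Denied", "P": "Permitted", "W": "Warning", "N": "Notify", "F": "Failed"}
OS_USER = "(OS user)"  # AuditFlags text shown for enterprise users

def parse_record(line, has_session_id=True):
    """Parse one non-detailed resource access record into a dict."""
    # AuditFlags is empty or "(OS user)" and sits before or after
    # EffectiveUserName depending on platform, so lift it out first.
    enterprise = OS_USER in line
    tokens = line.replace(OS_USER, " ").split()
    names = ["day", "month", "year", "time", "status", "class", "user"]
    if has_session_id:  # SessionID is hidden unless seaudit -sessionid is used
        names.append("session_id")
    names += ["access", "details", "reason", "resource", "program",
              "terminal", "effective_user"]
    if len(tokens) != len(names):
        raise ValueError(f"expected {len(names)} fields, got {len(tokens)}")
    rec = dict(zip(names, tokens))
    if rec["status"] not in STATUS:
        raise ValueError(f"unknown status code {rec['status']!r}")
    stamp = " ".join(rec.pop(k) for k in ("day", "month", "year", "time"))
    rec["timestamp"] = datetime.strptime(stamp, "%d %b %Y %H:%M:%S")
    rec["status_text"] = STATUS[rec["status"]]
    rec["details"], rec["reason"] = int(rec["details"]), int(rec["reason"])
    rec["enterprise_user"] = enterprise
    return rec

def triage(rec):
    """Return review notes for statuses and identity changes worth a look."""
    notes = []
    if rec["status"] == "D":
        notes.append("denied")
    elif rec["status"] == "W":
        notes.append("rule violated, permitted by Warning mode")
    if rec["effective_user"] != rec["user"]:
        notes.append("effective user differs from user name")
    return notes

# Record from the page (it includes the session ID).
PAGE = ("18 Nov 2008 15:23:56 D FILE admabc 4922ae61:00000132 Read 69 3 "
        "/tmp/one /usr/local/bin/tcsh localhost admabc")
# Constructed record in UNIX field order, no session ID; the codes 0 0
# are placeholders, not real stage or reason codes.
CONSTRUCTED = ("19 Nov 2008 09:01:07 W FILE jdoe Read 0 0 "
               "/etc/app.conf /bin/cat tty1 (OS user) root")
```

Numeric stage and reason codes are kept as integers; map them to messages with the list that seaudit -t prints on your installation.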