Trace Message On a User

Trace messages on user events describe an attempt to open, run, or use a protected resource.
Audit records in this event have the following format for Windows:
Date Time Status Event UserName SessionID RealUID RealUsername Class Resource Details AuditFlags Trace
Audit records in this event have the following format for UNIX:
Date Time Status Event UserName SessionID EffectiveUsername RealUsername Class Resource Details AuditFlags Trace
  • Date
    Identifies the date the event occurred.
    Format: DD MMM YYYY
    PAM Server Control Endpoint Management formats the date display according to your computer's settings.
  • Time
    Identifies the time the event occurred.
    Format: HH:MM:SS
    PAM Server Control Endpoint Management formats the time display according to your computer's settings.
  • Status
    Indicates the return code for the event.
    Values can be one of:
    • D (Denied): Denied the event because of insufficient authorization.
    • P (Permitted): Permitted the event.
    • W (Warning): Permitted the event because Warning mode is set, although the access request violates an access rule.
    In a detailed seaudit output this field displays the trace information.
  • Event Type
    Identifies the type of event this record belongs to.
    PAM Server Control Endpoint Management refers to this field simply as Event.
  • User Name
    Identifies the name of the accessor that performed the action that triggered this event.
  • User Logon Session ID
    Identifies the accessor's session ID.
  • Real User ID
    Identifies the user ID of the user who invoked the process.
    Note: (UNIX) This field does not appear in non-detailed seaudit output.
  • Real User Name
    Identifies the name of the user performing the traced action.
  • Effective User ID
    (UNIX only) Indicates the native OS effective user ID.
    Note: This field does not appear in non-detailed seaudit output.
  • Effective User Name
    Identifies the name of the native OS effective user that triggered this event. This differs from the user name if the user substitutes (surrogates) to a different user or runs a setuid program.
  • Class
    Identifies the class that the resource being accessed belongs to.
  • Resource
    Identifies the name of the actual resource that is being accessed or updated.
  • Details
    Indicates at which stage PAM Server Control decided what action to take for this event.
    The audit record you see in a non-detailed seaudit output displays a number in this field. This number is known as the authorization stage code. In a detailed output or in PAM Server Control Endpoint Management, the audit record displays the message associated with the authorization stage code. For a complete list of stage codes, run seaudit -t.
  • Trace Information
    Displays the trace detail information, including the class, resource, and action that was performed on that resource, or the result of that action.
  • Audit Flags
    Indicates whether the accessor is internal (a PAM Server Control database user) or an enterprise user.
    If the accessor is an enterprise user, the audit record you see in a non-detailed seaudit output displays the string "(OS user)" in this field. Otherwise, this field remains empty.
Example: Trace Message On a User Event Message on UNIX
The following audit record was taken from a detailed seaudit output.
03 Nov 2008 10:38:47 P TRACE root 490daddd:00000140 john root FILE /home/jon/file.txt 55 FILE > Result: 'P' [stage=55 gstag=55 ACEEH=8 rv=0(/home/john/file.txt
The same record broken down by field:
  • Event type: Trace message on a user
  • Date: 03 Nov 2008
  • Time: 10:38
  • Details: Resource ACL check
  • Trace information: FILE > Result: 'P' [stage=55 gstag=55 ACEEH=8 rv=0(/home/john/file.txt
  • Class: FILE
  • Resource: /home/admin/file.txt
  • User name: root
  • Real user ID: 108
  • Real user name: john
  • Effective user ID: 108
  • Effective user name: root
  • User Logon Session ID: 490daddd:00000140
  • Audit flags: AC database user
This audit record indicates that on November 3rd 2008, a trace message was logged because an administrator attempted to access a resource belonging to the FILE class. The administrator was permitted access according to the ACL of the accessed resource (authorization stage code 55, Resource ACL check).
Example: Trace Message On a User Event Message on Windows
The following audit record was taken from a detailed seaudit output.
10 Nov 2008 10:14:53 P TRACE MACHINE\Administrator 00000000:172ef9ef MACHINE\john MACHINE\john WINSERVICE _default 1059 WINSERVICE > (C:\WINDOWS\system32\services.exe) Result: 'P' [stage=1059 gstag=1059 ACEEH=6 rv=0x0 (WebClient)] Why? Default record universal access check
The same record broken down by field:
  • Event type: Trace message on a user
  • Date: 10 Nov 2008
  • Time: 10:14
  • Details: Default record universal access check
  • Trace information: WINSERVICE > (C:\WINDOWS\system32\services.exe) Result: 'P' [stage=1059 gstag=1059 ACEEH=6 rv=0x0 (WebClient)] Why? Default record universal access check
  • Class: WINSERVICE
  • Resource: _default
  • User name: MACHINE\Administrator
  • Real user name: MACHINE\john
  • User Logon Session ID: 00000000:172ef9ef
  • Audit flags: AC database user
This audit record indicates that on November 10th 2008, a trace message was triggered because an administrator attempted to access the resource _default belonging to the WINSERVICE class. The administrator was permitted access because of a default record universal access check (authorization stage code 1059, Default record universal access check).
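The following parser is an added example, not part of this page or of the PAM Server Control product; it applies the Windows and UNIX format lines documented above to the two example records quoted on this page and to a few constructed records. It assumes (the page does not say this) that every field before Trace contains no spaces, that the session ID is two hexadecimal groups joined by a colon, and that the Audit Flags field is either empty (database user) or the literal "(OS user)" (enterprise user), which is the case the Audit Flags description calls out. `review_findings` then picks out the records a reviewer would want to look at: denials, Warning-mode permits (requests that violated a rule but were allowed because Warning mode is set), and lines that did not parse.

```python
import re
from typing import Optional

# One non-detailed seaudit trace record, following the documented format lines:
#   Windows: Date Time Status Event UserName SessionID RealUID RealUsername Class Resource Details AuditFlags Trace
#   UNIX:    Date Time Status Event UserName SessionID EffectiveUsername RealUsername Class Resource Details AuditFlags Trace
# Assumptions (not stated on the page): fields before Trace contain no spaces, the
# session ID is two hex groups joined by ":", and AuditFlags is empty or "(OS user)".
_TRACE_RE = re.compile(
    r"^(?P<date>\d{2} [A-Za-z]{3} \d{4}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<status>[DPW]) "
    r"(?P<event>\S+) "
    r"(?P<user>\S+) "
    r"(?P<session>[0-9A-Fa-f]+:[0-9A-Fa-f]+) "
    r"(?P<field7>\S+) "
    r"(?P<field8>\S+) "
    r"(?P<cls>\S+) "
    r"(?P<resource>\S+) "
    r"(?P<stage>\d+)"                    # authorization stage code (Details field)
    r"(?: (?P<flags>\(OS user\)))?"      # AuditFlags: present only for enterprise users
    r"\s*(?P<trace>.*)$"
)

STATUS_MEANING = {"D": "Denied", "P": "Permitted", "W": "Warning"}

# The two fields between the session ID and the class differ by platform.
_PLATFORM_FIELDS = {
    "windows": ("real_uid", "real_user"),
    "unix": ("effective_user", "real_user"),
}


def parse_trace(line: str, platform: str) -> Optional[dict]:
    """Parse one trace record into a dict; return None if the line does not match."""
    names = _PLATFORM_FIELDS[platform]   # KeyError for an unsupported platform name
    m = _TRACE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec[names[0]] = rec.pop("field7")
    rec[names[1]] = rec.pop("field8")
    rec["stage"] = int(rec["stage"])
    rec["status_meaning"] = STATUS_MEANING[rec["status"]]
    rec["enterprise_user"] = rec.pop("flags") is not None
    return rec


def review_findings(lines, platform):
    """Return the records worth a reviewer's attention: denials, Warning-mode
    permits (rule violated but allowed), and lines that did not parse."""
    findings = []
    for line in lines:
        rec = parse_trace(line, platform)
        if rec is None:
            findings.append(("unparsed", line.strip()[:40]))
        elif rec["status"] == "D":
            findings.append(("denied", rec["user"], rec["cls"], rec["resource"], rec["stage"]))
        elif rec["status"] == "W":
            findings.append(("warning-mode-permitted", rec["user"], rec["cls"], rec["resource"], rec["stage"]))
    return findings


# The two records quoted on this page, verbatim.
UNIX_EXAMPLE = ("03 Nov 2008 10:38:47 P TRACE root 490daddd:00000140 john root FILE "
                "/home/jon/file.txt 55 FILE > Result: 'P' [stage=55 gstag=55 ACEEH=8 "
                "rv=0(/home/john/file.txt")
WINDOWS_EXAMPLE = (r"10 Nov 2008 10:14:53 P TRACE MACHINE\Administrator 00000000:172ef9ef "
                   r"MACHINE\john MACHINE\john WINSERVICE _default 1059 WINSERVICE > "
                   r"(C:\WINDOWS\system32\services.exe) Result: 'P' [stage=1059 gstag=1059 "
                   r"ACEEH=6 rv=0x0 (WebClient)] Why? Default record universal access check")
# Constructed records (not from the page): an enterprise-user denial and a Warning-mode permit.
CONSTRUCTED_DENIED_OS_USER = ("03 Nov 2008 11:02:10 D TRACE alice 490daddd:00000152 alice alice "
                              "FILE /etc/shadow 55 (OS user) FILE > Result: 'D' [stage=55 gstag=55]")
CONSTRUCTED_WARNING = ("03 Nov 2008 11:05:33 W TRACE bob 490daddd:00000160 bob bob "
                       "FILE /etc/passwd 55 FILE > Result: 'W' [stage=55 gstag=55]")

if __name__ == "__main__":
    for finding in review_findings([UNIX_EXAMPLE, CONSTRUCTED_DENIED_OS_USER, CONSTRUCTED_WARNING], "unix"):
        print(finding)
    print(parse_trace(WINDOWS_EXAMPLE, "windows"))
```

The optional "(OS user)" group is what makes the layout unambiguous: because the Audit Flags field is empty for database users, a naive split on whitespace would shift the Trace field by one token between database-user and enterprise-user records. The field names for positions 7 and 8 are taken from the format lines above; on a real system, compare them against a detailed seaudit output before relying on the real/effective distinction.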