Trace Message On a User
Trace messages on user events describe an attempt to open, run, or use a protected resource.
Audit records in this event have the following format for Windows:
Date Time Status Event UserName SessionID RealUID RealUsername Class Resource Details AuditFlags Trace
Audit records in this event have the following format for UNIX:
Date Time Status Event UserName SessionID EffectiveUsername RealUsername Class Resource Details AuditFlags Trace
- Date: Identifies the date the event occurred. Format: DD MMM YYYY. PAM Server Control Endpoint Management formats the date display according to your computer's settings.
- Time: Identifies the time the event occurred. Format: HH:MM:SS. PAM Server Control Endpoint Management formats the time display according to your computer's settings.
- Status: Indicates the return code for the event. Values: Can be one of:
  - D (Denied): Denied the event because of insufficient authorization.
  - P (Permitted): Permitted the event.
  - W (Warning): Permitted the event because Warning mode is set, although the access request violates an access rule. Treat W records as the accesses that would be denied once Warning mode is turned off.
  In a detailed seaudit output this field displays the trace information.
- Event Type: Identifies the type of event this record belongs to. PAM Server Control Endpoint Management refers to this field simply as Event.
- User Name: Identifies the name of the accessor that performed the action that triggered this event.
- User Logon Session ID: Identifies the accessor's session ID.
- Real User ID: Identifies the user ID of the user who invoked the process. Note: (UNIX) This field does not appear in non-detailed seaudit output.
- Real User Name: Identifies the name of the user performing the traced action.
- Effective User ID: (UNIX only) Indicates the native OS effective user ID. Note: This field does not appear in non-detailed seaudit output.
- Effective User Name: Identifies the name of the native OS effective user that triggered this event. This differs from the user name if the user substitutes (surrogates) to a different user or runs a setuid program.
- Class: Identifies the class that the resource being accessed belongs to.
- Resource: Identifies the name of the actual resource that is being accessed or updated.
- Details: Indicates at which stage PAM Server Control decided what action to take for this event. In a non-detailed seaudit output this field displays a number, known as the authorization stage code. In a detailed output, or in PAM Server Control Endpoint Management, the record displays the message associated with that stage code. For a complete list of stage codes, run seaudit -t.
- Trace Information: Displays the trace detail, including the class, resource, and action that was performed on that resource, or the result of that action.
- Audit Flags: Indicates whether the accessor is internal (a PAM Server Control database user) or an enterprise user. If the accessor is an enterprise user, a non-detailed seaudit output displays the string "(OS user)" in this field. Otherwise, this field remains empty.
Example: Trace Message On a User Event Message on UNIX
The following audit record was taken from a detailed seaudit output.
03 Nov 2008 10:38:47 P TRACE root 490daddd:00000140 john root FILE /home/jon/file.txt 55 FILE > Result: 'P' [stage=55 gstag=55 ACEEH=8 rv=0(/home/john/file.txt
The same record broken down by field:
Event type: Trace message on a user
Date: 03 Nov 2008
Time: 10:38
Details: Resource ACL check
Trace information: FILE > Result: 'P' [stage=55 gstag=55 ACEEH=8 rv=0(/home/john/file.txt
Class: FILE
Resource: /home/admin/file.txt
User name: root
Real user ID: 108
Real user name: john
Effective user ID: 108
Effective user name: root
User Logon Session ID: 490daddd:00000140
Audit flags: AC database user
This audit record indicates that on November 3rd 2008, a trace message was logged because an administrator attempted to access a resource belonging to the FILE class. The administrator was permitted access according to the ACL of the accessed resource (authorization stage code 55, Resource ACL check).
Example: Trace Message On a User Event Message on Windows
The following audit record was taken from a detailed seaudit output.
10 Nov 2008 10:14:53 P TRACE MACHINE\Administrator 00000000:172ef9ef MACHINE\john MACHINE\john WINSERVICE _default 1059 WINSERVICE > (C:\WINDOWS\system32\services.exe) Result: 'P' [stage=1059 gstag=1059 ACEEH=6 rv=0x0 (WebClient)] Why? Default record universal access check
The same record broken down by field:
Event type: Trace message on a user
Date: 10 Nov 2008
Time: 10:14
Details: Default record universal access check
Trace information: WINSERVICE > (C:\WINDOWS\system32\services.exe) Result: 'P' [stage=1059 gstag=1059 ACEEH=6 rv=0x0 (WebClient)] Why? Default record universal access check
Class: WINSERVICE
Resource: _default
User name: MACHINE\Administrator
Real user name: MACHINE\john
User Logon Session ID: 00000000:172ef9ef
Audit flags: AC database user
This audit record indicates that on November 10th 2008, a trace message was triggered because an administrator attempted to access the resource _default, which belongs to the WINSERVICE class. The administrator was permitted access by the universal access check on the default record (authorization stage code 1059, Default record universal access check).
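The record layouts and the two examples above, as an added parser. This is example code written for this page, not part of PAM Server Control or seaudit: it splits a non-detailed seaudit TRACE line into the documented columns, treats "(OS user)" as the optional Audit Flags column sitting between Details and Trace (an assumption drawn from the format lines, which the examples do not exercise because both accessors are database users), and cross-checks the Status and Details columns against the Result and stage values that the trace text repeats. The three sample lines are constructed: the first two follow the UNIX and Windows records shown above; the third (user jane, session 490db0aa:00000201, resource /etc/shadow) is invented to exercise the enterprise-user flag and Warning-mode status.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records for this example. The first two follow the
# UNIX and Windows records in this topic (non-detailed layout: the Trace
# text is everything after the Details code and optional Audit Flags).
# The third is invented to exercise "(OS user)" and Warning mode.
SAMPLE_RECORDS = [
    "03 Nov 2008 10:38:47 P TRACE root 490daddd:00000140 john root FILE "
    "/home/john/file.txt 55 FILE > Result: 'P' [stage=55 gstag=55 ACEEH=8 "
    "rv=0(/home/john/file.txt",
    "10 Nov 2008 10:14:53 P TRACE MACHINE\\Administrator 00000000:172ef9ef "
    "MACHINE\\john MACHINE\\john WINSERVICE _default 1059 WINSERVICE > "
    "(C:\\WINDOWS\\system32\\services.exe) Result: 'P' [stage=1059 gstag=1059 "
    "ACEEH=6 rv=0x0 (WebClient)] Why? Default record universal access check",
    "04 Nov 2008 09:12:03 W TRACE jane 490db0aa:00000201 jane jane FILE "
    "/etc/shadow 55 (OS user) FILE > Result: 'W' [stage=55 gstag=55 ACEEH=8 "
    "rv=0(/etc/shadow",
]

# Column layout from the format lines in this topic. The two identity
# columns after the session ID are RealUID RealUsername on Windows and
# EffectiveUsername RealUsername on UNIX; they are kept as identity_1 and
# identity_2 because the record itself does not say which OS wrote it.
# Resource is matched non-greedily up to the first all-digit token, so a
# resource name containing " <digits> " would be split too early.
TRACE_RE = re.compile(
    r"^(?P<date>\d{2} [A-Za-z]{3} \d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<status>[DPW]) (?P<event>TRACE) (?P<user>\S+) (?P<session>\S+) "
    r"(?P<identity_1>\S+) (?P<identity_2>\S+) (?P<cls>\S+) "
    r"(?P<resource>.+?) (?P<details>\d+) (?:(?P<flags>\(OS user\)) )?"
    r"(?P<trace>.*)$"
)

# The trace text carries its own verdict and stage; used to cross-check
# the Status and Details columns.
RESULT_RE = re.compile(r"Result: '(?P<result>[DPW])' \[stage=(?P<stage>\d+)")


@dataclass
class TraceRecord:
    date: str
    time: str
    status: str
    event: str
    user: str
    session: str
    identity_1: str
    identity_2: str
    cls: str
    resource: str
    details: str
    flags: Optional[str]
    trace: str

    @property
    def is_enterprise_user(self) -> bool:
        # "(OS user)" marks an enterprise accessor; an empty Audit Flags
        # column means an internal database user.
        return self.flags == "(OS user)"


def parse_trace_record(line: str) -> TraceRecord:
    m = TRACE_RE.match(line.rstrip("\n"))
    if m is None:
        raise ValueError("not a TRACE record: %r" % line)
    return TraceRecord(**m.groupdict())


def check_record(rec: TraceRecord) -> List[str]:
    """Return inconsistencies between the columns and the trace text."""
    problems = []
    m = RESULT_RE.search(rec.trace)
    if m is None:
        problems.append("trace text has no Result/stage clause")
        return problems
    if m.group("result") != rec.status:
        problems.append("Status %s disagrees with trace Result %s"
                        % (rec.status, m.group("result")))
    if m.group("stage") != rec.details:
        problems.append("Details %s disagrees with trace stage %s"
                        % (rec.details, m.group("stage")))
    return problems


def warning_mode_hits(lines) -> List[TraceRecord]:
    """Records permitted only because Warning mode is set: each is an
    access that an enforcing rule would have denied."""
    return [r for r in map(parse_trace_record, lines) if r.status == "W"]


if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        rec = parse_trace_record(line)
        print(rec.status, rec.cls, rec.resource, "stage", rec.details,
              "enterprise" if rec.is_enterprise_user else "internal",
              check_record(rec) or "consistent")
    for rec in warning_mode_hits(SAMPLE_RECORDS):
        print("WARNING MODE:", rec.user, "->", rec.cls, rec.resource)
```

The parser reads the non-detailed layout only; the detailed output shown in the examples adds Real User ID and Effective User ID columns on UNIX and replaces the stage number with its message, so it needs a different pattern. The consistency check is worth running on any exported log: a Status or Details column that disagrees with the Result and stage inside the trace text means the line was truncated, edited, or mis-split by whatever tool carried it.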