Untrust Message Event

Untrust events describe warning messages that the PAM Server Control Watchdog generates for events.
Audit records in this event have the following format:
Date Time Status Class Module Details MessageID/errno File
  • Date
    Identifies the date that the event occurred.
    Format: DD MMM YYYY
    Note: PAM Server Control Endpoint Management formats the date display according to your computer settings.
  • Time
    Identifies the time that the event occurred.
    Format: HH:MM:SS
    Note: PAM Server Control Endpoint Management formats the time display according to your computer settings.
  • Status
    Indicates untrust occurred.
    Value: U (Untrust)
  • Class
    Identifies the PAM Server Control class that the resource that triggered the Watchdog message belongs to.
    Values: PROGRAM or SECFILE
  • Module Name
    Displays the name of the PAM Server Control Watchdog.
    Value: seoswd
  • Details
    Indicates why the untrust event occurred.
    Note: The audit record that you see in a non-detailed seaudit output displays a number in this field. This number is known as the untrust reason code. In a detailed output or in PAM Server Control Endpoint Management, the audit record displays the message that is associated with the untrust reason code. For a complete list of password quality codes, run seaudit -t.
  • Message ID
    (UNIX only) Indicates the reason PAM Server Control untrusted the PROGRAM or SECFILE.
    Note: The audit record that you see in a non-detailed seaudit output displays a number in this field. This number is known as the status code and does not show in a detailed output or in PAM Server Control Endpoint Management. To understand the status code, run seaudit -Stat untrust_code. This field displays only if the authorization stage code is 1. In all other cases, the errno field displays instead.
  • errno
    Indicates the return value of the errno variable (the error code for the error condition).
    Values: Can be one of:
      0
        No error. This value is returned only if the authorization stage code is 1. In this case, the errno field is not displayed and the Message ID field displays instead.
      errno
        A non-zero integer that is the error.
    Note: To find out the meaning of the error, on UNIX, see the /usr/include/errno.h or /usr/include/sys/errno.h file on the local computer. On Windows, enter the following command on the local computer: net helpmsg errno
  • File
    Identifies the full pathname of the protected resource that triggered the Watchdog message.
Example: Untrust Message Event Message
The following audit record was taken from a detailed seaudit output.
18 Nov YYYY 14:01:18 U PROGRAM      seoswd                 1 11776 /tmp/testsuid
Event type: Untrust message
Class: PROGRAM
Module name: seoswd
Message ID: 11776
Date: 18 Nov YYYY
Time: 14:01
File: /tmp/testsuid
Details: Stat information changed on file system
Audit flags: AC database user
This audit record indicates that on November 15 of the specified year, the Watchdog marked the program /tmp/testsuid as untrusted (U). The program was untrusted because the file status information was modified (untrust reason code 1: File information changed on file system).
Example: Use seaudit -Stat to See Why a Program Was Untrusted (UNIX)
The following seaudit -Stat output shows you how you can get more detailed information about the Watchdog message ID that an audit record mentions.
# seaudit -Stat 11776
CA PAMSC seaudit v12.01.00.45 - Audit log lister
Copyright (c) YYYY CA. All rights reserved.
 
The MODE of the file was changed
The INODE of the file was changed
The SIZE of the file was changed
The MTIME of the file was changed
Running the seaudit -Stat command with the message ID displays a list of changes to the file. In this example, the MODE, INODE, SIZE, and MTIME of the file changed. As a result, PAM Server Control marked this file as an untrusted file.
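Added example (not part of the product documentation or the vendor's code): the following Python parses untrust records in the field order given above and groups them by protected file, so that each file's reason code and Message ID/errno value can be collected for lookup with seaudit -Stat or errno.h. The names UntrustEvent, parse_untrust and summarize are hypothetical, and the SECFILE sample line is constructed; the banner and the PROGRAM record are the ones shown on this page.

```python
import re
from collections import defaultdict
from typing import NamedTuple, Optional
# Field order on this page: Date Time Status Class Module Details MessageID/errno File
UNTRUST_RE = re.compile(
    r"^(?P<date>\d{1,2} [A-Za-z]{3} \S{4})\s+"  # DD MMM YYYY (year may be a placeholder)
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+"           # HH:MM:SS
    r"U\s+"                                     # Status: U (Untrust)
    r"(?P<cls>PROGRAM|SECFILE)\s+"              # Class
    r"(?P<module>\S+)\s+"                       # Module name, seoswd on this page
    r"(?P<reason>\d+)\s+"                       # Details: untrust reason code
    r"(?P<code>\d+)\s+"                         # Message ID or errno
    r"(?P<path>\S.*)$"                          # File: rest of line, may contain spaces
)

class UntrustEvent(NamedTuple):  # hypothetical name, not a product API
    date: str
    time: str
    cls: str
    module: str
    reason_code: int
    msgid_or_errno: int  # this field alone does not say which of the two it is
    path: str

def parse_untrust(line: str) -> Optional[UntrustEvent]:
    """Return the parsed untrust record, or None for any other line."""
    m = UNTRUST_RE.match(line.strip())
    if m is None:
        return None
    return UntrustEvent(m["date"], m["time"], m["cls"], m["module"],
                        int(m["reason"]), int(m["code"]), m["path"])

def summarize(lines):
    """Map each untrusted file to its sorted, de-duplicated (reason, code) pairs."""
    by_file = defaultdict(set)
    for line in lines:
        ev = parse_untrust(line)
        if ev is not None:
            by_file[ev.path].add((ev.reason_code, ev.msgid_or_errno))
    return {path: sorted(codes) for path, codes in by_file.items()}

SAMPLE = [
    "CA PAMSC seaudit v12.01.00.45 - Audit log lister",  # banner from this page, not a record
    "18 Nov YYYY 14:01:18 U PROGRAM      seoswd                 1 11776 /tmp/testsuid",  # from this page
    "18 Nov YYYY 14:05:02 U SECFILE      seoswd                 1 11776 /etc/my conf/hosts",  # constructed
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```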