Security Database Administration Event

Security database administration events describe actions performed by a Privileged Access Manager administrator or a sub-administrator with appropriate privileges that were intercepted by the product.
Audit records in the event have the following format:
Date Time Status Event Class Admin Details Reason Object Terminal Command AuditFlags
  • Date
    Identifies the date the event occurred.
    Format: DD MMM YYYY
    Privileged Access Manager Endpoint Management formats the date display according to your computer's settings.
  • Time
    Identifies the time the event occurred.
    Format: HH:MM:SS
    Privileged Access Manager Endpoint Management formats the time display according to your computer's settings.
  • Status
    Indicates the return code for the event.
    Values can be one of:
    • D (Denied): Denied the event because of insufficient authorization.
    • S (Success): Permitted the event.
    • F (Failed): Failed the event.
  • Event Type
    Identifies the type of event this record belongs to.
    Privileged Access Manager Endpoint Management refers to this field simply as Event.
  • Class
    Identifies the class that the resource being administered belongs to.
  • Administrator
    Identifies the name of the administrative user that executed the selang command.
  • Details
    Indicates at which stage Privileged Access Manager decided what action to take for this event.
    The audit record you see in a non-detailed seaudit output displays a number in this field. This number is known as the authorization stage code. In a detailed output or in Privileged Access Manager Endpoint Management, the audit record displays the message associated with the authorization stage code. For a complete list of stage codes, run seaudit -t.
  • Reason
    Indicates the reason that Privileged Access Manager wrote an audit record.
    This field does not display in a detailed seaudit output or in Privileged Access Manager Endpoint Management. The audit record you see in a non-detailed seaudit output displays a number in this field. This number is known as the reason code. For a complete list of reason codes, run seaudit -t.
  • Object
    Identifies the name of the resource that is being administered.
  • Terminal
    Identifies the name of the terminal that the accessor used to connect to the host.
    If the command originated from a parent policy model, this field displays the fully qualified PMD name.
  • Command
    Displays the selang command that the user executed.
  • Audit Flags
    Indicates whether the accessor is internal (Privileged Access Manager database user) or an enterprise user.
    If the accessor is an enterprise user, the audit record you see in a non-detailed seaudit output displays the string "(OS user)" in this field. Otherwise, this field remains empty.
  • Command type
    Identifies the type of the database administration command that this event describes.
    Values can be one of:
    • Add user: For newusr command
    • Add group: For newgrp command
    • Add resource: For newres or newfile commands
    • Modify user: For chusr command
    • Modify group: For chgrp command
    • Modify group membership: For join command
    • Modify resource: For chres command
    • Modify resource access: For authorize command
    • Remove user: For rmusr command
    • Remove group: For rmgrp command
    • Remove resource: For rmres or rmfile commands
    • Set options: For setoptions command
    • Add/Modify user: For editusr command
    • Add/Modify group: For editgrp command
    • Add/Modify resource: For editres or editfile commands
    • Administrative command: For other commands
Example: Security Database Administration Event Message
The following audit record was taken from a detailed seaudit output.
05 Nov 2008 15:45:12 S UPDATE FILE DOMAIN_NAME\computer 305 0 dfdok computer.com cr file dfdok defacc(r)
Event type: Security database administration
Command type: Modify resource
Status: Successful
Administrator: DOMAIN_NAME\computer
Class: FILE
Object: dfdok
Terminal: computer.com
Date: 05 Nov 2008
Time: 15:45
Details: Command successful for ADMIN user.
Command: cr file dfdok defacc(r)
Audit flags: AC database user
This audit record indicates that on November 5th 2008, Privileged Access Manager permitted an administrator to update a file by executing the command cr file dfdok defacc(r) on the protected host while logged in from the terminal computer.com (authorization stage code 305: Command allowed for ADMIN user).
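The following parser for the one-line (non-detailed) record is an added example, not code from the product or its documentation. It assumes fields are separated by single spaces, that administrator, object and terminal names contain no spaces, and that "(OS user)" appears at the end of the line; the second sample record and its stage and reason codes are constructed.

```python
import re
from datetime import datetime

# Command-type table from this page; "cr" is the form used in the page's sample record.
# Assumption: any command name not listed here is reported as "Administrative command".
COMMAND_TYPES = {
    "newusr": "Add user", "newgrp": "Add group",
    "newres": "Add resource", "newfile": "Add resource",
    "chusr": "Modify user", "chgrp": "Modify group",
    "join": "Modify group membership",
    "chres": "Modify resource", "cr": "Modify resource",
    "authorize": "Modify resource access",
    "rmusr": "Remove user", "rmgrp": "Remove group",
    "rmres": "Remove resource", "rmfile": "Remove resource",
    "setoptions": "Set options",
    "editusr": "Add/Modify user", "editgrp": "Add/Modify group",
    "editres": "Add/Modify resource", "editfile": "Add/Modify resource",
}
STATUS = {"D": "Denied", "S": "Success", "F": "Failed"}

# Date Time Status Event Class Admin Details Reason Object Terminal Command AuditFlags
RECORD = re.compile(
    r"(?P<date>\d{2} \w{3} \d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<status>[DSF]) "
    r"(?P<event>\S+) (?P<cls>\S+) (?P<admin>\S+) (?P<stage>\d+) (?P<reason>\d+) "
    r"(?P<object>\S+) (?P<terminal>\S+) (?P<command>.+?)(?P<os_user> \(OS user\))?$"
)

PAGE_SAMPLE = r"05 Nov 2008 15:45:12 S UPDATE FILE DOMAIN_NAME\computer 305 0 dfdok computer.com cr file dfdok defacc(r)"
# Constructed record: names, event and the 0/0 codes are placeholders, not real output.
CONSTRUCTED_DENIED = "06 Nov 2008 09:12:40 D DELETE USER jdoe 0 0 olduser host1.example.com rmusr olduser (OS user)"

def parse_record(line):
    """Split one non-detailed record into named fields and classify its command."""
    m = RECORD.match(line.strip())
    if m is None:
        raise ValueError("not a database administration record: %r" % line)
    rec = m.groupdict()
    stamp = rec.pop("date") + " " + rec.pop("time")
    rec["timestamp"] = datetime.strptime(stamp, "%d %b %Y %H:%M:%S")
    rec["status"] = STATUS[rec["status"]]
    rec["stage"], rec["reason"] = int(rec["stage"]), int(rec["reason"])
    rec["enterprise_user"] = rec.pop("os_user") is not None
    verb = rec["command"].split()[0].lower()
    rec["command_type"] = COMMAND_TYPES.get(verb, "Administrative command")
    return rec

def needs_review(lines):
    """Return parsed records whose status is Denied or Failed."""
    return [r for r in map(parse_record, lines) if r["status"] != "Success"]
```

The numeric stage and reason codes are kept as integers so they can be joined against the list printed by seaudit -t.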