Security Database Administration Event
Security database administration events describe actions performed by a Privileged Access Manager administrator or a sub-administrator with appropriate privileges that were intercepted by the product. Audit records in the event have the following format:
Date Time Status Event Class Admin Details Reason Object Terminal Command AuditFlags
- Date: Identifies the date the event occurred. Format: DD MMM YYYY. Privileged Access Manager Endpoint Management formats the date display according to your computer's settings.
- Time: Identifies the time the event occurred. Format: HH:MM:SS. Privileged Access Manager Endpoint Management formats the time display according to your computer's settings.
- Status: Indicates the return code for the event. Values can be one of:
  - D (Denied): Denied the event because of insufficient authorization.
  - S (Success): Permitted the event.
  - F (Failed): The event failed.
- Event Type: Identifies the type of event this record belongs to. Privileged Access Manager Endpoint Management refers to this field simply as Event.
- Class: Identifies the class that the resource being administered belongs to.
- Administrator: Identifies the name of the administrative user that executed the selang command.
- Details: Indicates at which stage Privileged Access Manager decided what action to take for this event. The audit record you see in a non-detailed seaudit output displays a number in this field. This number is known as the authorization stage code. In a detailed output or in Privileged Access Manager Endpoint Management, the audit record displays the message associated with the authorization stage code. For a complete list of stage codes, run seaudit -t.
- Reason: Indicates the reason that Privileged Access Manager wrote an audit record. This field does not display in a detailed seaudit output or in Privileged Access Manager Endpoint Management. The audit record you see in a non-detailed seaudit output displays a number in this field. This number is known as the reason code. For a complete list of reason codes, run seaudit -t.
- Object: Identifies the name of the resource that is being administered.
- Terminal: Identifies the name of the terminal that the accessor used to connect to the host. If the command originated from a parent policy model, this field displays the fully qualified PMD name.
- Command: Displays the selang command that the user executed.
- Audit Flags: Indicates whether the accessor is internal (a Privileged Access Manager database user) or an enterprise user. If the accessor is an enterprise user, the audit record you see in a non-detailed seaudit output displays the string "(OS user)" in this field. Otherwise, this field remains empty.
- Command type: Identifies the type of the database administration command that this event describes. Values can be one of:
  - Add user: For the newusr command
  - Add group: For the newgrp command
  - Add resource: For the newres or newfile commands
  - Modify user: For the chusr command
  - Modify group: For the chgrp command
  - Modify group membership: For the join command
  - Modify resource: For the chres command
  - Modify resource access: For the authorize command
  - Remove user: For the rmusr command
  - Remove group: For the rmgrp command
  - Remove resource: For the rmres or rmfile commands
  - Set options: For the setoptions command
  - Add/Modify user: For the editusr command
  - Add/Modify group: For the editgrp command
  - Add/Modify resource: For the editres or editfile commands
  - Administrative command: For other commands
Example: Security Database Administration Event Message
The following audit record was taken from a detailed seaudit output.
05 Nov 2008 15:45:12 S UPDATE FILE DOMAIN_NAME\computer 305 0 dfdok computer.com cr file dfdok defacc(r)
Event type: Security database administration
Command type: Modify resource
Status: Successful
Administrator: DOMAIN_NAME\computer
Class: FILE
Object: dfdok
Terminal: computer.com
Date: 05 Nov 2008
Time: 15:45
Details: Command successful for ADMIN user.
Command: cr file dfdok defacc(r)
Audit flags: AC database user

This audit record indicates that on November 5th 2008, Privileged Access Manager denied access from an administrator attempting to update a file by executing the command cr file dfdok defacc(r) on the protected host, logging from the terminal computer.com (authorization stage code 305, Command allowed for ADMIN user).
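A parser for the non-detailed record layout described above, added here as an example; it is not part of the product documentation or of the seaudit tool. It assumes the field order given in the format line, with the optional "(OS user)" audit flag trailing the free-text command; the two extra sample lines and their stage and reason codes are constructed placeholders, not values from seaudit -t.

```python
import re

# Status codes as documented: D, S, F.
STATUS = {"D": "Denied", "S": "Success", "F": "Failed"}

# Non-detailed layout: Date (3 tokens) Time Status Event Class Admin Details Reason Object Terminal Command [AuditFlags].
# The command is free text, so it is matched lazily and the optional "(OS user)" flag is peeled off the end.
RECORD_RE = re.compile(
    r"^(?P<date>\d{2} [A-Za-z]{3} \d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<status>[DSF]) (?P<event>\S+) (?P<cls>\S+) (?P<admin>\S+) "
    r"(?P<stage>\d+) (?P<reason>\d+) (?P<obj>\S+) (?P<terminal>\S+) "
    r"(?P<command>.*?)(?: (?P<flags>\(OS user\)))?$"
)

def parse_record(line: str) -> dict:
    """Split one non-detailed seaudit line into named fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a security database administration record: {line!r}")
    rec = m.groupdict()
    rec["status"] = STATUS[rec["status"]]                  # D/S/F -> Denied/Success/Failed
    rec["stage"] = int(rec["stage"])                       # authorization stage code (see seaudit -t)
    rec["reason"] = int(rec["reason"])                     # reason code (see seaudit -t)
    rec["enterprise_user"] = rec.pop("flags") is not None  # "(OS user)" present -> enterprise user
    return rec

def denied_admin_commands(lines):
    """Return (admin, terminal, command) for every record whose status is D (Denied)."""
    return [
        (rec["admin"], rec["terminal"], rec["command"])
        for rec in map(parse_record, lines)
        if rec["status"] == "Denied"
    ]

# Constructed sample input: the page's own record, plus two lines invented for this example.
# Stage and reason codes on the invented lines are placeholders, not real seaudit codes.
SAMPLE = [
    r"05 Nov 2008 15:45:12 S UPDATE FILE DOMAIN_NAME\computer 305 0 dfdok computer.com cr file dfdok defacc(r)",
    r"05 Nov 2008 15:47:03 D UPDATE USER DOMAIN_NAME\alice 999 9 bob computer.com chusr bob audit(all) (OS user)",
    r"05 Nov 2008 15:48:30 F UPDATE GROUP DOMAIN_NAME\alice 999 9 ops computer.com newgrp ops",
]

if __name__ == "__main__":
    for rec in map(parse_record, SAMPLE):
        print(rec["status"], rec["admin"], rec["command"])
    print("denied:", denied_admin_commands(SAMPLE))
```

Feeding the parsed records into a SIEM lets you alert on Denied status or on enterprise-user (OS user) accessors issuing administrative selang commands.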