Untrust Message Event
Untrust events describe warning messages that the Privileged Access Manager Watchdog generates for events. Audit records in this event have the following format:
Date Time Status Class Module Details MessageID/errno File
- Date
  Identifies the date that the event occurred.
  Format: DD MMM YYYY
  Note: Privileged Access Manager Endpoint Management formats the date display according to your computer settings.
- Time
  Identifies the time that the event occurred.
  Format: HH:MM:SS
  Note: Privileged Access Manager Endpoint Management formats the time display according to your computer settings.
- Status
  Indicates untrust occurred.
  Value: U (Untrust)
- Class
  Identifies the Privileged Access Manager class that the resource that triggered the Watchdog message belongs to.
  Values: PROGRAM or SECFILE
- Module Name
  Displays the name of the Privileged Access Manager Watchdog.
  Value: seoswd
- Details
  Indicates why the untrust event occurred.
  Note: The audit record that you see in a non-detailed seaudit output displays a number in this field. This number is known as the untrust reason code. In a detailed output or in Privileged Access Manager Endpoint Management, the audit record displays the message that is associated with the untrust reason code. For a complete list of password quality codes, run seaudit -t.
- Message ID
  (UNIX only) Indicates the reason Privileged Access Manager untrusted the PROGRAM or SECFILE.
  Note: The audit record that you see in a non-detailed seaudit output displays a number in this field. This number is known as the status code and does not show in a detailed output or in Privileged Access Manager Endpoint Management. To understand the status code, run seaudit -Stat untrust_code. This field displays only if the authorization stage code is 1. In all other cases, the errno field displays instead.
- errno
  Indicates the return value of the errno variable (the error code for the error condition).
  Values: can be one of:
  - 0: No error. This value is returned only if the authorization stage code is 1. In this case, the errno field is not displayed and the Message ID field displays instead.
  - errno: A non-zero integer that is the error.
  Note: To find out the meaning for the error, on UNIX, see the /usr/include/errno.h or /usr/include/sys/errno.h file on the local computer. On Windows, enter the following command on the local computer: net helpmsg errno
- File
  Identifies the full pathname of the protected resource that triggered the Watchdog message.
Example: Untrust Message Event Message
The following audit record was taken from a detailed seaudit output.
18 Nov YYYY 14:01:18 U PROGRAM seoswd 1 11776 /tmp/testsuid
Event type: Untrust message
Class: PROGRAM
Module name: seoswd
Message ID: 11776
Date: 18 Nov YYYY
Time: 14:01
File: /tmp/testsuid
Details: Stat information changed on file system
Audit flags: AC database user
This audit record indicates that on November 15 of the specified year, the Watchdog marked the program /tmp/testsuid as untrusted (U). The program was untrusted because the file status information was modified (untrust reason code 1, File information changed on file system).
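As an added example (not part of the product documentation), the following Python code parses non-detailed records in the column order listed above and groups Watchdog untrust events by protected file. It assumes whitespace-separated fields and the DD MMM YYYY date form; the sample lines, the year 2024 and the names parse_untrust and summarize are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

CLASSES = {"PROGRAM", "SECFILE"}   # classes the page lists for untrust events
REASONS = {1: "Stat information changed on file system"}  # only code shown on the page

@dataclass
class Untrust:
    date: str
    time: str
    resource_class: str
    reason_code: int   # "Details" column (untrust reason code)
    code: int          # "MessageID/errno" column, kept opaque here
    path: str

def parse_untrust(line: str) -> Optional[Untrust]:
    """Parse one non-detailed record; None if it is not a Watchdog untrust event."""
    parts = line.strip().split(None, 9)   # date is 3 tokens; path keeps its spaces
    if len(parts) != 10:
        return None
    day, mon, year, time, status, cls, module, details, code, path = parts
    if status != "U" or cls not in CLASSES or module != "seoswd":
        return None
    if not (re.fullmatch(r"\d{2}:\d{2}:\d{2}", time)
            and details.isdigit() and code.isdigit()):
        return None
    return Untrust(f"{day} {mon} {year}", time, cls, int(details), int(code), path)

def summarize(lines: Iterable[str]) -> dict:
    """Map each untrusted path to the (reason, MessageID/errno) pairs seen for it."""
    out: dict = {}
    for line in lines:
        ev = parse_untrust(line)
        if ev:
            reason = REASONS.get(ev.reason_code, f"reason code {ev.reason_code}")
            out.setdefault(ev.path, []).append((reason, ev.code))
    return out

# Constructed sample input: the page's record with a made-up year, plus two
# constructed lines (a path containing a space, and a non-untrust line).
SAMPLE = [
    "18 Nov 2024 14:01:18 U PROGRAM seoswd 1 11776 /tmp/testsuid",
    "18 Nov 2024 14:05:02 U SECFILE seoswd 2 13 /opt/app/conf/my app.cfg",
    "18 Nov 2024 14:06:40 X OTHER something else 0 0 /etc/example",
]

if __name__ == "__main__":
    for path, hits in summarize(SAMPLE).items():
        print(path, hits)
```

Reason codes not shown on this page are reported by number only; look them up with seaudit as described above.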
Example: Use seaudit -Stat to See Why a Program Was Untrusted (UNIX)
The following seaudit -Stat output shows you how you can get more detailed information about the Watchdog message ID that an audit record mentions.
# seaudit -Stat 11776
CA PAMSC seaudit v12.01.00.45 - Audit log lister
Copyright (c) YYYY CA. All rights reserved.
The MODE of the file was changed
The INODE of the file was changed
The SIZE of the file was changed
The MTIME of the file was changed
Running the seaudit -Stat command with the message ID displays a list of changes to the file. In this example, the MODE, INODE, SIZE, and MTIME of the file changed. As a result, Privileged Access Manager marked this file as an untrusted file.