Auditing
TDM Professional supports auditing security events and exporting these events to a file. Logging is enabled using the Security logging policy option.
Logs are exported using the menu option Export security logs.
Security Events
Event tag |
Description |
Details |
|---|---|---|
|
Indicates that a file was pulled from the device
via the adb daemon, for example via
adb pull |
file |
|
Indicates that a file was pushed from the device
via the adb daemon, for example via
adb push |
file |
|
Indicates that an ADB interactive shell was
opened via “adb shell”
|
|
|
Indicates that a shell command was issued over
ADB via
adb shell <command> |
cmd |
|
Indicates that an app process was started. |
process,startTime,appUid,appPid,seInfo,apkSha256Hash |
|
Indicates that a new root certificate has been
installed into system’s trusted credential
storage.
|
result,subject,userId |
|
Indicates that a root certificate has been
removed from the system’s trusted credential
storage.
|
result,subject,userId |
|
Indicates that the admin has set policy to
disable camera.
|
adminPkgName,adminUid,targetUid,isDisabled |
|
Indicates a failure to validate X.509v3
certificate.
|
|
|
Indicates that cryptographic functionality self
test has completed.
|
|
|
Indicates that a cryptographic key was destroyed.
|
result,alias,requestingPid |
|
Indicates that a cryptographic key was generated.
|
result,alias,requestingPid |
|
Indicates that a cryptographic key was imported.
|
result,alias,requestingPid |
|
Indicates a failed cryptographic key integrity check. |
alias,ownerAppUid |
|
Indicates that an admin has set disabled keyguard
features.
|
adminPkgName,adminUserId,targetUserId,disabledKeyguardFeatures, |
|
Indicates that keyguard has been dismissed. This
event is only logged if the device has a secure
keyguard. It is logged regardless of how keyguard
is dismissed, including via PIN/pattern/password,
biometrics or via a trust agent.
|
|
|
Indicates that there has been an authentication
attempt to dismiss the keyguard.
|
attempt,wasStrongMethod |
|
Indicates that the device has been locked,
either by the user or by a timeout.
|
|
|
Indicates start-up of audit logging. |
|
|
Indicates shutdown of audit logging. |
|
|
Indicates that the audit log buffer has reached 90%
of its capacity.
|
|
|
Indicates that an admin has set a maximum
number of failed password attempts before
wiping data.
|
adminPkgName,adminUid,targetUid,maxPasswordAttempts |
|
Indicates that an admin has set a maximum
screen lock timeout.
|
adminPkgName,adminUid,targetUid,screenLockTimeoutMs |
|
Indicates that removable media has been
mounted on the device
|
mountPoint,volumeLabel |
|
Indicates that removable media was unmounted
from the device.
|
mountPoint,volumeLabel |
|
Indicates that the Android OS has shutdown. |
|
|
Indicates that the Android OS has started. |
verifiedBootState,dmVerityMode |
|
Indicates that a user has just changed their
lockscreen password.
|
passwordComplexity,targetUid |
|
Indicates that an admin has set a requirement
for password complexity.
|
adminPkgName,adminUid,targetUid,minPasswordLength,passwordQualityConstraint,minNumberLetters,minNumberNonLetters,minNumberDigits,minNumberUppercase,minNumberLowercase,minNumberSymbol |
|
Indicates that an admin has set a password
complexity requirement, using the platform’s
pre-defined complexity levels.
|
adminPkgName,adminUid,targetUid,passwordComplexity |
|
Indicates that an admin has set a password
expiration timeout.
|
adminPkgName,adminUid,targetUid,passwordExpirationMs |
|
Indicates that an admin has set a password
history length.
|
adminPkgName,adminUid,targetUid,passwordHistoryLength |
|
Indicates that an admin remotely locked the
device or profile.
|
adminPkgName,adminUid,targetUid |
|
Indicates that an admin has set a user
restriction.
|
adminPkgName,adminUid,userRestriction |
|
Indicates that an admin has removed a user
restriction.
|
adminPkgName,adminUid,userRestriction |
|
Indicates a failure to wipe device or user data. |