A program was being blocked from being executed while PIM/PAMSC was running. Using the seretrust command showed it had become untrusted. What seaudit records would identify when the program was untrusted and the reason why?

Privileged Identity Manager 12.8
PAM Server Control 14.x

When a program has been altered, PIM/PAMSC will untrust it and prevent it from being executed. To determine why this has happened, use the seaudit utility to list the event and look up the watchdog code. In the seaudit output, untrust events contain "U PROGRAM" in the line.

EXAMPLE:
# seaudit -a | grep 'U PROGRAM'
30 Jun 2015 11:24:56 U PROGRAM      seoswd                 1 8704 /bin/su                
30 Jun 2015 11:25:36 U PROGRAM      seoswd                 1 8192 /opt/CA/AccessControl/bin/sebuildla

The audit code for any untrust event will be 1 and the seoswd code will be next to it. In the examples above, the seoswd codes are 8704 and 8192. To look up the meaning of the seoswd codes, use seaudit with the -St or -Stat option.

EXAMPLE:
# seaudit -St 8192
The INODE of the file was changed
# seaudit -St 8704
The INODE of the file was changed
The MTIME of the file was changed

In this example, the INODE of each file was changed. In addition, the MTIME of /bin/su was changed.