When a program has been altered, PIM will untrust it and prevent it from being run. To determine why this has happened, use the seaudit utility to list the event and look up the watchdog code. In the seaudit output, untrust events contain "U PROGRAM" in the line.
# seaudit -a | grep 'U PROGRAM'
30 Jun 2015 11:24:56 U PROGRAM seoswd 1 8704 /bin/su
30 Jun 2015 11:25:36 U PROGRAM seoswd 1 8192 /opt/CA/AccessControl/bin/sebuildla
The audit code for any untrust event will be 1 and the seoswd code will be next to it. In the examples above, the seoswd codes are 8704 and 8192. To look up the meaning of the seoswd codes, use seaudit with the -St or -Stat option.
# seaudit -St 8192
The INODE of the file was changed
# seaudit -St 8704
The MTIME of the file was changed
In this example, the INODE of each file was changed. In addition, the MTIME of /bin/su was changed.