Endpoint Administration Guide for Windows › Monitoring and Auditing › The Auditing Process › How Auditing Works for Interception Events

How Auditing Works for Interception Events

An interception event is an event that CA ControlMinder encounters for the first time and for which no authorization information or audit information exists in the kernel cache.

To log audit records, CA ControlMinder performs the following actions and causes these effects for an interception event:

• In No Enforcement mode, events are not intercepted or audited.
• In Full Enforcement mode, CA ControlMinder does the following:
  1. The authorization engine places an audit item based on the authorization result in the audit queue and in the audit cache.

     CA ControlMinder writes an audit item only if the audit property for the resource or accessor is set to audit the resulting event and the audit filter file is not set to filter this event.

  2. The authorization engine returns an informative answer on the authorization result and the audit related information to the kernel.
• In Audit Only mode, CA ControlMinder does not process the request for authorization. Audit information is always written, regardless of the audit property of the resource and user.

  CA ControlMinder writes an audit item only if the audit filter file is not set to filter this event. The authorization result in this mode is always P (permitted).

Note: Intercepted login events (TERMINAL class), and audit records generated by user traces, are not cached; the authorization engine always writes audit records for these events.