Endpoint Administration Guide for Windows › Monitoring and Auditing › What CA ControlMinder Audits

What CA ControlMinder Audits

For security auditing, CA ControlMinder keeps audit records for intercepted events according to the audit rules defined in the database and the enforcement mode it operates in. The records in the audit log accumulate according to these audit rules.

Full auditing provides audit records for all intercepted events of any of the following:

• File access (FILE class)
• Program execution (PROGRAM class)
• Registry access (REGKEY and REGVAL classes).
• Impersonation control (SURROGATE class)
• Network control (CONNECT, TCP, HOST, GHOST, HOSTNET, and HOSTNP classes)
• Log in (TERMINAL class)

  Note: Intercepted login events are not cached; they always follow the auditing process for interception events.

• Service protection (WINSERVICE class)
• Password verification failure (PASSWORD class)
• Process termination (PROCESS class)

The decision whether to log an event depends on the CA ControlMinder interception mode.