Endpoint Administration Guide for Windows › Monitoring and Auditing › Events Interception › Types of Intercepted Events

Types of Intercepted Events

CA ControlMinder intercepts two types of events:

• Interception Events An interception event is an event that CA ControlMinder encounters for the first time and for which no authorization information or audit information exists in the kernel cache.

  Information from an interception event is cached as part of the process for future use by an audit event.

• Audit Events An audit event is an event for which the kernel cache has enough information to process for auditing purposes; it is also known as a cached intercepted event. An audit event is the result of an interception event being cached.

Interception Modes

Based on the interception mode, CA ControlMinder intercepts, checks for authorization, and logs audit records of access request events. CA ControlMinder has the following modes of interception:

• Full Enforcement mode Full Enforcement mode is the normal operation mode for CA ControlMinder. In this mode, CA ControlMinder intercepts events and enforces the access rules written to the database.
• Audit Only mode Audit Only mode records all intercepted events without checking or enforcing access rules.
• No Interception mode No Interception mode disables CA ControlMinder event interception. In this mode, CA ControlMinder does not intercept events or enforce access rules.

Note: Warning mode Warning Mode is a property that you can apply to a resource, and an option that you can apply to a class. If Warning mode is applied to a resource or a class and an access violates an access rule, CA ControlMinder writes an audit log entry with the return code W, but permits the access to the resource. If a class is in Warning mode, all the resources in that class are in Warning mode. is not an interception mode; it works in Full Enforcement mode only and is designed for short term use during implementation.