For security auditing, CA ControlMinder keeps audit records for intercepted events according to the audit rules defined in the database and the enforcement mode it operates in. The records in the audit log accumulate according to these audit rules.
Full auditing provides audit records for all intercepted events of any of the following:
Note: Intercepted login events are not cached; they always follow the auditing process for interception events.
The decision whether to log an event depends on the CA ControlMinder interception mode.
Login interception on Windows is supported only by the CA ControlMinder sub-authentication method.
You cannot set login interception through the kernel. As a result, you should consider the following:
For example, if you would like to protect or audit login events made by domain users on a file server, which is part of the Windows domain but is not a DC, the CA ControlMinder login policy needs to be defined on the DC and not on the target file server. This is because when a domain user accesses the shared file directory, a login authorization occurs on the DC, not the file server.
You can implement this either through the Policy Model mechanism, where all DCs are subscribers to a PMDB, or by adding all DCs to a host group and deploying a common policy using advanced policy management.
That said, it is possible that, for example, the value of the user's Last access time property differs between DCs, because CA ControlMinder sub-authentication was triggered on one of the DCs and not on all of them.
Copyright © 2013 CA Technologies.
All rights reserved.