

The Auditing Process

To configure CA ControlMinder for your auditing requirements, you must first understand how auditing works. Auditing lets you keep track of the access requests (events) that CA ControlMinder intercepts. You can use this data to meet compliance requirements, to analyze and refine your access rules for your security requirements, or to monitor access requests.

The process CA ControlMinder follows to record audit events in the log depends on the type of event it intercepts:

Note: CA ControlMinder intercepts an event only if the appropriate class is active, and the database contains a rule anticipating this event.

How Auditing Works for Interception Events

An interception event is an event that CA ControlMinder encounters for the first time and for which no authorization information or audit information exists in the kernel cache.

To log audit records, CA ControlMinder performs the following actions and causes these effects for an interception event:

The diagram describes how auditing works for interception events

Note: Intercepted login events (TERMINAL class) and audit records generated by user traces are not cached; the authorization engine always writes audit records for these events.