

Kernel and Audit Caches

The kernel cache contains data about previously intercepted events. The kernel identifies such cached intercepted events (audit events) and sends them to CA ControlMinder for processing. Essentially, CA ControlMinder uses the kernel cache to intercept events that follow the same pattern as a previously intercepted event.

The audit cache contains data that lets CA ControlMinder reconstruct recurring audit records and send them to the audit queue without going through the authorization process. As a result, intercepted events for which enough information already exists in the cache (audit events) are processed quickly and added to the audit queue. The authorization engine provides the data stored in the kernel and audit caches, taking it from the result of the initial event it intercepted (the interception event).