Setting Up Audit Procedures

CA ControlMinder keeps audit records for events of access denial and access grants according to the audit rules defined in the database. The decision whether to log a certain event is based on the following rules:

Only a system auditor, a user to whom the AUDITOR attribute is assigned, can perform auditing tasks such as changing the auditing attribute that is assigned to users and resources.

If a resource is in warning mode, any access that violates access rules for the resource results in a warning mode audit record, which states that CA ControlMinder permitted access to the resource.

The audit records are stored in a file called the audit log (seos.audit). The location of the audit log is specified in the registry, as is the location of the error log.

The audit log (and also the error log) is specified under the following registry key:

HKEY_LOCAL_MACHINE\Software\ComputerAssociates\AccessControl\logmgr

The audit log is a binary file and cannot be edited or changed. However, you can use CA ControlMinder Endpoint Management to view recorded events, to filter out events by time restrictions or event type, and so forth. (You can also use the seaudit utility to accomplish these same tasks.)

Consider archiving (backing up) old audit logs and error logs to let you scan the events at a later date.
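
One way to act on the archiving advice above, as an added PowerShell example that is not CA's code: it reads the logmgr key, copies every file that a string value there points to into a timestamped folder, and records SHA-256 hashes so later changes to the archived copies can be detected. It assumes the log locations are stored as string values holding file paths; D:\AuditArchive is a placeholder destination.

```powershell
# Added example, not CA code. Archives the files referenced under the logmgr
# key and writes a SHA-256 manifest beside the copies.
# Assumptions: log locations are string values holding file paths;
# D:\AuditArchive is a placeholder destination.
param(
    [string]$KeyPath     = 'HKLM:\Software\ComputerAssociates\AccessControl\logmgr',
    [string]$ArchiveRoot = 'D:\AuditArchive'
)
$ErrorActionPreference = 'Stop'

function Get-LogPathsFromKey {
    param([string]$Path)
    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        $data = $key.GetValue($name)   # REG_EXPAND_SZ data is expanded here
        # Keep only string values that point at a file that exists on disk.
        if ($data -is [string] -and $data -and
            (Test-Path -LiteralPath $data -PathType Leaf)) {
            [pscustomobject]@{ ValueName = $name; File = $data }
        }
    }
}

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $ArchiveRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $dest -Force | Out-Null

$manifest = @(foreach ($entry in Get-LogPathsFromKey -Path $KeyPath) {
    $copy = Join-Path $dest (Split-Path -Leaf $entry.File)
    Copy-Item -LiteralPath $entry.File -Destination $copy
    $src = Get-FileHash -LiteralPath $entry.File -Algorithm SHA256
    $dst = Get-FileHash -LiteralPath $copy -Algorithm SHA256
    # A live log can grow between copy and hash; report a mismatch instead of hiding it.
    [pscustomobject]@{
        ValueName     = $entry.ValueName
        Source        = $entry.File
        Archived      = $copy
        SHA256        = $dst.Hash
        MatchesSource = ($src.Hash -eq $dst.Hash)
    }
})

if ($manifest.Count -eq 0) {
    Write-Warning "No existing log files are referenced under $KeyPath"
} else {
    $manifest | Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation
    $manifest | Format-Table ValueName, Archived, MatchesSource -AutoSize
}
```

Store the manifest on a system that endpoint administrators cannot write to, so the hashes remain useful as an integrity reference.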