Advanced monitoring

The Centrify Audit & Monitoring Service captures input and output for audited users and commands and then uses this information to provide a history of executed commands.

However, you may want to gather additional information about which users and what programs are accessing or modifying production systems. For example, you may want to know when any user runs a highly privileged program, even if the user runs it from a script or by modifying system configuration files. You can use advanced monitoring to capture these kinds of activities.

One of the big differences in advanced monitoring is that you can track when any user performs a particular activity, not just an audited user.

Advanced monitoring uses the Linux system auditing tools to capture the following user and program activity:

Use case: When any user executes a particular program, not just audited users.

Where to review the user activity:

  • Audit Analyzer
  • Linux agent syslog
  • Monitored Execution report
  • Monitored Execution List

Are audit trail events generated for this activity? Yes

Use case: When any user (not just audited users) attempts to modify system configuration files in monitored directories specified by an administrator.

Where to review the user activity:

  • Audit Analyzer
  • Linux agent syslog
  • File Monitor report

Are audit trail events generated for this activity? Yes

Use case: Which programs are executed in an audited session, regardless of how the program is invoked, whether it's run by way of a script, the use of a command alias, and so forth.

Where to review the user activity:

  • Audit Analyzer
  • Detailed Execution report

Are audit trail events generated for this activity? No. There would be too many events for the information to be useful.
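
The three use cases above, mapped onto stock Linux auditd records, as an added example that is not Centrify's code, rules or output. The program list, directory list, session IDs, rule keys and log lines are all constructed assumptions; the point is that auid (the login UID) attributes the activity to a user even when the program runs as root.

```python
import posixpath
import re
from collections import defaultdict

# Assumptions for illustration only (not Centrify settings):
MONITORED_PROGRAMS = {"/usr/sbin/fdisk"}
MONITORED_DIRS = ("/etc/",)
AUDITED_SESSIONS = {"7"}  # ses= values of sessions treated as audited

# Constructed records in stock auditd log format.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 auid=1001 uid=0 ses=7 comm="fdisk" exe="/usr/sbin/fdisk" key="mon_exec"
type=SYSCALL msg=audit(1700000005.220:502): arch=c000003e syscall=257 success=yes exit=3 auid=1002 uid=0 ses=9 comm="vi" exe="/usr/bin/vi" key="mon_file"
type=PATH msg=audit(1700000005.220:502): item=0 name="/etc/ssh/sshd_config" nametype=NORMAL
type=SYSCALL msg=audit(1700000009.004:503): arch=c000003e syscall=59 success=yes exit=0 auid=1001 uid=1001 ses=7 comm="ls" exe="/usr/bin/ls" key=(null)
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')

def parse(log):
    """Group records that share an audit event ID into one dict of fields."""
    events = defaultdict(lambda: {"paths": []})
    for line in log.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        ev = events[m.group(2)]
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if fields.get("type") == "PATH":
            ev["paths"].append(fields.get("name", ""))
        elif fields.get("type") == "SYSCALL":
            ev.update(fields)
    return events

def classify(ev):
    """Return the use cases from the list above that this event falls under."""
    hits = []
    is_exec = ev.get("syscall") == "59"  # execve on x86_64
    if is_exec and ev.get("exe") in MONITORED_PROGRAMS:
        hits.append("monitored-execution")
    if any((posixpath.normpath(p) + "/").startswith(MONITORED_DIRS) for p in ev["paths"]):
        hits.append("file-monitor")  # success is not checked: attempts count too
    if is_exec and ev.get("ses") in AUDITED_SESSIONS:
        hits.append("detailed-execution")
    return hits

def report(log):
    return {eid: (ev.get("auid"), ev.get("exe"), classify(ev))
            for eid, ev in parse(log).items()}
```

Calling report(SAMPLE_LOG) returns one entry per audit event ID with the login UID, the executable and the matching use cases.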