Agent components on audited UNIX computers

To enable auditing for Linux and UNIX computers, you must install the Centrify Agent for *NIX on the computers you want to audit and make sure the computers are joined to an Active Directory domain. Joining a domain is required to ensure that authentication and authorization services are provided by Active Directory. To enable auditing on a computer, the Centrify Agent for *NIX includes the following components:

  • dad—the core auditing service that collects the audit data and either sends it to a collector or spools it locally until a collector is available.
  • cdash—the UNIX shell wrapper that intercepts all user traffic and sends it to the dad process.
  • dacontrol, dainfo, dareload, and other command-line programs that enable you to manage agent operations from a login shell.
  • dax—the audit service that records graphical user interface sessions on xWindows computers. Consult the release notes for which xWindows versions are supported.

If you're auditing only shell sessions on a UNIX computer: after you enable auditing on a computer, the agent captures all output (stdout), error messages (stderr), and user input (stdin) except for passwords. By default, the agent captures user input even if a user runs commands with echo turned off. For example, if a user logs on, then runs echo off before typing the sudo command, the auditing service captures the sudo entry as part of the user’s session.

If you're auditing xWindows sessions: the agent captures all windows that a user opens and which user interface items the user interacts with. For web browser applications, the agent captures the title of the web page but not any activity within the web page.