Configuring selective auditing

By default, the agent captures activity for all users on audited computers, but you can limit auditing to specified users. If you are using authentication and privilege elevation, you can control auditing by configuring role definitions with different audit requirements, then assigning those role definitions to different sets of Active Directory users.

If you are using the Centrify Audit & Monitoring Service without access management:

  • You can use group policies to specify which Windows users to audit and which Windows users should not be audited.

    For information about configuring group policies to customize auditing, see the Group Policy Guide.

  • For UNIX users, you can use the dash.user.skiplist configuration parameter to specify the UNIX user accounts and Active Directory UNIX names that you don’t want to audit.

    For more information about setting the dash.user.skiplist parameter, see the comments in the /etc/centrifyda/centrifyda.conf file. For information about all of the configuration parameters available to customize auditing, see the Configuration and Tuning Reference Guide.

To control auditing by using group policies:

  1. Open the Group Policy Management console.
  2. Expand the forest and domains to select the Default Domain Policy object.
  3. Right-click, then click Edit to open Group Policy Management Editor.
  4. Expand Computer Configuration > Policies > Centrify Audit Settings, then select Windows Agent Settings.
  5. Select the Audited user list policy and change the policy setting from Not Configured to Enabled, then click Add if you want to identify specific users to audit.

    When you enable this group policy, only the users you specify in the policy are audited. If this policy is not configured, all users are audited.

  6. Select the Non-audited user list policy and change the policy setting from Not Configured to Enabled, then click Add if you want to identify specific users that should not be audited.

    When you enable this group policy, only the users you specify are not audited. If this policy is not configured, all users are audited. If you enable both the Audited user list and the Non-audited user list policies, the users you include in the Non-audited user list take precedence over the Audited user list.

The following table details the effect of choosing to enable the Audited user list policy, the Non-audited user list policy, or a combination of both policies.

| Non-audited user list | Audited user list | How the setting affects auditing |
|---|---|---|
| Not configured | Not configured | No users are defined for either policy, so all users accessing audited computers are audited. |
| Not configured | Enabled | Only the users you specify in the Audited user list policy are audited. If you do not specify any users when you enable this policy, no users are audited. |
| Enabled | Not configured | Only the users you specify in the Non-audited user list are exempt from auditing. If you enable this policy but do not specify any users, no users are exempt from auditing. All users are audited. |
| Enabled | Enabled | If both policies are enabled, the Non-audited user list takes precedence over the Audited user list. If a user is specified in the audited list, that user is explicitly audited. If a user is specified in the non-audited list, that user is explicitly not audited. If the same user is specified in both lists or no users are specified for either policy, no users are audited because the Non-audited user list takes precedence. |
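The precedence rules described above, as an added example (not Centrify code): a Python model of how the two lists combine, plus a check that reports accounts you require to be audited but that a given pair of policy settings would leave unaudited. The account names are constructed, and the case-insensitive name comparison and the class and function names are assumptions made for illustration.

```python
"""Added example: models the Audited / Non-audited user list precedence."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class UserListPolicy:
    """One policy: Not Configured (enabled=False) or Enabled with a user list."""
    enabled: bool = False
    users: frozenset = field(default_factory=frozenset)

    @classmethod
    def of(cls, *users):
        # Enabled policy; calling of() with no names models "Enabled, no users added".
        # Assumption: account names are compared case-insensitively.
        return cls(True, frozenset(u.casefold() for u in users))

    def lists(self, user):
        return self.enabled and user.casefold() in self.users


NOT_CONFIGURED = UserListPolicy()


def is_audited(user, audited, non_audited):
    """Apply the documented precedence to a single account."""
    # The Non-audited user list takes precedence over the Audited user list.
    if non_audited.lists(user):
        return False
    # An enabled Audited user list means only listed users are audited,
    # so an enabled but empty list audits nobody.
    if audited.enabled:
        return audited.lists(user)
    # Audited user list not configured: everyone not exempted is audited.
    return True


def audit_gaps(must_audit, audited, non_audited):
    """Return the accounts in must_audit that the settings leave unaudited."""
    return sorted(u for u in must_audit if not is_audited(u, audited, non_audited))


if __name__ == "__main__":
    # Constructed sample: accounts a reviewer expects to be audited.
    required = [r"CONTOSO\alice", r"CONTOSO\bob", r"CONTOSO\svc-backup"]
    audited = UserListPolicy.of(r"CONTOSO\alice", r"CONTOSO\bob")
    non_audited = UserListPolicy.of(r"contoso\bob")
    for account in audit_gaps(required, audited, non_audited):
        print("not audited:", account)
```

Running the gap check against the lists exported from the two policies before they are applied shows which required accounts an exemption or an incomplete Audited user list would drop from the audit trail.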