Capturing detailed and summary information for user sessions

After you deploy the auditing infrastructure, you can capture detailed information about user activity and the events that occurred on the computers you choose to audit. On those computers, an agent starts recording user activity when a user selects an audited role or starts a login shell locally, using a remote shell, or through a virtual network connection such as Citrix or VNC.

Each record of continuous user activity is called a session. A session ends when the user logs out, disconnects, or is inactive long enough to lock the desktop. If the user reconnects or unlocks the desktop, the agent resumes recording the user’s activity as a new session. When users start a new session on an audited computer, they can be notified that their session is being audited but they cannot turn off auditing except by logging off, so you have a complete record of what happened, includes an audit trail of the actions a user has taken.

You can choose whether to record only summaries of user activity or a full visual record of user activity.

Sessions include different kinds of information depending on the audited system's operating system:

  • Windows: When auditing Windows computers, each session is a video capture of everything that takes place on the desktop, including the applications opened, text that was entered, and the results that were displayed.
  • Linux: When auditing Linux computers, the agent records shell activity, such as the commands a user runs or the changes made to key files and data. On some versions of Linux computers, actions performed using a display manager, such as GNOME or KDE, are also recorded. Consult the Centrify release notes for supported platform details.

In addition to capturing detailed information about user activity, sessions provide a summary of actions taken so that you can scan the applications opened or commands executed for potentially interesting or damaging actions without playing back a complete session. After you select a session of interest in the Audit Analyzer, the console displays an indexed list of actions taken in the order in which they occurred. You can then select any entry in the list to start viewing the session beginning with that action. For example, if a user opened an application that stores credit card information, you can scan the list of actions for that event and begin reviewing what happened in the session from the time the user opened that particular application.

If users change their account permissions to take any action with elevated privileges, the change is recorded as an audit trail event. You can also search for these events to find sessions of interest.