Enabling Linux desktop auditing

In addition to shell auditing, for some Linux systems you can also enable desktop auditing. When desktop auditing is enabled, the user's entire screen is continuously monitored to record all graphical interactions. More specifically, desktop auditing captures the following:

  • The application name and window title when the user switches the focus to that application. For example, if a user opens a web browser or a terminal window.
  • Changes to the application window title that currently has focus. For example, if a user opens a web browser and goes to a new web page, desktop auditing records the title of a web page.

The supported platforms for Linux desktop auditing are as follows:

  • RHEL 6, 7, and 8 with GNOME v3
  • CentOS 6, 7, and 8 with GNOME v3

Linux sessions must be running X as the primary display manager (not Wayland).

Linux desktop auditing requires shell session auditing.

To enable desktop auditing on a Linux computer:

  1. Log on as a user with root privileges.
  2. Run dacontrol with the -x option or the --desktop-audit option:
    dacontrol -x
    dacontrol --desktop-audit

    To enable both shell and desktop auditing at the same time, use both the -e and -x options:

    dacontrol -e -x
  3. Run dainfo to verify that desktop auditing has been enabled.

    For example, the relevant information from the dainfo command looks like this:

    Pinging adclient: 	adclient is available
    Daemon status:		Online
    Current installation: 'DirectAudit' (configured locally)
    Current collector: test.acme.com:5063:HOST/test.acme.com@acme.com
    DirectAudit NSS module: Active
    DirectAudit desktop auditing: Enabled
    User (root) audited status: Yes

    When you enable auditing, the desktop auditing module shows as Enabled. You can also see if auditing is enabled or not for a system in the Audit Manager console.