Enabling Linux desktop auditing
In addition to shell auditing, for some Linux systems you can also enable desktop auditing. When desktop auditing is enabled, the user's entire screen is continuously monitored to record all graphical interactions. More specifically, desktop auditing captures the following:
- The application name and window title when the user switches the focus to that application. For example, if a user opens a web browser or a terminal window.
- Changes to the application window title that currently has focus. For example, if a user opens a web browser and goes to a new web page, desktop auditing records the title of a web page.
The supported platforms for Linux desktop auditing are as follows:
- RHEL 6, 7, and 8 with GNOME v3
- CentOS 6, 7, and 8 with GNOME v3
Linux sessions must be running X as the primary display manager (not Wayland).
Linux desktop auditing requires shell session auditing.
To enable desktop auditing on a Linux computer:
- Log on as a user with
-xoption or the --desktop-audit option:
To enable both shell and desktop auditing at the same time, use both the -e and -x options:
dacontrol -e -x
dainfoto verify that desktop auditing has been enabled.
For example, the relevant information from the
dainfocommand looks like this:
Pinging adclient: adclient is available Daemon status: Online Current installation: 'DirectAudit' (configured locally) Current collector: test.acme.com:5063:HOSTfirstname.lastname@example.org DirectAudit NSS module: Active ... DirectAudit desktop auditing: Enabled User (root) audited status: Yes
When you enable auditing, the desktop auditing module shows as Enabled. You can also see if auditing is enabled or not for a system in the Audit Manager console.