Common Settings

Use the group policies under Common Settings to configure basic operations for the auditing service.

Installation

Use the Installation group policy to specify which installation the agents and collectors are part of. By enabling the Installation group policy, you can prevent local administrators from configuring a computer to be part of an unauthorized installation.

Note:   After applying the settings through the "Centrify Auditing and Monitoring Service Settings" group policy, you must restart the target agent machine(s) for the policy to take effect.

To use this group policy:

  1. Double-click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab of the dialog box, select Enabled.
  3. Click Browse to select the installation you want to secure, then click OK.

See the Auditing Administrator’s Guide for more information about installing and managing installations of the auditing infrastructure.

Set maximum missed status update tolerance

Use the Set maximum missed status update tolerance group policy to specify how many times the auditing agent will fail to connect to a collector before sending a notification that the agent is not joined to a collector. The interval between attempts is 5 minutes.

This group policy modifies the agent.max.missed.update.tolerance setting in the agent configuration file.

To use this group policy:

  1. Double-click the policy in the right pane of the Group Policy Management Editor.
  2. Click Edit.
  3. Select Enabled.
  4. Enter the value.

    For example, enter 3 if you would like the agent to notify you after 3 failed attempts to join a collector.

  5. Click OK.

If this group policy is Disabled or Not Configured, the default value is 4.

This group policy can be used with the DirectAudit Daemon Settings group policy, which allows you to specify the amount of time, in seconds, that the agent waits during each connection attempt before it determines that it cannot connect to a collector.

Set the preferred Audit Store

Use this group policy to specify the preferred audit store that auditing will use in the event that your UNIX or Linux computer has IP addresses that match the criteria for multiple audit stores.

If you have this type of installation and you do not enable this policy and specify the preferred audit store, the collector may not connect to the correct audit store.

This group policy modifies the parameter preferred.audit.store in the agent configuration file.

Set video capture auditing of user activity

Use the Set video capture auditing of user activity group policy to specify any agents for which you want to change the video capture settings. This setting can be useful in cases where the user output should not be recorded because of security audit rules. For example, if you have enabled video capture auditing for your entire auditing installation, you can disable video capture for one or more specific agents.

To use this group policy:

  1. Double-click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab of the Properties dialog box, select Enabled.
  3. In the Set video capture auditing section, select one of the following options:
    • Enable Video Audit: Select this option to turn on video capture. This setting overrides your installation-wide video capture setting.
    • Disable Video Audit: Select this option to turn off video capture. This setting overrides your installation-wide video capture setting.
    • Use Installation-Wide Setting: Select this option to make sure that this agent uses the same setting as what you have set for the entire auditing installation.

  4. Click OK to save the change.

Use the host name specified by the agent

Enable this group policy to display the real host name of audited computers in the Audited Systems node in Audit Manager instead of the host name resolved by the collector through DNS.

This configuration parameter is useful in configurations where the DNS servers used by the collectors cannot reliably resolve host names from IP addresses. The most common scenarios that might require you to use this configuration parameter are when the agents are in a virtual environment using network address translation (NAT) or in a perimeter network outside of a firewall.

If this group policy is enabled, the host name for the agent is determined by the agent. If this group policy is not enabled, the collector determines the agent’s host name based on its IP address. If this group policy is not configured, this setting will be disabled by default.

This group policy modifies the agent.send.hostname setting in the auditing configuration file.

To use this group policy:

  1. Double-click the policy in the right pane of the Group Policy Management Editor.
  2. Click the Edit policy setting link above the policy’s Description.
  3. Select Enabled.
  4. Click OK.
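
After the agent has been restarted, you can confirm that the policies above reached the agent configuration file by comparing its effective values with what the group policy should have set. The following is an added example, not code from the product or its documentation; it checks agent.max.missed.update.tolerance, agent.send.hostname and preferred.audit.store. It assumes the file uses "name: value" lines with '#' comments and that agent.send.hostname takes true/false; the sample file contents and the audit store name are constructed.

```python
# Added example, not vendor code. Assumes "name: value" lines and '#' comments.
ATTEMPT_INTERVAL_MIN = 5  # from the page: interval between connection attempts

# Defaults the page states for Disabled / Not Configured policies.
DEFAULTS = {
    "agent.max.missed.update.tolerance": "4",
    "agent.send.hostname": "false",   # "disabled by default"; literal is assumed
    "preferred.audit.store": None,    # the page gives no default
}

def parse_conf(text):
    """Parse config text into a dict; the last occurrence of a name wins (assumption)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            settings[name.strip()] = value.strip()
    return settings

def effective(text):
    """Settings from the file, falling back to the page's defaults."""
    parsed = parse_conf(text)
    return {name: parsed.get(name, default) for name, default in DEFAULTS.items()}

def minutes_until_notification(text):
    """Approximate time before a disconnected agent is reported, one attempt per interval."""
    return int(effective(text)["agent.max.missed.update.tolerance"]) * ATTEMPT_INTERVAL_MIN

def drift(text, expected):
    """List settings whose effective value differs from what the GPO should have set."""
    eff = effective(text)
    return [f"{name}: expected {want!r}, effective {eff.get(name)!r}"
            for name, want in expected.items() if eff.get(name) != want]

# Constructed sample file contents and constructed expected values.
SAMPLE_CONF = """\
# constructed sample, not taken from a real host
agent.max.missed.update.tolerance: 3
agent.send.hostname: true
"""
EXPECTED = {
    "agent.max.missed.update.tolerance": "3",
    "agent.send.hostname": "true",
    "preferred.audit.store": "AuditStore-Example",  # hypothetical audit store name
}

if __name__ == "__main__":
    print(minutes_until_notification(SAMPLE_CONF), "minutes to notification (approx.)")
    for finding in drift(SAMPLE_CONF, EXPECTED):
        print("DRIFT", finding)
```

The notification estimate ignores the per-attempt connection wait that the DirectAudit Daemon Settings group policy controls.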