DirectAudit advanced monitoring

Use the following group policies to enable advanced monitoring of program and process execution on audited machines.

Enabling these group policies allows you to generate reports that monitor programs and processes that are run individually, as part of a script, or within other commands.

You can also configure a file monitor report which details user interaction with sensitive files.

Note: You must first enable the group policy Enable advanced monitoring before any of the other Advanced Monitoring policies take effect.

Enable advanced monitoring

Use this group policy to enable Advanced Monitoring.

If this policy is Not configured, by default, Advanced Monitoring is not enabled.

Set monitor of program execution for audit sessions

Use this group policy to enable recording of all programs executed in an audited session. You can export these monitoring events when reviewing a session, and they are also recorded in the Detailed Execution reports.

If this policy is Not configured, by default, this feature is not enabled.

This group policy modifies the event.execution.monitor parameter in the agent configuration file.

Set monitored programs list

Use this group policy to specify a list of programs that will generate an audit trail event when executed by users.

If you enable this policy, every user who executes a listed program generates an audit trail event, whether or not that user is audited, unless the user is specified in Set skip users for monitored program executions.

Note that every command in the list must be specified with its full path.

If this policy is set to Disabled or Not configured, by default, no executed programs will generate an audit trail event for any user.

This policy modifies the event.monitor.commands parameter in the agent configuration file.

Set monitoring of system configuration files

Use this group policy to enable monitoring of changes made to the system configuration files in the following directory trees:

  • /etc
  • /var/centrify
  • /var/centrifyda
  • /var/centrifydc

This monitoring is on by default: if this policy is Not configured or Enabled, all changes made to files under these directory trees are monitored.

Set processes that are skipped for system configuration file monitoring

Use this group policy to specify programs whose changes to configuration files you do not want to be monitored when Set monitoring of system configuration files is enabled.

When you enable this policy, you can specify a list of trusted programs that can modify any system configuration files or directories without causing an audit trail event.

If this policy is Not configured, /usr/sbin/daspool is skipped by default, as are all adclient and dad processes and their subprocesses.

Set skip users for monitored program executions

Use this group policy to specify a list of users who can run programs and commands without generating an audit trail event.

Users listed in this policy can run commands without generating an audit trail, even if those commands are listed in Set monitored programs list.

If this policy is Disabled or Not configured, by default, all users will generate an audit trail event when executing monitored commands.

This policy modifies the event.monitor.commands.user.skiplist parameter in the agent configuration file.

Set users that will be skipped for program execution monitoring

Use this group policy to specify a list of audited users whose program executions do not generate an audit trail event record (the records used in Detailed Execution reports), even when the program is listed in Set monitored programs list and that policy is enabled.

If this policy is Not configured, by default, no users are added to this list.

Set users who will be skipped for system configuration file monitoring

Use this group policy to specify a list of users who can modify any system configuration file and directory without generating an audit trail event when Set monitoring of system configuration files is enabled.

If this policy is set to Not configured, by default the list contains only root.

This policy modifies the event.file.monitor.user.skiplist parameter in the agent configuration file.
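The four policies above (Set monitor of program execution for audit sessions, Set monitored programs list, Set skip users for monitored program executions, and Set users who will be skipped for system configuration file monitoring) each write one parameter into the agent configuration file, so the effective monitoring posture of an audited machine can be verified on the machine itself rather than trusting the group policy result. The following Python script is an added example written for this page; it is not Centrify code. It assumes the agent configuration file uses one "name: value" setting per line with # comments, that list-valued settings are comma separated, and that the file lives at /etc/centrifyda/centrifyda.conf; check all three against your own agent before relying on it. It checks the full-path requirement for monitored commands and surfaces every user who is exempt from program or configuration-file events, since each such entry is a deliberate blind spot in the audit trail.

```python
"""Lint the DirectAudit agent settings written by the advanced-monitoring
group policies.  Added example, not Centrify's code.

Assumptions (verify against your agent): settings are 'name: value', one per
line, '#' starts a comment, list values are comma separated, and the file is
/etc/centrifyda/centrifyda.conf.
"""
import os
from typing import Dict, List

AGENT_CONF = "/etc/centrifyda/centrifyda.conf"  # assumed location

# Constructed sample, not taken from a real agent: it deliberately contains a
# bare command name and an extra user on each skip list.
SAMPLE_CONF = """
# constructed sample configuration
event.execution.monitor: true
event.monitor.commands: /usr/bin/passwd, /bin/su, sudo
event.monitor.commands.user.skiplist: backup
event.file.monitor.user.skiplist: root, oracle
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Parse 'name: value' lines; a later duplicate overrides an earlier one."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or ":" not in line:
            continue
        name, value = line.split(":", 1)
        conf[name.strip()] = value.strip()
    return conf


def split_list(value: str) -> List[str]:
    """Split a comma-separated list value (assumed format)."""
    return [item.strip() for item in value.split(",") if item.strip()]


def lint_monitoring(conf: Dict[str, str]) -> Dict[str, object]:
    """Return the effective settings plus findings a reviewer should act on."""
    findings: List[str] = []
    # Page-stated defaults: execution monitoring off, no monitored commands,
    # no users skipped for commands, only root skipped for config files.
    execution_monitor = conf.get("event.execution.monitor", "false").lower() == "true"
    commands = split_list(conf.get("event.monitor.commands", ""))
    cmd_skip = split_list(conf.get("event.monitor.commands.user.skiplist", ""))
    file_skip = split_list(conf.get("event.file.monitor.user.skiplist", "root"))

    if not execution_monitor and not commands:
        findings.append("no program execution monitoring is configured")
    for cmd in commands:
        # The policy requires full paths; a bare name is a misconfiguration.
        if not cmd.startswith("/"):
            findings.append(f"monitored command is not a full path: {cmd!r}")
    for user in cmd_skip:
        findings.append(f"user {user!r} runs monitored programs without an audit trail event")
    for user in file_skip:
        if user != "root":  # root is the documented default entry
            findings.append(f"user {user!r} can modify system configuration files without an audit trail event")

    return {
        "execution_monitor": execution_monitor,
        "commands": commands,
        "command_skip_users": cmd_skip,
        "file_skip_users": file_skip,
        "findings": findings,
    }


if __name__ == "__main__":
    if os.path.exists(AGENT_CONF):
        with open(AGENT_CONF, encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONF  # fall back to the constructed sample
    for line in lint_monitoring(parse_conf(text))["findings"]:
        print("FINDING:", line)
```

Run it on an audited machine after a group policy refresh and compare the reported lists with what the policies were meant to set; a user appearing in either skip list who is not expected there, or a monitored command without a full path, means the resulting Detailed Execution or file monitor reports will silently miss activity.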