DirectAudit Daemon Settings
Use the group policies under DirectAudit Daemon Settings to control operations for the auditing service.
Set allow to dump core
Use this group policy to specify whether the dad process is allowed to dump core. If this group policy is enabled, the dad process is allowed to dump core. If this group policy is disabled or not configured, the dad process is not allowed to dump core.
To use this group policy:
- Double click the policy in the right pane of the Group Policy Management Editor.
- On the Policy tab of the Properties dialog box, select Enabled.
- Click OK to save settings in this policy.
This group policy modifies the dad.dumpcore setting in the configuration file /etc/centrifyda/centrifyda.conf.
Set audit level of ignored user
Use this group policy to specify the audit level of users who are on the ignored user list. Values that you can set in this policy are:
- 0 — Audit if possible.
- 1 — Do not audit.
If this group policy is disabled or not configured, a default value of 0 is used, meaning that the audit level is “audit if possible.” If this group policy is enabled, you can specify a value of 0 or 1.
To use this group policy:
- Double click the policy in the right pane of the Group Policy Management Editor.
- On the Policy tab, select Enabled.
- Set the ignored user audit level to 0 or 1.
- Click OK to save settings in this policy.
This group policy modifies the user.ignore.audit.level setting in the /etc/centrifyda/centrifyda.conf configuration file.
Set cache live time
Use this group policy to specify the length of time entries should remain valid in the name service cache. You can specify the maximum number of seconds that a cached query result should be available in the cache. This policy is applicable only if the Set cache the query results policy is enabled.
If this group policy is disabled or not configured, a default value of 600 seconds is used. If this group policy is enabled, you can specify the number of seconds.
To use this group policy:
- Double click the policy in the right pane of the Group Policy Management Editor.
- On the Policy tab, select Enabled.
- Specify the number of seconds that cached information remains valid.
- Click OK to save settings in this policy.
For example, to increase the number of seconds that query results are available in the cache on an audited computer, enable this policy and specify a value of your choice that is greater than 600 seconds.
This group policy modifies the cache.time.to.live setting in the configuration file /etc/centrifyda/centrifyda.conf.
Set cache the query results
Use this group policy to specify whether the dad process caches name service query results about users and groups.
- If this group policy is disabled, query results are not saved and must be retrieved whenever they are needed.
- If this group policy is enabled or not configured, the dad process stores query results—for example, from user lookup requests—in memory for better performance.
- If this group policy is enabled, you can use the Set max cache size and Set cache live time policies to control the number and duration of entries in the cache.
- If this group policy is enabled, you can also use the daflush command to clear the cache manually when you want to ensure you get updated information. For example, if you remove the UNIX Login role for an Active Directory user, some information for that user might remain in the cache and be returned when you run a command such as getent passwd. You can run daflush to ensure that the user is removed completely from the local computer cache, including the auditing name service cache.
To use this group policy:
- Double click the policy in the right pane of the Group Policy Management Editor.
- On the Policy tab, select Enabled.
- Click OK to save settings in this policy.
This group policy modifies the cache.enable setting in the configuration file /etc/centrifyda/centrifyda.conf.
Set check NSS configuration file timeout
Use this group policy to specify how frequently (in seconds) the dad process checks the /etc/nsswitch.conf file for changes.
If this group policy is disabled or not configured, a default value of 60 seconds between checks is used. If this group policy is enabled, you can specify the number of seconds between checks.
To use this group policy:
- Double click the policy in the right pane of the Group Policy Management Editor.
- On the Policy tab, select Enabled.
- Specify the number of seconds between checks.
- Click OK to save settings in this policy.
This group policy modifies the dad.timer.monitor.nss.conf setting in the configuration file /etc/centrifyda/centrifyda.conf.
Set client idle timeout
Use this group policy to specify how long (in seconds) the dad client can be idle before timing out. If this group policy is disabled or not configured, a default value of 1800 seconds is used.
To use this group policy:
- Double click the policy in the right pane of the Group Policy Management Editor.
- On the Policy tab, select Enabled.
- Specify the number of seconds that the dad client can be idle before timing out.
- Click OK to save settings in this policy.
This group policy modifies the dad.client.idle.timeout setting in the configuration file /etc/centrifyda/centrifyda.conf.
Set codepage of audit client
Use this group policy to specify the code page used for character encoding by the auditing service. Supported values are UTF8 and ISO8859-1.
If this group policy is disabled, not configured, or set to a value that is not supported, a default code page of UTF8 is used. If this group policy is enabled, you can specify a supported code page.
This group policy modifies the lang_setting setting in the configuration file /etc/centrifyda/centrifyda.conf.
Set connect to collector timeout
Use this group policy to specify the amount of time, in seconds, the agent waits during each connection attempt before it determines that it cannot connect to a collector.
If this group policy is disabled or not configured, the default value is 60 seconds. This group policy modifies the dad.connect.collector.timeout configuration parameter.
You can use this parameter with the Common Settings group policy which allows you to specify the number of unsuccessful attempts that the agent can make to connect to a collector before notifying the user that it is not connected to a collector.
Set fix NSS configuration file automatically
Use this group policy to specify whether to enable the dad process to fix /etc/nsswitch.conf automatically if anything goes wrong.
If this group policy is disabled, /etc/nsswitch.conf is not updated. If this group policy is enabled or not configured, /etc/nsswitch.conf is updated automatically by the dad process.
To use this group policy:
- Double click the policy in the right pane of the Group Policy Management Editor.
- On the Policy tab, select Enabled.
- Click OK to save settings in this policy.
This group policy modifies the autofix.nss.conf setting in the configuration file /etc/centrifyda/centrifyda.conf.
Set max cache size
Use this group policy to specify the maximum number of entries that can be stored in the name service cache. Entries store query results about users and groups. This group policy is applicable only if the Set cache the query results group policy is enabled.
If this group policy is enabled, the query results are stored in memory up to the value that you specify, resulting in better performance. If this group policy is disabled or not configured, a default value of 80,000 entries is used.
To use this group policy:
- Double click the policy in the right pane of the Group Policy Management Editor.
- On the Policy tab, select Enabled.
- Specify the maximum number of entries to cache.
- Click OK to save settings in this policy.
This group policy modifies the cache.max.size setting in the configuration file /etc/centrifyda/centrifyda.conf.
Set resource monitor check interval
Use this group policy to specify how often (in seconds) the resource monitor checks dad resource usage.
If this group policy is disabled or not configured, a default value of 600 seconds is used. If this group policy is enabled and set to 0 seconds, monitoring is disabled.
To use this group policy:
- Double click the policy in the right pane of the Group Policy Management Editor.
- On the Policy tab, select Enabled.
- Specify the number of seconds for the interval.
- Click OK to save settings in this policy.
This group policy modifies the dad.resource.timer setting in the configuration file /etc/centrifyda/centrifyda.conf.
Set resource monitor CPU limit
Use this group policy to specify the maximum percentage of CPU cycles that dad can consume.
If this group policy is disabled or not configured, a default value of 50 percent is used. If this group policy is enabled and set to 0 percent, dad CPU usage is unlimited.
To use this group policy:
- Double click the policy in the right pane of the Group Policy Management Editor.
- On the Policy tab, select Enabled.
- Specify the maximum CPU usage percentage.
- Click OK to save settings in this policy.
This group policy modifies the dad.resource.cpulimit setting in the configuration file /etc/centrifyda/centrifyda.conf.
Set resource monitor CPU limit tolerance
Use this group policy to specify (in seconds) how long the maximum percentage of dad CPU cycles can be exceeded before dad is restarted. If this group policy is disabled or not configured, a default value of 5 seconds is used.
To use this group policy:
- Double click the policy in the right pane of the Group Policy Management Editor.
- On the Policy tab, select Enabled.
- Specify the number of seconds that the maximum percentage of dad CPU cycles can be exceeded.
- Click OK to save settings in this policy.
This group policy modifies the dad.resource.cpulimit.tolerance setting in the configuration file /etc/centrifyda/centrifyda.conf.
Set resource monitor file descriptor limit
Use this group policy to specify the maximum number of file descriptors that dad can open.
If this group policy is disabled or not configured, a default value of 1024 is used. If this group policy is enabled and set to 0, the number of file descriptors is unlimited.
To use this group policy:
- Double click the policy in the right pane of the Group Policy Management Editor.
- On the Policy tab, select Enabled.
- Specify the maximum number of file descriptors.
- Click OK to save settings in this policy.
This group policy modifies the dad.resource.fdlimit setting in the configuration file /etc/centrifyda/centrifyda.conf.
Set resource monitor memory limit
Use this group policy to specify the maximum number of bytes that can be allocated to dad.
If this group policy is disabled or not configured, a default value of 104857600 bytes (100 MB) is used. If this group policy is enabled and set to 0, dad memory allocation is unlimited.
To use this group policy:
- Double click the policy in the right pane of the Group Policy Management Editor.
- On the Policy tab, select Enabled.
- Specify the maximum number of bytes that can be allocated to dad.
- Click OK to save settings in this policy.
This group policy modifies the dad.resource.memlimit setting in the configuration file /etc/centrifyda/centrifyda.conf.
Set resource monitor should restart dad
Use this group policy to specify whether the resource monitor should restart dad if resource usage exceeds the limits set in other group policies or configuration parameters.
If this group policy is enabled, dad is restarted if resource usage exceeds specified limits. If this group policy is disabled or not configured, dad is not restarted if resource usage exceeds specified limits.
To use this group policy:
- Double click the policy in the right pane of the Group Policy Management Editor.
- On the Policy tab, select Enabled.
- Click OK to save settings in this policy.
This group policy modifies the dad.resource.restart setting in the configuration file /etc/centrifyda/centrifyda.conf.
Set seal over a secure GSSAPI connection collector
Use this group policy to specify whether the auditing service seals network communications with the collector using a secure GSSAPI connection.
If this group policy is enabled or not configured, the network connection is sealed and cannot be read. If this group policy is disabled, the connection is not sealed and is human-readable.
To use this group policy:
- Double click the policy in the right pane of the Group Policy Management Editor.
- On the Policy tab, select Enabled.
- Click OK to save settings in this policy.
This group policy modifies the dad.gssapi.seal setting in the configuration file /etc/centrifyda/centrifyda.conf.
Set sign over a secure GSSAPI connection with collector
Use this group policy to specify whether the auditing service signs network communications with the collector over a secure GSSAPI connection.
If this group policy is enabled or not configured, the network connection is signed. If this group policy is disabled, the network connection is not signed.
To use this group policy:
- Double click the policy in the right pane of the Group Policy Management Editor.
- On the Policy tab, select Enabled.
- Click OK to save settings in this policy.
This group policy modifies the dad.gssapi.sign setting in the configuration file /etc/centrifyda/centrifyda.conf.
Set soft limit of open files
Use this group policy to specify the number of file descriptors that can be used for audited sessions.
For some UNIX platforms, such as Solaris, the default number of available file descriptors for each process is insufficient for auditing sessions, because the Centrify Agent requires two descriptors per session.
Use this policy to increase the number of file descriptors available.
This policy modifies the dad.process.fdlimit parameter in the agent configuration file.
Set update agent status timeout
Use this group policy to specify how often (in seconds) the agent status in the audit store database is updated.
If this group policy is disabled or not configured, a default value of 300 seconds is used.
To use this group policy:
- Double click the policy in the right pane of the Group Policy Management Editor.
- On the Policy tab, select Enabled.
- Specify the number of seconds between agent status updates.
- Click OK to save settings in this policy.
This group policy modifies the dad.timer.update.agent.status setting in the configuration file /etc/centrifyda/centrifyda.conf.
Set verification of spool disk space timeout
Use this group policy to specify the number of seconds between checks of disk space when the disk space reserved for offline storage is less than the percentage specified in the Set minimum percentage of disk space group policy. At each check, a warning message is written to the log file.
If this group policy is enabled, disk space is checked at the interval that you specify. If this group policy is disabled or not configured, a default value of 360 seconds is used.
To use this group policy:
- Double click the policy in the right pane of the Group Policy Management Editor.
- On the Policy tab, select Enabled.
- Specify the number of seconds between disk space checks.
- Click OK to save settings in this policy.
This group policy modifies the dad.timer.diskspace setting in the configuration file /etc/centrifyda/centrifyda.conf.