DirectAudit Daemon Settings

Use the group policies under DirectAudit Daemon Settings to control operations for the auditing service.

Set allow to dump core

Use this group policy to specify whether the dad process is allowed to dump core. If this group policy is enabled, the dad process is allowed to dump core. If this group policy is disabled or not configured, the dad process is not allowed to dump core.

To use this group policy:

  1. Double click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab of the Properties dialog box, select Enabled.
  3. Click OK to save settings in this policy.

This group policy modifies the dad.dumpcore setting in the configuration file /etc/centrifyda/centrifyda.conf.

Set audit level of ignored user

Use this group policy to specify the audit level of users who are on the ignored user list. Values that you can set in this policy are:

  • 0 — Audit if possible.
  • 1 — Do not audit.

If this group policy is disabled or not configured, a default value of 0 is used, meaning that the audit level is “audit if possible.” If this group policy is enabled, you can specify a value of 0 or 1.

To use this group policy:

  1. Double click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab, select Enabled.
  3. Set the ignored user audit level to 0 or 1.
  4. Click OK to save settings in this policy.

This group policy modifies the user.ignore.audit.level setting in the /etc/centrifyda/centrifyda.conf configuration file.

Set cache live time

Use this group policy to specify the length of time entries should remain valid in the name service cache. You can specify the maximum number of seconds that a cached query result should be available in the cache. This policy is applicable only if the Set cache the query results policy is enabled.

If this group policy is disabled or not configured, a default value of 600 seconds is used. If this group policy is enabled, you can specify the number of seconds.

To use this group policy:

  1. Double click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab, select Enabled.
  3. Specify the number of seconds that cached information remains valid.
  4. Click OK to save settings in this policy.

For example, to increase the number of seconds that query results are available in the cache on an audited computer, enable this policy and specify a value of your choice that is greater than 600 seconds.

This group policy modifies the cache.time.to.live setting in the configuration file /etc/centrifyda/centrifyda.conf.

Set cache the query results

Use this group policy to specify whether the dad process caches name service query results about users and groups.

  • If this group policy is disabled, query results are not saved and must be retrieved whenever they are needed.
  • If this group policy is enabled or not configured, the dad process stores query results—for example, from user lookup requests—in memory for better performance.
  • If this group policy is enabled, you can use the Set max cache size and Set cache live time policies to control the number and duration of entries in the cache.
  • If this group policy is enabled, you can also use the daflush command to clear the cache manually when you want to ensure you get updated information. For example, if you remove the UNIX Login role for an Active Directory user, some information for that user might remain in the cache and be returned when you run a command such as getent passwd. You can run daflush to ensure that the user is removed completely from the local computer cache, including the auditing name service cache.

To use this group policy:

  1. Double click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab, select Enabled.
  3. Click OK to save settings in this policy.

This group policy modifies the cache.enable setting in the configuration file /etc/centrifyda/centrifyda.conf.

Set check NSS configuration file timeout

Use this group policy to specify how frequently (in seconds) the dad process checks the /etc/nsswitch.conf file for changes.

If this group policy is disabled or not configured, a default value of 60 seconds between checks is used. If this group policy is enabled, you can specify the number of seconds between checks.

To use this group policy:

  1. Double click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab, select Enabled.
  3. Specify the number of seconds between checks.
  4. Click OK to save settings in this policy.

This group policy modifies the dad.timer.monitor.nss.conf setting in the configuration file /etc/centrifyda/centrifyda.conf.

Set client idle timeout

Use this group policy to specify how long (in seconds) the dad client can be idle before timing out. If this group policy is disabled or not configured, a default value of 1800 seconds is used.

To use this group policy:

  1. Double click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab, select Enabled.
  3. Specify the number of seconds that the dad client can be idle before timing out.
  4. Click OK to save settings in this policy.

This group policy modifies the dad.client.idle.timeout setting in the configuration file /etc/centrifyda/centrifyda.conf.

Set codepage of audit client

Use this group policy to specify the code page used for character encoding by the auditing service. Supported values are UTF8 and ISO8859-1.

If this group policy is disabled, not configured, or set to a value that is not supported, a default code page of UTF8 is used. If this group policy is enabled, you can specify a supported code page.

This group policy modifies the lang_setting setting in the configuration file /etc/centrifyda/centrifyda.conf.

Set connect to collector timeout

Use this group policy to specify the amount of time, in seconds, the agent waits during each connection attempt before it determines that it cannot connect to a collector.

If this group policy is disabled or not configured, the default value is 60 seconds. This group policy modifies the dad.connect.collector.timeout configuration parameter.

You can use this parameter with the Common Settings group policy, which allows you to specify the number of unsuccessful attempts that the agent can make to connect to a collector before notifying the user that it is not connected to a collector.

Set fix NSS configuration file automatically

Use this group policy to specify whether to enable the dad process to fix /etc/nsswitch.conf automatically if anything goes wrong.

If this group policy is disabled, /etc/nsswitch.conf is not updated. If this group policy is enabled or not configured, /etc/nsswitch.conf is updated automatically by the dad process.

To use this group policy:

  1. Double click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab, select Enabled.
  3. Click OK to save settings in this policy.

This group policy modifies the autofix.nss.conf setting in the configuration file /etc/centrifyda/centrifyda.conf.

Set max cache size

Use this group policy to specify the maximum number of entries that can be stored in the name service cache. Entries store query results about users and groups. This group policy is applicable only if the Set cache the query results group policy is enabled.

If this group policy is enabled, the query results are stored in memory up to the value that you specify, resulting in better performance. If this group policy is disabled or not configured, a default value of 80,000 entries is used.

To use this group policy:

  1. Double click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab, select Enabled.
  3. Specify the maximum number of entries to cache.
  4. Click OK to save settings in this policy.

This group policy modifies the cache.max.size setting in the configuration file /etc/centrifyda/centrifyda.conf.

Set resource monitor check interval

Use this group policy to specify how often (in seconds) the resource monitor checks dad resource usage.

If this group policy is disabled or not configured, a default value of 600 seconds is used. If this group policy is enabled and set to 0 seconds, monitoring is disabled.

To use this group policy:

  1. Double click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab, select Enabled.
  3. Specify the number of seconds for the interval.
  4. Click OK to save settings in this policy.

This group policy modifies the dad.resource.timer setting in the configuration file /etc/centrifyda/centrifyda.conf.

Set resource monitor CPU limit

Use this group policy to specify the maximum percentage of CPU cycles that dad can consume.

If this group policy is disabled or not configured, a default value of 50 percent is used. If this group policy is enabled and set to 0 percent, dad CPU usage is unlimited.

To use this group policy:

  1. Double click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab, select Enabled.
  3. Specify the maximum CPU usage percentage.
  4. Click OK to save settings in this policy.

This group policy modifies the dad.resource.cpulimit setting in the configuration file /etc/centrifyda/centrifyda.conf.

Set resource monitor CPU limit tolerance

Use this group policy to specify (in seconds) how long the maximum percentage of dad CPU cycles can be exceeded before dad is restarted. If this group policy is disabled or not configured, a default value of 5 seconds is used.

To use this group policy:

  1. Double click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab, select Enabled.
  3. Specify the number of seconds that the maximum percentage of dad CPU cycles can be exceeded.
  4. Click OK to save settings in this policy.

This group policy modifies the dad.resource.cpulimit.tolerance setting in the configuration file /etc/centrifyda/centrifyda.conf.

Set resource monitor file descriptor limit

Use this group policy to specify the maximum number of file descriptors that dad can open.

If this group policy is disabled or not configured, a default value of 1024 is used. If this group policy is enabled and set to 0, the number of file descriptors is unlimited.

To use this group policy:

  1. Double click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab, select Enabled.
  3. Specify the maximum number of file descriptors.
  4. Click OK to save settings in this policy.

This group policy modifies the dad.resource.fdlimit setting in the configuration file /etc/centrifyda/centrifyda.conf.

Set resource monitor memory limit

Use this group policy to specify the maximum number of bytes that can be allocated to dad.

If this group policy is disabled or not configured, a default value of 104857600 bytes (100 MB) is used. If this group policy is enabled and set to 0, dad memory allocation is unlimited.

To use this group policy:

  1. Double click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab, select Enabled.
  3. Specify the maximum number of bytes that can be allocated to dad.
  4. Click OK to save settings in this policy.

This group policy modifies the dad.resource.memlimit setting in the configuration file /etc/centrifyda/centrifyda.conf.

Set resource monitor should restart dad

Use this group policy to specify whether the resource monitor should restart dad if resource usage exceeds the limits set in other group policies or configuration parameters.

If this group policy is enabled, dad is restarted if resource usage exceeds specified limits. If this group policy is disabled or not configured, dad is not restarted if resource usage exceeds specified limits.

To use this group policy:

  1. Double click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab, select Enabled.
  3. Click OK to save settings in this policy.

This group policy modifies the dad.resource.restart setting in the configuration file /etc/centrifyda/centrifyda.conf.

Set seal over a secure GSSAPI connection collector

Use this group policy to specify whether the auditing service seals network communications with the collector using a secure GSSAPI connection.

If this group policy is enabled or not configured, the network connection is sealed and cannot be read. If this group policy is disabled, the connection is not sealed and is human-readable.

To use this group policy:

  1. Double click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab, select Enabled.
  3. Click OK to save settings in this policy.

This group policy modifies the dad.gssapi.seal setting in the configuration file /etc/centrifyda/centrifyda.conf.

Set sign over a secure GSSAPI connection with collector

Use this group policy to specify whether the auditing service signs network communications with the collector over a secure GSSAPI connection.

If this group policy is enabled or not configured, the network connection is signed. If this group policy is disabled, the network connection is not signed.

To use this group policy:

  1. Double click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab, select Enabled.
  3. Click OK to save settings in this policy.

This group policy modifies the dad.gssapi.sign setting in the configuration file /etc/centrifyda/centrifyda.conf.
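
The following baseline check is an added example, not Centrify code. It reads the text of /etc/centrifyda/centrifyda.conf and reports the settings described above whose effective value weakens auditing: sealing or signing turned off, core dumps allowed, ignored users never audited, or a resource limit set to 0. Assumptions: the file uses "name: value" lines with "#" comments, boolean parameters are written true or false, and the last occurrence of a parameter wins.

```python
import re

# Effective values when a parameter is absent, from the defaults stated on this page.
# Assumption: boolean parameters are spelled "true"/"false" in the file.
DEFAULTS = {
    "dad.dumpcore": "false", "user.ignore.audit.level": "0",
    "dad.gssapi.seal": "true", "dad.gssapi.sign": "true",
    "dad.resource.timer": "600", "dad.resource.cpulimit": "50",
    "dad.resource.fdlimit": "1024", "dad.resource.memlimit": "104857600",
}

# (parameter, value that triggers a finding, reason as described on this page)
CHECKS = [
    ("dad.gssapi.seal", "false", "collector connection is not sealed and is readable"),
    ("dad.gssapi.sign", "false", "collector connection is not signed"),
    ("dad.dumpcore", "true", "dad is allowed to dump core"),
    ("user.ignore.audit.level", "1", "users on the ignored user list are not audited"),
    ("dad.resource.timer", "0", "resource monitoring is disabled"),
    ("dad.resource.cpulimit", "0", "dad CPU usage is unlimited"),
    ("dad.resource.fdlimit", "0", "dad file descriptors are unlimited"),
    ("dad.resource.memlimit", "0", "dad memory allocation is unlimited"),
]

# Assumption: settings are written as "name: value", one per line.
LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*:\s*(.*?)\s*$")

def parse_conf(text):
    """Return {parameter: value}; a later line overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        m = LINE.match(raw)  # blank lines and "#" comments do not match
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def audit(text):
    """Return [(parameter, effective value, reason)] for each weakened setting."""
    effective = {**DEFAULTS, **parse_conf(text)}
    return [(name, effective[name], why) for name, bad, why in CHECKS
            if effective[name].strip().lower() == bad]

# Constructed sample content, not taken from a real host.
SAMPLE = ("# constructed sample\ndad.gssapi.seal: false\ndad.dumpcore: true\n"
          "dad.resource.memlimit: 0\ncache.time.to.live: 900\n")

if __name__ == "__main__":
    for name, value, why in audit(SAMPLE):
        print(f"{name} = {value}: {why}")
```

On an audited computer, pass the contents of /etc/centrifyda/centrifyda.conf to audit() instead of SAMPLE. An empty result means the checked parameters are at their defaults or stricter.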

Set soft limit of open files

Use this group policy to specify the number of file descriptors that can be used for audited sessions.

For some UNIX platforms, such as Solaris, the default number of available file descriptors for each process is insufficient for auditing sessions, because the Centrify agent requires two descriptors per session.

Use this policy to increase the number of file descriptors available.

This policy modifies the dad.process.fdlimit parameter in the agent configuration file.

Set update agent status timeout

Use this group policy to specify how often (in seconds) the agent status in the audit store database is updated.

If this group policy is disabled or not configured, a default value of 300 seconds is used.

To use this group policy:

  1. Double click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab, select Enabled.
  3. Specify the number of seconds between agent status updates.
  4. Click OK to save settings in this policy.

This group policy modifies the dad.timer.update.agent.status setting in the configuration file /etc/centrifyda/centrifyda.conf.

Set verification of spool disk space timeout

Use this group policy to specify the number of seconds between checks of disk space when the disk space reserved for offline storage is less than the percentage specified in the Set minimum percentage of disk space group policy. At each check, a warning message is written to the log file.

If this group policy is enabled, disk space is checked at the interval that you specify. If this group policy is disabled or not configured, a default value of 360 seconds is used.

To use this group policy:

  1. Double click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab, select Enabled.
  3. Specify the number of seconds between disk space checks.
  4. Click OK to save settings in this policy.

This group policy modifies the dad.timer.diskspace setting in the configuration file /etc/centrifyda/centrifyda.conf.