DirectAudit Shell Settings

Use the group policies under DirectAudit Shell Settings to configure shell operations for an audited shell.

Defining information pattern in custom format to obfuscate sensitive information

Use this group policy to specify information that is not displayed in auditing results. You specify the information to omit from display by defining a pattern in the group policy. Information that matches the pattern is not displayed in auditing results.

If this group policy is not configured or disabled, all information is displayed in auditing results. By default, this group policy is not configured.

If you enable this group policy, you must define one or more patterns that describe the information to hide, as follows.

  • Type the pattern that will not be displayed in auditing results. For example:
    nnnn-nnnn-nnnn-nnnn
  • Each single character in a pattern corresponds to one character in actual session data.

  • If you define more than one pattern, separate the patterns with spaces. For example:

    nnnn-nnnn A-nnnn

Supported characters in a pattern are as follows:

  a              Any lower case letter.
  A              Any upper case letter.
  d              Any character.
  D              Any letter.
  n              Any decimal digit character.
  s              Any symbol, such as the following:
                 ~ ` ! @ # (space) $ % ^ & * ( - _ =
                 + [ { ] } | \ : ; ' < , > . ? /
  - _ ( ) , .    Separator characters; each one matches itself exactly in session data.

This group policy modifies the dash.obfuscate.pattern setting in the centrifyda.conf configuration file.

Defining information pattern in regex format to obfuscate sensitive information

Use this group policy to specify information that is not displayed in auditing results. You specify the information to omit from display by defining a regular expression in the group policy. Information that matches the regular expression is not displayed in auditing results.

If this group policy is not configured or disabled, all information is displayed in auditing results. By default, this group policy is not configured.

If you enable this group policy, you must define one or more regular expressions that describe the information to hide, as follows.

  • Type a regular expression to define the information that will not be displayed in auditing results. For example:
    [A-Z][0-9]{6}\\([0-9A-Z]\\)
  • If you define more than one regular expression, separate the regular expressions with spaces. For example:

    [0-9]-[0-9] [a-z]-[0-9]

This group policy modifies the dash.obfuscate.regex setting in the centrifyda.conf configuration file.
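
The following is an added example, not Centrify code, that turns the two obfuscation settings above (dash.obfuscate.pattern in the custom format, and dash.obfuscate.regex as regular expressions) into compiled expressions and applies them to constructed session data, so you can test a pattern before pushing it out by group policy. It assumes that matched text is replaced with asterisks (the page only says it is not displayed), that session data can be processed one line at a time, and that the doubled backslash in the page's regex example (\\( ) is the configuration file's escape for a single regex backslash; none of those assumptions come from the page.

```python
"""Added example (not Centrify's code): turn DirectAudit obfuscation
settings into regular expressions and apply them to sample session data.

Assumptions, none of which come from the page:
  - session data is handled as plain Python str, one line at a time;
  - matched text is replaced with '*' (the page only says it is hidden);
  - a doubled backslash in dash.obfuscate.regex (the page's example
    uses \\( ) stands for one regex backslash.
"""
import re

# Custom-format characters from the page's table, mapped to regex classes.
# 's' is the symbol set listed on the page, which includes a space.
_SYMBOLS = "~`!@# $%^&*(-_=+[{]}|\\:;'<,>.?/"
_CLASS = {
    "a": "[a-z]",
    "A": "[A-Z]",
    "d": ".",
    "D": "[A-Za-z]",
    "n": "[0-9]",
    "s": "[" + re.escape(_SYMBOLS) + "]",
}
_SEPARATORS = set("-_(),.")


def custom_pattern_to_regex(pattern: str) -> str:
    """One custom-format pattern -> regex. Every pattern character consumes
    exactly one character of session data, as the page states."""
    parts = []
    for ch in pattern:
        if ch in _CLASS:
            parts.append(_CLASS[ch])
        elif ch in _SEPARATORS:
            parts.append(re.escape(ch))
        else:
            raise ValueError(f"unsupported pattern character: {ch!r}")
    return "".join(parts)


def compile_obfuscators(custom: str = "", regex: str = "") -> list:
    """Build the compiled expression list from the two settings' values.
    Both settings are space-separated lists of patterns."""
    compiled = []
    for token in custom.split():
        compiled.append(re.compile(custom_pattern_to_regex(token)))
    for token in regex.split():
        # assumption: '\\' in the setting is the conf-file escape for '\'
        compiled.append(re.compile(token.replace("\\\\", "\\")))
    return compiled


def obfuscate(line: str, custom: str = "", regex: str = "") -> str:
    """Replace every match of every pattern with asterisks of equal length,
    so the line keeps its layout but not its sensitive content."""
    for rx in compile_obfuscators(custom, regex):
        line = rx.sub(lambda m: "*" * len(m.group(0)), line)
    return line


if __name__ == "__main__":
    # constructed session lines, not real audit data
    print(obfuscate("card 4111-2222-3333-4444 ok", custom="nnnn-nnnn-nnnn-nnnn"))
    print(obfuscate("1234-5678 and X-9012", custom="nnnn-nnnn A-nnnn"))
    print(obfuscate("id A123456(B) done", regex=r"[A-Z][0-9]{6}\\([0-9A-Z]\\)"))
```

Because each custom-format character consumes exactly one character of session data, nnnn-nnnn-nnnn-nnnn hides a 19-character card number but not one written without separators; the regex form is the one to use when the width varies.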

Set always allowed unix user name list

Use this group policy to specify the UNIX users who are allowed to start a shell session even when the computer cannot be audited because of an environment setup problem.

If this group policy is disabled or not configured, root is the only user allowed to use an unaudited session. If you enable this group policy, you must specify a space-separated list of UNIX user names.

This group policy modifies the dash.user.alwaysallowed.list setting in the centrifyda.conf configuration file.

Set audit all invocations

Use this group policy to specify whether to audit all shell invocations.

If this group policy is Enabled, all login and non-login shells are audited.

If this group policy is Disabled or Not Configured:

  • Only login shells and login sub-shells are audited.
  • Shells invoked from an already running session (non-login shells) are not audited.

To use this group policy:

  1. Double click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab, select Enabled.
  3. Click OK to save settings in this policy.

This group policy modifies the dash.allinvoked setting in the configuration file /etc/centrifyda/centrifyda.conf.

Set audit commands

Use this group policy to specify commands to audit.

If this group policy is enabled, you can create a command list and specify whether each command in the list is audited. Commands in the command list that have an action of Enable are audited by the auditing agent. Commands in the command list that have an action of Disable are not audited by the auditing agent.

If this group policy is disabled or not configured, commands to be audited must be configured manually on each UNIX computer.

When you add a command to the list, you must specify the full path to the command. You cannot add a link, shell, or wrapper script to the command list.

To use this group policy:

  1. Double click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab, select Enabled.
  3. Click Add to add a command to the Audit Commands list.
  4. Specify the full UNIX path name of the command.
  5. In the Action field, select whether to enable or disable auditing for the command.
  6. Click OK in the Set audit commands dialog box.
  7. Click OK in the Set audit commands Properties dialog box to save settings in this policy.

Set audit STDIN data

Use this group policy to specify whether the auditing agent captures standard input (stdin).

If this group policy is enabled or not configured, the auditing service records all session input and output, including standard input (stdin).

If this group policy is disabled, the auditing service records the session output (what is written to the terminal) but does not capture what the user types on standard input.

To use this group policy:

  1. Double click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab, select Enabled.
  3. Click OK to save settings in this policy.

This group policy modifies the dash.auditstdin setting in the configuration file /etc/centrifyda/centrifyda.conf.

Set continue working without dad

Use this group policy to specify whether the audited shell (cdash) continues to run if the dad process is not running.

If this group policy is enabled or not configured, the audited shell continues to run when the dad process is not running. If this group policy is disabled, the audited shell stops running when the dad process stops running, and the user is prompted to restart the dad process.

To use this group policy:

  1. Double click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab, select Enabled.
  3. Click OK to save settings in this policy.

This group policy modifies the dash.cont.without.dad setting in the configuration file /etc/centrifyda/centrifyda.conf.

Set except auditing password strings

Use this group policy to specify strings that the auditing agent should ignore when capturing standard input data. For security, typed passwords are always ignored by default.

If this group policy is enabled, specify the strings to ignore as a regular expression without surrounding quotes. Leading and trailing spaces are trimmed; spaces inside the expression are kept. For example:

dash.auditstdin.except: (prompt1|prompt2)

will match strings like these:

This is prompt1:
Prompt2 asks for password:

If this group policy is disabled or not configured, only this mandatory pattern, which matches password and verification prompts that end in a colon, is applied:

(password[[:alnum:][:blank:][:punct:]]*:[[:space:]]*$)|(verify[[:alnum:][:blank:][:punct:]]*:[[:space:]]*$)

The default value of the setting is therefore empty, so that only the passwords that users type in response to such prompts are ignored.

To use this group policy:

  1. Double click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab, select Enabled.
  3. Type a regular expression that defines the string to ignore.
  4. Click OK to save settings in this policy.

This group policy modifies the dash.auditstdin.except setting in the configuration file /etc/centrifyda/centrifyda.conf. For more information about specifying exceptions, see the comments in the centrifyda.conf file.
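
The following is an added example, not Centrify code, that checks which prompt lines the mandatory pattern above, plus any configured exception, would treat as a password prompt, and therefore which typed input would not be recorded. It is worth running before changing the setting: the mandatory pattern requires the prompt to end in a colon and only covers the words password and verify, so an ssh key passphrase prompt, for instance, is still recorded unless you add an exception for it. The example assumes case-insensitive substring matching (the page's own example matches prompt2 against "Prompt2 asks for password:"), rewrites POSIX bracket classes into Python equivalents because Python's re module does not support them, and applies the mandatory pattern in addition to the configured one; the prompt lines are constructed.

```python
"""Added example (not Centrify's code): show which prompt lines the
dash.auditstdin.except setting would treat as a password prompt, so the
input typed after them is not recorded.

Assumptions, not stated on the page:
  - the page's example (prompt2 matching "Prompt2 asks for password:")
    implies case-insensitive substring matching, which re.search with
    re.IGNORECASE gives here;
  - POSIX bracket classes ([:alnum:] etc.) are rewritten into Python
    equivalents, because Python's re module does not support them;
  - the mandatory pattern is applied in addition to the configured value
    (the page says typed passwords are always ignored).
"""
import re
import string

# The mandatory pattern quoted on the page, verbatim.
MANDATORY = (r"(password[[:alnum:][:blank:][:punct:]]*:[[:space:]]*$)"
             r"|(verify[[:alnum:][:blank:][:punct:]]*:[[:space:]]*$)")

# POSIX class -> contents of a Python character class.
_POSIX = {
    "[:alnum:]": "a-zA-Z0-9",
    "[:alpha:]": "a-zA-Z",
    "[:digit:]": "0-9",
    "[:blank:]": " \t",
    "[:space:]": r"\s",
    "[:punct:]": re.escape(string.punctuation),
}


def posix_to_python(pattern: str) -> str:
    """Rewrite POSIX bracket classes so Python's re can compile the pattern."""
    for posix, py in _POSIX.items():
        pattern = pattern.replace(posix, py)
    return pattern


def compile_exceptions(configured: str = "") -> list:
    """Mandatory pattern plus the configured value; leading and trailing
    whitespace of the configured value is ignored, as the page states."""
    patterns = [MANDATORY]
    configured = configured.strip()
    if configured:
        patterns.append(configured)
    return [re.compile(posix_to_python(p), re.IGNORECASE) for p in patterns]


def is_password_prompt(line: str, configured: str = "") -> bool:
    """True if the line matches any exception pattern, i.e. the stdin typed
    in response to it would not be captured."""
    return any(rx.search(line) for rx in compile_exceptions(configured))


def classify(lines, configured: str = "") -> dict:
    """Map each prompt line to whether the input that follows is recorded."""
    return {line: not is_password_prompt(line, configured) for line in lines}


if __name__ == "__main__":
    # constructed prompt lines, not captured session data
    prompts = [
        "Password: ",
        "Enter new password:",
        "Verify password:",
        "password is required for this operation",
        "Enter passphrase for key '/home/u/.ssh/id_ed25519':",
        "$ ls -la",
    ]
    for line, recorded in classify(prompts).items():
        print(f"{'recorded' if recorded else 'ignored ':8}  {line!r}")
    # the same lines with an exception for passphrase prompts
    print(classify(prompts, configured="passphrase"))
```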

Set force audit list

Use this group policy to specify, by file name, one or more session binaries that are to be audited.

If this group policy is enabled, the binary files that you specify are audited. You can separate entries in the list of binary files by typing a space or a comma. You can escape spaces or commas in file names using the backslash character (\).

If the group policy is disabled or not configured, no binary files are audited.

To use this group policy:

  1. Double click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab, select Enabled.
  3. Type one or more binary file names in the list.
  4. Click OK to save settings in this policy.

This group policy modifies the dash.force.audit setting in the configuration file /etc/centrifyda/centrifyda.conf.

Set not audited ssh command list

Use this group policy to specify a space-separated list of commands executed through ssh that are not audited.

If the group policy is disabled or not configured, the commands scp, rsync, and sftp-server are not audited. If this group policy is enabled, the commands that you specify are not audited.

To use this group policy:

  1. Double click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab, select Enabled.
  3. Type one or more commands in the list, separated by spaces.
  4. Click OK to save settings in this policy.

This group policy modifies the dash.ssh.command.skiplist setting in the configuration file /etc/centrifyda/centrifyda.conf.

Set parent process skip list

Use this group policy to specify a list of parent processes that are not audited. If the name of a process’s parent is in this list, the audited shell (cdash) will drop out without auditing.

If this group policy is disabled or not configured, the following processes are not audited by default:

sapstartsrv
gdm-binary
gdm-session-wor
kdm
sdt_shell

If you enable this group policy, you must specify a space-separated list of process names.

This group policy modifies the dash.parent.skiplist setting in the centrifyda.conf configuration file.

Set reconnect to dad timeout

Use this group policy to specify the number of seconds to wait after restarting the dad process before cdash attempts to reconnect to the auditing service.

If this group policy is enabled, the timeout that you specify is used. If this group policy is disabled or not configured, a default value of 1 second is used.

To use this group policy:

  1. Double click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab, select Enabled.
  3. Specify the number of seconds to wait.
  4. Click OK to save settings in this policy.

This group policy modifies the dash.reconnect.dad.wait.time setting in the configuration file /etc/centrifyda/centrifyda.conf.

Set reconnect to dad times

Use this group policy to specify how many times cdash attempts to connect to the auditing service after the dad process has started.

If this group policy is enabled, the number of attempts that you specify is used. If this group policy is disabled or not configured, a default value of 3 attempts is used.

To use this group policy:

  1. Double click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab, select Enabled.
  3. Specify the number of attempts.
  4. Click OK to save settings in this policy.

This group policy modifies the dash.reconnect.dad.retry.count setting in the configuration file /etc/centrifyda/centrifyda.conf.

Set record login entry

Use this group policy to specify whether the auditing service should add utmp entries for the cdash pseudo terminals (pty). The setting of this group policy affects the results of whoami and who commands.

If this group policy is enabled, the auditing service adds utmp entries for cdash pty processes. Under this scenario, the whoami command in an audited shell works as expected, but the who command lists logged-in users twice.

If this group policy is disabled or not configured, the auditing service does not create additional utmp entries. Under this scenario, the whoami command in an audited shell cannot determine complete user information.

Workaround: on some operating systems, the who --lookup command works, but the who command lists users only once.

To use this group policy:

  1. Double click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab, select Enabled.
  3. Click OK to save settings in this policy.

This group policy modifies the dash.loginrecord setting in the configuration file /etc/centrifyda/centrifyda.conf.

Set SHELL to actual user shell

Use this group policy to specify whether cdash sets the SHELL environment variable to the user’s actual shell or to the audit shell.

If this group policy is enabled or not configured, the default value is true, and the SHELL environment variable is set to the user's actual shell. If you disable this group policy, the SHELL environment variable is set to the DirectAudit audit shell.

This group policy modifies the dash.shell.env.var.set setting in the centrifyda.conf configuration file.

Set skip auditing userlist

Use this group policy to specify the names of UNIX users and Active Directory users with a UNIX login who should not be audited. You can separate user names by typing a space or a comma. For example:

dash.user.skiplist: Mae kelly,dmorris,Booker

If this group policy is enabled, the users on the list are not audited. If this group policy is disabled or not configured, all users are audited.

To use this group policy:

  1. Double click the policy in the right pane of the Group Policy Management Editor.
  2. On the Policy tab, select Enabled.
  3. Create the list of users who are not to be audited.
  4. Click OK to save settings in this policy.

This group policy modifies the dash.user.skiplist setting in the configuration file /etc/centrifyda/centrifyda.conf.

Show actual user running an audited command

Use this group policy to specify whether command-based auditing records will display the actual user account that executed the audited command, rather than just the run-as user account. Enable this policy to show both the run-as user account and the actual user account in command-based auditing records.

By default, this policy is not enabled, and only the run-as account used to run the privileged command is shown in auditing records. To enable this policy, set the parameter to true.

This group policy modifies the dash.cmd.audit.show.actual.user setting in the agent configuration file.
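
The following is an added example, not a Centrify tool, that reads the shell settings described on this page from a centrifyda.conf excerpt and reports the values that reduce audit coverage: non-login shells left unaudited, stdin not captured, the shell continuing without dad, users exempted from auditing or allowed into unaudited sessions, and extra ssh commands skipped. It assumes the file uses one key: value pair per line, as in the page's own examples (dash.user.skiplist: ..., dash.auditstdin.except: ...), with # comments; the defaults are the ones quoted on the page for each setting; the list splitting follows the space-or-comma rule with backslash escapes described for dash.force.audit; and which values count as weakening coverage is this example's judgement rather than a product rule. The sample configuration is constructed.

```python
"""Added example (not a Centrify tool): read DirectAudit shell settings
from a centrifyda.conf excerpt and flag values that reduce audit coverage.

Assumptions the page does not state:
  - one 'key: value' pair per line, '#' comments, blank lines ignored;
  - defaults are the ones quoted on the page for each setting;
  - which values count as weakening coverage is this example's judgement.
"""

# Constructed sample, not a real /etc/centrifyda/centrifyda.conf.
SAMPLE_CONF = """
# audited shell settings (constructed example)
dash.allinvoked: false
dash.auditstdin: false
dash.cont.without.dad: true
dash.user.skiplist: Mae kelly,dmorris,Booker
dash.user.alwaysallowed.list: root svc\\ backup
dash.force.audit: /usr/bin/python3,/opt/app/bin/run\\ job
dash.ssh.command.skiplist: scp rsync sftp-server internal-sftp
"""

# Defaults quoted on the page for the settings this checker looks at.
DEFAULTS = {
    "dash.allinvoked": "false",
    "dash.auditstdin": "true",
    "dash.cont.without.dad": "true",
    "dash.user.skiplist": "",
    "dash.user.alwaysallowed.list": "root",
    "dash.force.audit": "",
    "dash.ssh.command.skiplist": "scp rsync sftp-server",
}


def parse_conf(text: str) -> dict:
    """Parse 'key: value' lines on top of the defaults; a later duplicate
    key overrides an earlier one."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip()
    return settings


def split_list(value: str) -> list:
    """Split a space- or comma-separated list, honouring backslash escapes
    of space and comma as the page describes for dash.force.audit."""
    items, cur, i = [], [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value) and value[i + 1] in " ,":
            cur.append(value[i + 1])   # escaped separator is part of the name
            i += 2
            continue
        if ch in " ,":
            if cur:
                items.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        items.append("".join(cur))
    return items


def is_true(value: str) -> bool:
    return value.strip().lower() == "true"


def audit_findings(settings: dict) -> list:
    """Return human-readable findings for settings that reduce coverage."""
    findings = []
    if not is_true(settings["dash.allinvoked"]):
        findings.append("dash.allinvoked=false: only login shells are audited")
    if not is_true(settings["dash.auditstdin"]):
        findings.append("dash.auditstdin=false: typed input is not recorded")
    if is_true(settings["dash.cont.without.dad"]):
        findings.append("dash.cont.without.dad=true: shell keeps running while dad is down")
    skipped = split_list(settings["dash.user.skiplist"])
    if skipped:
        findings.append(f"dash.user.skiplist exempts {len(skipped)} users: {skipped}")
    extra = [u for u in split_list(settings["dash.user.alwaysallowed.list"]) if u != "root"]
    if extra:
        findings.append(f"dash.user.alwaysallowed.list adds non-root users: {extra}")
    default_skip = set(DEFAULTS["dash.ssh.command.skiplist"].split())
    added = [c for c in split_list(settings["dash.ssh.command.skiplist"]) if c not in default_skip]
    if added:
        findings.append(f"dash.ssh.command.skiplist adds unaudited ssh commands: {added}")
    return findings


if __name__ == "__main__":
    for finding in audit_findings(parse_conf(SAMPLE_CONF)):
        print(finding)
```

Note what the list splitting does with the page's own skiplist example: because space and comma are both separators, "Mae kelly,dmorris,Booker" yields four user names, not three; a name containing a space must be written with a backslash before the space.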