Centrify Infrastructure Services 2017.2 Auditing & Monitoring Services 3.4.2 Release Notes

© 2007-2017 Centrify Corporation.

This software is protected by international copyright laws.

All Rights Reserved.

Contents

1.   About Centrify Auditing & Monitoring Service 3

2.   Feature Changes 5

2.1    Feature Changes in Centrify Auditing & Monitoring Service 3.4.2 (version 2017.2) 5

2.2.1       General 5

2.2.2       Collector 5

2.2.3       Audit Analyzer and Session Player 5

2.2.4       Centrify UNIX Agent for Audit 5

2.2.5       Database 5

2.2.6       FindSessions Tool 6

2.2.7       Windows Agent 6

2.2.8       Centrify Audit Module for PowerShell 6

2.2.9       Supported Platforms 6

2.2    Feature Changes in DirectAudit 3.4.1 (Suite 2017.1) 6

2.2.1       General 6

2.2.2       Collector 7

2.2.3       Audit Analyzer and Session Player 7

2.2.4       Centrify UNIX Agent for Audit 7

2.2.5       Database 7

2.2.6       FindSessions Tool 7

2.2.7       Windows Agent 7

2.2.8       Centrify Audit Module for PowerShell 7

2.2.9       Supported Platforms 7

3.   Bugs Fixed 8

3.1    Bug Fixed in DirectAudit 3.4.2 (Suite 2017.2) 8

3.2.1       General 8

3.2.2       Windows Install / Upgrade / Uninstall 8

3.2.3       Collector 8

3.2.4       Audit Analyzer and Session Player 8

3.2.5       Audit Manager 8

3.2.6       Centrify UNIX Agent for Audit 8

3.2.7       Database 8

3.2.8        FindSessions Tool 8

3.2.9       Centrify Audit Module for PowerShell 8

3.2    Bug Fixed in DirectAudit 3.4.1 (Suite 2017.1) 9

3.2.1       General 9

3.2.2       Windows Install / Upgrade / Uninstall 9

3.2.3       Collector 9

3.2.4       Audit Analyzer and Session Player 9

3.2.5       Audit Manager 9

3.2.6       Centrify UNIX Agent for Audit 9

3.2.7       Database 10

3.2.8        FindSessions Tool 10

3.2.9       Centrify Audit Module for PowerShell 10

4.   Known Issues 10

4.1    General 10

4.2    Windows Install / Upgrade / Uninstall 10

4.3    Collector 11

4.4    Audit Analyzer and Session Player 11

4.5    Audit Manager 12

4.6    Centrify UNIX Agent for Audit 13

4.6.1 General 13

4.6.2 RedHat Linux 15

4.6.3 Debian Linux 16

4.6.4 Solaris 17

4.6.5  AIX 18

4.6.6 Ubuntu 19

4.7  Database 20

4.8  Audit Management Server 21

4.9  FindSession Tools 21

4.10  Centrify  Agent for Windows 21

4.11      Centrify Audit Module for PowerShell 22

5      Additional Information and Support 22

 

 

1.   About Centrify Auditing & Monitoring Service

Starting with release 2017.2, Centrify Server Suite is renamed and is now a part of Centrify Infrastructure Services. It offers the following services:

    Centrify Identity Broker Service

    Centrify Privilege Elevation Service

    Centrify Auditing & Monitoring Service

The DirectControl Agent provides services for the Identity Broker Service and Privilege Elevation Service contained in the CentrifyDC packages. The DirectAudit Agent provides services for Auditing & Montoring Service contained in the CentrifyDA packages.

The Centrify Auditing & Monitoring Service is a key component of Centrify Infrastructure Services. it enables detailed auditing of user activity on a wide range of UNIX, Linux, and Windows computers. With this service, you can perform immediate, in-depth troubleshooting by replaying user activity that may have contributed to system failures, spot suspicious activity by monitoring current user sessions, improve regulatory compliance, and ensure accountability by capturing and storing detailed information about the applications used and the commands executed. If you enable auditing, the Centrify Windows Agent records user activity on the Windows computer when it is installed. Centrify Auditing & Monitoring Service supports auditing of over 400 different UNIX, Linux, and Windows operating systems. For a cumulative list of the platforms supported, see the document in www.centrify.com/platforms.

In Unix and Linux agents, Centrify DirectControl Agent is a pre-requisite for the Auditing & Monitoring service. The minimum DirectControl version required by this version of the service is 5.4.0 (Suite 2017).

Starting in Suite 2016, only ADMX format for group policies will be installed and ADM format will no longer be provided. (Ref: CS-6821)

Starting in Suite 2016, Centrify will no longer be adding new features to the Centrify DirectManage Audit SDK component. Centrify recommends all existing users of this component to start using Centrify Audit Module for PowerShell component, which is the intended replacement of the SDK. (Ref: CS-6713)

From Suite 2017.1 onward, DirectAudit no longer supports Version 1 Audit Store databases. You will no longer be able to attach Version 1 databases to an existing DirectAudit installation. To view data from version 1.x databases, please install a DirectAudit Auditor Console 1.x and attach the database. (Ref: CS-41219)

This release note updates information available in the DirectAudit Administrator's Guide and describes known issues. You can obtain information about previous releases from the Centrify Support Portal, in the Documentation & Application Notes page.

Centrify software is protected by U.S. Patent No. 7,591,005, 8,024,360, 8,321,523, 9,015,103 B2, 9,112,846, 9,197,670 and 9,378,391. (Ref: CS-40117)

 

2.   Feature Changes

2.1    Feature Changes in Centrify Auditing & Monitoring Service 3.4.2 (version 2017.2)

2.2.1       General

 

·         From this release onward, the Audit Manager console no longer allows adding or removing license keys using the Licenses dialog. Please use Centrify Licensing Service Control Panel for managing all DirectAudit licenses. (Ref: CS-40968) 

·         The Centrify Module for PowerShell now supports two optional arguments/parameters for database rotation that allow specifying:

o    a. Whether the target SQL Server is an Amazon RDS instance or not (default - false) 

o    b. Whether to enable "Data Integrity Checking" feature on the new Audit Store database or not (default - false) (Ref: CS-42633)

·         The DirectAudit package for Solaris Sparc platforms is now 64-bit and only Sparc 64-bit platforms are supported. The package still provides 32-bit libraries to work with 32-bit programs. (Ref: CS-43307)

2.2.2       Collector

N/A

2.2.3       Audit Analyzer and Session Player

·         Previously in Audit Analyzer, when a user ran an audited command by su/sudo/dzdo, only the current run-as user (the effective user after su/sudo/dzdo) would be displayed by default. Now, the original user can be optionally displayed by this setting: dash.cmd.audit.show.actual.user: true in the Unix agent. (Ref: CS-43186, CS-39833)

2.2.4       Centrify UNIX Agent for Audit

·         In CentOS, the DirectAudit Agent will now display a warning on the command line if audit.rules is configured with "-e 2". Note: Advanced monitoring feature is only effective after system reboot due to audit.rules system configuration file being set with '-e 2'. (Ref: CS-43296)

2.2.5       Database

·         The Auditing & Monitoring Service now supports deploying Audit Store Database on Amazon RDS SQL server in AWS Microsoft AD. To deploy Audit Store Database on Amazon RDS SQL server, users do not require system administrator privileges but require some server level permissions. For details, please refer to the DirectAudit Administrator's Guide. (Ref: CS-42633, CS-42635, CS-42636, CS-42637, CS-42638)

·         Added audit database tampering detection support.  Provide mechanism for auditors to verify that audited session data cannot be modified by a privilege user who has write permission to databases. (Ref: CS-42747)

2.2.6       FindSessions Tool

N/A

2.2.7       Windows Agent

N/A

2.2.8       Centrify Audit Module for PowerShell

N/A

2.2.9       Supported Platforms

For the list of the supported platforms by this release, refer to the “Supported Platforms” section in the Centrify Infrastructure Services release notes.

For the platforms to be removed support in coming releases, refer to the “Notice of Termination Support” section in the suite release notes.

For a complete list of supported platforms in all DirectAudit releases, refer to the document available from www.centrify.com/platforms.

2.2    Feature Changes in DirectAudit 3.4.1 (Suite 2017.1)

2.2.1       General

·         Enhanced file monitoring functionality by adding /var/centrify to the default advanced monitoring directory list and file monitoring events will not be generated when configuration files are modified by Centrify Agent for Linux daemon. (Ref: CS-42618)

·         Added an "advanced_monitoring" query to dainfo using the -q option  which can return the following values: "enabled: online" (0), "enabled: offline" (1), "enabled: unknown" (2), "disabled" (3), "not supported" (4) and "unknown" (5). (Ref: CS-42610)

·         SElinux context “centrify_log_t” is added to the file centrifyda_client.log so that NSS applications can still write to this log in debug mode. (Ref: CS-40784)

·         In Windows Services, DirectAudit Agent service is now configured to depend on Centrify Agent Logger service. (Ref: CS-42715)

 

2.2.2       Collector

N/A

2.2.3       Audit Analyzer and Session Player

      N/A

2.2.4       Centrify UNIX Agent for Audit

·         The system limits for number of open files per process may be low (e.g., 1024) in some operating systems.  This will result in errors in DirectAudit daemon when there are a lot of concurrent audited sessions.   If you see this warning message in system log:  “The number of open files reached the limitation.  Need to increase the limitation, then restart dad to take effect”, please modify the configuration parameter dad.process.fdlimit to increase the number of file descriptors allowed (must be less than system hard limit).  Also, there is  a new GP entry: 'Set soft limit of open files' in "Computer Configuration" -> "Centrify DirectAudit Settings" -> "UNIX Agent Settings" -> "DirectAudit Daemon Settings" to configure this parameter. (Ref: CS-42554, CS-42522)

2.2.5       Database

N/A

2.2.6       FindSessions Tool

N/A

2.2.7       Windows Agent

N/A

2.2.8       Centrify Audit Module for PowerShell

N/A

2.2.9       Supported Platforms

For the list of the supported platforms by this release, refer to the “Supported Platforms” section in the suite release notes.

For the platforms to be removed support in coming releases, refer to the “Notice of Termination Support” section in the suite release notes.

For a complete list of supported platforms in all DirectAudit releases, refer to the “Centrify Server Suite, Enterprise Edition” section in the document available from www.centrify.com/platforms.

 

 

3.   Bugs Fixed

3.1    Bug Fixed in DirectAudit 3.4.2 (Suite 2017.2)

3.2.1       General

N/A

3.2.2       Windows Install / Upgrade / Uninstall

N/A

3.2.3       Collector

N/A

3.2.4       Audit Analyzer and Session Player

N/A

3.2.5       Audit Manager

N/A

3.2.6       Centrify UNIX Agent for Audit

·          Fixed an issue where an audited user invoking an audited command would result in two audited sessions, one for the original login session, another one for the new audited command. Now there is a single audited session. (Ref: CS-43063)

3.2.7       Database

·         Fixed an issue in the database layer that resulted in authorization failure when the required database permissions of an outgoing account were delegated indirectly via the Active Directory group. (Ref: CS-40101)

3.2.8        FindSessions Tool

N/A

3.2.9       Centrify Audit Module for PowerShell

      N/A

3.2    Bug Fixed in DirectAudit 3.4.1 (Suite 2017.1)

3.2.1       General

·         In Suite 2017, advanced monitoring feature was not supported in Fedora 24. This issue is now fixed. (Ref: CS-42575)

3.2.2       Windows Install / Upgrade / Uninstall

N/A

3.2.3       Collector

N/A

3.2.4       Audit Analyzer and Session Player

·         Fixed an issue in DirectManage Audit Analyzer console that could result in an incorrect or malformed exported file name when session's machine name was not stored in FQDN (Fully Qualified Domain Name) format in the database. (Ref: CS-42862)

·         Fixed the issue that the monitored command uncorrected showed in both "Monitored Execution Report" and "Detailed Execution Report" for users on the event.execution.monitor.user.skiplist when it should only show in "Monitored Execution Report". (Ref: CS-42585)

3.2.5       Audit Manager

N/A

3.2.6       Centrify UNIX Agent for Audit

·         Advanced Monitoring is now supported in Fedora 24 (CS-42575)

·         Fixed an issue where, if Advanced Monitoring was enabled and the parameter "event.execution.monitor" was set to true, the DirectAudit daemon might become non-responsive after running for an extended time. (Ref: CS-42881)

·         Fixed an issue in Suite 2017 that prevented a local user from logging in if the DirectAudit agent was stopped on a *nix system that was enabled for session auditing and had DirectControl installed but not joined to Active Directory. (Ref: CS-42724)

·         Removed the limitation of 500 concurrent audited sessions in the Unix agent. (Ref: CS-42555)

·         Fixed permission issues in selinux when /var/centrifyda was a soft link from /var/centrifydc/centrifyda. (Ref: CS-42545)

·         Fixed an issue on Solaris 11.3 where running su, dzdo su, or sudo su, Ctrl-C would inappropriately terminate the session. Add the following parameter "dash.new.process.group.for.interactive.shell: true" to centrifyda.conf, then run dareload to apply the change and allow Ctrl-C to behave as expected. (Ref:  CS-42349)

·         Fixed an issue where running an audited su command with a pipe, such as "su user -c cmd | grep string", the user's password would be displayed. (CS-42882)

·         In previous releases, if a user who was not audited ran the command “sudo –bi –u <audited_user> <long_command>” and logged out immediately, the long_command might not run to completion. This issue is now fixed for all platforms except AIX. (Ref: CS-43073)

3.2.7       Database

·         Fixed an issue in the DirectAudit database query engine that could cause the Session table to lock indefinitely and block collectors from inserting or updating data into the active Audit Store database. (Ref: CS-42678)

3.2.8        FindSessions Tool

·         Fixed an issue in the DirectManage Audit FindSessions Tool that resulted into no sessions being exported when any one of the Audit Store databases was offline. (Ref: CS-42671)

3.2.9       Centrify Audit Module for PowerShell

      N/A

4.   Known Issues

The following sections describe known issues, suggestions, and limitations associated with DirectAudit.

4.1    General

For the most up-to-date list of known issues, refer to the knowledge base articles in the Centrify Support Portal.

4.2    Windows Install / Upgrade / Uninstall

·         If a DirectManage Audit installation has been configured with multiple Audit Management Servers and some of the servers are running on an older version, the Audit Manager may not list these older servers because the new servers list supersedes the older ones. (Ref: CS-40818)

 ·       On a Windows 2008/2008 R2 Core system, if user elects the option to launch the configuration wizard at the end of "Centrify Agent for Windows" installation wizard, it will result into a run time error because of lack of support for Windows Presentation Foundation on these operating systems. To work around the issue, you can manually run the "Centrify.WinAgent.Config.exe" application from the installation folder to launch the old configuration wizard.

·         When upgrading DirectAudit in Windows, you should use the autorun program to perform the upgrade. The autorun program automatically upgrades other Centrify components such as Centrify Licensing Report. If you upgrade DirectAudit components individually using the Microsoft Installer (msi) and then attempt to use the autorun program to uninstall all components, autorun will only be able to uninstall the Centrify Licensing Report that were upgraded to the latest version. You can remove any remaining components manually using the Add/Remove Programs and Features Control Panel. (Ref: 46293a)

·         If you run setup.exe with all DirectAudit components selected for installation on a single computer, the operation is known as the “Easy Install.” Although this is the default for new installations, using the “Easy Install” option requires you to have local administrator privileges.

·         If you uninstall the collector component on a computer that is not joined to the domain, you will see the following messages during an uninstall operation:

The specified domain either does not exist or could not be contacted.

(Exception from HRESULT: 0x8007054B)

Despite the alert message, the collector is successfully uninstalled when you click OK.

4.3    Collector

·         In the Collector Configuration wizard, if the account credentials you give for the SQL Server do not match an existing account on the SQL Server, and you have the rights to create SQL Server accounts, the credentials you give will be used to automatically create a new SQL Server account.

4.4    Audit Analyzer and Session Player

·         When detaching and re-attaching an Audit Store database from an Audit Store, Centrify recommends refreshing the query results for all open queries in Audit Analyzer console prior to replaying a session from that database. Failure to do so may result into a database error. (Ref: CS-42125)

·         If the active audit store database spans two SQL databases, the Audit Analyzer will show UNIX sessions as "Disconnected" until some data is received from those sessions. Once data has been received, the session state will change to "In Progress.”

·         If an audited Windows session is using multiple monitors in extended mode in DirectAudit 3.2.2 or earlier, it cannot be exported as WMV files. In DirectAudit 3.2.3 or later, it will be trimmed to 2048x2048 pixels before it is saved and can be exported as in WMV file in 2048x2048 resolution. (Ref: 27003a, 75163, CS-6450, CS-3265).

·         When Windows agent machine’s system color depth is changed during an audited session, the playback of the session may not be displayed properly.  (Ref: 36818c)

·         Entering specific keywords in the “Application” Event list column will not filter based on the keywords as expected. For example, entering the search term "c" will locate the string "Windows Explorer". This is because application characteristics are stored in the database as a set of related attributes as follows: "Explorer.EXE | Microsoft® Windows® Operating System | Windows Explorer | Microsoft Corporation | 6.1.7600.16385" A match with any of the Windows Explorer attributes will yield “Windows Explorer".  This issue will be addressed in an upcoming release. (Ref: 39645b)

·         In Audit Analyzer, you can specify double-quote enclosed strings in the query that searches for “Unix Commands and Outputs” attribute.  However, if a double-quote character is inside the double-quote enclosed string, the query result is undefined.  (Ref: CS-39348)

·         If a DirectAudit Installation is configured to not capture video data, parameters of the UNIX command are also not captured.  Therefore, the query using "Parameters of Commands and Applications” as the criteria does not work under this configuration. This is a known issue and will be addressed in future release. (Ref: 55741b)

·         If you open Audit Analyzer and right click on any child node of predefined queries such as "All, Grouped by User", "All, Grouped by Machine" or "All, Grouped by Audit Store" in the left pane, the context menu is displayed and it shows a menu item named "Properties". This context menu item, when clicked, does not open any dialog box because it is not a valid action for the selected child node. This menu item will be removed in the future release. (Ref: 48681b)

·         By default, Audit Analyzer uses MSS2 codec to export audited sessions to a WMV (Windows Media Video) file. The MSS2 codec has a known issue which results in fuzzy video when an audited Windows session is exported as WMV file and opened in Windows Movie Maker 2012. From DirectAudit 3.2.0 onward, you can specify your own codec to export an audited session to a WMV file. Please refer to KB-4029 for additional information. (Ref: 56021a)

4.5    Audit Manager

·         User and group criteria should not be combined in an Audit Role or it may result into inconsistent results, the workaround is for users to use two different audit roles (one for groups, another for users) if they want to mix users and groups in audit role assignment. (Ref: CS-38968)

·         When creating an AuditRole with "ClientName" Audit Manager's Role Properties / Criteria will display an empty value rather than "ClientName = <IP address>" (Ref: CS-41803)

·         If you assign DirectAudit permissions to a Domain Local group, which is not in the current domain in the Audit Manager Installation Property Security tab, and a user belonging to that group runs Audit Analyzer and tries to connect to the DirectAudit Installation, Audit Analyzer will display the warning “You do not have permission to connect to the SQL server.”   A workaround is to grant permission to a Global or Universal group instead. (Ref: 25546c)

4.6    Centrify UNIX Agent for Audit

4.6.1 General

·         Centrify recommends customers use the session auditing capability of DirectAudit to ensure the complete login session is audited vs. auditing individual commands.  When the administrator configures Direct Audit to audit a specific command, Direct Audit moves the original command executable to a different location and replaces it by a symbolic link to the Direct Audit shell.  It is possible for a user to find out the new location of the executable and runs that command directly to bypass auditing.  Whereas the likelihood of this happening is very minute, Centrify recommends session auditing be turned on to avoid the chance of this happening.

·         Turning dadebug off when disk is full will result in an empty Centrifyda.conf file. (Ref: CS-41308)

·         If a user is logged in to AIX and HP-UX via a GUI, for example Xmanager, a terminal opened in the GUI will not be audited. To workaround this issue, set the centrifyda.conf parameter 'dash.allinvoked' to true. (Ref: 66330, CS-5876)

·         Obfuscation of session data has the following limitation: If the information is sent to stdout not as a whole, but piece by piece, the information will not be obfuscated. Example: A user wants to obfuscate a pattern "1234-5678". However, "1234-" is shown first and "5678" is shown 1 second later, this pattern will not be obfuscated.  Since the stdout buffer in the audit shell is 4KB, the obfuscation string is at most 4KB long. Note: this applies to stdout only. (80462a)

·         Auditing init during startup on UNIX is not possible.  The init command used during the boot process should not be audited using per-command auditing. If you attempt to audit init, your operating system will not reboot properly.

·         You cannot start a GUI session if you are logged in via an interactive session.  Running startx or starting a GUI session from an interactive session results in the following message:

X: user not authorized to run the X server, aborting.

Workaround:

-          Run "sudo dpkg-reconfigure x11-common"

-          When you are prompted for users allowed to start the X server, choose "anybody" (the default is "console users only").

The GUI session or X server should start normally. (Ref: 25036a)

·         To audit the GUI terminal emulators, GUI login managers have to be fully reinitialized after auditing is enabled. On Linux, "init 3 && init 5" will start the reinitialization. (Stopping the X server only, or pressing ctrl+alt+backspace in Gnome, will not start the reinitialization.)

·         When a local user and an Active Directory user use the same UNIX user name, the user name will default to the name of the Active Directory user. If the local user name is intended, setting the pam.allow.override parameter in /etc/centrifydc/centrifydc.conf will help. After this setting, the user name implies the Active Directory user; and <username>@localhost will implies the local user.

DirectAudit 3.0 or later understands the "@localhost" syntax. DirectControl UNIX Agent will respond to <username>@localhost if the user name is set in pam.allow.override.

If you upgrade from DirectAudit 2.0., disable DirectAudit so that the new DirectAudit mechanism for hooking shells can be installed: Run 'dacontrol –d -a' to disable auditing, then restart the upgrade.

DirectAudit maintains a cache of user information for performance reasons.  This cache interferes with Unix commands that manipulate the local user database (passwd file).  These commands include useradd, userdel and usermod. From DirectAudit 3.2.0 onwards, DirectAudit will not access its local cache to fully support the following commands: useradd, userdel, adduser, usermod, mkuser, rmuser, chuser

Please contact support if your operating system platform has other programs that directly access the local passwd file.  (Ref: 56259a)

·         If session auditing is enabled, all local user logins are processed by DirectAudit to determine whether the session should be audited.  This may block login if domain controllers are not responsive and/or DirectControl agent is not running.  Two new parameters are introduced in /etc/centrifyda/centrifyda.conf:

- user.ignore: specifies a list of local users that DirectAudit does not use Active Directory to determine audit level.  By default, the list is /etc/centrifydc/user.ignore (the same one that DirectControl uses), which includes some important accounts like root, bin, daemon, etc.

- user.ignore.audit.level - specifies the audit level for the local users specified in the user.ignore list.  The supported values are 0 (audit if possible) and 1 (audit not requested/required).  Default is 0 (audit if possible).  Note that "audit required" is not a reasonable choice, as this user needs to login all the time; and "audit required" may block login if DirectAudit does not function correctly. (Ref: 55599a, 57946a, 56935a, 58251a)

·         The /usr/share/centrifydc/bin/centrifyda script should be used to start/stop DirectAudit service in all *nix platforms. However, systemd is not fully supported in /usr/share/centrifydc/bin/centrifyda. For platforms that use systemd by default (such as SUSE Linux Enterprise 12/SUSE Linux Desktop 12), users need to set the environment variable SYSTEMD_NO_WRAP to 1 before calling the /usr/share/centrifydc/bin/centrifyda. Operations such as killing a daemon, running dad (DirectAudit daemon) directly, or running dastop command, could lead to issues in daemon managers in some *nix platforms. For example, SMF of Solaris, SRC of AIX and systemd of Fedora 20, may record incorrect running status of the daemon; and may fail to start daemon. (Ref: 57653a, 71211a)

·         Disable auditing before upgrade

If you upgrade from DirectAudit 2.0, please run "dacontrol -d -a" to disable DirectAudit before upgrade.  Both the installer shell script, install-da.sh, and the native package manager will detect if auditing is enabled and abort if so.

If you are using the native package manager to upgrade and youattempt to upgrade while auditing is enabled, you may find that,after the package manager aborts, the DirectAudit installation isshown as broken. This may be ignored. Simply disable auditing,upgrade and then re-enable auditing and the package will beshown as committed.

 

 

4.6.2 RedHat Linux

·         Due to a limitation of some implementations of audispd (audit dispatcher daemon provided by the operating system), DirectAudit advanced monitoring feature may not work if “dacontrol –n/-m” was run multiple times and over the limit specified in the parameter max_restarts in /etc/audisp/audispd.conf (default 10).  If you enable the DirectAudit Advanced monitoring feature and it does not generate the audit trail events as expected, you can run dainfo to check on the status of advanced monitoring feature.   If the program /usr/share/centrifydc/bin/dadispatcher is not running, dainfo will show “DirectAudit advanced monitoring status” as “not running”.  In this case, you need to restart the system audit daemon using the command “service auditd restart”.  This will re-activate the advanced monitoring feature. (Ref: CS-41267)

·         Some versions of AIX sshd do not function reliably with Centrify products. When possible, Centrify recommends using sshd included in Centrify openSSH on AIX platforms. (Ref: CS-7098)

·         The characters (‘%’, ‘#’, ‘>’ and ‘$’) are used by DirectAudit to recognize UNIX commands.   They should not be used in role names and as part of trouble-tickets; otherwise they will be recognized as part of a UNIX command. (Ref: 51687a)

·         DirectAudit advanced monitoring features may not work with early versions of RedHat 5 due to different system configurations. The earliest version that Centrify tested is RedHat 5.6. Please contact Centrify Support if you need support in versions earlier than RedHat 5.6. (Ref: CS-43042)

·         The advanced monitoring feature in RedHat 5 version only supports selinux mode set to 'disabled' or 'permissive', 'enforcing' is not supported due to incompatible selinux policies. Moreover, advanced monitoring feature may not work with earlier versions of RedHat 5 releases due to different system configurations. Please contact Centrify support if you need support in versions earlier than RedHat 5.6. (Ref: CS-43024)

4.6.3 Debian Linux

·         To install the Centrify DirectAudit package on a computer with the Debian operating environment, you must use the dpkg --install or dpkg -i option. You cannot use the dpkg --update or dpkg -u options to install or update the Centrify DirectAudit package. If you need to update the Centrify DirectAudit package, you need to first delete the old package using the dpkg --purge or dpkg -P option then install the new package with the dpkg --install or dpkg -i option.

Note: Do not use the dpkg --remove or dpkg -r command to remove Centrify DirectAudit. Using the --remove option prevents the Centrify DirectAudit configuration file, /etc/centrifyda/centrifyda.conf, from being created properly when you reinstall the package.

 

4.6.4 Solaris

·         Centrify recommends that you install the appropriate recommended patch bundles for the version of Sun Solaris you are using before installing Centrify DirectAudit.

The patch installation will skip any individual patches that don't apply to your system, and you can use Sun's patch management system to ensure your computers get the latest security fixes.

To help you identify any required patches for your environment, Centrify supplies the pca patch checker in all Solaris Centrify Suite packages. Install.sh will prompt you to check the patch level of your environment during installation.

To check for Sun recommended patches with the pca patch checker you should have the wget package installed. This package may be obtained from:

    http://ftp.wayne.edu/sun_freeware/

And source code may be obtained from:

    http://www.gnu.org/software/wget/

For more information about downloading and installing patches, see the Sun Web site.

The minimum patches required for Centrify DirectAudit are provided below for reference purposes. In some cases these patches may be obsoleted or incorporated into other patches, so the patch numbers on your Solaris machines may be different. The authoritative source on patch compatibility is Sun; their Web site will allow you to follow patch histories to ensure any later patches you are using are compatible with the ones required by DirectAudit.

For Solaris 10: 119254-65 120011-14 127127-11 138263-03

 

·         Please contact technical support if you are using sparse zone(s) and like to do one of the following:

·         Change session auditing status from disabled to enabled during upgrade.

·         Enable session auditing in a global zone and want to disable session auditing in sparse zone(s) when using the same global zone.  (Ref: 76572, 80616b)

 

·         The following commands, located in /usr/bin, might be implemented as ksh programs or scripts:

    alias   bg      cd

    command fc      fg

    getopts hash    jobs

    kill    read    test

    type    ulimit  umask  

    unalias wait

To identify commands implemented as ksh scripts, run the following script:

    #!/bin/ksh -p

    cmd=`basename $0`

    $cmd "$@"

The commands that are implemented internally by ksh should not be audited.

 

·         On a system using SMF (Service Management Facility), such as Solaris 10, the DirectAudit daemon might not start up after an upgrade from DirectAudit 1.x. This does not affect a fresh installation. To bring the daemon up, run these commands:

o    svcadm disable centrifyda

o    svcadm enable centrifyda

o    Run 'svcs' and find 'centrifyda' to confirm the daemon is online.

 

4.6.5  AIX

·         Local AIX users cannot be audited when they log in via built-in ssh, due to a change in AIX 7.0 ML1. Customers are advised to install Centrify OpenSSH if auditing of ssh login by local users is required (Ref: 33299a).

·         Change in AIX root user behavior: By default, all releases starting with Suite 2014 (DirectAudit 3.2.0) DO NOT modify the root stanza in AIX for new installations.  One side effect is that root user login WILL NOT be audited.  If your environment requires session auditing of root user login, you need to do the followings:

a.  Set up a DirectAuthorize role that has the audit level of "audit required" or "audit if possible"; and assign this role to root.

b.  Set the parameter adclient.autoedit.user.root to TRUE in /etc/centrifydc/centrifydc.conf.

c.  If DirectAudit session auditing is not enabled, enable DirectAudit session auditing using the command "dacontrol -e".

d.  Restart adclient (Ref: 56239a, 56604a)

·         For AIX customers who upgrade from prior versions of Centrify Server Suite 2014 (DirectAudit 3.2.0), there is NO change in behavior.   The parameter adclient.autoedit.user.root is set to true in /etc/centrifydc/centrifydc.conf.  The root user will still be audited. (Ref: 56235)HPUX

You can install this package by copying it to a HP-UX computer and running install.sh, the Centrify Suite installer, or by running the following commands, where <release> is the version of the Centrify DirectAudit package you are installing:

gzip -d centrifyda-<release>-hp11.31-ia64.depot.gz

swinstall -s /path/centrifyda-<release>-hp11.31-ia64.depot \

-x allow_incompatible=true

·         You must specify the full path to the Centrify DirectAudit depot file and set the allow_incompatible option to true to install successfully.

·         The installation script checks your environment for the minimum patch levels required. If you have more recent patches installed, however, you may see an error message. To install, re-run the installation command with the following additional command line option:

-x enforce_scripts=false

 

4.6.6 Ubuntu 

The Graphical Interface may fail to display on Ubuntu when not joined to a domain. The workaround is:

1. On systems that use the Upstart boot mechanism, install DC and DA, restart the machine and while not joined to Domain, the machine will start normally and successfully enter the graphical interface.

2. On systems that use the Upstart boot mechanism, install DC and DA, then uninstall DC and DA and restart the machine, the machine will start normally and successfully enter the graphical interface. (Ref: CS-42964)

 

4.7  Database

·         When adding an Audit Store database to a SQL Server Availability Group with the multi subnet failover feature, the SQL Server that hosts the management database must be SQL Server 2012 or above. In addition, when upgrading an existing DirectAudit installation to use the SQL Server Availability Group feature, Centrify recommends upgrading Collectors, Audit Management Server service, Audit Manager consoles and Audit Analyzer consoles to the latest version to benefit from this feature. (Ref: CS-39872)

·         In previous versions of DirectAudit, it was possible to specify the location of the database file. In DirectAudit 2.0.0 and later this capability is not provided in the Audit Store Database Wizard. However, you can still specify the full text file location, database file location, or transaction log file location by choosing "View SQL Scripts" and modifying the relevant database location manually in the script.

·         If the default memory setting for SQL Server is more than the actual memory in the system a memory error may occur. For more information see:

http://social.msdn.microsoft.com/Forums/en-US/sqldatabaseengine/thread/74a94f06-adf5-4059-bb92-57a99def37bd/

SQL Server 2008 R2 full text search categorizes certain words as stop words by default and ignores them for searches. Some stop words are common UNIX commands such as like, which, do, and while.  For more details about stop words and how to configure, please refer to http://technet.microsoft.com/en-us/library/ms142551.aspx

·         The collector monitors the active Audit Store database to check if it is running low on disk space. If an active Audit Store the database is on a disk with volume mount point, the collector may give a false alarm. In such cases, it is recommended to disable the detection by setting the following registry key with the type of DWORD to 0 on all your collector machines. (Ref: 53389a)

HKLM\Software\Centrify\DirectAudit\Collector\AuditStoreDiskSpaceLowThreshold

·         Collector only detects AuditStore disk space low against a configurable threshold if the SQL Server version is 2008 R2 SP1 (10.50.2500.0) and above. The threshold can be configured at Collector machine Registry: HKLM\Software\Centrify\DirectAudit\Collector\AuditStoreDiskSpaceLowThreshold  DWORD in MB, not configured, default to 1024 MB.  If free disk space is less than the threshold, Collector state is changed to "AuditStore database disk space is low", and stops accepting audit data from Agent(s).

4.8  Audit Management Server

·         To configure the audit management server to point to an installation, the user who is running the Audit Management Server Configuration Wizard must have the "Manage SQL Logins" permission on the management database of the installation. For example, if you are configuring an audit management server in an external forest with a one-way trust, be sure that the installation supports Windows and SQL Server authentication and the account you are using is from the internal forest and has the "Manage SQL Logins" permission on the management database. (Ref: 46989a)

4.9  FindSession Tools

·         For per-command auditing of dzdo command, when a ticket is entered, the role and ticket are associated with the audited session. For such sessions, the FindSessions tool’s export of type UnixCommand, UnixInput, or UnixInputOutput based on the role and/or ticket criteria will have the exported command, STDIN, or STDIN and STDOUT marked with role and ticket. When per session auditing is enabled, the exported data will not have role and ticket information. (Ref: 53936a)

·         When per-command auditing is enabled for dzdo command, and role and trouble ticket capturing is also configured, FindSessions.exe run with /export=UnixCommand option will not show the role and trouble ticket information in the exported file for the dzdo command itself, if the dzdo command executed is “dzdo su  –“ or “dzdo –i”. However, all the command executed within that dzdo session will have correct role and trouble ticket information. (Ref: 51787a)

4.10  Centrify  Agent for Windows

·         In the DirectAudit Windows Agent control panel, the setting “Maximum size of the offline data file” indicates the minimum amount of disk space (in percentage) that must be available/free in the spool volume in order to continue auditing users (especially when the DirectAudit Windows agent cannot send audit data to collector).  The DirectAudit Windows Agent makes its best attempt to pause auditing when the specified amount of disk space is no longer available and in certain cases may continue to write to spool volume for a few minutes before eventually pausing the auditing activity. (78072, CS-6718)

·         Cannot connect to an installation when the Windows Agent machine has 2 IPs and the 2 IPs belong to the scope of two different AuditStores. (Ref: CS-42157)

·         Some events related to the login script are not listed in the indexed events list. The login script cannot be audited for an initial few seconds because the DirectAudit Windows agent software has not completed its setup. (Ref: 26286a)

 

4.11      Centrify Audit Module for PowerShell

·         Audit Module for PowerShell may take a long time to start because of the publisher's certificate verification.  To resolve the problem, disable the "Check for publisher's certificate revocation" option in System Control Panel\Internet Options\Advanced\Security. (Ref: 72499)

·         After installing Audit Module for PowerShell in a RDP session, PowerShell complains module "Centrify.DirectAudit.PowerShell" cannot be loaded.  This is because the installation package needs to modify system environment variables to let PowerShell know where to load the module.  This operation needed to be done in a "Console Session" if installation is done via RDP.  To resolve this problem, logout and re-login or run RDP with the "admin" option as "mstsc /admin" or "mstsc /console". (Ref: 72500a)

5      Additional Information and Support

In addition to following instructions in the documentation provided with this package, you can find the answers to common questions and information about any general or platform-specific known limitations, as well as tips and suggestions, from the Centrify Knowledge Base on the Centrify Support Portal.

The Centrify Resources web site provides access to a wide range of information including analyst report, best practice brief, case study, datasheet, ebook, white papers, etc., that may help you optimize your use of Centrify products. For more information, see the Centrify Resources web site:

www.centrify.com/resources

You can also contact Centrify Support directly with your questions through the Centrify web site, by email, or by telephone. To contact Centrify Support or to get help with installing or using this version of Centrify DirectAudit, send email to Support or call 1-669-444-5200, option 2.

For information about purchasing or evaluating Centrify products, send email to info.