Centrify Infrastructure Services 2018 Auditing & Monitoring Service 3.5.0 Release Notes

© 2007-2018 Centrify Corporation.

This software is protected by international copyright laws.

All Rights Reserved.


1.        About Centrify Auditing & Monitoring Service 3

2.        Feature Changes 5

2.1         Feature Changes in Centrify Auditing & Monitoring Service 3.5.0 (Release 2018) 5

2.1.1        General 5

2.1.2        Centrify Audit Collector 5

2.1.3        Centrify Audit Analyzer and Session Player 5

2.1.4        Centrify Audit Manager 6

2.1.5        Centrify DirectAudit Agent for *NIX 6

2.1.6        Database 6

2.1.7        FindSessions Tool 6

2.1.8        Centrify Agent for Windows 6

2.1.9        Centrify Audit Module for PowerShell 6

2.1.10     Supported Platforms 7

2.2         Feature Changes in Centrify Auditing & Monitoring Service 3.4.3 (Release 2017.3) 7

2.2.1        General 7

2.2.2        Centrify Audit Collector 7

2.2.3        Centrify Audit Analyzer and Session Player 7

2.2.4        Centrify DirectAudit Agent for *NIX 8

2.2.5        Database 8

2.2.6        FindSessions Tool 8

2.2.7        Centrify Agent for Windows 8

2.2.8        Centrify Audit Module for PowerShell 8

2.2.9        Supported Platforms 9

3.        Bugs Fixed 9

3.1         Bugs Fixed in DirectAudit 3.5.0 (Release 2018) 9

3.1.1        General 9

3.1.2        Windows Install / Upgrade / Uninstall 9

3.1.3        Centrify Audit Collector 9

3.1.4        Centrify Audit Analyzer and Session Player 10

3.1.5        Centrify Audit Manager 10

3.1.6        Centrify DirectAudit Agent for *NIX 10

3.1.7        Database 10

3.1.8        FindSessions Tool 10

3.1.9        Centrify Agent for Windows 10

3.1.10     Centrify Audit Module for PowerShell 10

3.2         Bugs Fixed in DirectAudit 3.4.3 (Release 2017.3) 10

3.2.1        General 10

3.2.2        Windows Install / Upgrade / Uninstall 11

3.2.3        Collector 11

3.2.4        Audit Analyzer and Session Player 11

3.2.5        Audit Manager 11

3.2.6        Centrify DirectAudit Agent for *NIX 11

3.2.7        Database 11

3.2.8        FindSessions Tool 12

3.2.9        Centrify Agent for Windows 12

3.2.10     Centrify Audit Module for PowerShell 12

4.        Known Issues 12

4.1         General 12

4.2         Windows Install / Upgrade / Uninstall 12

4.3         Collector 13

4.4         Audit Analyzer and Session Player 13

4.5         Audit Manager 14

4.6         Centrify DirectAudit Agent for *NIX 15

4.6.1        General 15

4.6.2        RedHat Linux 17

4.6.3        Debian Linux 18

4.6.4        Solaris 18

4.6.5        AIX 20

4.6.6        HPUX 20

4.7         Database 21

4.8         Audit Management Server 22

4.9         FindSession Tools 22

4.10       Centrify Agent for Windows 22

4.11       Centrify Audit Module for PowerShell 24

5.        Additional Information and Support 24



1.  About Centrify Auditing & Monitoring Service

Starting with release 2017.2, Centrify Server Suite is renamed and is now a part of Centrify Infrastructure Services. It offers the following services:

    Centrify Identity Broker Service

    Centrify Privilege Elevation Service

    Centrify Auditing & Monitoring Service

The DirectControl Agent provides services for the Identity Broker Service and Privilege Elevation Service contained in the CentrifyDC packages. The DirectAudit Agent provides services for Auditing & Monitoring Service contained in the CentrifyDA packages.

The Centrify Auditing & Monitoring Service is a key component of Centrify Infrastructure Services. it enables detailed auditing of user activity on a wide range of UNIX, Linux, and Windows computers. With this service, you can perform immediate, in-depth troubleshooting by replaying user activity that may have contributed to system failures, spot suspicious activity by monitoring current user sessions, improve regulatory compliance, and ensure accountability by capturing and storing detailed information about the applications used and the commands executed. If you enable auditing, the Centrify Windows Agent records user activity on the Windows computer when it is installed. Centrify Auditing & Monitoring Service supports auditing of over 400 different UNIX, Linux, and Windows operating systems. For a cumulative list of the platforms supported, see the document in www.centrify.com/platforms.

In Unix and Linux agents, Centrify DirectControl Agent is a pre-requisite for the Auditing & Monitoring service.

Starting in Suite 2016, only ADMX format for group policies will be installed and ADM format will no longer be provided. (Ref: CS-6821)

Starting in Suite 2016, Centrify will no longer be adding new features to the Centrify DirectManage Audit SDK component. Centrify recommends all existing users of this component to start using Centrify Audit Module for PowerShell component, which is the intended replacement of the SDK. (Ref: CS-6713)

From Suite 2017.1 onward, DirectAudit no longer supports Version 1 Audit Store databases. You will no longer be able to attach Version 1 databases to an existing DirectAudit installation. To view data from version 1.x databases, please install a DirectAudit Auditor Console 1.x and attach the database. (Ref: CS-41219)

This release note updates information available in the DirectAudit Administrator's Guide and describes known issues. You can obtain information about previous releases from the Centrify Support Portal, in the Documentation & Application Notes page.

Centrify software is protected by U.S. Patents 7,591,005; 8,024,360; 8,321,523; 9,015,103; 9,112,846; 9,197,670; 9,378,391 and 9,442,962. (Ref: CS-44575)


2.  Feature Changes

2.1    Feature Changes in Centrify Auditing & Monitoring Service 3.5.0 (Release 2018)

2.1.1       General

·         From this release onward, the Audit Analyzer and Centrify Audit Module for PowerShell allow searching audited session by Account name. (Ref: CS-44351)

·         Feature Changes in Centrify Auditing & Monitoring Service 5.5.0 (2018)

Product packaging changes

o    The required .NET framework is upgraded to version 4.6.2 in this release. (Ref: CS-44071, CS-45110, CS-45299)


o    If you operate in an offline or intranet mode that does not have internet access, you need to download the root certificate from Microsoft first or else the installation of .NET 4.6.2 will fail. Please see https://support.microsoft.com/en-us/help/3149737/.

o    The installation of .NET 4.6.2 will also fail if the URL cache on the destination computer does not contain an up-to-date Certificate Revocation List (CRL). To resolve this issue, please see: https://support.microsoft.com/en-sg/help/2694321/net-framework-4-update-error-generic-trust-failure-0x800b010b

·         Improved video capturing performance by ignoring non-screen update system messages. (Ref: CS-44540)

2.1.2       Centrify Audit Collector

·         Enhanced the DirectAudit Collector to record details of audited Windows/Unix systems and network devices that are currently managed by the Centrify Infrastructure services. The DirectAudit Collector will periodically register the heartbeat of these devices into the active Audit Store database so these devices can be later viewed and managed using the Audit Manager console. (Ref: CS-44206)

2.1.3       Centrify Audit Analyzer and Session Player

·         Added a new built-in query viz. "Infrastructure Services - Privileged Sessions" to the Audit Analyzer console, enabling search and display of audited activity from the Windows/Unix systems and network devices that are currently managed by the Centrify Infrastructure services. (Ref: CS-44593)

·         Enhanced the Zone Administration Report to display the client name of the corresponding session. (Ref: CS-39967)

2.1.4       Centrify Audit Manager

·         Added a new node viz. "Audited Systems(Vault-based)" in Audit Manager console to list out the audited Windows/Unix systems and network devices that are currently managed by the Centrify Infrastructure services. (Ref: CS-45069)

2.1.5       Centrify DirectAudit Agent for *NIX

·         In previous releases, if an audited command was terminated by a signal, the exit status would incorrectly return 0. In Release 2018, the exit status is set to the signal number of the terminating signal plus 128, which is the expected value for most command shells. For example, ft the command is killed by SIGKILL (signal 9), the exit status is now 137 (128 + 9). (Ref: CS-44770)

·         Compatibility

o    The minimum Centrify DirectControl Agent for *NIX version required by this version of the service is 5.4.0 (Suite 2017) with the following exceptions:

§  On AIX, Linux PowerPC platforms, Centrify DirectControl Agent must be Release 2017.3 or later. (Ref: CS-44597, CS-44749, CS-44601)

§  On Solaris x86 and SPARC platforms, Centrify DirectControl Agent must be Release 2018 or later because the Solaris x86 packages have been changed to 64-bit in this release - The packages still provide 32-bit libraries to work with 32-bit programs. (Ref: CS-44594, CS-44597, CS-44749, CS-44084)

2.1.6       Database

·         The Auditing & Monitoring Service now supports Audit Store Database in Amazon RDS with Multi-AZ deployments for SQL server by using Database Mirroring. (Ref: CS-44590)

2.1.7       FindSessions Tool


2.1.8       Centrify Agent for Windows


2.1.9       Centrify Audit Module for PowerShell


2.1.10     Supported Platforms

For the list of the supported platforms by this release, refer to the “Supported Platforms” section in the Centrify Infrastructure Services release notes.

For the platforms to be removed support in coming releases, refer to the “Notice of Termination Support” section in the Centrify Infrastructure Services release notes.

For a complete list of supported platforms in all DirectAudit releases, refer to the document available from www.centrify.com/platforms.

2.2    Feature Changes in Centrify Auditing & Monitoring Service 3.4.3 (Release 2017.3)

2.2.1       General

·         Added a GP named "Enable DirectAudit session auditing" to enable/disable Direct Audit session auditing on Unix machines. (Ref: CS-43842)

·         When DirectAudit Advanced Monitoring is enabled and there are existing audit rules that monitor files in the directory trees monitored by DirectAudit, DirectAudit will display this warning message: “Conflicting rules are found in audit.rules system configuration file to specify that not all files accessing the monitored directories will generate audit trail events and be reported”. (Ref: CS-43479)

·         CoreOS is supported. The command dainfo -t can also run on CoreOS. However, due to the CoreOS architecture, not all the features are supported, e.g. command auditing is not supported. For details, please refer to user documentation. (Ref: CS-44024, CS-44025)

2.2.2       Centrify Audit Collector


2.2.3       Centrify Audit Analyzer and Session Player

·         Added a new set of Audit Trail events in the following categories,

- DirectAuthorize - Windows
- Centrify sshd
- dzdo
- dzsh

One or more of these newly introduced events supersede existing events in order to log additional information such as whether Multi-Factor Authentication (MFA) is required or not. Please refer to the Centrify Infrastructure Services - Audit Events Administrator’s Guide for more information on the deprecated Audit Trail events. (Ref: CS-44237)

·         Also added new Audit Trail events to track successful or failed actions when enabling or disabling Centrify Identity Services Platform, Centrify Privilege Elevation Service or Centrify Auditing and Monitoring Service using the Agent Configuration panel. (Ref: CS-43567)

·         Added a new report to the Audit Analyzer console to display all Centrify Multi-Factor Authentication (MFA) failure events captured in the environment. (Ref: CS-39968)

·         Because of changes from 32-bit to 64-bit binaries, it is required to upgrade both DirectControl and DirectAudit to Release 2017.3 or later for the following upgrades:

o    - upgrade from Suite 2016.1 (or earlier releases) on AIX

o    - upgrade from Suite 2017.1 (or earlier releases) on RHEL PowerPC

o    - upgrade from Suite 2017.1 (or earlier releases) on SUSE PowerPC

o    - upgrade from Suite 2017.1 (or earlier releases) on Solaris Sparc

If these upgrades are not performed, audit trail events will not be sent to DirectAudit. (CS-44601)

2.2.4       Centrify DirectAudit Agent for *NIX

·         If DA installation has not been set up, "dacontrol -m" will not enable "Advanced Monitoring" (Ref: CS-43887)

2.2.5       Database

·         Centrify Infrastructure Services ISO now packages Microsoft SQL Server 2012 Express SP3 in order to support TLS 1.2. (Ref: CS-43304)

2.2.6       FindSessions Tool


2.2.7       Centrify Agent for Windows


2.2.8       Centrify Audit Module for PowerShell

·         Added a new cmdlet, "Get-CdaMonitoredExecution" to get the monitored commands being executed on audited machines. (Ref: CS-40718)

·         Added a new cmdlet "Get-CdaDetailedExecution" to get the commands being executed on the audited machines including commands that are run as part of scripts or other commands. (Ref: CS-41831)

·         Added a new cmdlet "Get-CdaMonitoredFile" to get the sensitive files being modified by users on the audited machines. (Ref: CS-40717)

2.2.9       Supported Platforms

For the list of the supported platforms by this release, refer to the “Supported Platforms” section in the Centrify Infrastructure Services release notes.

For the platforms to be removed support in coming releases, refer to the “Notice of Termination Support” section in the Centrify Infrastructure Services release notes.

For a complete list of supported platforms in all DirectAudit releases, refer to the document available from www.centrify.com/platforms.

·         Starting in version 2017.3, Centrify Auditing and Monitoring Service is supported in CoreOS. In addition, login sessions to CoreOS docker containers can be audited if session auditing is enabled in the container host. KB-9565 describes how to enable DirectControl and DirectAudit functionalities inside docker containers, as well as the known limitations when running DirectAudit in docker containers. (Ref: CS-44156)

3.  Bugs Fixed

3.1    Bugs Fixed in DirectAudit 3.5.0 (Release 2018)

3.1.1       General

·         Fixed an issue in Centrify Agent for Windows - Audit that .NET runtime error could happen in the wash32 process. (Ref: CS-44981)

·         Fixed an issue where Centrify Agent for Windows and Collector could not connect to an installation when the machine belonging to the scope of two different AuditStores. In Release 2018, user can configure the preferred Audit Store for the Centrify Agent for Windows and Collector using the configuration wizard or the "Set the preferred Audit Store" group policy under the "Common Settings" category. (Ref: CS-42157)

3.1.2       Windows Install / Upgrade / Uninstall


3.1.3       Centrify Audit Collector

·         Fixed an issue in Collector that could cause high CPU utilization. (Ref: CS-45264)

3.1.4       Centrify Audit Analyzer and Session Player


3.1.5       Centrify Audit Manager

·         In prior releases, Additional Connection Parameters can only be specified in Audit Manager when a Management database or Audit Store database is created or attached, and cannot be changed later. When SQL database mirroring is used for DirectAudit, the parameter “Failover Partner=<slave database>” is required after the database is created and the database mirror is setup.  In Release 2018, you can modify the connection string in Audit Manager after the database is created. (Ref: CS-44533)

3.1.6       Centrify DirectAudit Agent for *NIX

·         Fixed an issue where chsec command cannot successfully change user attributes when DirectAudit is enabled on AIX. (Ref: CS-44220)

3.1.7       Database


3.1.8       FindSessions Tool


3.1.9       Centrify Agent for Windows

·         In previous releases, when an audited Windows system has insufficient disk space, audit trail events will not be generated even after the disk space issue is resolved. This issue is fixed in Release 2018.  Audit trail events are now generated when the disk space issue is resolved. (Ref: CS-44187)

3.1.10     Centrify Audit Module for PowerShell


3.2    Bugs Fixed in DirectAudit 3.4.3 (Release 2017.3)

3.2.1       General

·         Fixed an issue that when running ssh with -t option to run su command, job control would not be enabled. Example:

      ssh -t hostname su - (Ref: CS-44058)

·         For Solaris Sparc and Linux PPC, DirectAudit in Release 2017.2 does not provide 32-bit libatda (audit trail) library therefore it is not compatible with DirectControl Suite 2017.1 or earlier. Similarly, DirectAudit prior to Release 2017.2 does not provide 64-bit libatda library therefore it is not compatible with DirectControl Release 2017.2 or later. DirectAudit in Release 2017.3 provides both 32-bit and 64-bit libatda which solves the compatibility problem. (Ref: CS-44597)

·         Fixed an issue that turning dadebug off when disk is full will result in an empty Centrifyda.conf file. (Ref: CS-41308)


3.2.2       Windows Install / Upgrade / Uninstall


3.2.3       Collector


3.2.4       Audit Analyzer and Session Player

·         Fixed an issue in Audit Analyzer console that resulted in incorrectly sorted query results when using "Total Logon Time" as the sort order. (Ref: CS-43320)

·         Fixed an issue in Audit Analyzer console where different usernames would be displayed under "Account" of some Windows sessions. (Ref: CS-44046)

·         Fixed an issue in Audit Analyzer console that cannot send report using secure password authentication in an environment where TLS 1.0 is not allowed. (Ref: CS-44105)

·         Fixed an issue in DirectAudit session player that previously resulted into truncated output while replaying the session whenever the command typed by the user was long enough to get split into multiple lines. (Ref: CS-40930)

·         Fixed an issue in DirectAudit session player that previously resulted in extra white spaces being shown on the screen when the session data contained one or more half width Latin characters. (Ref: CS-6458)

3.2.5       Audit Manager

·         Fixed an issue in Audit Manager console that resulted into incorrect export of DirectAudit license keys when a user is exporting DirectAudit publication information to a text file. (Ref: CS-43804)

3.2.6       Centrify DirectAudit Agent for *NIX

·         Fixed an issue where the remote command/script execution might not get the correct return code when "dash.allinvoked" was enabled. (Ref: CS-44722)

3.2.7       Database


3.2.8       FindSessions Tool


3.2.9       Centrify Agent for Windows


3.2.10     Centrify Audit Module for PowerShell


4.  Known Issues

The following sections describe known issues, suggestions, and limitations associated with DirectAudit.

4.1    General

For the most up-to-date list of known issues, refer to the knowledge base articles in the Centrify Support Portal.

4.2    Windows Install / Upgrade / Uninstall

·          On a Windows 2008/2008 R2 Core system, if user elects the option to launch the configuration wizard at the end of "Centrify Agent for Windows" installation wizard, installer will launch the older version of configuration wizard because of lack of support for Windows Presentation Foundation on these operating systems. (Ref: CS-43733)

·         If a DirectManage Audit installation has been configured with multiple Audit Management Servers and some of the servers are running on an older version, the Audit Manager may not list these older servers because the new servers list supersedes the older ones. (Ref: CS-40818)

 ·       When upgrading DirectAudit in Windows, you should use the autorun program to perform the upgrade. The autorun program automatically upgrades other Centrify components such as Centrify Licensing Report. If you upgrade DirectAudit components individually using the Microsoft Installer (msi) and then attempt to use the autorun program to uninstall all components, autorun will only be able to uninstall the Centrify Licensing Report that were upgraded to the latest version. You can remove any remaining components manually using the Add/Remove Programs and Features Control Panel. (Ref: 46293a)

·        If you run setup.exe with all DirectAudit components selected for installation on a single computer, the operation is known as the “Easy Install.” Although this is the default for new installations, using the “Easy Install” option requires you to have local administrator privileges.

·        If you uninstall the collector component on a computer that is not joined to the domain, you will see the following messages during an uninstall operation:

The specified domain either does not exist or could not be contacted.

(Exception from HRESULT: 0x8007054B)

Despite the alert message, the collector is successfully uninstalled when you click OK.

4.3    Collector

·         In the Collector Configuration wizard, if the account credentials you give for the SQL Server do not match an existing account on the SQL Server, and you have the rights to create SQL Server accounts, the credentials you give will be used to automatically create a new SQL Server account.

4.4    Audit Analyzer and Session Player

·         Release 2017.3 has introduced a new version of dzdo and PAM authentication audit trail events. However, these events cannot be captured by older version of database/Collector or reported by older versions of DirectAudit Audit Analyzer console or FindSessions utility or PowerShell cmdlets. To rectify this issue, you need to upgrade the DirectAudit backend components (such as Audit Manager console, Audit Analyzer console, Collector, and Audit Store databases) to Release 2017.3 or later version. Contact Centrify support if you are unable to upgrade the DirectAudit backend components so that DirectAudit database patching scripts can be provided to you based on your current version. (Ref: CS-44654)

·         When detaching and re-attaching an Audit Store database from an Audit Store, Centrify recommends refreshing the query results for all open queries in Audit Analyzer console prior to replaying a session from that database. Failure to do so may result into a database error. (Ref: CS-42125)

·         If the active audit store database spans two SQL databases, the Audit Analyzer will show UNIX sessions as "Disconnected" until some data is received from those sessions. Once data has been received, the session state will change to "In Progress.”

·         If an audited Windows session is using multiple monitors in extended mode in DirectAudit 3.2.2 or earlier, it cannot be exported as WMV files. In DirectAudit 3.2.3 or later, it will be trimmed to 2048x2048 pixels before it is saved and can be exported as in WMV file in 2048x2048 resolution. (Ref: 27003a, 75163, CS-6450, CS-3265).

·         When Centrify Agent for Windows machine’s system color depth is changed during an audited session, the playback of the session may not be displayed properly.  (Ref: 36818c)

·         Entering specific keywords in the “Application” Event list column will not filter based on the keywords as expected. For example, entering the search term "c" will locate the string "Windows Explorer". This is because application characteristics are stored in the database as a set of related attributes as follows: "Explorer.EXE | Microsoft® Windows® Operating System | Windows Explorer | Microsoft Corporation | 6.1.7600.16385" A match with any of the Windows Explorer attributes will yield “Windows Explorer".  This issue will be addressed in an upcoming release. (Ref: 39645b)

·         In Audit Analyzer, you can specify double-quote enclosed strings in the query that searches for “Unix Commands and Outputs” attribute.  However, if a double-quote character is inside the double-quote enclosed string, the query result is undefined.  (Ref: CS-39348)

·         If a DirectAudit Installation is configured to not capture video data, parameters of the UNIX command are also not captured.  Therefore, the query using "Parameters of Commands and Applications” as the criteria does not work under this configuration. This is a known issue and will be addressed in future release. (Ref: 55741b)

·         If you open Audit Analyzer and right click on any child node of predefined queries such as "All, Grouped by User", "All, Grouped by Machine" or "All, Grouped by Audit Store" in the left pane, the context menu is displayed and it shows a menu item named "Properties". This context menu item, when clicked, does not open any dialog box because it is not a valid action for the selected child node. This menu item will be removed in the future release. (Ref: 48681b)

·         By default, Audit Analyzer uses MSS2 codec to export audited sessions to a WMV (Windows Media Video) file. The MSS2 codec has a known issue which results in fuzzy video when an audited Windows session is exported as WMV file and opened in Windows Movie Maker 2012. From DirectAudit 3.2.0 onward, you can specify your own codec to export an audited session to a WMV file. Please refer to KB-4029 for additional information. (Ref: 56021a)

4.5    Audit Manager

·         User and group criteria should not be combined in an Audit Role or it may result into inconsistent results, the workaround is for users to use two different audit roles (one for groups, another for users) if they want to mix users and groups in audit role assignment. (Ref: CS-38968)

·         When creating an AuditRole with "ClientName" Audit Manager's Role Properties / Criteria will display an empty value rather than "ClientName = <IP address>" (Ref: CS-41803)

·         If you assign DirectAudit permissions to a Domain Local group, which is not in the current domain in the Audit Manager Installation Property Security tab, and a user belonging to that group runs Audit Analyzer and tries to connect to the DirectAudit Installation, Audit Analyzer will display the warning “You do not have permission to connect to the SQL server.”   A workaround is to grant permission to a Global or Universal group instead. (Ref: 25546c)

4.6    Centrify DirectAudit Agent for *NIX

4.6.1       General

·         Centrify recommends customers use the session auditing capability of DirectAudit to ensure the complete login session is audited vs. auditing individual commands.  When the administrator configures Direct Audit to audit a specific command, Direct Audit moves the original command executable to a different location and replaces it by a symbolic link to the Direct Audit shell.  It is possible for a user to find out the new location of the executable and runs that command directly to bypass auditing.  Whereas the likelihood of this happening is very minute, Centrify recommends session auditing be turned on to avoid the chance of this happening.

·         If a user is logged in to AIX and HP-UX via a GUI, for example Xmanager, a terminal opened in the GUI will not be audited. To workaround this issue, set the centrifyda.conf parameter 'dash.allinvoked' to true. (Ref: 66330, CS-5876)

·         Obfuscation of session data has the following limitation: If the information is sent to stdout not as a whole, but piece by piece, the information will not be obfuscated. Example: A user wants to obfuscate a pattern "1234-5678". However, "1234-" is shown first and "5678" is shown 1 second later, this pattern will not be obfuscated.  Since the stdout buffer in the audit shell is 4KB, the obfuscation string is at most 4KB long. Note: this applies to stdout only. (80462a)

·         Auditing init during startup on UNIX is not possible.  The init command used during the boot process should not be audited using per-command auditing. If you attempt to audit init, your operating system will not reboot properly.

·         You cannot start a GUI session if you are logged in via an interactive session.  Running startx or starting a GUI session from an interactive session results in the following message:

X: user not authorized to run the X server, aborting.


-          Run "sudo dpkg-reconfigure x11-common"

-          When you are prompted for users allowed to start the X server, choose "anybody" (the default is "console users only").

The GUI session or X server should start normally. (Ref: 25036a)

·         To audit the GUI terminal emulators, GUI login managers have to be fully reinitialized after auditing is enabled. On Linux, "init 3 && init 5" will start the reinitialization. (Stopping the X server only, or pressing ctrl+alt+backspace in Gnome, will not start the reinitialization.)

·         When a local user and an Active Directory user use the same UNIX user name, the user name will default to the name of the Active Directory user. If the local user name is intended, setting the pam.allow.override parameter in /etc/centrifydc/centrifydc.conf will help. After this setting, the user name implies the Active Directory user; and <username>@localhost will implies the local user.

DirectAudit 3.0 or later understands the "@localhost" syntax. DirectControl Agent will respond to <username>@localhost if the user name is set in pam.allow.override.

If you upgrade from DirectAudit 2.0, disable DirectAudit so that the new DirectAudit mechanism for hooking shells can be installed: Run 'dacontrol –d -a' to disable auditing, then restart the upgrade.

DirectAudit maintains a cache of user information for performance reasons.  This cache interferes with Unix commands that manipulate the local user database (passwd file).  These commands include useradd, userdel and usermod. From DirectAudit 3.2.0 onwards, DirectAudit will not access its local cache to fully support the following commands: useradd, userdel, adduser, usermod, mkuser, rmuser, chuser

Please contact support if your operating system platform has other programs that directly access the local passwd file.  (Ref: 56259a)

·         If session auditing is enabled, all local user logins are processed by DirectAudit to determine whether the session should be audited.  This may block login if domain controllers are not responsive and/or DirectControl Agent is not running.  Two new parameters are introduced in /etc/centrifyda/centrifyda.conf:

- user.ignore: specifies a list of local users that DirectAudit does not use Active Directory to determine audit level.  By default, the list is /etc/centrifydc/user.ignore (the same one that DirectControl uses), which includes some important accounts like root, bin, daemon, etc.

- user.ignore.audit.level - specifies the audit level for the local users specified in the user.ignore list.  The supported values are 0 (audit if possible) and 1 (audit not requested/required).  Default is 0 (audit if possible).  Note that "audit required" is not a reasonable choice, as this user needs to login all the time; and "audit required" may block login if DirectAudit does not function correctly. (Ref: 55599a, 57946a, 56935a, 58251a)

·         The /usr/share/centrifydc/bin/centrifyda script should be used to start/stop DirectAudit service in all *nix platforms. However, systemd is not fully supported in /usr/share/centrifydc/bin/centrifyda. For platforms that use systemd by default (such as SUSE Linux Enterprise 12/SUSE Linux Desktop 12), users need to set the environment variable SYSTEMD_NO_WRAP to 1 before calling the /usr/share/centrifydc/bin/centrifyda. Operations such as killing a daemon, running dad (DirectAudit daemon) directly, or running dastop command, could lead to issues in daemon managers in some *nix platforms. For example, SMF of Solaris, SRC of AIX and systemd of Fedora 20, may record incorrect running status of the daemon; and may fail to start daemon. (Ref: 57653a, 71211a)

·         Disable auditing before upgrade

If you upgrade from DirectAudit 2.0, please run "dacontrol -d -a" to disable DirectAudit before upgrade.  Both the installer shell script, install-da.sh, and the native package manager will detect if auditing is enabled and abort if so.

If you are using the native package manager to upgrade and youattempt to upgrade while auditing is enabled, you may find that,after the package manager aborts, the DirectAudit installation isshown as broken. This may be ignored. Simply disable auditing,upgrade and then re-enable auditing and the package will beshown as committed.



4.6.2       RedHat Linux

·         Due to a limitation of some implementations of audispd (audit dispatcher daemon provided by the operating system), DirectAudit advanced monitoring feature may not work if “dacontrol –n/-m” was run multiple times and over the limit specified in the parameter max_restarts in /etc/audisp/audispd.conf (default 10).  If you enable the DirectAudit Advanced monitoring feature and it does not generate the audit trail events as expected, you can run dainfo to check on the status of advanced monitoring feature.   If the program /usr/share/centrifydc/bin/dadispatcher is not running, dainfo will show “DirectAudit advanced monitoring status” as “not running”.  In this case, you need to restart the system audit daemon using the command “service auditd restart”.  This will re-activate the advanced monitoring feature. (Ref: CS-41267)

·         The characters (‘%’, ‘#’, ‘>’ and ‘$’) are used by DirectAudit to recognize UNIX commands.   They should not be used in role names and as part of trouble-tickets; otherwise they will be recognized as part of a UNIX command. (Ref: 51687a)

·         DirectAudit advanced monitoring features may not work with early versions of RedHat 5 due to different system configurations. The earliest version that Centrify tested is RedHat 5.6. Please contact Centrify Support if you need support in versions earlier than RedHat 5.6. (Ref: CS-43042)

·         The advanced monitoring feature in RedHat 5 version only supports selinux mode set to 'disabled' or 'permissive', 'enforcing' is not supported due to incompatible selinux policies. Moreover, advanced monitoring feature may not work with earlier versions of RedHat 5 releases due to different system configurations. Please contact Centrify support if you need support in versions earlier than RedHat 5.6. (Ref: CS-43024)

4.6.3       Debian Linux

·         To install the Centrify DirectAudit package on a computer with the Debian operating environment, you must use the dpkg --install or dpkg -i option. You cannot use the dpkg --update or dpkg -u options to install or update the Centrify DirectAudit package. If you need to update the Centrify DirectAudit package, you need to first delete the old package using the dpkg --purge or dpkg -P option then install the new package with the dpkg --install or dpkg -i option.

Note: Do not use the dpkg --remove or dpkg -r command to remove Centrify DirectAudit. Using the --remove option prevents the Centrify DirectAudit configuration file, /etc/centrifyda/centrifyda.conf, from being created properly when you reinstall the package.


4.6.4       Solaris

·         Centrify recommends that you install the appropriate recommended patch bundles for the version of Sun Solaris you are using before installing Centrify DirectAudit.

The patch installation will skip any individual patches that don't apply to your system, and you can use Sun's patch management system to ensure your computers get the latest security fixes.

To help you identify any required patches for your environment, Centrify supplies the pca patch checker in all Solaris Centrify Infrastructure Services packages. Install.sh will prompt you to check the patch level of your environment during installation.

To check for Sun recommended patches with the pca patch checker you should have the wget package installed. This package may be obtained from:


And source code may be obtained from:


For more information about downloading and installing patches, see the Sun Web site.

The minimum patches required for Centrify DirectAudit are provided below for reference purposes. In some cases these patches may be obsoleted or incorporated into other patches, so the patch numbers on your Solaris machines may be different. The authoritative source on patch compatibility is Sun; their Web site will allow you to follow patch histories to ensure any later patches you are using are compatible with the ones required by DirectAudit.

For Solaris 10: 119254-65 120011-14 127127-11 138263-03


·         Please contact technical support if you are using sparse zone(s) and like to do one of the following:

o    Change session auditing status from disabled to enabled during upgrade.

o    Enable session auditing in a global zone and want to disable session auditing in sparse zone(s) when using the same global zone.  (Ref: 76572, 80616b)


·         The following commands, located in /usr/bin, might be implemented as ksh programs or scripts:

    alias   bg      cd

    command fc      fg

    getopts hash    jobs

    kill    read    test

    type    ulimit  umask  

    unalias wait

To identify commands implemented as ksh scripts, run the following script:

    #!/bin/ksh -p

    cmd=`basename $0`

    $cmd "$@"

The commands that are implemented internally by ksh should not be audited.


·         On a system using SMF (Service Management Facility), such as Solaris 10, the DirectAudit daemon might not start up after an upgrade from DirectAudit 1.x. This does not affect a fresh installation. To bring the daemon up, run these commands:

o    svcadm disable centrifyda

o    svcadm enable centrifyda

o    Run 'svcs' and find 'centrifyda' to confirm the daemon is online.


4.6.5       AIX

·         Some versions of AIX sshd do not function reliably with Centrify products. When possible, Centrify recommends using sshd included in Centrify openSSH on AIX platforms. (Ref: CS-7098)

·         Local AIX users cannot be audited when they log in via built-in ssh, due to a change in AIX 7.0 ML1. Customers are advised to install Centrify OpenSSH if auditing of ssh login by local users is required (Ref: 33299a).

·         Change in AIX root user behavior: By default, all releases starting with Suite 2014 (DirectAudit 3.2.0) DO NOT modify the root stanza in AIX for new installations.  One side effect is that root user login WILL NOT be audited.  If your environment requires session auditing of root user login, you need to do the followings:

a.  Set up a DirectAuthorize role that has the audit level of "audit required" or "audit if possible"; and assign this role to root.

b.  Set the parameter adclient.autoedit.user.root to TRUE in /etc/centrifydc/centrifydc.conf.

c.  If DirectAudit session auditing is not enabled, enable DirectAudit session auditing using the command "dacontrol -e".

d.  Restart adclient (Ref: 56239a, 56604a)

·         For AIX customers who upgrade from prior versions of Centrify Server Suite 2014 (DirectAudit 3.2.0), there is NO change in behavior.   The parameter adclient.autoedit.user.root is set to true in /etc/centrifydc/centrifydc.conf.  The root user will still be audited. (Ref: 56235)

4.6.6       HPUX

You can install this package by copying it to a HP-UX computer and running install.sh, the Centrify Server Suite installer, or by running the following commands, where <release> is the version of the Centrify DirectAudit package you are installing:

gzip -d centrifyda-<release>-hp11.31-ia64.depot.gz

swinstall -s /path/centrifyda-<release>-hp11.31-ia64.depot \

-x allow_incompatible=true

·         You must specify the full path to the Centrify DirectAudit depot file and set the allow_incompatible option to true to install successfully.

·         The installation script checks your environment for the minimum patch levels required. If you have more recent patches installed, however, you may see an error message. To install, re-run the installation command with the following additional command line option:

-x enforce_scripts=false

4.7    Database

·         When adding an Audit Store database to a SQL Server Availability Group with the multi subnet failover feature, the SQL Server that hosts the management database must be SQL Server 2012 or above. In addition, when upgrading an existing DirectAudit installation to use the SQL Server Availability Group feature, Centrify recommends upgrading Collectors, Audit Management Server service, Audit Manager consoles and Audit Analyzer consoles to the latest version to benefit from this feature. (Ref: CS-39872)

·         In previous versions of DirectAudit, it was possible to specify the location of the database file. In DirectAudit 2.0.0 and later this capability is not provided in the Audit Store Database Wizard. However, you can still specify the full text file location, database file location, or transaction log file location by choosing "View SQL Scripts" and modifying the relevant database location manually in the script.

·         If the default memory setting for SQL Server is more than the actual memory in the system a memory error may occur. For more information see:


SQL Server 2008 R2 full text search categorizes certain words as stop words by default and ignores them for searches. Some stop words are common UNIX commands such as like, which, do, and while.  For more details about stop words and how to configure, please refer to http://technet.microsoft.com/en-us/library/ms142551.aspx

·         The collector monitors the active Audit Store database to check if it is running low on disk space. If an active Audit Store the database is on a disk with volume mount point, the collector may give a false alarm. In such cases, it is recommended to disable the detection by setting the following registry key with the type of DWORD to 0 on all your collector machines. (Ref: 53389a)


·         Collector only detects AuditStore disk space low against a configurable threshold if the SQL Server version is 2008 R2 SP1 (10.50.2500.0) and above. The threshold can be configured at Collector machine Registry: HKLM\Software\Centrify\DirectAudit\Collector\AuditStoreDiskSpaceLowThreshold  DWORD in MB, not configured, default to 1024 MB.  If free disk space is less than the threshold, Collector state is changed to "AuditStore database disk space is low", and stops accepting audit data from Agent(s).

4.8    Audit Management Server

·         To configure the audit management server to point to an installation, the user who is running the Audit Management Server Configuration Wizard must have the "Manage SQL Logins" permission on the management database of the installation. For example, if you are configuring an audit management server in an external forest with a one-way trust, be sure that the installation supports Windows and SQL Server authentication and the account you are using is from the internal forest and has the "Manage SQL Logins" permission on the management database. (Ref: 46989a)

4.9    FindSession Tools

·         For per-command auditing of dzdo command, when a ticket is entered, the role and ticket are associated with the audited session. For such sessions, the FindSessions tool’s export of type UnixCommand, UnixInput, or UnixInputOutput based on the role and/or ticket criteria will have the exported command, STDIN, or STDIN and STDOUT marked with role and ticket. When per session auditing is enabled, the exported data will not have role and ticket information. (Ref: 53936a)

·         When per-command auditing is enabled for dzdo command, and role and trouble ticket capturing is also configured, FindSessions.exe run with /export=UnixCommand option will not show the role and trouble ticket information in the exported file for the dzdo command itself, if the dzdo command executed is “dzdo su  –“ or “dzdo –i”. However, all the command executed within that dzdo session will have correct role and trouble ticket information. (Ref: 51787a)

4.10  Centrify Agent for Windows

·         When a user disconnects and then later reconnects to an existing user session from a switch user operation, a successful logon audit trail message will not be logged after the user has reconnected to the session though authentication. This does not apply when the user is performing lock and unlock operations or the logon method is different from the previous login (remote vs. console logon). (Ref: CS-41453)

·         There will be no audit trail event generated when a user fails to login and unlock a computer on Windows Server 2008 R2 and Windows 7. (Ref: CS-41455)

·         In the DirectAudit Agent for Windows control panel, the setting “Maximum size of the offline data file” indicates the minimum amount of disk space (in percentage) that must be available/free in the spool volume in order to continue auditing users (especially when the DirectAudit Agent cannot send audit data to collector).  The DirectAudit Agent makes its best attempt to pause auditing when the specified amount of disk space is no longer available and in certain cases may continue to write to spool volume for a few minutes before eventually pausing the auditing activity. (78072, CS-6718)

·         The optional video capture feature requires both the Collector and the DirectAudit Agent to use 2013.2 or later. If any of collectors or agents are running an older version, video data may still be recorded even though you have turned it off in Suite 2013 Update 2 Audit Manager. (Ref: 44064a)

·         If Centrify Agent for Windows is auditing a Windows 8 or Windows 2012 system, the Indexed Event List of the corresponding audited session will not show any events for the applications that are using the Metro User Interface. The Metro UI is not supported. (Ref: 56556b)

·         Upon making changes to Group Policy “Centrify Audit Trail Setting” > “Centrify Common Setting” > “Send audit trail to log file”, it would require reboot of the client computer (agent) for this setting to be effective despite the Group Policy has already been refreshed on the client computer. (Ref: 73368b)

·         The offline data location (and subdirectories below it) is expected to be a location dedicated to spooling, for example c:\spool. If the offline data location is changed, all files in the old location (including subdirectories and their contents) are moved to the new location. This may cause problems if the old location was not exclusively for spooling use. For example, choosing c:\ as the original spool location and d:\spool as the new location would cause all files on the c:\ drive to be copied to d:\spool. (Ref: 26592a)

·         Some events related to the login script are not listed in the indexed events list. The login script cannot be audited for an initial few seconds because the DirectAudit software has not completed its setup. (Ref: 26286a)

·         Some events related to the login script are not listed in the indexed events list. The login script cannot be audited for an initial few seconds because the Centrify Agent for Windows software has not completed its setup. (Ref: 26286a)


4.11  Centrify Audit Module for PowerShell

·         Audit Module for PowerShell may take a long time to start because of the publisher's certificate verification.  To resolve the problem, disable the "Check for publisher's certificate revocation" option in System Control Panel\Internet Options\Advanced\Security. (Ref: 72499)

·         After installing Audit Module for PowerShell in a RDP session, PowerShell complains module "Centrify.DirectAudit.PowerShell" cannot be loaded.  This is because the installation package needs to modify system environment variables to let PowerShell know where to load the module.  This operation needed to be done in a "Console Session" if installation is done via RDP.  To resolve this problem, logout and re-login or run RDP with the "admin" option as "mstsc /admin" or "mstsc /console". (Ref: 72500a)

5.  Additional Information and Support

In addition to following instructions in the documentation provided with this package, you can find the answers to common questions and information about any general or platform-specific known limitations, as well as tips and suggestions, from the Centrify Knowledge Base on the Centrify Support Portal.

The Centrify Resources web site provides access to a wide range of information including analyst report, best practice brief, case study, datasheet, ebook, white papers, etc., that may help you optimize your use of Centrify products. For more information, see the Centrify Resources web site:


You can also contact Centrify Support directly with your questions through the Centrify web site, by email, or by telephone. To contact Centrify Support or to get help with installing or using this version of Centrify DirectAudit, send email to Support or call 1-669-444-5200, option 2.

For information about purchasing or evaluating Centrify products, send email to info.