© 2006-2013 Centrify Corporation.
This software is protected by international copyright laws.
All Rights Reserved.
The Centrify DirectAudit feature set is a key component of Centrify Suite Enterprise Edition. DirectAudit enables detailed auditing of user activity on a wide range of UNIX, Linux, and Windows computers. With DirectAudit, you can perform immediate, in-depth troubleshooting by replaying user activity that may have contributed to system failures, spot suspicious activity by monitoring current user sessions, improve regulatory compliance, and ensure accountability by capturing and storing detailed information about the applications used and the commands executed. If auditing is enabled, the Centrify Windows Agent records user activity on the Windows computer on which it is installed. DirectAudit supports auditing on over 400 different UNIX, Linux, and Windows operating systems. For a complete list of the platforms supported, see DirectAudit Supported Platforms.
Centrify DirectControl is a prerequisite for Centrify DirectAudit. The minimum version of DirectControl required by this version of DirectAudit is 4.2.0.
These release notes update the information available in the DirectAudit Administrator's Guide and describe known issues. You can obtain information about previous releases from the Centrify Support Portal, on the Documentation & Application Notes page.
Centrify Suite is protected by U.S. Patents 7,591,005, 8,024,360, and 8,321,523.
· Optional video capture auditing: In this release, you can choose to enable or disable video capture auditing. By default, video capture auditing is disabled for new installations. Disabling video capture helps to greatly reduce the storage requirement for audited sessions. To use this feature, however, you must upgrade both the collector service and the Centrify agent to the 2013.2 release.
· Audit Analyzer is enhanced to support the following features:
- Users can now query audit trail events by role. For example, you can find out who has used the “Domain Administrator” role on a domain controller by using this new search capability.
- There are four available audit trail queries:
§ All, grouped by machine
§ All, grouped by user
§ All, grouped by DirectAuthorize role
- Users can select multiple session items to export and delete. You can export to common data format (CDF), to an event list, or to Windows Media Video (WMV) format.
- A new Report folder is available in the Audit Analyzer console. The folder contains six generic report templates:
§ Login by user report
§ Login by computer report
§ Authorization failure report
§ User activity report
§ Privileged activity report
§ Centrify Zone administrative activity report
These report templates can be used to generate reports based on user-specified criteria. The results can be exported into HTML, PDF, Excel, CSV, and XML formats.
· FindSessions.exe: This command-line utility, bundled with Audit Analyzer, is enhanced to support deleting and exporting the data returned by a search query. You can export the data to CSV, PDF, and HTML formats.
· Audit trail configuration capability: Group policy allows finer control of whether audit trail events from Access Manager and Centrify Windows Agent for Access should be generated and whether they should be sent to the Microsoft Event Application Log or DirectAudit. An Administrative Template file (audittrail.adm) is available in the Audit Manager Installation folder that can be used for setting the audit trail targets. Available targets are: 0 for none, 1 for Audit Store, 2 for Windows Application log, and 3 for both.
· The Centrify UNIX Agent for DirectAudit is now also supported on the following operating systems:
- Red Hat Enterprise Linux (RHEL) AS/ES/WS 5.9 x86 and AS/ES/WS 5.9 x86_64
- RHEL AS/ES/WS 6.4 x86 and AS/ES/WS 6.4 x86_64
- Oracle Linux 5.9 x86 and 5.9 x86_64
- Oracle Linux 6.4 x86 and 6.4 x86_64
- CentOS Linux 5.9 x86 and 5.9 x86_64
- CentOS Linux 6.4 x86 and 6.4 x86_64
- Scientific Linux 5.9 x86 and 5.9 x86_64
- Scientific Linux 6.4 x86 and 6.4 x86_64
- Fedora 18 x86 and 18 x86_64
- Fedora 19 x86 and 19 x86_64
- openSUSE Linux 12.3 x86 and 12.3 x86_64
- Ubuntu 13.04 x86 and 13.04 x86_64
- Debian Linux 7 x86 and 7 x86_64
- Linux Mint Debian (LMDE) 201303 x86 and 201303 x86_64
- Linux Mint 15 x86 and 15 x86_64
- Solaris 11.1 x86_64 and 11.1 SPARC
· The following operating systems are no longer supported:
- Ubuntu 8.0.4 LTS
- Windows Vista (32 and 64 bit)
· None. This is a maintenance release.
· Agent support is added for the following new operating systems:
- CentOS 6.3 x86 and 6.3 x86_64 (32- and 64-bit)
- Linux Mint 12 x86 and 12 x86_64
- openSUSE Linux 12.1 x86 and 12.1 x86_64
- Oracle Solaris 11 SPARC and 11 x86_64
- RHEL AS/ES/WS 5.8 x86 and AS/ES/WS 5.8 x86_64
- RHEL AS/ES/WS 6.3 x86 and AS/ES/WS 6.3 x86_64
- Fedora 17 x86 and 17 x86_64
- Scientific Linux 5.7 x86 and 5.7 x86_64
- Scientific Linux 6.3 x86 and 6.3 x86_64
- Ubuntu Linux Server 12.04 x86 and 12.04 x86_64
- VMware vMA 4.0 x86_64, 4.1 x86_64, and 5.0 x86_64
- Windows 2012 Server (64-bit)
- Windows 8 (32-bit and 64-bit)
· Agent support is no longer available for the following old operating systems:
- Fedora 9, 10, 11, 12, and 13
· END OF LIFE - Support of Windows Vista will be discontinued after Centrify Suite 2013.
· DirectAudit now includes the ability to capture detailed UNIX and Linux keystrokes.
· Audit trail events have been integrated for monitoring with Centrify Insight.
· Audit event data is searchable by multiple methods, including Boolean and time-based searches. Searches can be focused on specific applications, commands, and files.
· Enhanced agent resiliency prevents unplanned agent disruption, either accidental or intentional.
· Data management includes automatic rollover of a collection of databases along with the ability to eliminate unneeded session data. Data elimination and manipulation are based on privileges assigned through user roles and rights.
· Data is stored in one of the following versions of Microsoft SQL Server:
- SQL Server 2005 (not supported on Windows 8 and Server 2012)
- SQL Server 2008
- SQL Server 2008 R2
- SQL Server 2012
- Express, Standard, and Enterprise editions are supported, in both 32-bit and 64-bit mode.
· Auditing features are integrated with Centrify DirectAuthorize on the Windows platform.
· NSS/LAM support no longer requires symbolic links to the DirectAudit shell. Changes to the operating system that previously created problems with the symbolic links to shell programs should not affect auditing operations.
· Quick query previously found only sessions containing all of the specified words. A check box has been added that allows the user to find sessions containing any of the specified words. For example, session A contains the commands "ifconfig" and "vi", and session B contains the command "vi" only. A quick query on "vi ifconfig" returns session A only by default. If the check box is checked, both session A and session B are returned. (Ref: 40564)
· The previous collector design assumed that the standard input (stdin) source contained only one input line. When there were multiple lines in one packet, the collector threw an exception. In this scenario, the audit agent would go offline and keep spooling to the local disk until there was manual intervention. This issue is fixed. (Ref: 43738)
· The memory leak issue has been fixed. (Ref: 39717)
· In previous releases, the Centrify UNIX Agent for Audit was not handling the environment paths for root and regular users properly (in particular, in setting LIBPATH or LD_LIBRARY_PATH). This caused problems during installation or when a regular user executed the ‘dainfo’ command. This issue is resolved. (Ref: 40964, 41410, 41234, 44560).
· If the Centrify UNIX Agent auditing service (dad) is stopped for any reason, there is a change in auditing behavior based on the “audit required” setting of the user’s role. (Ref: 43352)
- If the user’s role has the audit setting “Audit if possible”, the session will continue. However, the user’s subsequent activities during the session will not be audited. No message is displayed to notify the user that auditing has stopped. Auditing will continue only after restarting the auditing service.
- If the user’s role has the audit setting “Audit required”, a message is displayed informing the user that the auditing service has been stopped by an administrator and that the session cannot continue until the auditing service is restarted. The user can then terminate the session or attempt to resume. The attempt to resume will fail until the auditing service is restarted by the system administrator. In most cases, the user must terminate the session because no user activity is allowed until the auditing service is available.
· If both Audit and Access features were installed from Centrify Windows Agent, the logoff menu could not be shown on some machines. This issue has been fixed in this release. (Ref: 34767)
The following sections describe known issues, suggestions, and limitations associated with DirectAudit.
· This release of DirectAudit does not support the Server Core installation option of Windows Server 2008 or of Windows Server 2012.
· For the most up-to-date list of known issues, refer to the knowledge base articles in the Centrify Support Portal.
· When upgrading DirectAudit, you should use the autorun program to perform the upgrade. The autorun program automatically upgrades other Centrify components such as the Centrify Deployment Report. If you upgrade DirectAudit components individually using the Microsoft Installer (msi) then attempt to use the autorun program to uninstall all components, autorun will only be able to uninstall the components that were upgraded to the latest version. You can remove any remaining components manually using the Add/Remove Programs and Features Control Panel. (Ref: 46293)
· DirectAudit 3.1.0 agents require a DirectAudit 3.1.0 collector. The DirectAudit 3.1.0 collector is backward compatible with previous versions of the DirectAudit agent. We recommend upgrading the DirectAudit collector before upgrading any agent. Similarly, a DirectAudit 3.1.0 management database requires a DirectAudit 3.1.0 audit store. Here is the recommended order for upgrading DirectAudit components. (Ref: 46976)
- Audit store
- Management database server
- Console or collector
· If you run setup.exe with all DirectAudit components selected for installation on a single computer, the operation is known as the “Easy Install.” Although this is the default for new installations, using the “Easy Install” option requires you to have domain administrator privileges. If you install components by using the .EXE or .MSI installers, you won’t need domain administrator privileges.
· Centrify DirectAudit stores audit data in SQL Server. If there is no SQL Server available in the environment, the DirectAudit configuration wizard can set up and install Microsoft SQL Server 2005 Express Edition for evaluation purposes. SQL Server 2005 Express Edition is supported on Windows XP/2003, Windows 2008 and Windows 2008 R2. It is not supported on Windows 8 and Windows 2012. You can download and install SQL Server 2008 Express Edition instead. For details, see the following link. (Ref: 46655)
· If you use the “Easy Install” installation option, installation of SQL Server Express can take a long time. When you are installing the Centrify Audit Analyzer or DirectManage Audit Manager software, some installation options include the installation of Microsoft SQL Server Express. In some cases, installation of SQL Server Express can take 10-15 minutes, during which time there is no feedback on the screen. Do not terminate the installation as this lack of feedback is expected behavior.
· If you uninstall the Audit Collector component on a computer that is not joined to the domain, you will see the following messages during an uninstall operation:
The specified domain either does not exist or could not be contacted.
(Exception from HRESULT: 0x8007054B)
Despite the alert message, the Audit Collector is successfully uninstalled when you click OK.
· During an upgrade, the following message is displayed twice:
The setup must update files or services that cannot be updated while the system is running. If you choose to continue, a reboot will be required to complete the setup
You must reboot after upgrading if a service is running during the upgrade and the service has a lock preventing replacement of the binary files. (If later the installer finds that the service is no longer running, the reboot is not necessary.) A reboot ensures that all components are installed correctly. (Ref: 37499)
· In the Installation properties, on the Audit Notification page, a .gif image is not supported.
· After installing the DirectAudit software, you might not find audit trail data in the DirectAudit database. The problem occurs when DirectAuthorize is installed first, followed by an operating system restart and finally by a fresh installation of DirectAudit. In order to resolve this problem, restart the operating system again after the DirectAudit installation. This issue might also be seen if you upgrade from the Beta release.
· If you were involved in the Centrify Suite 2013 Update 2 Beta program, you cannot use any components from the Beta setup with the final version of Centrify Suite 2013 Update 2. You should delete Beta components prior to the installation.
· In the Collector Configuration Wizard, if the account credentials you give for the SQL Server do not match an existing account on the SQL Server, and you have the rights to create SQL Server accounts, the credentials you give will be used to automatically create a new SQL Server account.
· If the active audit management database spans two databases, the Audit Analyzer will show UNIX sessions as "Disconnected" until some data is received from those sessions. Once data has been received, the session state will change to "In Progress".
· If the session player window is blank when you are replaying a session, and you are using a 32-bit SQL Server instance, it is possible that the SQL Server has run out of memory. Giving more memory to the SQL Server by using the -g384 switch on the SQL Server should resolve the issue. To add more memory:
- Open the SQL Server configuration manager.
- Stop the instance.
- Add the parameter "-g384".
- Start the instance.
- Reopen the failing session on the session player and it should now play normally.
· DirectAudit does not support the export of audited sessions as WMV files on Windows systems with dual monitors in extended mode.
· During an audited session, if you change the system color from 8 bit to 32 bit, the captured session will not display properly until the next audited session is started.
· Entering specific keywords in the “Application” Event list column does not filter on the keywords as expected. For example, entering the search term "c" will locate the string "Windows Explorer". This is because application characteristics are stored in the database as a set of related attributes, as follows: "Explorer.EXE | Microsoft® Windows® Operating System | Windows Explorer | Microsoft Corporation | 6.1.7600.16385". A match with any of the Windows Explorer attributes yields "Windows Explorer". This issue will be addressed in an upcoming release. (Ref: 39645)
· The Centrify Zone Administrative Activity Report available in DirectAudit 3.1.0 does not show operations on Windows Rights. (Ref: 45909)
· Audit trail messages cannot be recorded in the DirectAudit database until the database has been upgraded to DirectAudit 3.1.0. To avoid losing any audit trail messages, administrators should upgrade the Management and Audit Store databases before upgrading Centrify Windows Agent software and the DirectManage Access Manager console. (Ref: 44031, 44032)
· When specifying search criteria for a query in Audit Analyzer, in the “Unix Commands and Outputs” attribute, if you enter a string that includes a double-quote character, the query result is undefined. This is true for these criteria: “Contains any of,” “Does not contain,” and “Contains all of.” The workaround is not to use double-quote characters. (Ref: 46692, 44813)
· If a local administrator configures an installation but does not have Active Directory administrative privileges, the Configuration Wizard displays an error message stating that the user does not have permission to create the publication location. This issue occurs when the scpcreator service, which creates the publication location on behalf of a non-administrative user, does not start in a timely fashion. To work around this issue, increase the default service startup timeout value in the registry and restart the computer:
Open the registry editor and navigate to
HKLM\SYSTEM\CurrentControlSet\Control
Add a new DWORD value named ServicesPipeTimeout and set it to a number higher than 30000 (30 seconds). The recommended value is 120000 (decimal) or higher.
· Permissions granted to a Domain Local group might not take effect because the resources might be in different domains. Grant permissions instead to the Global group or Universal group in order to avoid confusion.
· Video recording was always turned on in previous DirectAudit releases. DirectAudit 3.1.0 allows users to optionally turn off video recording. This requires that both the DirectAudit collectors and the Windows agents be upgraded to version 3.1.0. If any DirectAudit collector or Windows agent is an older version, video data may still be recorded even though you have turned it off in Audit Manager version 3.1.0. (Ref: 44064)
· Auditing init during startup on UNIX is not possible. The init command used during the boot process should not be audited using per-command auditing. If you attempt to audit init, your operating system will not reboot properly. To audit the init command, run it from an audited shell.
· You cannot start a GUI session if you are logged in via an interactive session. Running startx or starting a GUI session from an interactive session results in the following message:
X: user not authorized to run the X server, aborting.
To work around this issue:
- Run "sudo dpkg-reconfigure x11-common"
- When you are prompted for users allowed to start the X server, choose "anybody" (the default is "console users only").
The GUI session or X server should then start normally. (Ref: 25036)
· If the host name of the collector is changed in /etc/resolv.conf, the collector will not pick up the new host name automatically. The dad program must be restarted for this to occur.
· Local AIX users cannot be audited when they log in via built-in ssh, due to a change in AIX 7.0 ML1. Customers are advised to install Centrify OpenSSH if auditing of ssh login by local users is required. (Ref: 33299)
· To audit the GUI terminal emulators, GUI login managers have to be fully reinitialized after auditing is enabled. On Linux, "init 3 && init 5" will start the reinitialization. (Stopping the X server only, or pressing ctrl+alt+backspace in Gnome, will not start the reinitialization.)
· The dzinfo utility is run by a wrapper script. The actual dzinfo executable is located in /usr/share/centrifydc/libexec/dzinfo.
To enable auditing of dzinfo, you must audit /usr/share/centrifydc/libexec/dzinfo.
NOTE: /usr/bin/dzinfo and /usr/share/centrifydc/bin/dzinfo are symbolic links to the wrapper script /usr/share/centrifydc/bin/cdcexec. Ensure that the executable, and not a symbolic link or wrapper script, is audited.
· On Solaris, the following commands, located in /usr/bin, might be implemented as ksh programs or scripts: alias, bg, cd, command, fc, fg, getopts, hash, jobs, kill, read, test, type, ulimit, and umask.
To identify commands implemented as ksh scripts, run the following script:
The commands that are implemented internally by ksh should not be audited.
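The check a practitioner would run before configuring per-command auditing, both for the dzinfo wrapper described above and for the Solaris ksh built-ins just listed, as an added example (this is not the script the release notes refer to and not Centrify code): it follows symbolic links to the real file, then reads the first line to tell a ksh wrapper script from a native executable. It assumes readlink(1) is available and that ksh wrapper scripts start with a shebang naming ksh (for example "#!/bin/ksh -p"); the file names in the comments are illustrative.

```shell
#!/bin/sh
# Added example; not part of the Centrify release notes or the product.
# Classifies candidate per-command audit targets so that DirectAudit is
# pointed at real executables rather than at symbolic links, wrapper
# scripts, or ksh built-ins.  Assumptions: readlink(1) exists, and Solaris
# ksh built-in wrappers are scripts whose first line names ksh.

# resolve_target PATH
# Follows symbolic links (at most 16 hops) and prints the final path.
resolve_target() {
    p=$1
    hops=0
    while [ -L "$p" ]; do
        hops=$((hops + 1))
        if [ "$hops" -gt 16 ]; then
            echo "resolve_target: too many symbolic links: $1" >&2
            return 1
        fi
        link=$(readlink "$p") || return 1
        case $link in
            /*) p=$link ;;                   # absolute link target
            *)  p=$(dirname "$p")/$link ;;   # relative to the link's directory
        esac
    done
    printf '%s\n' "$p"
}

# classify_target PATH
# Prints one of: missing, ksh-script, script, executable
classify_target() {
    t=$(resolve_target "$1") || return 1
    if [ ! -f "$t" ]; then
        echo missing
        return 0
    fi
    first=$(head -n 1 "$t" 2>/dev/null)
    case $first in
        '#!'*ksh*) echo ksh-script ;;   # e.g. /usr/bin/alias on Solaris
        '#!'*)     echo script ;;       # another interpreter, e.g. a cdcexec-style wrapper
        *)         echo executable ;;   # no shebang: treat as a native binary
    esac
}

# audit_target_report DIR NAME...
# One line per NAME: resolved path, classification, and what to audit.
audit_target_report() {
    dir=$1
    shift
    for name in "$@"; do
        path=$dir/$name
        target=$(resolve_target "$path") || continue
        class=$(classify_target "$path")
        case $class in
            ksh-script) verdict="do not audit: built-in implemented inside ksh" ;;
            script)     verdict="wrapper script: audit the executable it runs, not this file" ;;
            executable) verdict="audit this path" ;;
            *)          verdict="not present on this host" ;;
        esac
        printf '%-10s %-45s %-11s %s\n' "$name" "$target" "$class" "$verdict"
    done
}

# Usage: sh check_audit_targets.sh /usr/bin alias bg cd command fc fg getopts hash jobs kill read test type ulimit umask
if [ $# -ge 2 ]; then
    audit_target_report "$@"
fi
```

Run it against /usr/bin with the command names from the list. Entries reported as ksh-script are the ones to keep out of per-command auditing; entries reported as script (such as the cdcexec wrapper behind /usr/bin/dzinfo) identify a wrapper whose real executable should be audited instead; only entries reported as executable are suitable audit targets as-is.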
· On a system using SMF (Service Management Facility), such as Solaris 10, the DirectAudit daemon might not start up after an upgrade from DirectAudit 1.x. This does not affect a fresh installation. To bring the daemon up, run these commands:
1) svcadm disable centrifyda
2) svcadm enable centrifyda
Run 'svcs' and find 'centrifyda' to confirm the daemon is online.
· When a local user and an Active Directory user share the same UNIX user name, the user name defaults to the Active Directory user. If the local user is intended, set the pam.allow.override parameter in /etc/centrifydc/centrifydc.conf. With this setting, the plain user name refers to the Active Directory user and <username>@localhost refers to the local user.
DirectAudit 3.0 understands the "@localhost" syntax. The DirectControl UNIX Agent responds to <username>@localhost if the user name is set in pam.allow.override.
· On Solaris, some upgrades from Beta may fail. This problem occurs on Solaris machines with NSS2 support. DirectAudit can be reinstalled (upgraded from the Beta Release) manually using pkgadd. It is safe to ignore warnings and continue.
· On most Solaris platforms, when the Solaris global zone is detected, the prompt “Would you like to join the zone? (Y)” appears. However, on the Solaris 11 platform, the prompt “Would you like to join the zone? (N)” appears.
· If you upgrade from DirectAudit 2.0, disable DirectAudit so that the new DirectAudit mechanism for hooking shells can be installed: run 'dacontrol -d -a' to disable auditing, then restart the upgrade.
· Some events related to the login script are not listed in the indexed events list. The login script cannot be audited for an initial few seconds because the agent software is still being set up.
· If an installation or upgrade fails, do not repeat the failed steps leading up to the problem. You need to clean up the installation by uninstalling it and reinstalling it.
· For more information on known issues with individual UNIX or Linux platforms, see the release notes included with each platform agent bundle.
· In previous versions of DirectAudit, it was possible to specify the location of the database file. In DirectAudit 2.0.0 and later this capability is not provided in the Audit Store Database Wizard. However, you can still specify the full text file location, database file location, or transaction log file location by choosing "View SQL Scripts" and modifying the relevant database location manually in the script.
· If you are using SQL Server 2005 Express, and you change the date and time format on the computer with your database to English (Singapore), some of the stored procedures respond with an error “Locale not supported” while other stored procedures continue to work fine. This problem does not occur on other SQL Server versions.
· If the default memory setting for SQL Server is higher than the actual memory in the system, a memory error may occur. For more information see:
· If you have a DirectAudit 1.x database attached to a DirectAudit 2.x installation, and then upgrade the 2.x installation to a DirectAudit 3.x installation, you might see a misleading error message that the DirectAudit 1.x database must be upgraded. However, no changes are made to the 1.x database while it is attached to a 2.x installation, so when the 2.x installation is upgraded to 3.x the 1.x schema remains unchanged. (Ref: 37799)
· SQL Server 2005 full text search categorizes certain words as noise words by default and ignores them for searches. Some noise words are common UNIX commands such as like, which, do, and while. The full list is provided below.
You can change the noise word list by modifying this file (for US English): C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\FTData\noiseENU.txt
about, 1, after, 2, all, also, 3, an, 4, and, 5, another, 6,
any, 7, are, 8, as, 9, at, 0, be, $, because, been, before,
being, between, both, but, by, came, can, come, could, did,
do, does, each, else, for, from, get, got, has, had, he,
have, her, here, him, himself, his, how, if, in, into, is,
it, its, just, like, make, many, me, might, more, most, much,
must, my, never, no, now, of, on, only, or, other, our, out,
over, re, said, same, see, should, since, so, some, still,
such, take, than, that, the, their, them, then, there, these,
they, this, those, through, to, too, under, up, use, very,
want, was, way, we, well, were, what, when, where, which,
while, who, will, with, would, you, your, A, B, C, D, E, F,
G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z
· To configure the audit management server to point to an installation, the user who is running the Audit Management Server Configuration Wizard must have the "Manage SQL Logins" permission on the management database of the installation. For example, if you are configuring an audit management server in an external forest with a one-way trust, be sure that the installation supports Windows and SQL Server authentication and that the account you are using is from the internal forest and has the "Manage SQL Logins" permission on the management database. (Ref: 46989)
In addition to following instructions in the documentation provided with this package, you can find the answers to common questions and information about any general or platform-specific known limitations, as well as tips and suggestions, from the Centrify Knowledge Base on the Centrify Support Portal.
You can also contact Centrify Support directly with your questions through the Centrify web site, by email, or by telephone. To contact Centrify Support or to get help with installing or using this version of Centrify DirectAudit, send email to Support or call 1-408-542-7500, option 2.
For information about purchasing or evaluating Centrify products, send email to info.