Centrify® DirectAudit® 3.1.1 Release Notes

© 2006-2013 Centrify Corporation.

This software is protected by international copyright laws.

All Rights Reserved.

Table of Contents

1. About DirectAudit 3.1.1

2. New Features

2.1 New Features in DirectAudit 3.1.1

2.2 New Features in DirectAudit 3.1.0

2.3 New Features in DirectAudit 3.0.1

2.4 New Features in DirectAudit 3.0.0

3. Bugs Fixed

3.1 Bug Fixed in DirectAudit 3.1.1

3.1.1 Collector

3.1.2 Centrify UNIX Agent for Audit

3.2 Bug Fixed in DirectAudit 3.1.0

3.2.1 Audit Analyzer

3.2.2 Collector

3.2.3 Centrify UNIX Agent for Audit

3.3 Bug Fixed in DirectAudit 3.0.1

4. Known Issues

4.1 General

4.2 Install / Uninstall

4.3 Collector

4.4 Audit Analyzer and Session Player

4.5 Audit Manager

4.6 Centrify UNIX Agent for Audit

4.7 Database

4.8 Audit Management Server

5. Additional Information and Support

 

1. About DirectAudit 3.1.1

The Centrify DirectAudit feature set is a key component of Centrify Suite Enterprise Edition. DirectAudit enables detailed auditing of user activity on a wide range of UNIX, Linux, and Windows computers. With DirectAudit, you can perform immediate, in-depth troubleshooting by replaying user activity that may have contributed to system failures, spot suspicious activity by monitoring current user sessions, improve regulatory compliance, and ensure accountability by capturing and storing detailed information about the applications used and the commands executed. If you enable auditing, the Centrify Windows Agent records user activity on the Windows computer when it is installed. DirectAudit supports auditing of over 400 different UNIX, Linux, and Windows operating systems. For a complete list of the platforms supported, see DirectAudit Supported Platforms.

Centrify DirectControl is a pre-requisite for Centrify DirectAudit. The minimum version of DirectControl required by this version of DirectAudit is 4.2.0.

This release note updates information available in the DirectAudit Administrator's Guide and describes known issues. You can obtain information about previous releases from the Centrify Support Portal, in the Documentation & Application Notes page.

Centrify Suite is protected by U.S. Patents 7,591,005, 8,024,360, and 8,321,523.

2. New Features

2.1 New Features in DirectAudit 3.1.1

·         Starting from 3.1.1, video capture auditing is enabled for new installations by default. (Ref: 49374)

·         In prior releases, the default value for the parameters dash.allinvoked and dash.force.audit was false.  The default value has been changed to true to support command level auditing. (Ref: 44476)

·         Audit Analyzer has been enhanced to support search phrases in Quick Query, in addition to the existing full text search capability. To search for a specific phrase, enclose the phrase in double quotes. For example, you can type "dacontrol -e" (including the double quotes) into Quick Query. Audit Analyzer will then find all sessions that contain the exact command "dacontrol -e". You can also search using wildcards. For example, you can type "dacontrol -*" into Quick Query to have Audit Analyzer find all the sessions that contain a command starting with "dacontrol -". The query results might then include sessions with the command "dacontrol -e", sessions with the command "dacontrol -d", and sessions with the command "dacontrol --help". For performance reasons, you can only use the asterisk (*) wildcard character at the end of the search phrase. (Ref: 35004)

2.2 New Features in DirectAudit 3.1.0

·         Optional video capture auditing: In this release, you can choose to enable or disable video capture auditing. By default, video capture auditing is disabled for new installations. Disabling video capture helps to greatly reduce the storage requirement for audited sessions. To use this feature, however, you must upgrade both the collector service and the Centrify agent to the 2013.2 release.

·         Audit Analyzer is enhanced to support the following features:

-          Users can now query audit events by role. For example, you can find out who has used the “Domain Administrator” role on a domain controller by using this new search capability.

-          There are four available audit event queries:

§  All, grouped by machine

§  All, grouped by user

§  All, grouped by DirectAuthorize role

§  Today

-          Users can select multiple session items to export and delete. You can export to common data format (CDF), to an event list, or to Windows Media Video (WMV) format.

-          A new Report folder is available in the Audit Analyzer console. The folder contains six generic report templates:

§  Login by user report

§  Login by computer report

§  Authorization failure report

§  User activity report

§  Privileged activity report

§  Centrify Zone administrative activity report

These report templates can be used to generate reports based on user-specified criteria. The results can be exported into HTML, PDF, Excel, CSV, and XML formats.

·         FindSessions.exe: This command-line utility, which is bundled with Audit Analyzer, is enhanced to support delete and export operations on the data returned by the search query. You can export the data to CSV, PDF and HTML formats.

·         Audit trail configuration capability: Group policy allows finer control of whether audit events from Access Manager and Centrify Windows Agent for Access should be generated and whether they should be sent to the Microsoft Event Application Log or DirectAudit.  An Administrative Template file (audittrail.adm) is available in the Audit Manager Installation folder that can be used for setting the audit trail targets.  Available targets are:  0 for none, 1 for Audit Store, 2 for Windows Application log, and 3 for both.

·         Centrify UNIX Agent for DirectAudit is also supported on the following operating systems:

-          Red Hat Enterprise Linux (RHEL) AS/ES/WS  5.9 x86 and AS/ES/WS 5.9 x86_64

-          RHEL AS/ES/WS 6.4 x86 and AS/ES/WS 6.4 x86_64

-          Oracle Linux 5.9 x86 and 5.9 x86_64

-          Oracle Linux 6.4 x86 and 6.4 x86_64

-          CentOS Linux 5.9 x86 and 5.9 x86_64

-          CentOS Linux 6.4 x86 and 6.4 x86_64

-          Scientific Linux 5.9 x86 and 5.9 x86_64

-          Scientific Linux 6.4 x86 and 6.4 x86_64

-          Fedora 18 x86 and 18 x86_64

-          Fedora 19 x86 and 18 x86_64

-          openSUSE Linux 12.3 x86 and 12.3 x86_64

-          Ubuntu 13.04 x86 and 13.04 x86_64

-          Debian Linux 7 x86 and 7 x86_64

-          Linux Mint Debian (LMDE) 201303 x86 and 201303 x86_64

-          Linux Mint 15 x86 and 15 x86_64

-          Solaris 11.1 x86_64 and 11.1 SPARC

·         The following operating systems are no longer supported:

-          Ubuntu 8.0.4 LTS

-          Windows Vista (32 and 64 bit)

2.3 New Features in DirectAudit 3.0.1

·         None. This is a maintenance release.

2.4 New Features in DirectAudit 3.0.0

·         Agent support is added for the following new operating systems:

-          CentOS 6.3 x86 and 6.3 x86_64 (32- and 64-bit)

-          Linux Mint 12 x86 and 12 x86_64

-          openSUSE Linux 12.1 x86 and 12.1 x86_64

-          Oracle Solaris 11 SPARC and 11 x86_64

-          RHEL AS/ES/WS 5.8 x86 and AS/ES/WS 5.8 x86_64

-          RHEL AS/ES/WS 6.3 x86 and AS/ES/WS 6.3 x86_64

-          Fedora 17 x86 and 17 x86_64

-          Scientific Linux 5.7 x86 and 5.7 x86_64

-          Scientific Linux 6.3 x86 and 6.3 x86_64

-          Ubuntu Linux Server 12.04 x86 and 12.04 x86_64

-          VMware vMA 4.0 x86_64 4.1 x86_64 5.0 x86_64

-          Windows 2012 Server (64-bit)

-          Windows 8 (32-bit and 64-bit)

·         Agent support is no longer available for the following old operating systems:

-          Fedora 9, 10, 11, 12, and 13

·         END OF LIFE - Support of Windows Vista will be discontinued after Centrify Suite 2013.

·         DirectAudit now includes the ability to capture detailed UNIX and Linux keystrokes.

·         Audit events have been integrated for monitoring with Centrify Insight.

·         Audit event data is searchable by any method, including Boolean and time-based searches. Searches can be focused on specific applications, commands, and files.

·         Enhanced agent resiliency prevents unplanned agent disruption, either accidental or intentional.

·         Data Management includes automatic rollover of a collection of databases along with the ability to eliminate unneeded session data.  Data elimination and manipulation is based upon privileges assigned through user roles and rights.

·         Data is collected using one of these versions of Microsoft SQL Server:

-          SQL Server 2005 (not supported on Windows 8 and Server 2012)

-          SQL Server 2008

-          SQL Server 2008 R2

-          SQL Server 2012

-          Express, Standard, and Enterprise editions, as well as 32-bit and 64-bit mode, will be supported.

·         Auditing features are integrated with Centrify DirectAuthorize on the Windows platform.

·         NSS/LAM support no longer requires symbolic links to the DirectAudit shell. Changes to the operating system that previously created problems with the symbolic links to shell programs should not affect auditing operations.

3. Bugs Fixed

3.1 Bug Fixed in DirectAudit 3.1.1

3.1.1 Collector

·         In previous releases, SQL Server authentication information that had been configured for the collector was not preserved after the collector was upgraded to a new version. This issue has been fixed. (Ref: 52263)

·         The collector service maintains a SQL Server connection pool with 300 connections in it.  When more than 300 machines send data to the collector concurrently, the collector cannot handle all the requests and stops completely.  To remedy the problem, add more collectors to the Audit Store or increase the number of connections in the SQL Server connection pool.  The number of connections in the SQL Server connection pool can be set using the following registry key, of type DWORD:

HKLM\Software\Centrify\DirectAudit\Collector\MaxPoolSize (Ref: 48452)

3.1.2 Centrify UNIX Agent for Audit

·         The default value of the regular expression used to match the password prompt has been updated. Some programs include the user name in the prompt for the user's password (for example: "Enter password for username:").  The regular expression used in previous releases was unable to match non-alphabetic user names, which caused STDIN auditing to capture the password unexpectedly. The regular expression used in this release will match all possible user names.  (Ref: 52618)

·         In previous releases of DirectAudit, the user might get the following error message when he or she invoked a command that was configured to be audited:

DirectAudit was unable to work out an appropriate shell based on the name xxx, defaulting to fallback shell: /bin/da.emergency.shell

where xxx is any character string.  This bug is now fixed in Suite 2013.3. (Ref: 44476)

·         In previous releases, the Centrify UNIX agent would stop auditing if no collectors could be contacted and there was not enough disk space to spool the audited data.  This issue has been fixed.  In this release, in the same situation, a user whose effective audit level is “Audit required” will not be allowed to log in or enter any additional commands. (Ref: 48319)

·         On a SUSE machine with AppArmor enabled, DirectAudit needs to restart AppArmor to enable auditing. The restart is done automatically. However, the restart could fail silently, leaving auditing disabled. This bug is fixed. (Ref: 52605)

·         In previous releases, the DirectAudit shell was saved as /da/cdashmod.  From Suite 2013.3 onwards, it is saved as /bin/centrifyda to remove the need for another top level directory /da. If you enable command level auditing of dzdo and the users need to use the ‘-i’ option in dzdo, you need to set up a Unix command definition for ‘/da/cdashmod’ and grant this right to roles that can use ‘dzdo -i’.  Since /da/cdashmod is replaced by /bin/centrifyda in this release, you need to change the corresponding command right definition.  (Ref: 45346)

·         The cdashmod processes may use up additional unnecessary CPU resources when DirectAudit agent is stopped on UNIX computers.  This problem has been fixed. (Ref: 51576)

·         In AIX, NIS group memberships are not returned for local users after DirectAudit agent versions 3.0 to 3.1.  This problem has been fixed. (Ref: 53692)
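The password-prompt fix above (Ref: 52618) can be illustrated with a small redaction filter. This is an added example, not Centrify code: both regular expressions, the OUT/IN transcript format, and the sample prompts and passwords are constructed for illustration and are not the agent's actual defaults.

```shell
#!/bin/sh
# Added illustration of how a password-prompt pattern that only accepts
# alphabetic user names lets passwords reach captured STDIN.
# Both patterns below are constructed examples, not the agent's defaults.

# Narrow: the optional user name may contain letters only.
NARROW_PROMPT_RE='[Pp]assword( for [A-Za-z]+)?: *$'
# Broad: the optional user name may contain anything except the colon.
BROAD_PROMPT_RE='[Pp]assword( for [^:]+)?: *$'

# Constructed transcript: "OUT" is program output, "IN" is what the user typed.
sample_transcript() {
    cat <<'EOF'
OUT Enter password for alice:
IN Spring-Alpha-1
OUT Enter password for svc_backup01:
IN Spring-Beta-2
OUT Enter password for j.smith-adm:
IN Spring-Gamma-3
OUT host$
IN ls -l /var/log
EOF
}

# redact_stdin PROMPT_RE
# Copies the transcript from stdin to stdout. When an OUT line matches the
# prompt pattern, the next IN line is replaced so the password is not stored.
redact_stdin() {
    prompt_re=$1
    mask_next=0
    while IFS= read -r line; do
        case $line in
            "OUT "*)
                if printf '%s\n' "${line#OUT }" | grep -Eq -- "$prompt_re"; then
                    mask_next=1
                else
                    mask_next=0
                fi
                printf '%s\n' "$line"
                ;;
            "IN "*)
                if [ "$mask_next" -eq 1 ]; then
                    printf 'IN <redacted>\n'
                else
                    printf '%s\n' "$line"
                fi
                mask_next=0
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done
}

# leaked_passwords PROMPT_RE
# Prints how many of the constructed passwords survive redaction.
leaked_passwords() {
    sample_transcript | redact_stdin "$1" | grep -c '^IN Spring-' || true
}

printf 'narrow pattern leaves %s password(s) in the capture\n' \
    "$(leaked_passwords "$NARROW_PROMPT_RE")"
printf 'broad pattern leaves %s password(s) in the capture\n' \
    "$(leaked_passwords "$BROAD_PROMPT_RE")"
```

When reviewing a custom prompt pattern, test it against prompts containing digits, dots, hyphens and underscores in the user name, and confirm that ordinary commands are still recorded.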

3.2 Bug Fixed in DirectAudit 3.1.0

3.2.1 Audit Analyzer

·         Quick query used to find sessions containing all specified words.  A check box is added to allow users to find sessions containing any specified words.  For example, session A contains commands "ifconfig" and "vi".  Session B contains commands "vi" only.  Quick query on "vi ifconfig" returns session A only by default.  If the check box is checked, both session A and session B are returned. (Ref: 40564)

3.2.2 Collector

·         The current collector design assumes that the standard input (stdin) source contains only one input line. When there are multiple lines in one packet, the collector throws an exception. In this scenario, the audit agent would go offline and would keep spooling to the local disk until there was manual intervention. This issue is fixed. (Ref: 43738)

3.2.3 Centrify UNIX Agent for Audit

·         The memory leak issue has been fixed. (Ref: 39717)

·         In previous releases, the Centrify UNIX Agent for Audit was not handling the environment paths for root and regular users properly (in particular, in setting LIBPATH or LD_LIBRARY_PATH). This caused problems during installation or when a regular user executed the ‘dainfo’ command. This issue is resolved. (Ref: 40964, 41410, 41234, 44560).

·         If the Centrify UNIX Agent auditing service (dad) is stopped for any reason, there is a change in auditing behavior based on the “audit required” setting of the user’s role. (Ref: 43352)

-          If the user’s role has the audit setting “Audit if possible”, the session will continue. However, the user’s subsequent activities during the session will not be audited. No message is displayed to notify the user that auditing has stopped. Auditing will continue only after restarting the auditing service.

-          If the user’s role has the audit setting “Audit required”, a message is displayed informing the user that the auditing service has been stopped by an administrator and that the session cannot continue until the auditing service is restarted. The user can then terminate the session or attempt to resume. The attempt to resume will fail until the auditing service is restarted by the system administrator. In most cases, the user must terminate the session because no user activity is allowed until the auditing service is available.

3.3 Bug Fixed in DirectAudit 3.0.1

·         If both Audit and Access features were installed from Centrify Windows Agent, the logoff menu could not be shown on some machines.  This issue has been fixed in this release. (Ref: 34767)

4. Known Issues

The following sections describe known issues, suggestions, and limitations associated with DirectAudit.

4.1 General

·         This release of DirectAudit does not support the Server Core installation option of Windows Server 2008 or of Windows Server 2012.

·         For the most up-to-date list of known issues, refer to the knowledge base articles in the Centrify Support Portal.

4.2 Install / Uninstall

·         When upgrading DirectAudit, you should use the autorun program to perform the upgrade. The autorun program automatically upgrades other Centrify components such as the Centrify Deployment Report. If you upgrade DirectAudit components individually using the Microsoft Installer (msi) and then attempt to use the autorun program to uninstall all components, autorun will only be able to uninstall the components that were upgraded to the latest version. You can remove any remaining components manually using the Add/Remove Programs and Features Control Panel. (Ref: 46293)

·         DirectAudit 3.1.0 agents require a DirectAudit 3.1.0 collector. The DirectAudit 3.1.0 collector is backward compatible with previous versions of the DirectAudit agent. We recommend upgrading the DirectAudit collector before upgrading any agent. Similarly, a DirectAudit 3.1.0 management database requires a DirectAudit 3.1.0 audit store.  Here is the recommended order for upgrading DirectAudit components. (Ref: 46976)

-          Audit store

-          Management database server

-          Console or collector

-          Agent

·         If you run setup.exe with all DirectAudit components selected for installation on a single computer, the operation is known as the “Easy Install.” Although this is the default for new installations, using the “Easy Install” option requires you to have domain administrator privileges. If you install components by using the .EXE or .MSI installers, you won’t need domain administrator privileges.

·         Centrify DirectAudit stores audit data in SQL Server. If there is no SQL Server available in the environment, the DirectAudit configuration wizard can set up and install Microsoft SQL Server 2005 Express Edition for evaluation purposes.  SQL Server 2005 Express Edition is supported on Windows XP/2003, Windows 2008 and Windows 2008 R2.  It is not supported on Windows 8 and Windows 2012.  You can download and install SQL Server 2008 Express Edition instead. For details, see the following link. (Ref: 46655)

http://www.microsoft.com/en-us/download/details.aspx?id=25052

·         If you use the “Easy Install” installation option, installation of SQL Server Express can take a long time. When you are installing the Centrify Audit Analyzer or DirectManage Audit Manager software, some installation options include the installation of Microsoft SQL Server Express. In some cases, installation of SQL Server Express can take 10-15 minutes, during which time there is no feedback on the screen. Do not terminate the installation as this lack of feedback is expected behavior.

·         If you uninstall the Audit Collector component on a computer that is not joined to the domain, you will see the following messages during an uninstall operation:

The specified domain either does not exist or could not be contacted.

(Exception from HRESULT: 0x8007054B)

Despite the alert message, the Audit Collector is successfully uninstalled when you click OK.

·         During an upgrade, the following message is displayed twice:

The setup must update files or services that cannot be updated while the system is running. If you choose to continue, a reboot will be required to complete the setup

You must reboot after upgrading if a service is running during the upgrade and the service has a lock preventing replacement of the binary files. (If later the installer finds that the service is no longer running, the reboot is not necessary.) A reboot ensures that all components are installed correctly. (Ref: 37499)

·         In the Installation properties, on the Audit Notification page, a .gif image is not supported.

·         After installing the DirectAudit software, you might not find audit events in the DirectAudit database. The problem occurs when DirectAuthorize is installed first, followed by an operating system restart and finally by a fresh installation of DirectAudit. In order to resolve this problem, restart the operating system again after the DirectAudit installation. This issue might also be seen if you upgrade from the Beta release.

4.3 Collector

·         In the Collector Configuration Wizard, if the account credentials you give for the SQL Server do not match an existing account on the SQL Server, and you have the rights to create SQL Server accounts, the credentials you give will be used to automatically create a new SQL Server account.

4.4 Audit Analyzer and Session Player

·         If the active audit management database spans two databases, the Audit Analyzer will show UNIX sessions as "Disconnected" until some data is received from those sessions. Once data has been received, the session state will change to "In Progress."

·         If the session player window is blank when you are replaying a session, and you are using a 32-bit SQL Server instance, it is possible that the SQL Server has run out of memory. Giving more memory to the SQL Server by using the -g384 switch on the SQL Server should resolve the issue. To add more memory:

-          Open the SQL Server configuration manager.

-          Stop the instance.

-          Add the parameter "-g384".

-          Start the instance.

-          Reopen the failing session on the session player and it should now play normally.

·         Audit Event node in Audit Analyzer shows only the audit events from Windows sessions.  Audit events from UNIX sessions will be added in a future release.

·         DirectAudit does not support the export of audited sessions as WMV files on Windows systems with dual monitors in extended mode.

·         During an audited session, if you change the system color from 8 bit to 32 bit, the captured session will not display properly until the next audited session is started.

·         Entering specific keywords in the “Application” Event list column will not filter based on the keywords as expected. For example, entering the search term "c" will locate the string "Windows Explorer". This is because application characteristics are stored in the database as a set of related attributes as follows: "Explorer.EXE | Microsoft® Windows® Operating System | Windows Explorer | Microsoft Corporation | 6.1.7600.16385". A match with any of the Windows Explorer attributes will yield "Windows Explorer".  This issue will be addressed in an upcoming release. (Ref: 39645)

·         The Centrify Zone Administrative Activity Report available in DirectAudit 3.1.1 does not show operations on Windows Rights. (Ref: 45909)

·         Audit events cannot be recorded in the DirectAudit database until the database has been upgraded to DirectAudit 3.1.0 or later.  To avoid losing any audit events, administrators should upgrade the Management and Audit Store databases before upgrading Centrify Windows Agent software and the DirectManage Access Manager console. (Ref: 44031, 44032)

·         When specifying search criteria for a query in Audit Analyzer, in the “Unix Commands and Outputs” attribute, if you enter a string that includes a double-quote character, the query result is undefined. This is true for these criteria: “Contains any of,” “Does not contain,” and “Contains all of.” The workaround is not to use double-quote characters. (Ref: 46692, 44813)

4.5 Audit Manager

·         If a local administrator configures an installation but does not have Active Directory administrative privileges, the Configuration Wizard displays an error message that the user does not have permission to create the publication location. This issue is caused by the scpcreator service, which is responsible for creating the publication location for a non-administrator user, when the service does not start in a timely fashion.  To work around this issue, increase the default service startup timeout value in the registry and restart the computer:

Open the registry editor and navigate to

HKLM > SYSTEM > CurrentControlSet > Control

Add a new DWORD key with the name ServicesPipeTimeout and set its value to a number higher than 30000 (30 sec). The recommended value is 120000 (decimal) or higher.

·         Permissions granted to a Domain Local group might not take effect because the resources might be in different domains.  Grant permissions instead to the Global group or Universal group in order to avoid confusion.

·         Video recording was always turned on in previous DirectAudit releases.  DirectAudit 3.1.0 allows users to optionally turn off video recording.  This requires that both DirectAudit collectors and Windows agents be upgraded to version 3.1.0.  If any DirectAudit collector or Windows agent is an older version, video data may still be recorded even though you have turned it off in Audit Manager Version 3.1.0. (Ref: 44064)

4.6 Centrify UNIX Agent for Audit

·         Auditing init during startup on UNIX is not possible.  The init command used during the boot process should not be audited using per-command auditing. If you attempt to audit init, your operating system will not reboot properly. To audit the init command, run it from an audited shell.

·         You cannot start a GUI session if you are logged in via an interactive session.  Running startx or starting a GUI session from an interactive session results in the following message:

X: user not authorized to run the X server, aborting.

Workaround:

-          Run "sudo dpkg-reconfigure x11-common"

-          When you are prompted for users allowed to start the X server, choose "anybody" (the default is "console users only").

The GUI session or X server should start normally. (Ref: 25036)

·         If the host name of the collector is changed in /etc/resolv.conf, the collector will not pick up the new host name automatically. The dad program must be restarted for this to occur.

·         Local AIX users cannot be audited when they log in via built-in ssh, due to a change in AIX 7.0 ML1. Customers are advised to install Centrify OpenSSH if auditing of ssh login by local users is required. (Ref: 33299)

·         To audit the GUI terminal emulators, GUI login managers have to be fully reinitialized after auditing is enabled. On Linux, "init 3 && init 5" will start the reinitialization. (Stopping the X server only, or pressing ctrl+alt+backspace in Gnome, will not start the reinitialization.)

·         The dzinfo utility is run by a wrapper script. The actual executable of dzinfo is located in /usr/share/centrifydc/libexec/dzinfo.

To enable auditing on dzinfo, you must audit /usr/share/centrifydc/libexec/dzinfo.

NOTE: /usr/bin/dzinfo and /usr/share/centrifydc/bin/dzinfo are symbolic links to the wrapper script /usr/share/centrifydc/bin/cdcexec. Ensure that the executable, and not a symbolic link or wrapper script, is audited.

·         On Solaris, the following commands, located in /usr/bin, might be implemented as ksh programs or scripts:

    alias   bg      cd

    command fc      fg

    getopts hash    jobs

    kill    read    test

    type    ulimit  umask  

    unalias wait

To identify commands implemented as ksh scripts, run the following script:

    #!/bin/ksh -p

    cmd=`basename $0`

    $cmd "$@"

The commands that are implemented internally by ksh should not be audited.

·         On a system using SMF (Service Management Facility), such as Solaris 10, the DirectAudit daemon might not start up after an upgrade from DirectAudit 1.x. This does not affect a fresh installation. To bring the daemon up, run these commands:

1)  svcadm disable centrifyda

2)  svcadm enable centrifyda

Run 'svcs' and find 'centrifyda' to confirm the daemon is online.

·         When a local user and an Active Directory user use the same UNIX user name, the user name will default to the name of the Active Directory user. If the local user name is intended, setting the pam.allow.override parameter in /etc/centrifydc/centrifydc.conf will help. After this setting, the user name implies the Active Directory user, and <username>@localhost implies the local user.

DirectAudit 3.0 understands the "@localhost" syntax. DirectControl UNIX Agent will respond to <username>@localhost if the user name is set in pam.allow.override.

·         On Solaris, some upgrades from Beta may fail. This problem occurs on Solaris machines with NSS2 support. DirectAudit can be reinstalled (upgraded from the Beta Release) manually using pkgadd. It is safe to ignore warnings and continue.

·         On most Solaris platforms, when the Solaris global zone is detected, the prompt “Would you like to join the zone? (Y)” appears. However, on the Solaris 11 platform, the prompt “Would you like to join the zone? (N)” appears.

·         If you upgrade from DirectAudit 2.0, disable DirectAudit so that the new DirectAudit mechanism for hooking shells can be installed: Run 'dacontrol -d -a' to disable auditing, then restart the upgrade.

·         Some events related to the login script are not listed in the indexed events list. The login script cannot be audited for an initial few seconds because the agent software is still being set up.

·         If an installation or upgrade fails, do not repeat the failed steps leading up to the problem. You need to clean up the installation by uninstalling it and reinstalling it.

·         For more information on known issues with individual UNIX or Linux platforms, see the release notes included with each platform agent bundle.
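For the Solaris item above on /usr/bin commands that might be implemented as ksh scripts, the following lists which of the named commands are ksh scripts in a given directory, so they can be left out of per-command auditing. This is an added example, not part of the Centrify release; the function names and the sample directory are constructed, and the check assumes a ksh script is recognisable by its interpreter line.

```shell
#!/bin/sh
# Added example. The command names come from the Solaris list in the known
# issue; the functions and the sample directory are constructed.
KSH_CANDIDATES="alias bg cd command fc fg getopts hash jobs kill read test type ulimit umask unalias wait"

# is_ksh_script FILE
# Returns 0 when FILE is a readable regular file whose first line names ksh
# as the interpreter. Only the first 64 bytes are read, so a large binary is
# never loaded; NUL bytes are dropped before the comparison.
is_ksh_script() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    first=$(dd if="$1" bs=64 count=1 2>/dev/null | tr -d '\000' | LC_ALL=C sed -n '1p')
    case $first in
        '#!/bin/ksh'|'#!/bin/ksh '*|'#!/usr/bin/ksh'|'#!/usr/bin/ksh '*)
            return 0
            ;;
    esac
    return 1
}

# ksh_wrappers_in DIR
# Prints, one per line, the candidate commands found in DIR that are ksh
# scripts. Candidates that are missing or are binaries are skipped.
ksh_wrappers_in() {
    for name in $KSH_CANDIDATES; do
        if is_ksh_script "$1/$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# make_sample_dir
# Builds a constructed stand-in for /usr/bin and prints its path:
#   alias, cd : ksh wrapper scripts in the form shown in the known issue
#   kill      : a binary-looking file
#   test      : a script for a different shell
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/ksh -p\ncmd=`basename $0`\n$cmd "$@"\n' > "$d/alias"
    cp "$d/alias" "$d/cd"
    printf '\177ELF\002\001\001constructed-binary' > "$d/kill"
    printf '#!/bin/sh\nexit 0\n' > "$d/test"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
echo "ksh scripts among the listed commands (do not audit per-command):"
ksh_wrappers_in "$sample"
rm -rf "$sample"
```

On a Solaris host, call `ksh_wrappers_in /usr/bin` and compare the output with the commands configured for per-command auditing.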

4.7 Database

·         In previous versions of DirectAudit, it was possible to specify the location of the database file. In DirectAudit 2.0.0 and later, this capability is not provided in the Audit Store Database Wizard. However, you can still specify the full text file location, database file location, or transaction log file location by choosing "View SQL Scripts" and modifying the relevant database location manually in the script.

·         If you are using SQL Server 2005 Express, and you change the date and time format on the computer with your database to English (Singapore), some of the stored procedures respond with an error “Locale not supported” while other stored procedures continue to work fine. This problem does not occur on other SQL Server versions.

·         If the default memory setting for SQL Server is more than the actual memory in the system, a memory error may occur. For more information see:

http://social.msdn.microsoft.com/Forums/en-US/sqldatabaseengine/thread/74a94f06-adf5-4059-bb92-57a99def37bd/

·         If you have a DirectAudit 1.x database attached to a DirectAudit 2.x installation, then upgrade the 2.x installation to a DirectAudit 3.x installation, you might see the misleading error message that the DirectAudit 1.x database must be upgraded. However, there are no changes to the 1.x database when it is attached to a 2.x installation. Therefore, when the 2.x installation is upgraded to a 3.x installation, the 1.x schema remains unchanged. (Ref: 37799)

·         SQL Server 2005 full text search categorizes certain words as noise words by default and ignores them for searches. Some noise words are common UNIX commands such as like, which, do, and while. The full list is provided below.

You can change the noise word list by modifying this file (for US English): C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\FTData\noiseENU.txt

      about, 1, after, 2, all, also, 3, an, 4, and, 5, another, 6,

      any, 7, are, 8, as, 9, at, 0, be, $, because, been, before,

      being, between, both, but, by, came, can, come, could, did,

      do, does, each, else, for, from, get, got, has, had, he,

      have, her, here, him, himself, his, how, if, in, into, is,

      it, its, just, like, make, many, me, might, more, most, much,

      must, my, never, no, now, of, on, only, or, other, our, out,

      over, re, said, same, see, should, since, so, some, still,

      such, take, than, that, the, their, them, then, there, these,

      they, this, those, through, to, too, under, up, use, very,

      want, was, way, we, well, were, what, when, where, which,

      while, who, will, with, would, you, your, A, B, C, D, E, F,

      G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z

4.8 Audit Management Server

·         To configure the audit management server to point to an installation, the user who is running the Audit Management Server Configuration Wizard must have the "Manage SQL Logins" permission on the management database of the installation. For example, if you are configuring an audit management server in an external forest with a one-way trust, be sure that the installation supports Windows and SQL Server authentication and the account you are using is from the internal forest and has the "Manage SQL Logins" permission on the management database. (Ref: 46989)

5. Additional Information and Support

In addition to following instructions in the documentation provided with this package, you can find the answers to common questions and information about any general or platform-specific known limitations, as well as tips and suggestions, from the Centrify Knowledge Base on the Centrify Support Portal.

You can also contact Centrify Support directly with your questions through the Centrify web site, by email, or by telephone. To contact Centrify Support or to get help with installing or using this version of Centrify DirectAudit, send email to Support or call 1-408-542-7500, option 2.

For information about purchasing or evaluating Centrify products, send email to info.