Centrify® Server Suite 2014 DirectAudit® 3.2.0 Release Notes

© 2007-2014 Centrify Corporation.

This software is protected by international copyright laws.

All Rights Reserved.

Table of Contents

1. About DirectAudit 3.2.0 2

2. New Features 3

2.1 New Features in DirectAudit 3.2.0 3

2.2 New Features in DirectAudit 3.1.1 6

2.3 New Features in DirectAudit 3.1.0 6

2.4 New Features in DirectAudit 3.0.1 8

2.5 New Features in DirectAudit 3.0.0 8

3. Bugs Fixed 10

3.1 Bug Fixed in DirectAudit 3.2.0 10

3.2 Bug Fixed in DirectAudit 3.1.1 10

3.2.1 Collector 10

3.2.2 Centrify UNIX Agent for Audit 11

3.3 Bug Fixed in DirectAudit 3.1.0 12

3.3.1 Audit Analyzer 12

3.3.2 Collector 12

3.3.3 Centrify UNIX Agent for Audit 12

3.4 Bug Fixed in DirectAudit 3.0.1 13

4. Known Issues 13

4.1 General 13

4.2 Install / Uninstall 14

4.3 Collector 15

4.4 Audit Analyzer and Session Player 15

4.5 Audit Manager 17

4.6 Centrify UNIX Agent for Audit 17

4.7 Database 22

4.8 Audit Management Server 23

4.9 FindSession tools 23

5. Additional Information and Support 23


1. About DirectAudit 3.2.0

The Centrify DirectAudit feature set is a key component of Centrify Suite Enterprise Edition. DirectAudit enables detailed auditing of user activity on a wide range of UNIX, Linux, and Windows computers. With DirectAudit, you can perform immediate, in-depth troubleshooting by replaying user activity that may have contributed to system failures, spot suspicious activity by monitoring current user sessions, improve regulatory compliance, and ensure accountability by capturing and storing detailed information about the applications used and the commands executed. If you enable auditing, the Centrify Windows Agent records user activity on the Windows computer when it is installed. DirectAudit supports auditing of over 400 different UNIX, Linux, and Windows operating systems. For a complete list of the platforms supported, see DirectAudit Supported Platforms.

Centrify DirectControl is a pre-requisite for Centrify DirectAudit. The minimum version of DirectControl required by this version of DirectAudit is 4.2.0.

This release note updates information available in the DirectAudit Administrator's Guide and describes known issues. You can obtain information about previous releases from the Centrify Support Portal, in the Documentation & Application Notes page.

Centrify Suite is protected by U.S. Patents 7,591,005, 8,024,360, and 8,321,523.

2. New Features

2.1 New Features in DirectAudit 3.2.0

·         A number of Group Policies for DirectAudit are added.  These policies include DirectAudit shell, DirectAudit Daemon and other settings about DirectAudit UNIX agent. (Ref: 8146)

·         The information of applied Group Policy settings, contained in /var/centrifydc/reg/machine/gp.report, has been added into "dainfo -t".  (Ref: 55939)

·         dainfo is updated to include the following information. (Ref: 54779, 56594)

1.  Offline store size of audit trail

2.  Despool rate of audit trail

3.  the online status of audit trail channel

·         For file transfer commands like rsync, sftp, scp, where SSH connection is being used, DirectAudit would be unnecessarily recording all the binary data being sent to and from the server.  In Suite 2014, user can specify what SSH command to skip auditing by setting the dash.ssh.command.skiplist setting in centrifyda.conf.  By default, the SSH command rsync, sftp and scp will be skipped.  (Ref: 56166)

·         DirectAudit periodically monitors and repairs the NSS/LAM configuration files (/etc/nsswitch.conf for NSS; /etc/security/user and /usr/lib/security/methods.cfg for LAM).  The default monitoring interval is now increased from 60 seconds to one hour to reduce system load.   If there is any other software that modifies these configuration files (e.g., adjoin/adleave), the NSS/LAM configuration files will not be modified till the next monitoring interval.  Restarting DirectAudit immediately will set up the configuration files corectly.  (Ref: 58288)

·         DirectAudit is enhanced to allow specifying some local users to log in or run an audited command when it encounters environment setup issues, like not getting a pty. The users can be specified with dash.user.alwaysallowed.list in centrifyda.conf. Previously, only the root user is always allowed.  (Ref: 55995)

·         A new configuration parameter is introduced for centrifyda.conf, namely cache.enable, which controls whether the dad process caches name service query results about users and groups. For details, please refer to Configuration and Tuning Reference Guide.  (ref: 56258)

·         You can specify a regular expression to detect command prompt. The custom command prompt regular expression can be specified by adding a new registry String Value named prompt under HKEY_LOCAL_MACHINE\SOFTWARE\Centrify\DirectAudit\Collector on each of the systems where Centrify DirectManage Audit Collector component is installed and running. If this registry value is absent, the default regular expression ^[^#%>\$]*[#%>\$]\s* will be used to detect the command prompt.  (Ref: 56654)

·         New command line options, /role and /ticket, have been added to the FindSessions utility to export UNIX commands, UNIX input, and UNIX input and output data.

·         FindSession is updated to support querying session for multiple users and computers.  For example, user can enter e.g. "user1; user2" in the User textbox, then both user1 and user2 sessions will be queried out.  The cases is the same for Machine textbox. For no UI mode, run FindSessions /u="user1;user2", then both user1 and user2 sessions will be queried out. The case is the same for FindSessions /m="machine1; machine2".  (Ref: 55029)

·         New command line options, /role and /ticket, have been added to the FindSessions utility to export UNIX commands, UNIX input and output data.  You can use these new options.  Please refer to FindSessions.pdf in Audit Analyzer installed folder for more the option details.  (Ref: 48483)

·         FindSession is updated to also show the URL link when exporting the session list.  User can replay the audited session by passing the URL to daplayer.exe (i.e. DirectAudit Session Player) directly.  (Ref: 53449)

·         From Suite 2014 onward, multiple users and/or computers can be specified as search criteria when searching for Audit Events. To search for Audit Events from multiple users and/or computers, the user names and/or computer names can be specified as a semicolon separate list on the "Query Audit Events" dialog box. (Ref: 54984)

·         Centrify UNIX Agent for DirectAudit is now supporting the following operating systems:

-          Red Hat Enterprise Linux Server 5.10, 6.5 (32-bit and 64-bit)

-          Red Hat Enterprise Linux Desktop 5.10, 6.5 (32-bit and 64-bit)

-          CentOS 5.10, 6.5 (32-bit and 64-bit)

-          Oracle Linux 6.5 (32-bit and 64-bit)

-          Scientific Linux 5.10 (32-bit and 64-bit)

-          Fedora 20 (32-bit and 64-bit)

-          Debian Linux 7.2, 7.3 (32-bit and 64-bit)

-          Linux Mint 16 (32-bit and 64-bit)

-          Ubuntu Desktop 13.10 (32-bit and 64-bit)

-          Ubuntu Server 13.10 (32-bit and 64-bit)

·         Support will be discontinued soon (the next release will be the last release with support) for the following operating systems (REF#: 56640, 59381):

-          Red Hat Enterprise Linux 3 (32-bit and 64-bit x86)

-          CentOS Linux 4.4, 4.5, 4.6, 4.7, 4.8, 4.9 (32-bit and 64-bit x86)

-          Debian Linux 5, 6 (32-bit and 64-bit x86)

-          Fedora 14, 15, 16, 17, 18 (32-bit and 64-bit)

-          Ubuntu 10.10, 11.04, 11.10, 12.10 (32-bit and 64-bit x86, desktop and server)

-          Linux Mint Debian Edition 201204 (32-bit and 64-bit x86)

-          Linux Mint 12, 14 (32-bit and 64-bit x86)

-          OpenSUSE 11.0, 11.1, 11.2, 11.3, 11.4 (32-bit and 64-bit x86)

-          Scientific Linux 4.4, 4.5, 4.6, 4.7, 4.8, 4.9 (32-bit and 64-bit x86)

-          SUSE Enterprise Linux 8.0 (32-bit x86)

-          SUSE Enterprise Linux 9.0, 9.1, 9.2, 9.3 (32-bit and 64-bit x86)

-          VMware ESX 3.5 (32-bit)

-          VMware ESX 4.0, 4.1 (64-bit)

·         Centrify Windows Agent is now supporting the following platform

-          Windows 8.1 (32-bit and 64-bit)

-          Windows 2012 R2 (64-bit)

2.2 New Features in DirectAudit 3.1.1

·         Starting from 3.1.1, video capture auditing is enabled for new installations by default. (Ref:49374)

·         In prior releases, the default value for the parameters dash.allinvoked and dash.force.audit was false.  The default value has been changed to true to support command level auditing. (Ref: 44476)

·         Audit Analyzer has been enhanced to support search phrases in Quick Query, in addition to existing full text search capability. To search for a specific phrase, you should enclose the phrase with double quotes.  For example, you can type “dacontrol –e” (including the double quotes) into Quick Query. Audit Anaylzer will then find all sessions that contain the exact command “dacontrol –e”. You can also search using wildcards. For example, you can type “dacontrol -*” into Quick Query to have Audit Analyzer find all the sessions that contain the command starting with “dacontrol –”. The query results might then include sessions with the command “dacontrol –e”, sessions with the command “dacontrol –d”, and sessions with a command “dacontrol --help”.  For performance reasons, you can only use the asterisk (*) wildcard character at the end of the search phrase. (Ref: 35004)

2.3 New Features in DirectAudit 3.1.0

·         Optional video capture auditing: In this release, you can choose to enable or disable video capture auditing. By default, video capture auditing is disabled for new installations. Disabling video capture helps to greatly reduce the storage requirement for audited sessions. To use this feature, however, you must upgrade both the collector service and the Centrify agent to the 2013.2 release.

·         Audit Analyzer is enhanced to support the following features:

-          Users can now query audit events by role. For example, you can find out who has used the “Domain Administrator” role on a domain controller by using this new search capability.

-          There are four available audit event queries:

§  All, grouped by machine

§  All, grouped by user

§  All, grouped by DirectAuthorize role

§  Today

-          Users can select multiple session items to export and delete. You can export to common data format (CDF), to an event list, or to Windows Media Video (WMV) format.

-          A new Report folder is available in the Audit Analyzer console. The folder contains six generic report templates:

§  Login by user report

§  Login by computer report

§  Authorization failure report

§  User activity report

§  Privileged activity report

§  Centrify Zone administrative activity report

These report templates can be used to generate reports based on user-specified criteria. The results can be exported into HTML, PDF, Excel, CSV, and XML formats.

·         FindSessions.exe: This command-line utility that is bundled with Audit Analyzer is enhanced to support delete and export operations of the data returned by the search query. You can export the data to CSV, PDF and HTML formats.

·         Audit trail configuration capability: Group policy allows finer control of whether audit events from Access Manager and Centrify Windows Agent for Access should be generated and whether they should be sent to the Microsoft Event Application Log or DirectAudit.  An Administrative Template file (audittrail.adm) is available in the Audit Manager Installation folder that can be used for setting the audit trail targets.  Available targets are:  0 for none, 1 for Audit Store, 2 for Windows Application log, and 3 for both.

·         Centrify UNIX Agent for DirectAudit is also supported on the following operating systems:

-          Red Hat Enterprise Linux (RHEL) AS/ES/WS  5.9 x86 and AS/ES/WS 5.9 x86_64

-          RHEL AS/ES/WS 6.4 x86 and AS/ES/WS 6.4 x86_64

-          Oracle Linux 5.9 x86 and 5.9 x86_64

-          Oracle Linux 6.4 x86 and 6.4 x86_64

-          CentOS Linux 5.9 x86 and 5.9 x86_64

-          CentOS Linux 6.4 x86 and 6.4 x86_64

-          Scientific Linux 5.9 x86 and 5.9 x86_64

-          Scientific Linux 6.4 x86 and 6.4 x86_64

-          Fedora 18 x86 and 18 x86_64

-          Fedora 19 x86 and 18 x86_64

-          openSUSE Linux 12.3 x86 and 12.3 x86_64

-          Ubuntu 13.04 x86 and 13.04 x86_64

-          Debian Linux 7 x86 and 7 x86_64

-          Linux Mint Debian (LMDE) 201303 x86 and 201303 x86_64

-          Linux Mint 15 x86 and 15 x86_64

-          Solaris 11.1 x86_64 and 11.1 SPARC

·         The following operating systems are no longer supported:

-          Ubuntu 8.0.4 LTS

-          Windows Vista (32 and 64 bit)


2.4 New Features in DirectAudit 3.0.1

·         None. This is a maintenance release.

2.5 New Features in DirectAudit 3.0.0

·         Agent support is added for the following new operating systems:

-          CentOS 6.3 x86 and 6.3 x86_64 (32- and 64-bit)

-          Linux Mint 12 x86 and 12 x86_64

-          openSUSE Linux 12.1 x86 and 12.1 x86_64

-          Oracle Solaris 11 SPARC and 11 x86_64

-          RHEL AS/ES/WS 5.8 x86 and AS/ES/WS 5.8 x86_64

-          RHEL AS/ES/WS 6.3 x86 and AS/ES/WS 6.3 x86_64

-          Fedora 17 x86 and 17 x86_64

-          Scientific Linux 5.7 x86 and 5.7 x86_64

-          Scientific Linux 6.3 x86 and 6.3 x86_64

-          Ubuntu Linux Server 12.04 x86 and 12.04 x86_64

-          VMware vMA 4.0 x86_64 4.1 x86_64 5.0 x86_64

-          Windows 2012 Server (64-bit)

-          Windows 8 (32-bit and 64-bit)

·         Agent support is no longer available for the following old operating systems:

-          Fedora 9, 10, 11, 12, and 13

·         END OF LIFE - Support of Windows Vista will be discontinued after Centrify Suite 2013.

·         DirectAudit now includes the ability to capture detailed UNIX and Linux keystrokes.

·         Audit events have been integrated for monitoring with Centrify Insight.

·         Audit event data is searchable, by any methods including Boolean and time-based searches. Searches can be focused on specific applications, commands, and files.

·         Enhanced agent resiliency prevents unplanned agent disruption, either accidental or intentional.

·         Data Management includes automatic rollover of a collection of databases along with the ability to eliminate unneeded session data.  Data elimination and manipulation is based upon privileges assigned through user roles and rights.

·         Data is collected using one of these versions of the Microsoft SQL Server including:

-          SQL Server 2005 (not supported on Windows 8 and Server 2012)

-          SQL Server 2008

-          SQL Server 2008 R2

-          SQL Server 2012

-          Express Standard and Enterprise editions, as well as 32-bit and 64-bit mode, will be supported.

·         Auditing features are integrated with Centrify DirectAuthorize on the Windows platform.

·         NSS/LAM support no longer requires symbolic links to the DirectAudit shell. Changes to the operating system that previously created problems with the symbolic links to shell programs should not affect auditing operations.

3. Bugs Fixed

3.1 Bug Fixed in DirectAudit 3.2.0

·         When adding sites to audit store, the sites is now changed to be sorted in ascending order by default. User can change the sort order by clicking the columm header.  (Ref: 40977)

·         From Suite 2014 onward, if an audit event is associated with an audited user session, you can double click on the event in Audit Analyzer (Audit Events node) to replay the corresponding session.  (Ref: 49065)

·         Some session inputs were exported into one single record when using the FindSession.exe option /export=UnixInputOutput.  This issue is fixed except one case.  The keystroke entered in cursor-based application like “man” is still going to be appended to the next command the user entered because there is no CRLF characters in the input stream so the tool cannot distinguish when to start the new line.  (Ref: 57457)

·         Fixed a problem on AIX systems where after enabling auditing with "dacontrol -e", Hardware Management Console (HMC) logons would not work until the system was rebooted. (Ref: 54553)

·         Fixed a problem where an entry in /etc/environment setting LIBPATH could interfere with being able to successfully start the DirectAudit deamon. (Ref: 55432)

·         Fixed a problem with patching the OS kernel while DA auditing is enabled which could cause the system to hang after rebooting or cause users logging in to receive an "emergency shell". (Ref: 21975, 24399)

3.2 Bug Fixed in DirectAudit 3.1.1

3.2.1 Collector

·         In previous releases, SQL Server authentication information that had been configured for the collector was not preserved after the collector was upgraded to a new version. This issue has been fixed. (Ref: 52263)

·         Collector service maintains a SQL Server connection pool with 300 connections in it.  When there are more than 300 machines sending data to the collector concurrently, collector cannot handle all the requests and it will stop completely.  To remedy the problem, more collectors should be added to the Audit Store or the number of connections in the SQL Server connection pool should be increased.  The number of connections in the SQL Server connection pool can be set using the following registry key with the type of DWORD

HKLM\Software\Centrify\DirectAudit\Collector\MaxPoolSize (Ref: 48452)

3.2.2 Centrify UNIX Agent for Audit

·         The default value of the regular expression used to match the password prompt has been updated. Some programs include the user name in the prompt for the user's password (for example: "Enter password for username:").  The regular expression used in previous releases was unable to match non-alphabetic user names, which caused STDIN auditing to capture the password unexpectedly. The regular expression used in this release will match all possible user names.  (Ref: 52618)

·         In previous releases of DirectAudit, the user might get the following error message when he or she invoked a command that was configured to be audited:

DirectAudit was unable to work out an appropriate shell based on the name xxx, defaulting to fallback shell: /bin/da.emergency.shell

where xxx is any character string.  This bug is now fixed in Suite 2013.3. (Ref: 44476)

·         In previous releases, the Centrify UNIX agent would stop auditing if no collectors could be contacted and there is was not enough disk space to spool the audited data.  This issue has been fixed.  In this release, under the same situation, a user whose effective audit level is “Audit required” will not be allowed to log in or enter any additional commands. (Ref: 48319)

·         On a SUSE machine with AppArmor enabled, DirectAudit needs to restart AppArmor to enable audit. The restart is done automatically. However, it could fail silently and audit is disabled. The bug is fixed. (Ref: 52605).

·         In previous releases, the DirectAudit shell is saved as /da/cdashmod.  From Suite 2013.3 onwards, it is saved as /bin/centrifyda to remove the need for another top level directory /da. If you enable command level auditing of dzdo and the users need to use the ‘-i’ option in dzdo, you need to set up a Unix command definition for ‘/da/cdashmod’ and grant this right to roles that can use ‘dzdo –i’.  Since /da/cdashmod is replaced by /bin/centrifyda in this release, you need to change the corresponding command right definition.  (Ref: 45346)

·         The cdashmod processes may use up additional unnecessary CPU resources when DirectAudit agent is stopped on UNIX computers.  This problem has been fixed. (Ref: 51576)

·         In AIX, NIS group memberships are not returned for local users after DirectAudit agent versions 3.0 to 3.1.  This problem has been fixed. (Ref: 53692)

3.3 Bug Fixed in DirectAudit 3.1.0

3.3.1 Audit Analyzer

·         Quick query used to find sessions containing all specified words.  A check box is added to allow user to find sessions containing any specified words.  For example, session A contains commands "ifconfig" and "vi".  Session B contains commands "vi" only.  Quick query on "vi ifconfig" returns session A only by default.  If the check box is checked, both session A and session B are returned. (Ref: 40564)

3.3.2 Collector

·         The current collector design assumes that the standard input (stdin) source contains only one input line. When there are multiple lines in one packet, the collector throws an exception. In this scenario, the audit agent would go offline and would keep spooling to the local disk until there was manual intervention. This issue is fixed. (Ref: 43738)

3.3.3 Centrify UNIX Agent for Audit

·         The memory leak issue has been fixed. (Ref: 39717)

·         In previous releases, the Centrify UNIX Agent for Audit was not handling the environment paths for root and regular users properly (in particular, in setting LIBPATH or LD_LIBRARY_PATH). This caused problems during installation or when a regular user executed the ‘dainfo’ command. This issue is resolved. (Ref: 40964, 41410, 41234, 44560).

·         If the Centrify UNIX Agent auditing service (dad) is stopped for any reason, there is a change in auditing behavior based on the “audit required” setting of the user’s role. (Ref: 43352)

-          If the user’s role has the audit setting “Audit if possible”, the session will continue. However, the user’s subsequent activities during the session will not be audited. No message is displayed to notify the user that auditing has stopped. Auditing will continue only after restarting the auditing service.

-          If the user’s role has the audit setting “Audit required”, a message is displayed informing the user that the auditing service has been stopped by an administrator and that the session cannot continue until the auditing service is restarted. The user can then terminate the session or attempt to resume. The attempt to resume will fail until the auditing service is restarted by the system administrator. In most cases, the user must terminate the session because no user activity is allowed until the auditing service is available.

3.4 Bug Fixed in DirectAudit 3.0.1

·         If both Audit and Access features were installed from Centrify Windows Agent, the logoff menu could not be shown on some machines.  This issue has been fixed in this release. (Ref: 34767)

4. Known Issues

The following sections describe known issues, suggestions, and limitations associated with DirectAudit.

4.1 General

·         This release of DirectAudit does not support the Server Core installation option of Windows Server 2008 or of Windows Server 2012.

·         For the most up-to-date list of known issues, refer to the knowledge base articles in the Centrify Support Portal.

·         From Suite 2014 onward, the Audit Trail user name will be stored in UPN (user@domain) format. For all the domain users, the user name will be stored in user@domain format and for all local users, the user name will be stored in user@computer format. If you are upgrading to Suite 2014, the upgrade process will not automatically update the user information that already exists in the database. Auditors can continue to use the old formats (SHORT_DOMAIN_NAME\username or user@domain) to query Audit Trail events that were generated before the upgrade. (Ref: 54985)

·         When an Audit Trail event is generated, every event log is associated with an event id. However, the event id is not always unique because two or more Centrify products can share the same event id for two different events. There are plans to introduce unique event ids in future and hence customer should not rely on the event ids to track particular events; event ids may change in future.  (Ref: 55847)

·         The characters (‘%’, ‘#’, ‘>’ and ‘$’) are used by DirectAudit to recognize UNIX commands.   They should not be used in role names and trouble-tickets names. (Ref: 51687)

4.2 Install / Uninstall

·         When upgrading DirectAudit, you should use the autorun program to perform the upgrade. The autorun program automatically upgrades other Centrify components such as the Centrify Deployment Report. If you upgrade DirectAudit components individually using the Microsoft Installer (msi) then attempt to use the autorun program to uninstall all components, autorun will only be able to uninstall the components that were upgraded to the latest version. You can remove any remaining components manually using the Add/Remove Programs and Features Control Panel. (Ref: 46293)

·         If you run setup.exe with all DirectAudit components selected for installation on a single computer, the operation is known as the “Easy Install.” Although this is the default for new installations, using the “Easy Install” option requires you to have domain administrator privileges. If you install components by using the .EXE or .MSI installers, you won’t need domain administrator privileges.

·         If you use the “Easy Install” installation option, installation of SQL Server Express can take a long time. When you are installing the Centrify Audit Analyzer or DirectManage Audit Manager software, some installation options include the installation of Microsoft SQL Server Express. In some cases, installation of SQL Server Express can take 10-15 minutes, during which time there is no feedback on the screen. Do not terminate the installation as this lack of feedback is expected behavior.

·         If you uninstall the Audit Collector component on a computer that is not joined to the domain, you will see the following messages during an uninstall operation:

The specified domain either does not exist or could not be contacted.

(Exception from HRESULT: 0x8007054B)

Despite the alert message, the Audit Collector is successfully uninstalled when you click OK.

·         In Suite 2013.3 (or previous versions), the DirectAudit installation process used to automatically generate a 30 day evaluation license key. This process has now been removed. If you are creating a new DirectAudit installation using Suite 2014 or later release, when prompted, you must type the evaluation license key that you have received from Centrify. If you are upgrading an existing DirectAudit installation with an evaluation license key to Suite 2014, the existing evaluation license key will still remain usable. (Ref: 52259)

·         Centrify Windows Agent uses a registry DWORD Value named AuditTrailTargets to determine whether the Audit Trail events should go to the DirectAudit database or Windows event log or both. If you are upgrading Centrify Windows Agent to Suite 2014, this registry value will be reset to default by the upgrade process. It is recommended to note down all the values under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Centrify\AuditTrail and manually restore these values after the upgrade if they have been reset. (xRef: 58446)

4.3 Collector

·         In the Collector Configuration Wizard, if the account credentials you give for the SQL Server do not match an existing account on the SQL Server, and you have the rights to create SQL Server accounts, the credentials you give will be used to automatically create a new SQL Server account.

4.4 Audit Analyzer and Session Player

·         If the active audit management database spans two databases, the Audit Analyzer will show UNIX sessions as "Disconnected" until some data is received from those sessions. Once data has been received, the session state will change to "In Progress.”

·         If the session player window is blank when you are replaying a session, and you are using a 32-bit SQL Server instance, it is possible that the SQL Server has run out of memory. Giving more memory to the SQL Server by using the -g384 switch on the SQL Server should resolve the issue. To add more memory:

-          Open the SQL Server configuration manager.

-          Stop the instance.

-          Add the parameter "-g384".

-          Start the instance.

-          Reopen the failing session on the session player and it should now play normally.

·         DirectAudit does not support the export of audited sessions as WMV files on Windows systems with dual monitors in extended mode.

·         During an audited session, if you change the system color from 8 bit to 32 bit, the captured session will not display properly until the next audited session is started.

·         Entering specific keywords in the “Application” Event list column will not filter based on the keywords as expected. For example, entering the search term "c" will locate the string "Windows Explorer". This is because application characteristics are stored in the database as a set of related attributes as follows: "Explorer.EXE | Microsoft® Windows® Operating System | Windows Explorer | Microsoft Corporation | 6.1.7600.16385" A match with any of the Windows Explorer attributes will yield “Windows Explorer".  This issue will be addressed in an upcoming release. (Ref: 39645)

·         When specifying search criteria for a query in Audit Analyzer, in the “Unix Commands and Outputs” attribute, if you enter a string that includes a double-quote character, the query result is undefined. This is true for these criteria: “Contains any of,” “Does not contain,” and “Contains all of.” The workaround is not to use double-quote characters. (Ref: 46692, 44813)

·         If DirectAudit Installation is configured not to capture video data, parameters of the UNIX command is also not captured.  Therefore, the query using "Parameters of Commands and Applications” as the criteria does not work under this configuration. This is a known issue and will be addressed in future release. (Ref: 55741)

·         If you open Audit Analyzer and right click on any child node of predefined queries such as "All, Grouped by User", "All, Grouped by Machine" or "All, Grouped by Audit Store" in the left pane, the context menu is displayed and it shows a menu item named "Properties". This context menu item, when clicked, does not open any dialog box because it is not a valid action for the selected child node. This menu item will be removed in the future release. (Ref: 48681)

·         By default, Centrify Audit Analyzer uses MSS2 codec to export audited sessions to a WMV (Windows Media Video) file. The MSS2 codec has a known issue which results in fuzzy video when an audited Windows session is exported as WMV file and opened in Windows Movie Maker 2012. From Suite 2014 onward, you can specify your own codec to export an audited session to a WMV file. Please refer to KB-4029 for additional information. (xRef: 56021)

4.5 Audit Manager

·         In the Installation properties, on the Audit Notification page, a .gif image is not supported. (Ref: 32793)

·         Permissions granted to a Domain Local group might not take effect because the resources might be in different domains.  Grant permissions instead to the Global group or Universal group in order to avoid confusion.

·         Video recording was always turned on in previous DirectAudit releases.  DirectAudit 3.1.0 allows user to optionally turn off video recording.  This requires that both DirectAudit collectors and Windows agents be upgraded to version 3.1.0.  If any of DirectAudit collectors or Windows agents is an older version, video data may still be recorded even though you have turned it off in Audit Manager Version 3.1.0. (Ref: 44064)

·         In Suite 2013.3 or previous releases, the Audit Manager Help shortcut was available under "All Programs\Centrify Suite 2013\Audit\Documentation" on the Windows Start menu. In Suite 2014, this help shortcut has been moved to "All Programs\Centrify Server Suite 2014\Audit" on the Windows Start menu. (xRef: 55851)

4.6 Centrify UNIX Agent for Audit

·         Starting from Suite 2014, dash.force.audit has been deprecated and is no longer needed in the configuration of command-level auditing for managed computers. As a result, it is no longer included in the configuration file (centrifyda.conf) by default. For details, please refer to the Configuration and Tuning Reference Guide. (Ref: 56822)

·         Auditing init during startup on UNIX is not possible.  The init command used during the boot process should not be audited using per-command auditing. If you attempt to audit init, your operating system will not reboot properly. To audit the init command, run it from an audited shell.

·         You cannot start a GUI session if you are logged in via an interactive session.  Running startx or starting a GUI session from an interactive session results in the following message:

X: user not authorized to run the X server, aborting.


-          Run "sudo dpkg-reconfigure x11-common"

-          When you are prompted for users allowed to start the X server, choose "anybody" (the default is "console users only").

The GUI session or X server should start normally. (Ref: 25036)

·         Local AIX users cannot be audited when they log in via built-in ssh, due to a change in AIX 7.0 ML1. Customers are advised to install Centrify OpenSSH if auditing of ssh login by local users is required (REF: 33299).

·         To audit the GUI terminal emulators, GUI login managers have to be fully reinitialized after auditing is enabled. On Linux, "init 3 && init 5" will start the reinitialization. (Stopping the X server only, or pressing ctrl+alt+backspace in Gnome, will not start the reinitialization.)

·         The dzinfo utility is run by a wrapper script. The actual executable of dzinfo is located in /usr/share/centrifydc/libexec/dzinfo.

To enable auditing on dzinfo, a user is required to audit /usr/share/centrifydc/libexec/dzinfo.

NOTE: /usr/bin/dzinfo and /usr/share/centrifydc/bin/dzinfo are symbolic links to the wrapper script /usr/share/centrifydc/bin/cdcexec. Ensure that the executable, and not a symbolic link or wrapper script, is audited.

·         On Solaris, the following commands, located in /usr/bin, might be implemented as ksh programs or scripts:

    alias   bg      cd

    command fc      fg

    getopts hash    jobs

    kill    read    test

    type    ulimit  umask  

    unalias wait

To identify commands implemented as ksh scripts, run the following script:

    #!/bin/ksh -p

    cmd=`basename $0`

    $cmd "$@"

The commands that are implemented internally by ksh should not be audited.

·         On a system using SMF (Service Management Facility), such as Solaris 10, the DirectAudit daemon might not start up after an upgrade from DirectAudit 1.x. This does not affect a fresh installation. To bring the daemon up, run these commands:

1)  svcadm disable centrifyda

2)  svcadm enable centrifyda

Run 'svcs' and find 'centrifyda' to confirm the daemon is online.

·         When a local user and an Active Directory user use the same UNIX user name, the user name will default to the name of the Active Directory user. If the local user name is intended, setting the pam.allow.override parameter in /etc/centrifydc/centrifydc.conf will help. After this setting, the user name implies the Active Directory user; and <username>@localhost will implies the local user.

DirectAudit 3.0 or later understands the "@localhost" syntax. DirectControl UNIX Agent will respond to <username>@localhost if the user name is set in pam.allow.override;

·         On Solaris, some upgrades from Beta may fail. This problem occurs on Solaris machines with NSS2 support. DirectAudit can be reinstalled (upgraded from the Beta Release) manually using pkgadd. It is safe to ignore warnings and continue.

·         On most Solaris platforms, when the Solaris global zone is detected, the prompt “Would you like to join the zone? (Y)” appears. However, on the Solaris 11 platform, the prompt “Would you like to join the zone? (N)” appears.

·         If you upgrade from DirectAudit 2.0., disable DirectAudit so that the new DirectAudit mechanism for hooking shells can be installed: Run 'dacontrol –d -a' to disable auditing, then restart the upgrade.

·         Some events related to the login script are not listed in the indexed events list. The login script cannot be audited for an initial few seconds because the agent software is still being set up.

·         For more information on known issues with individual UNIX or Linux platforms, see the release notes included with each platform agent bundle.

·         In previous releases, the following commands always return a zero exit status regardless of whether the commands are completed successfully or not.

dacontrol -q -c <command>

dacontrol -e -c <command>

dacontrol -d -c <command>

The issue has been fixed in this release.  If the commands cannot be completed successfully, a non-zero error code is returned.  Otherwise, a zero exit status is returned. (Ref: 56038)

·         DirectAudit maintains a cache of user information for performance reasons.  This cache interferes with Unix commands that manipulates the local user database (passwd file).  These commands include useradd, userdel and usermod. In Suite 2014, DirectAudit will not access its local cache to fully support the following commands: useradd, userdel, adduser, usermod, mkuser, rmuser, chuser

Please contact support if your operating system platform has other programs that directly access the local passwd file.  (Ref: 56259)

·         In previous releases, after a UNIX command is enabled for auditing, users with no permission to execute that command would be redirected to launch an emergency shell.  The user would also see a misleading error message, in which there is no hint about permission denied. This issue is fixed in this release.  User with no permission to execute the audited command will see a clear error message about permission denied and is not redirected to any other shell. (Ref: 52556)

·         Audit Trail events for DirectAudit commands are shown differently in syslog.  For example, instead of

Dec 12 09:49:30 al_rhel5_3 adclient[15733]: INFO  AUDIT_TRAIL|Audit Manager|Centrify Commands|1.0|0|Auditing enabled|5|user=root pid=2092 utc=1386870570327 status=GRANTED service=/bin/df

It is shown as

Dec 12 09:49:30 al_rhel5_3 adclient[15733]: INFO  AUDIT_TRAIL|Centrify Suite|Centrify Commands|1.0|0|Auditing enabled|5|user=root pid=2092 utc=1386870570327 status=GRANTED service=/bin/df

Note that Centrify may change the content of some fields in all audit trail events in upcoming releases. (Ref: 55778)

·         Change in AIX root user behavior: By default, Suite 2014 DOES NOT modify the root stanza in AIX for new installations.  One side effect is that root user login WILL NOT be audited.  If your environment requires session auditing of root user login, you need to do the followings:

a. Set up a DirectAuthorize role that has the audit level of "audit required" or "audit if possible"; and assign this role to root.

b. Set the parameter adclient.autoedit.user.root to TRUE in /etc/centrifydc/centrifydc.conf.

c. If DirectAudit session auditing is not enabled, enable DirectAudit session auditing using the command "dacontrol -e".

d. Restart adclient (Ref: 56239, 56604)

   For AIX customers who upgrade from prior versions of Centrify Server Suite, there is NO change in behavior.   The parameter adclient.autoedit.user.root is set to true in /etc/centrifydc/centrifydc.conf.  The root user will still be audited.

·         In Suite 2013.x, if session auditing is enabled, all local user logins are processed by DirectAudit to determine whether the session should be audited.  This may block login if domain controllers are not responsive and/or DirectControl agent is not running.  Two new parameters are introduced in /etc/centrifyda/centrifyda.conf:

- user.ignore: specifies a list of local users that DirectAudit does not use Active Directory to determine audit level.  By default, the list is /etc/centrifydc/user.ignore (the same one that DirectControl uses), which includes some important accounts like root, bin, daemon, etc.

- user.ignore.audit.level - specifies the audit level for the local users specified in the user.ignore list.  The supported values are 0 (audit if possible) and 1 (audit not requested/required).  Default is 0 (audit if possible).  Note that "audit required" is not a reasonable choice, as this user needs to login all the time; and "audit required" may block login if DirectAudit does not function correctly. (Ref: 55599, 57946, 56935, 58251)

If root is in user.ignore and DA is installed, login from centrify-openssh is audited, login from telnet or stock ssh is not audited. If root's audit level is "audit required" and DA is not installed, root can login with root is in user.ignore, root can't login with root is not in user.ignore.

·         To start and stop DirectAudit's daemon, use system native command is recommended. For example, on Solaris, use svcadm {enable|disable} centrifyda; on AIX, use startsrc -s centrifyda and stopsrc -s centrifyda; on Linux, use /etc/init.d/centrifyda {stop|start}. Operations such as killing a daemon; running dad (DirectAudit's daemon) directly; running dastop command, could lead to issues in daemon managers. For example, SMF of Solaris; SRC of AIX; systemd of Fedora 20, may record incorrect running status of the daemon; and may fail to start daemon. (Ref: 57653)

·         Before running mkinitrd, any command level auditing should be disabled.  Failure to do so may result in an image which can't be successfully booted.  Command level auditing may be re-enabled after running mkinitrd. (Ref: 57842)

4.7 Database

·         In previous versions of DirectAudit, it was possible to specify the location of the database file. In DirectAudit 2.0.0 and later this capability is not provided in the Audit Store Database Wizard. However, you can still specify the full text file location, database file location, or transaction log file location by choosing "View SQL Scripts" and modifying the relevant database location manually in the script.

·         If you are using SQL Server 2005 Express, and you change the date and time format on the computer with your database to English (Singapore), some of the stored procedures respond with an error “Locale not supported” while other stored procedures continue to work fine. This problem does not occur on other SQL Server versions.

·         If the default memory setting for SQL Server is more than the actual memory in the system a memory error may occur. For more information see:


·         If you have a DirectAudit 1.x database attached to a DirectAudit 2.x installation, then upgrade the 2.x installation to a DirectAudit 3.x installation, you might see the misleading error message that the DirectAudit 1.x database must be upgraded. However, there are no changes to 1.x database when it is attached to a 2.x installation. Therefore, when the 2.x installation is upgraded to a 3.x installation, the 1.x schema remains unchanged. (Ref: 37799)

·         SQL Server 2008 R2 full text search categorizes certain words as stop words by default and ignores them for searches. Some stop words are common UNIX commands such as like, which, do, and while.  For more details about stop words and how to configure, please refer to http://technet.microsoft.com/en-us/library/ms142551.aspx

·         The Centrify DirectManage Audit Collector monitors the active Audit Store database to check if it is running low on disk space. If an active Audit Store the database is on a disk with volume mount point, the collector may give a false alarm. In such cases, it is recommended to disable the detection by setting the following registry key with the type of DWORD to 0 on all your collector machines. (Ref: 53389)


4.8 Audit Management Server

·         To configure the audit management server to point to an installation, the user who is running the Audit Management Server Configuration Wizard must have the "Manage SQL Logins" permission on the management database of the installation. For example, if you are configuring an audit management server in an external forest with a one-way trust, be sure that the installation supports Windows and SQL Server authentication and the account you are using is from the internal forest and has the "Manage SQL Logins" permission on the management database. (Ref: 46989)

4.9 FindSession tools

·         For per-command auditing of dzdo command, when a ticket is entered, the role and ticket are associated with the audited session. For such sessions, the FindSessions tool’s export of type UnixCommand, UnixInput, or UnixInputOutput based on the role and/or ticket criteria will have the exported command, STDIN, or STDIN and STDOUT marked with role and ticket. When per session auditing is enabled, the exported data will not have role and ticket information. (Ref: 53936)

·         When run FindSession.exe with /export=UnixCommand option, the role and trouble ticket information in the exported file are not shown for the dzdo command itself, if the dzdo command is “dzdo su –“ or “dzdo –i”.  However, all the commands executed in that dzdo session will have the correct role and trouble ticket information.  Also, the session can be searched using the role and/or trouble ticket information. (Ref: 51787)

·         When run FindSessions.exe with /export=UnixInputOutput option, the output line associated with the dzdo command in the exported file has no role and trouble ticket information.  However, all subsequent input and output lines have the role and trouble ticket information.  The session can still be searched using the role and/or trouble ticket information. (Ref: 51787)

5. Additional Information and Support

In addition to following instructions in the documentation provided with this package, you can find the answers to common questions and information about any general or platform-specific known limitations, as well as tips and suggestions, from the Centrify Knowledge Base on the Centrify Support Portal.

You can also contact Centrify Support directly with your questions through the Centrify web site, by email, or by telephone. To contact Centrify Support or to get help with installing or using this version of Centrify DirectAudit, send email to Support or call 1-408-542-7500, option 2.

For information about purchasing or evaluating Centrify products, send email to info.