Centrify® Server Suite 2015 DirectAudit® 3.2.2 Release Notes

© 2007-2015 Centrify Corporation.

This software is protected by international copyright laws.

All Rights Reserved.

Table of Contents

1.         About DirectAudit 3

2.         New Features 3

2.1       New Features in DirectAudit 3.2.2 3

2.1.1      General 3

2.1.2      Collector 4

2.1.3      Audit Analyzer and Session Player 4

2.1.4      Audit Manager 5

2.1.5      Centrify UNIX Agent for Audit 5

2.1.6      Supported Platforms 8

2.2       New Features in DirectAudit 3.2.1 10

2.3       New Features in DirectAudit 3.2.0 12

2.4       New Features in DirectAudit 3.1.1 15

2.5       New Features in DirectAudit 3.1.0 15

2.6       New Features in DirectAudit 3.0.1 17

2.7       New Features in DirectAudit 3.0.0 18

3.         Bugs Fixed 19

3.1       Bug Fixed in DirectAudit 3.2.2 19

3.1.1      General 19

3.1.2      Windows Install / Upgrade / Uninstall 19

3.1.3      Collector 20

3.1.4      Audit Analyzer and Session Player 20

3.1.5      Audit Manager 20

3.1.6      Centrify UNIX Agent for Audit 21

3.1.7      Database 22

3.1.8      FindSession Tool 23

3.2       Bug Fixed in DirectAudit 3.2.1 23

3.3       Bug Fixed in DirectAudit 3.2.0 24

3.4       Bug Fixed in DirectAudit 3.1.1 25

3.4.1      Collector 25

3.4.2      Centrify UNIX Agent for Audit 26

3.5       Bug Fixed in DirectAudit 3.1.0 27

3.5.1      Audit Analyzer 27

3.5.2      Collector 27

3.5.3      Centrify UNIX Agent for Audit 27

3.6       Bug Fixed in DirectAudit 3.0.1 28

4.         Known Issues 28

4.1       General 28

4.2       Windows Install / Upgrade / Uninstall 29

4.3       Collector 29

4.4       Audit Analyzer and Session Player 30

4.5       Audit Manager 31

4.6       Centrify UNIX Agent for Audit 31

4.7       Centrify Windows Agent for Audit 35

4.8       Database 35

4.9       Audit Management Server 36

4.10         FindSession tools 36

5.         Additional Information and Support 37


1.   About DirectAudit

The Centrify DirectAudit feature set is a key component of Centrify Suite Enterprise Edition. DirectAudit enables detailed auditing of user activity on a wide range of UNIX, Linux, and Windows computers. With DirectAudit, you can perform immediate, in-depth troubleshooting by replaying user activity that may have contributed to system failures, spot suspicious activity by monitoring current user sessions, improve regulatory compliance, and ensure accountability by capturing and storing detailed information about the applications used and the commands executed. If you enable auditing, the Centrify Windows Agent records user activity on the Windows computer when it is installed. DirectAudit supports auditing of over 400 different UNIX, Linux, and Windows operating systems. For a complete list of the platforms supported, see DirectAudit Supported Platforms.

Centrify DirectControl is a pre-requisite for Centrify DirectAudit. The minimum version of DirectControl required by this version of DirectAudit is 4.2.0.

This release note updates information available in the DirectAudit Administrator's Guide and describes known issues. You can obtain information about previous releases from the Centrify Support Portal, in the Documentation & Application Notes page.

Centrify Suite is protected by U.S. Patents 7,591,005, 8,024,360, and 8,321,523.

2.   New Features

2.1    New Features in DirectAudit 3.2.2

2.1.1       General

o    The Audit Trail feature has been enhanced with the following:

o    All audit trail events are now documented in an XML file. The document AuditTrailEvents.xml can be found on "Autorun">"Documentation" page, or in the Documentation folder of the ISO image. You can use it as a reference in integrating the audit trail events with other monitoring tools (Ref: 55847)

o    The Audit Trail feature of Suite 2015 has been redesigned to write a unique event ID also known as Centrify Event ID for each of the Audit Trail events. On Windows clients, the audit trail event is written in Windows Application Event Logs with the unique event ID as Event ID and a new Windows Event Source "Centrify AuditTrail V2". On Unix/Linux clients, the newly redesigned event IDs will be written to syslog in the centrifyEventID field. Please refer to the Centrify Audit Trail Events XML documentation for a complete list of Audit Trail events and their corresponding unique Centrify Event IDs. (Ref: 55847, 55849)

2.1.2       Collector

o    A new group policy “Centrify DirectAudit Setting\Collector Setting\Do not audit output of specified UNIX commands” is added. When a command is detected, it's checked (using exact match) against the command list specified by group policy. If matches, the command's output is not saved to the AuditStore database. (Ref: 73763)

o    By default, command captured by a collector does not contain command prompt. This release adds a new option to enable command prompt as part of the command in Indexed Command List.  This feature is enabled by:

o    Setting the registry value of \\HKLM\Software\Centrify\DirectAudit\Collector\StripCommandPrompt (DWORD value, default 1) to 0 in all collectors; AND

o    Enable stdin capturing in DirectAudit Unix agent; or setting the registry value of \\HKLM\Software\Centrify\DirectAudit\Collector\SkipRecognizeCommandByPrompt (DWORD value, default 0) to 0 when stdin capturing in DirectAudit Unix agent is disabled. (Ref: 73818)

o    The default maximum SQL Server connection pool size has been increased from previous value of 300 to 1000 for collector. The new setting allows collector to serve more concurrent agents at a time without exhausting the connection pool. (Ref: 76410)

o    In Collector Configuration Wizard, a new wizard page is added to configure the maximum SQL connection pool size. Configured value is displayed in the Diagnostics output in the Collector Control Panel. (Ref: 67502, 64276)

2.1.3       Audit Analyzer and Session Player

o    Active Directory security group(s) can be used as session/AuditEvent/Report filtering criteria in queries and it can be specified as part of audit role definition.  This audit role definition can be assigned to other users/groups, so that the users of this audit role can only see the sessions/AuditEvents/Reports generated for users of the AD security group(s). This feature requires an instance of the audit management server that is configured and running in the DirectAudit Installation. (Ref: 54415)

o    New feature has been added in Audit Analyzer and the DirectAudit PowerShell module to allow querying sessions by Session ID (GUID string format) and Client Name. You can also specify the Session ID and client name as part of the AQL query in FindSessions.exe (Ref: 65952, 70351)

o    From Suite 2015 onward, the Audit Analyzer session result pane has a new column named "Display Name". For Unix session, it displays the GECOS field if it's available; otherwise, it displays the samAccountName of AD user, or Unix name of the Unix local user. For Windows session, it shows the AD display name (if available) or the samAccountName of the audited user. (Ref: 72644)

2.1.4       Audit Manager

o    In Suite 2015, DirectAudit administrator can enable policy that prevents any users from reviewing or deleting their own sessions. If you enable the policy to prevent users from reviewing their own sessions, users cannot update the review status or comment on their sessions regardless of the rights granted to their audit role. Similarly, if you enable the policy to prevent the users from deleting their own sessions, users cannot delete their own sessions regardless of the rights granted to their audit role. Both new policies are disabled by default which is the same behavior as in previous versions of DirectAudit.  The policy can be changed by changing the DirectAudit Installation properties using Audit Manager. (Ref: 72646)

o    VNC Viewer is not packaged with Audit Manager. User has to obtain VNC Viewer from RealVNC and install it. Audit Manager will try to locate the VNC Viewer on the local machine at the default deployment folder; if the VNC Viewer is not found, it asks user to provide its path and locate it thereafter. (Ref: 73312)

2.1.5       Centrify UNIX Agent for Audit

o    In DirectAudit 3.1.1, the default value of configuration parameter dash.allinvoked is changed to true.  However, this may lead to unintended capture of data transfer traffic over ssh connection (e.g., scp, rsync).  The default value of configuration parameter dash.allinvoked is changed in Suite 2014.1 to false as it applies only to command auditing only. (Ref: 65470)

o    Some sensitive output data in an audited session on a system may not be suitable to be viewed by auditor. DirectAudit allows administrator to specify patterns of such data to be masked. If a pattern is matched, the data is shown as '*' instead of plain text when it is shown in the Session Player, and the data is not searchable. The login user can still see the sensitive data in the terminal session. The patterns can be specified using the parameters dash.obfuscate.regex (using regular expression) and dash.obfuscate.pattern (using character patterns). (Ref: 60021)

o    A watchdog process, cdawatch, is now implemented to monitor the DirectAudit daemon (dad) to ensure that it is running all the time unless it is stopped by system administrator.  With this change, the Centrify Audit Shell (cdash) no longer automatically restarts dad.  Also, dad no longer needs to be a setuid program. (Ref: 61644, 69729, 72035)

o    A universal script, /usr/share/centrifydc/bin/centrifyda, is available to control the start and stop of DirectAudit daemon (dad). The script supports different variations of system service control in different Unix/Linux platforms. The use of dastop to stop the DirectAudit daemon is discouraged. (Ref: 72292)

o    There are several enhancements in the area of DirectAudit UNIX login and audit level control:

o    The DirectAudit NSS/LAM module now supports the user.ignore list as in DirectControl NSS/LAM module.  Notes about this parameter:

§  The default value is file:/etc/centrifydc/user.ignore, which is the same default value for the DirectControl parameter nss.user.ignore.  Centrify recommends customers to use the same list for both DirectControl and DirectAudit.

§  This parameter specifies the local users who must be able to login all the time even when the DirectAudit daemon is not running.    

§  The default audit level for users in this list is “audit_if_possible”.  The administrator can specify the audit level of users in this list using the nss.user.override.userlist; and specify the audit level individually in the list (or use the nss.user.override.auditlevel that specifies the default audit level for all users in the nss.user.override.userlist).    DO NOT set the audit level of users in the user.ignore list to “audit required” as such users may not be able to login when DirectAudit or DirectControl agent is not running.

§  When users in this list logins and the audit level is “audit_not_requested/required”, the “login successful” audit trail event (centrifyEventID 18200) is not generated.

o    Starting from Suite 2014.1, a new parameter, nss.user.override.userlist, explicitly specifies the explicit audit level for users in the following situations:

§  Non-hierarchical zone users who has different audit level from that specified in the configuration parameter nss.alt.zone.auditlevel (default: audit_if_possible)

§  Users in the user.ignore list whose audit level needs to be “audit_not_requested/required”

DO NOT set the audit level of users in this list to “audit required”, because “audit required” is not supported in non-hierarchical zone, or it contradicts the intent of the user.ignore list.

(Ref: 70150, 60160, 70129)

o    The Audit Trail feature has been enhanced with the following:

o    For command level auditing, an audit trail event is generated when an audited command is executed. This allows you to use SIEM monitoring tools to trigger review of the associated DirectAudit sessions. The collector from previous releases will not save this audit trail event to Audit Store database. To guarantee that this event is not missed in the Audit Store database, all of the collectors must be at or above version 3.2.2. (Ref: 73015)

o    dainfo has a new argument --config (-c). 'dainfo -c' prints parsed contents of DirectAudit Configuration file (/etc/centrifyda/centrifyda.conf). (Ref: 60502)

o    A set of new parameters are introduced in centrifyda.conf for various new feature support:

o    dash.obfuscate.regex - This parameter specifies the obfuscation pattern used by the Unix DirectAudit to detect output data for masking as a regular expression. Each regular expression should be enclosed by ‘/’ characters, for example, /[A-Z][0-9]{6}\\([0-9A-Z]\\)/. You may specify more than one pattern by separating multiple patterns using the space character (‘ ‘). The default is none. See centrifyda.conf for more details. (Ref: 60021, 73276)

o    dash.obfuscate.pattern – This parameter specifies the obfuscation pattern used by the Unix DirectAudit to detect output data for masking as a pattern string. Each pattern should be enclosed by ‘/’ character, for example,/nnnn-nnnn-nnnn-nnnn/. You may specify more than one pattern by separating multiple patterns using the space character (‘ ‘). The default is none. See centrifyda.conf for more details. (Ref: 60021, 73276)

o    dash.shell.env.var.set – This parameter specifies if cdash should set the SHELL environment variable to actual user shell. If false, SHELL environment variable will be set to the audited shell. The default is true. (Ref: 75540)

o    nss.user.conflict.auditlevel – This parameter is used to override a user's audit level when the user is listed in user.ignore. If you need to ensure that users in user.ignore list will always get the native login shell upon login and not audited, set this parameter to ‘no_audit’. The default is "audit_if_possible". (Ref: 60160, 70027)

o    spool.diskspace.softlimit – DirectAudit keeps audit data locally. If a system is running out of disk space (by default, less than 10% free, controlled by the parameter spool.diskspace.min), audit service will be affected. A soft-limit is introduced. When a system's disk space is less than a certain percentage free, DirectAudit will give a warning, but audit service is not affected. This parameter, spool.diskspace.softlimit, specifies the minimum percentage of available disk space on the partition containing the spool file without triggering diskspace warnings in the log.  Auditing will continue even if available disk space falls below this level, until the space falls below spool.diskspace.min. Hence, the value must be larger than or equal to the value of spool.diskspace.min. The default is 12%. (Ref: 58197)

For details, please refer to the Configuration and Tuning Reference Guide.

2.1.6       FindSessions Tool

o    A command line option /suppresswarnings (/sw) is added to FindSessions.exe to suppress the warning messages. (Ref: 63790)

2.1.7       Supported Platforms

o    Centrify UNIX Agent for DirectAudit adds the support of the following operating systems (Ref: 72653, 73602):

o    CentOS 5.11, 6.6 (x86, x86_64)

o    Debian Linux 7.7 (x86, x86_64)

o    Fedora 21 (x86, x86_64)

o    Linux Mint 17.1 (x86, x86_64)

o    OpenSUSE 13.1, 13.2 (x86, x86_64)

o    Oracle Linux 5.11, 6.6 (x86, x86_64)

o    Oracle Linux 7.0 (x86_64)

o    Oracle Solaris 11.2 (x86_64, Sparc 64-bit)

o    Red Hat Enterprise Linux Server 5.11, 6.6 (x86, x86_64)

o    Red Hat Enterprise Linux Desktop 5.11, 6.6 (x86, x86_64)

o    Scientific Linux 5.11, 6.6 (x86, x86_64)

o    Scientific Linux 7.0 (x86_64)

o    Ubuntu Desktop 14.10 (x86, x86_64)

o    Ubuntu Server 14.10 (x86, x86_64)

o    SUSE Enterprise Linux 12 (x86_64)

o    Support will be discontinued soon (the next release will be the last release with support) for the following operating systems (Ref: 73750):

o    Fedora 19 (32-bit and 64-bit)

o    Oracle Enterprise Linux 4.x (32-bit and 64-bit)

o    OpenSUSE 12.1, 12.2, 12.3 (32-bit and 64-bit)

o    HP-UX 11.11, 11.23 PA-RISC (Normal and Trusted modes)

o    HP-UX 11.23 Itanium (Normal and Trusted modes)

o    Oracle Solaris 8 SPARC

o    Centrify DirectAudit will no longer support the following platforms starting with the next release (Ref: 56644, 61795, 64457, 68948, 71092, 73138):

o    AIX 5.3 (32-bit and 64-bit)

o    Linux Mint 15, 16 (32-bit and 64-bit)

o    Ubuntu Desktop 10.04 LTS (32-bit and 64-bit) - Estimated vendor EOL: 2015-04-30

o    Ubuntu Server 10.04 LTS (32-bit and 64-bit) - Estimated vendor EOL: 2015-04-30

o    Ubuntu Desktop 13.04, 13.10 (32-bit and 64-bit)

o    Ubuntu Server 13.04, 13.10 (32-bit and 64-bit)

o    Windows 2003 (32 and 64 bit), Windows 2003R2 (32 and 64 bit) – Estimated vendor EOL: 2015-07-14

o    The following operating systems are no longer supported (Ref: 56643, 61010, 66423, 69921):

o    CentOS Linux 4.4, 4.5, 4.6, 4.7, 4.8, 4.9 (32-bit and 64-bit x86)

o    Debian Linux 5 (32-bit and 64-bit x86)

o    Fedora 14, 15, 16, 17, 18 (32-bit and 64-bit)

o    Linux Mint Debian Edition 201204 (32-bit and 64-bit x86)

o    Linux Mint 12, 14 (32-bit and 64-bit x86)

o    OpenSUSE 11.0, 11.1, 11.2, 11.3, 11.4 (32-bit and 64-bit x86)

o    Red Hat Enterprise Linux 3 (32-bit and 64-bit x86)

o    Scientific Linux 4.4, 4.5, 4.6, 4.7, 4.8, 4.9 (32-bit and 64-bit x86)

o    SUSE Enterprise Linux 8.0 (32-bit x86)

o    SUSE Enterprise Linux 9.0, 9.1, 9.2, 9.3 (32-bit and 64-bit x86)

o    Ubuntu 10.10, 11.04, 11.10, 12.10 (32-bit and 64-bit x86, desktop and server)

o    VMware ESX 3.5 (32-bit)

o    VMware ESX 4.0, 4.1 (64-bit)

o    Windows XP (32 and 64 bit)

o    Please refer to http://www.centrify.com/products/all-supported-platforms.asp for the complete list of supported platforms.

2.2    New Features in DirectAudit 3.2.1

o    Added a new parameter, lang_setting, in DA configuration, centrifyda.conf, to support latin1 code set (Spanish). This parameter tells which codepage user are using. Available options are ISO8859-1 and UTF8. By default, it is UTF8. The corresponding GP, Centrify DirectAudit Settings->UNIX Agent Settings->DirectAudit Daemon Settings->Set codepage of audit client, is also added accordingly. (Ref: 64585)

o    Users can now find session by command and time. To support this new feature, two new search criteria, Unix Command Time and Unix Command Name, are added to the Edit Criteria page in the Query dialog in Audit Analyzer. Similarly, two new AQL predicates, inputcommand and inputcommandtime, are added to the tool, findsessions.exe, to provide the same support. (Ref: 63333, 65348)

o    A set of new parameters are introduced in centrifyda.conf for managing user’s audit level:

o    nss.user.override.userlist (which deprecates user.ignore) - This parameter specifies the list of users that will be overridden in the DA NSS module (i.e., DA will not go to AD to get the user profile and audit level information).

o    nss.user.override.auditlevel (which deprecates user.ignore.audit.level) - this parameter specifies the default audit level for the user(s) specified in the nss.user.override.userlist. The default is use_sysrights.

o    nss.alt.zone.auditlevel – This parameter specifies the default audit level for all other users in the non-hierarchical zones.

With a combination of the above parameters, users can easily deploy audit scenarios that cannot be done before, say, to have only a small group of users in a classic zone to be audited while all other users are not audited by default.

Please avoid using user.ignore and/or user.ignore.audit.level as they are deprecated. However, they will continue to be honored for backward compatibility in existing deployment.

For details, please refer to documentation. (Ref: 58753)

o    In DirectAudit 3.1.1, the default value of configuration parameter dash.allinvoked is changed to true.  However, this may lead to unintended capture of data transfer traffic over ssh connection (e.g., scp, rsync).  The default value of configuration parameter dash.allinvoked is changed in Suite 2014.1 to false as it applies only to command auditing only. (Ref: 65470)

o    Windows Server Core support is added in this release on the following platforms:

o    Windows 2008 R2 Server Core

o    Windows 2012 Server Core

o    Windows 2012 Minimal Server Interface

o    Windows 2012 R2 Server Core

o    Windows 2012 R2 Minimal Server Interface

Note: Due to its reduced feature set in Windows Server Core, certain specific functions are not supported such as Centrify shortcut menus. (Ref: 33467)

o    Centrify UNIX Agent for DirectAudit is now supporting the following operating systems:

o    CentOS Linux 7 (64-bit)

o    Debian Linux 7.5, 7.6 (32-bit and 64-bit)

o    Linux Mint 17 (32-bit and 64-bit)

o    Linux Mint Debian Edition 201403 (32-bit and 64-bit)

o    Red Hat Enterprise Linux 7 (64-bit)

o    Ubuntu Desktop 14.04LTS (32-bit and 64-bit)

o    Ubuntu Server 14.04LTS (32-bit and 64-bit)

o    Centrify DirectAudit will no longer support the following platforms starting with the next release:

o    CentOS Linux 4.4, 4.5, 4.6, 4.7, 4.8, 4.9 (32-bit and 64-bit x86)

o    Debian Linux 5 (32-bit and 64-bit x86)

o    Fedora 14, 15, 16, 17, 18 (32-bit and 64-bit)

o    Linux Mint Debian Edition 201204 (32-bit and 64-bit x86)

o    Linux Mint 12, 14 (32-bit and 64-bit x86)

o    OpenSUSE 11.0, 11.1, 11.2, 11.3, 11.4 (32-bit and 64-bit x86)

o    Red Hat Enterprise Linux 3 (32-bit and 64-bit x86)

o    Scientific Linux 4.4, 4.5, 4.6, 4.7, 4.8, 4.9 (32-bit and 64-bit x86)

o    SUSE Enterprise Linux 8.0 (32-bit x86)

o    SUSE Enterprise Linux 9.0, 9.1, 9.2, 9.3 (32-bit and 64-bit x86)

o    VMware ESX 3.5 (32-bit)

o    VMware ESX 4.0, 4.1 (64-bit)

o    Ubuntu 10.10, 11.04, 11.10, 12.10 (32-bit and 64-bit x86, desktop and server)

o    Windows XP

o    Support will be discontinued soon (the next release will be the last release with support) for the following operating systems (Ref: 56208, 56644, 61795, 68948):

o    AIX 5.3 (32-bit and 64-bit)

o    Linux Mint 15, 16 (32-bit and 64-bit)

o    Ubuntu Desktop 13.04, 13.10 (32-bit and 64-bit)

o    Ubuntu Server 13.04, 13.10 (32-bit and 64-bit)

o    Please refer to http://www.centrify.com/products/all-supported-platforms.asp for the complete list of supported platforms.

2.3    New Features in DirectAudit 3.2.0

o    A number of Group Policies for DirectAudit are added.  These policies include DirectAudit shell, DirectAudit Daemon and other settings about DirectAudit UNIX agent. (Ref: 8146)

o    The information of applied Group Policy settings, contained in /var/centrifydc/reg/machine/gp.report, has been added into "dainfo -t".  (Ref: 55939)

o    dainfo is updated to include the following information. (Ref: 54779, 56594)

1.  Offline store size of audit trail

2.  Despool rate of audit trail

3.  the online status of audit trail channel

·         For file transfer commands like rsync, sftp, scp, where SSH connection is being used, DirectAudit would be unnecessarily recording all the binary data being sent to and from the server.  In Suite 2014, user can specify what SSH command to skip auditing by setting the dash.ssh.command.skiplist setting in centrifyda.conf.  By default, the SSH command rsync, sftp and scp will be skipped.  (Ref: 56166)

·         DirectAudit periodically monitors and repairs the NSS/LAM configuration files (/etc/nsswitch.conf for NSS; /etc/security/user and /usr/lib/security/methods.cfg for LAM).  The default monitoring interval is now increased from 60 seconds to one hour to reduce system load.   If there is any other software that modifies these configuration files (e.g., adjoin/adleave), the NSS/LAM configuration files will not be modified till the next monitoring interval.  Restarting DirectAudit immediately will set up the configuration files corectly.  (Ref: 58288)

·         DirectAudit is enhanced to allow specifying some local users to log in or run an audited command when it encounters environment setup issues, like not getting a pty. The users can be specified with dash.user.alwaysallowed.list in centrifyda.conf. Previously, only the root user is always allowed.  (Ref: 55995) P.S. it is better to use the "rescue/always permit login" sysright which is a better alternative supported by both DirectControl and DirectAudit moving forward.

·         A new configuration parameter is introduced for centrifyda.conf, namely cache.enable, which controls whether the dad process caches name service query results about users and groups. For details, please refer to Configuration and Tuning Reference Guide.  (ref: 56258)

·         You can specify a regular expression to detect command prompt. The custom command prompt regular expression can be specified by adding a new registry String Value named prompt under HKEY_LOCAL_MACHINE\SOFTWARE\Centrify\DirectAudit\Collector on each of the systems where Centrify DirectManage Audit Collector component is installed and running. If this registry value is absent, the default regular expression ^[^#%>\$]*[#%>\$]\s* will be used to detect the command prompt.  (Ref: 56654)

·         FindSession is updated to support querying session for multiple users and computers.  For example, user can enter e.g. "user1; user2" in the User textbox, then both user1 and user2 sessions will be queried out.  The case is the same for Machine textbox. For no UI mode, run FindSessions /u="user1;user2", then both user1 and user2 sessions will be queried out. The case is the same for FindSessions /m="machine1; machine2".  (Ref: 55029)

·         New command line options, /role and /ticket, have been added to the FindSessions utility to export UNIX commands, UNIX input and output data.  You can use these new options.  Please refer to FindSessions.pdf in Audit Analyzer installed folder for more the option details.  (Ref: 48483)

·         FindSession is updated to also show the URL link when exporting the session list.  User can replay the audited session by passing the URL to daplayer.exe (i.e. DirectAudit Session Player) directly.  (Ref: 53449)

·         From Suite 2014 onward, multiple users and/or computers can be specified as search criteria when searching for Audit Events. To search for Audit Events from multiple users and/or computers, the user names and/or computer names can be specified as a semicolon separate list on the "Query Audit Events" dialog box. (Ref: 54984)

·         Centrify UNIX Agent for DirectAudit is now supporting the following operating systems:

-          Red Hat Enterprise Linux Server 5.10, 6.5 (32-bit and 64-bit)

-          Red Hat Enterprise Linux Desktop 5.10, 6.5 (32-bit and 64-bit)

-          CentOS 5.10, 6.5 (32-bit and 64-bit)

-          Oracle Linux 6.5 (32-bit and 64-bit)

-          Scientific Linux 5.10 (32-bit and 64-bit)

-          Fedora 20 (32-bit and 64-bit)

-          Debian Linux 7.2, 7.3 (32-bit and 64-bit)

-          Linux Mint 16 (32-bit and 64-bit)

-          Ubuntu Desktop 13.10 (32-bit and 64-bit)

-          Ubuntu Server 13.10 (32-bit and 64-bit)

·         Support will be discontinued soon (the next release will be the last release with support) for the following operating systems (Ref: 56640, 59381):

-          Red Hat Enterprise Linux 3 (32-bit and 64-bit x86)

-          CentOS Linux 4.4, 4.5, 4.6, 4.7, 4.8, 4.9 (32-bit and 64-bit x86)

-          Debian Linux 5, 6 (32-bit and 64-bit x86)

-          Fedora 14, 15, 16, 17, 18 (32-bit and 64-bit)

-          Ubuntu 10.10, 11.04, 11.10, 12.10 (32-bit and 64-bit x86, desktop and server)

-          Linux Mint Debian Edition 201204 (32-bit and 64-bit x86)

-          Linux Mint 12, 14 (32-bit and 64-bit x86)

-          OpenSUSE 11.0, 11.1, 11.2, 11.3, 11.4 (32-bit and 64-bit x86)

-          Scientific Linux 4.4, 4.5, 4.6, 4.7, 4.8, 4.9 (32-bit and 64-bit x86)

-          SUSE Enterprise Linux 8.0 (32-bit x86)

-          SUSE Enterprise Linux 9.0, 9.1, 9.2, 9.3 (32-bit and 64-bit x86)

-          VMware ESX 3.5 (32-bit)

-          VMware ESX 4.0, 4.1 (64-bit)

·         Centrify Windows Agent is now supporting the following platforms

-          Windows 8.1 (32-bit and 64-bit)

-          Windows 2012 R2 (64-bit)

2.4    New Features in DirectAudit 3.1.1

·         Starting from 3.1.1, video capture auditing is enabled for new installations by default. (Ref:49374)

·         In prior releases, the default value for the parameters dash.allinvoked and dash.force.audit was false.  The default value has been changed to true to support command level auditing. (Ref: 44476)

·         Audit Analyzer has been enhanced to support search phrases in Quick Query, in addition to existing full text search capability. To search for a specific phrase, you should enclose the phrase with double quotes.  For example, you can type “dacontrol –e” (including the double quotes) into Quick Query. Audit Anaylzer will then find all sessions that contain the exact command “dacontrol –e”. You can also search using wildcards. For example, you can type “dacontrol -*” into Quick Query to have Audit Analyzer find all the sessions that contain the command starting with “dacontrol –”. The query results might then include sessions with the command “dacontrol –e”, sessions with the command “dacontrol –d”, and sessions with a command “dacontrol --help”.  For performance reasons, you can only use the asterisk (*) wildcard character at the end of the search phrase. (Ref: 35004)

2.5    New Features in DirectAudit 3.1.0

·         Optional video capture auditing: In this release, you can choose to enable or disable video capture auditing. By default, video capture auditing is disabled for new installations. Disabling video capture helps to greatly reduce the storage requirement for audited sessions. To use this feature, however, you must upgrade both the collector service and the Centrify agent to the 2013.2 release.

·         Audit Analyzer is enhanced to support the following features:

-          Users can now query audit events by role. For example, you can find out who has used the “Domain Administrator” role on a domain controller by using this new search capability.

-          There are four available audit event queries:

§  All, grouped by machine

§  All, grouped by user

§  All, grouped by DirectAuthorize role

§  Today

-          Users can select multiple session items to export and delete. You can export to common data format (CDF), to an event list, or to Windows Media Video (WMV) format.

-          A new Report folder is available in the Audit Analyzer console. The folder contains six generic report templates:

§  Login by user report

§  Login by computer report

§  Authorization failure report

§  User activity report

§  Privileged activity report

§  Centrify Zone administrative activity report

These report templates can be used to generate reports based on user-specified criteria. The results can be exported into HTML, PDF, Excel, CSV, and XML formats.

·         FindSessions.exe: This command-line utility that is bundled with Audit Analyzer is enhanced to support delete and export operations of the data returned by the search query. You can export the data to CSV, PDF and HTML formats.

·         Audit trail configuration capability: Group policy allows finer control of whether audit events from Access Manager and Centrify Windows Agent for Access should be generated and whether they should be sent to the Microsoft Event Application Log or DirectAudit.  An Administrative Template file (audittrail.adm) is available in the Audit Manager Installation folder that can be used for setting the audit trail targets.  Available targets are:  0 for none, 1 for Audit Store, 2 for Windows Application log, and 3 for both.

·         Centrify UNIX Agent for DirectAudit is also supported on the following operating systems:

-          Red Hat Enterprise Linux (RHEL) AS/ES/WS  5.9 x86 and AS/ES/WS 5.9 x86_64

-          RHEL AS/ES/WS 6.4 x86 and AS/ES/WS 6.4 x86_64

-          Oracle Linux 5.9 x86 and 5.9 x86_64

-          Oracle Linux 6.4 x86 and 6.4 x86_64

-          CentOS Linux 5.9 x86 and 5.9 x86_64

-          CentOS Linux 6.4 x86 and 6.4 x86_64

-          Scientific Linux 5.9 x86 and 5.9 x86_64

-          Scientific Linux 6.4 x86 and 6.4 x86_64

-          Fedora 18 x86 and 18 x86_64

-          Fedora 19 x86 and 18 x86_64

-          openSUSE Linux 12.3 x86 and 12.3 x86_64

-          Ubuntu 13.04 x86 and 13.04 x86_64

-          Debian Linux 7 x86 and 7 x86_64

-          Linux Mint Debian (LMDE) 201303 x86 and 201303 x86_64

-          Linux Mint 15 x86 and 15 x86_64

-          Solaris 11.1 x86_64 and 11.1 SPARC

·         The following operating systems are no longer supported:

-          Ubuntu 8.0.4 LTS

-          Windows Vista (32 and 64 bit)


2.6    New Features in DirectAudit 3.0.1

·         None. This is a maintenance release.

2.7    New Features in DirectAudit 3.0.0

·         Agent support is added for the following new operating systems:

-          CentOS 6.3 x86 and 6.3 x86_64 (32- and 64-bit)

-          Linux Mint 12 x86 and 12 x86_64

-          openSUSE Linux 12.1 x86 and 12.1 x86_64

-          Oracle Solaris 11 SPARC and 11 x86_64

-          RHEL AS/ES/WS 5.8 x86 and AS/ES/WS 5.8 x86_64

-          RHEL AS/ES/WS 6.3 x86 and AS/ES/WS 6.3 x86_64

-          Fedora 17 x86 and 17 x86_64

-          Scientific Linux 5.7 x86 and 5.7 x86_64

-          Scientific Linux 6.3 x86 and 6.3 x86_64

-          Ubuntu Linux Server 12.04 x86 and 12.04 x86_64

-          VMware vMA 4.0 x86_64 4.1 x86_64 5.0 x86_64

-          Windows 2012 Server (64-bit)

-          Windows 8 (32-bit and 64-bit)

·         Agent support is no longer available for the following old operating systems:

-          Fedora 9, 10, 11, 12, and 13

·         END OF LIFE - Support of Windows Vista will be discontinued after Centrify Suite 2013.

·         DirectAudit now includes the ability to capture detailed UNIX and Linux keystrokes.

·         Audit events have been integrated for monitoring with Centrify Insight.

·         Audit event data is searchable, by any methods including Boolean and time-based searches. Searches can be focused on specific applications, commands, and files.

·         Enhanced agent resiliency prevents unplanned agent disruption, either accidental or intentional.

·         Data Management includes automatic rollover of a collection of databases along with the ability to eliminate unneeded session data.  Data elimination and manipulation is based upon privileges assigned through user roles and rights.

·         Data is collected using one of these versions of the Microsoft SQL Server including:

-          SQL Server 2005 (not supported on Windows 8 and Server 2012)

-          SQL Server 2008

-          SQL Server 2008 R2

-          SQL Server 2012

-          Express Standard and Enterprise editions, as well as 32-bit and 64-bit mode, will be supported.

·         Auditing features are integrated with Centrify DirectAuthorize on the Windows platforms.

·         NSS/LAM support no longer requires symbolic links to the DirectAudit shell. Changes to the operating system that previously created problems with the symbolic links to shell programs should not affect auditing operations.

3.   Bugs Fixed

3.1    Bug Fixed in DirectAudit 3.2.2

3.1.1       General

·         The logger service for DirectAudit Windows component (agent, collector, etc.) now rotates logs if they are larger than 100M (in additional to the daily log rotation already there). The format of the filename for logs has been modified with extra index to accommodate this change. E.g. from previous filenames like, DirectAudit_2014_9_15_3.2.2.107.log, to the new filenames like, DirectAudit_2014_9_15_000_3.2.2.107.log, and DirectAudit_2014_9_15_001_3.2.2.107.log, etc. (Ref: 65726)

3.1.2       Windows Install / Upgrade / Uninstall

·         From Suite 2013 onward, the DirectAudit Easy Installer (setup.exe) will automatically write verbose level installation and configuration logs to the logged-in user's temporary folder (%TEMP%). All logs are written to a text file named DirectManage_Audit_Setup_YYYY_MM_DD.log and they can be used to troubleshoot errors encountered while running Easy Installer Wizard or Configuration Wizard or Database Maintenance Wizard. (Ref: 27647)

·         From Suite 2015 onward, DirectAudit component installers will try to automatically install and enable Microsoft .NET 3.5 on Windows 8 and Windows Server 2012 platforms using the Deployment Image Servicing and Management (DISM) tool. In previous version, the administrator needed to install and enable this feature manually before installing any of the DirectAudit components that relied on it. (Ref: 68246)

3.1.3       Collector

·         In previous releases, the Collector Control Panel message “Error: The ConnectionString property has not been initialized.” means no active database was attached to the Audit Store that the collector is associated with.  This release changes the message to “The Collector is not able to connect to Audit Store 'AuditStoreName': there is no active Audit Store database configured.” (Ref: 68158)

3.1.4       Audit Analyzer and Session Player

·         DirectAudit Session Player now remembers its previous screen location and size. (Ref: 62948)

·         In previous releases, audit sessions from Unix systems that are joined to NULL zone cannot be replayed in the Session Player.  This is fixed in this release. (Ref: 63368, 63946)

·         In DirectAudit Audit Analyzer options dialog, after you make changes in the “Log Settings” or “Player Settings” tab, you switch to the “SMTP Configuration” tab.  If all the fields in this tab are blank, the error message “Please specify sender email address” will be displayed.  This error message is unnecessary and it is removed.  (Ref: 71650)

3.1.5       Audit Manager

·         In the result pane of Audited Systems node of Audit Manager MMC console, a text filtering control is added for each column, so that you can select a subset of audited systems for display.  The filtering is case insensitive and uses "contains" as search criteria. For example, “w2k8x86-1.domain.test” and “W2K8X64-1.domain.test” both match “w2k8” entered in the filtering control, as both contain “w2k8” case insensitively. (Ref: 63080)

·         In previous releases, if an older version of Audit Manager console is used to connect to a newer version of DirectAudit installation, a popup box is shown suggesting user that Audit Manager console upgrade is available. From Suite 2015 onward, user can select a checkbox on this popup to prevent seeing this message in future. (Ref: 69334)

3.1.6       Centrify UNIX Agent for Audit

·         In previous releases, command auditing creates a symbolic link to replace the command under audit. These symbolic links are not compatible with mkinitrd which copies the actual executables. A new option is added to dacontrol which can be used by administrator to easily suspend all command auditing when he is doing mkinitrd and resume them afterwards. (Ref: 57842)

·         In previous releases, the DirectAudit NSS/LAM module returns Centrify DirectAudit shell (/bin/centrifyda) as the user’s shell, even when the user is listed in dash.user.skiplist.  This causes incompatibility issues with third party software that has different behaviors based on different login shells.  This bug is fixed in DirectAudit 3.2.2.  Users specified in dash.user.skiplist are not processed by the DirectAudit NSS/LAM module so the original login shell is returned in getpwnam() and getpwuid() calls.(Ref: 70081, 70142)

·         In previous releases, DirectAudit NSS/LAM module sets the pw_shell field in passwd struct to cdash (/bin/centrifyda) when it processes getpwuid()/getpwnam() calls.  This might not be desirable for some shell-name-dependent applications. In DirectAudit 3.2.2, DirectAudit NSS/LAM module is enhanced to reply back with a shell that has the same name as the user’s login shell residing in a subdirectory.  For example, if the user’s login shell is /bin/sh, the DirectAudit NSS module replies with /bin/cdax/sh. This helps DirectAudit integrates with those applications more seamlessly. dacontrol uses the file /etc/shells (and /etc/security/login.cfg) to determine the list of shells to enable for this feature.  When you install a new shell, please ensure that the shell in added to the files above, and run ‘dacontrol –e’ again.  Also, make sure that the path name specified in the user profile (which is not necessarily where the file is located when symlink is used) is added to the files.  For example, if /bin/bash is specified in the user profile and it is a symbolic link to /opt/shareware/bin/bash, make sure that /bin/bash is added. (Ref: 56920, 60838)

·         In previous releases, if the user tried to ‘su’ to a local account that had no shell specified in /etc/passwd (usually for a service account not allowing direct login), the user would receive an error message and be left with the emergency shell. This has been fixed. Such user can continue with the default system shell. In addition, auditing of the su session for such user depends on whether the original session is audited or not, instead of the audit level set for the user. The su session is audited only if the original session is audited. (Ref: 66910, 68076)

·         In previous releases, after a UNIX command is enabled for auditing, users with no permission to execute that command would be redirected to launch an emergency shell.  The user would also see a misleading error message, in which there is no hint about permission denied. This issue was fixed since DirectAudit 3.2.1.  User with no permission to execute the audited command will see a clear error message about permission denied and is not redirected to any other shell. (Ref: 52556)

·         For an Active Directory user whose Unix login session is audited, the username of the session uses the userPrincipalName instead of samAccountName@domain. (Ref: 64796, 68925)

·         The DirectAudit Installation configured by dacontrol was incorrectly saved into DirectControl's working directory in Suite 2014, and hence it would be wiped out by DirectControl agent after leaving a domain. This issue has been fixed by properly placing the Installation into DirectAudit's working directory. (Ref: 62759)

·         When “dainfo”, “dacontrol” or “dacontrol –q” is run and no command has been enabled for auditing, the utilities used to display the message “DirectAudit is not configured to audit individual commands” which is confusing. The message is changed to "DirectAudit is not configured for per command auditing.". (Ref: 69384)

·         Group policies specified using DirectAudit ADM templates shipped with DirectAudit 3.1.1 or prior releases use different locations that those shipped with DirectAudit Unix Agent 3.2.0 and 3.2.1; and cannot be used by DirectAudit Agent 3.2.0 and 3.2.1.  The DirectAudit Unix Agent now looks for the group policies specified in DirectAudit 3.1.1 or earlier locations if it cannot get the information.   (Ref: 75174)

·         In previous releases, you can enable NSS auditing in a sparse zone even though NSS auditing is disabled in global zone on Solaris machines.  Starting in Suite 2015, you must enable NSS auditing in global zone first, before enabling NSS auditing in sparse zone. (Ref: 75464, 75950)

·         There is a file descriptor leak when an audit trail event is logged in Solaris machines. This is now fixed. (Ref: 65106, 68204)

·         There is a memory leak in DirectAudit LAM module in AIX when getting attributes for a user.  This is now fixed. (Ref: 72194, 73570)

3.1.7       Database

·         This release addresses a security vulnerability that may result in data leakage in the DirectAudit component of Server Suite Enterprise Edition.  Security rating is low.   If you are using versions prior to Suite 2015, you need to apply the workaround described in KB-5070.  There is no need to apply the workaround if you are using DirectAudit 3.2.2 or later.  (Ref: 76167)

·         This release fixes the problem when AuditStore database’s File Autogrowth setting is set to “Restricted File Growth”, the collector state changes to “AuditStore database is full” and stops accepting audit data when the AuditStore database file size does not reach the limit (even when there is enough space in the volume for the database file to grow). (Ref: 67264)

·         In order to upgrade DirectAudit databases, the user performing the upgrade must have either sysadmin rights on the database server OR must be a member of db_owner database role on each of the databases being upgraded. Also, the user must be granted with EXTERNAL_ACCESS_ASSEMBLY privileges on the database server. In Suite 2014.1, this permission check was not enforced which resulted in Database Maintenance Wizard trying to create a database index two times and subsequently failing the database upgrade process. This issue has now been resolved. (Ref: 72097)

3.2    Bug Fixed in DirectAudit 3.2.1

·         Previously a non-interactive upgrade always disabled auditing (you would notice this line ‘DirectAudit NSS module: Inactive’ if you ran dainfo). This has been fixed by honoring the current auditing status when upgrading from Suite 2013 or later. Note: you may still override this behavior by explicitly setting the CLI option to –-enable-da/--disable-da. (Ref: 62547)

·         DirectAudit Windows Agent video capturing color depth used to be 16-bit. Now the default value has been changed to 8-bit to lower the disk space usage.  (Ref: 63466)

·         DirectAudit usually will not audit if (1) user preferred shell is executed in non-login scenario, and (2) an audited command is not executed in interactive login session. A defect that made DirectAudit audit in the above scenarios was introduced in DirectAudit 3.1.1. This issue has been fixed.  (Ref: 64521)

·         Cdash might generate a zombie process when a session was opened (login), or an ssh connection was used by rsync, sftp and scp. This issue has been fixed.  (Ref: 64025)

·         A problem regarding logging has been fixed. Previously DirectAudit would hijack the logging facility in the audited system affecting other programs, e.g. sendmail, through the NSS module. Now DirectAudit NSS module will write to syslog through DirectAudit daemon in order to preserve caller's syslog logging facility. Note: in case of communication failure with DirectAudit daemon, NSS module will still use caller's logging facility to do the logging. (Ref: 63241)

·         Previously if the local audit data spool file was corrupted, Agent would stop sending data to collector resulting in no session available to Audit Analyzer. We have now enhanced the logic to detect spool file corruption. In case a file corruption is detected, DirectAudit will backup the spool file to avoid data lost, and make a new spool file to hold new audit data. (Ref: 63568)

·         In some rare occasions, the local audit data spool file could run into a condition hindered DirectAudit to despool. This problem has been fixed. (Ref: 62265)

·         There was a bug in the upgrade logic resulting in failure to preserve the list of values in a configuration parameter, e.g. 'dash.user.skiplist: user1, user2', but incorrectly treating it as a single value, e.g. 'dash.user.skiplist: "user1, user2"'. This bug has been fixed. (Ref: 64646)

·         There was a problem that when an environment had issues hindering DirectAudit from working normally, login process could be hindered too. Improvement is done to ensure login is not blocked whenever possible. (Ref: 62402)

·         When a Group was added to an Audit role, members in the Group were not provided the correct Audit Role permissions. This problem has been fixed. (Ref: 62615)

·         A memory leak problem in the collector has been fixed. When an audited *NIX session was accepted by collector, memory was allocated in collector for this session. When the session ended, the memory was not released properly unless the *NIX agent machine switched to another collector in the DA Installation, if any. This was severe especially when there was only one collector and there were lots of sessions, or there were more than one collector, but there were lots of short sessions within the collector switching interval (default 2 hours). (Ref: 64009)

·         Unix 8-bit Western European characters are now captured correctly by DirectAudit.  However, note that some shells do not support 8-bit characters in HPUX (e.g. /bin/csh, /bin/sh, /sbin/sh).  (Ref: 62287, 64585)

·         FindSessions.exe might return error “The query processor ran out of internal resources” if the result contained a large number of sessions.  This problem is now fixed.  (Ref: 62522)

·         Change default auto-growth setting to 256MB from 1MB for newly created databases to reduce overhead. (Ref: 32208)

3.3    Bug Fixed in DirectAudit 3.2.0

·         When adding sites to audit store, the sites is now changed to be sorted in ascending order by default. User can change the sort order by clicking the columm header.  (Ref: 40977)

·         From Suite 2014 onward, if an audit event is associated with an audited user session, you can double click on the event in Audit Analyzer (Audit Events node) to replay the corresponding session.  (Ref: 49065)

·         Some session inputs were exported into one single record when using the FindSessions.exe option /export=UnixInputOutput.  This issue is fixed except one case.  The keystroke entered in cursor-based application like “man” is still going to be appended to the next command the user entered because there is no CRLF characters in the input stream so the tool cannot distinguish when to start the new line.  (Ref: 57457)

·         Fixed a problem on AIX systems where after enabling auditing with "dacontrol -e", Hardware Management Console (HMC) logons would not work until the system was rebooted. (Ref: 54553)

·         Fixed a problem where an entry in /etc/environment setting LIBPATH could interfere with being able to successfully start the DirectAudit deamon. (Ref: 55432)

·         Fixed a problem with patching the OS kernel while DA auditing is enabled which could cause the system to hang after rebooting or cause users logging in to receive an "emergency shell". (Ref: 21975, 24399)

·         Fixed the problem in Audit Manager Help shortcut. It was available under "All Programs\Centrify Suite 2013\Audit\Documentation" on the Windows Start menu, and now under "All Programs\Centrify Server Suite 2014\Audit" on the Windows Start menu. (Ref: 55851)

·         Fixed the problem of Centrify Windows Agent installer upgrade issue: Centrify Windows Agent uses a registry DWORD Value named AuditTrailTargets to determine whether the Audit Trail events should go to the DirectAudit database or Windows event log or both. Upgrading Centrify Windows Agent, this registry value will be preserved. (Ref: 58443)

3.4    Bug Fixed in DirectAudit 3.1.1

3.4.1       Collector

·         In previous releases, SQL Server authentication information that had been configured for the collector was not preserved after the collector was upgraded to a new version. This issue has been fixed. (Ref: 52263)

·         Collector service maintains a SQL Server connection pool with 300 connections in it.  When there are more than 300 machines sending data to the collector concurrently, collector cannot handle all the requests and it will stop completely.  To remedy the problem, more collectors should be added to the Audit Store or the number of connections in the SQL Server connection pool should be increased.  The number of connections in the SQL Server connection pool can be set using the following registry key with the type of DWORD

HKLM\Software\Centrify\DirectAudit\Collector\MaxPoolSize (Ref: 48452)

3.4.2       Centrify UNIX Agent for Audit

·         The default value of the regular expression used to match the password prompt has been updated. Some programs include the user name in the prompt for the user's password (for example: "Enter password for username:").  The regular expression used in previous releases was unable to match non-alphabetic user names, which caused STDIN auditing to capture the password unexpectedly. The regular expression used in this release will match all possible user names.  (Ref: 52618)

·         In previous releases of DirectAudit, the user might get the following error message when he or she invoked a command that was configured to be audited:

DirectAudit was unable to work out an appropriate shell based on the name xxx, defaulting to fallback shell: /bin/da.emergency.shell

where xxx is any character string.  This bug is now fixed in Suite 2013.3. (Ref: 44476)

·         In previous releases, the Centrify UNIX agent would stop auditing if no collectors could be contacted and there is was not enough disk space to spool the audited data.  This issue has been fixed.  In this release, under the same situation, a user whose effective audit level is “Audit required” will not be allowed to log in or enter any additional commands. (Ref: 48319)

·         On a SUSE machine with AppArmor enabled, DirectAudit needs to restart AppArmor to enable audit. The restart is done automatically. However, it could fail silently and audit is disabled. The bug is fixed. (Ref: 52605).

·         In previous releases, the DirectAudit shell is saved as /da/cdashmod.  From Suite 2013.3 onwards, it is saved as /bin/centrifyda to remove the need for another top level directory /da. If you enable command level auditing of dzdo and the users need to use the ‘-i’ option in dzdo, you need to set up a Unix command definition for ‘/da/cdashmod’ and grant this right to roles that can use ‘dzdo –i’.  Since /da/cdashmod is replaced by /bin/centrifyda in this release, you need to change the corresponding command right definition.  (Ref: 45346)

·         The cdashmod processes may use up additional unnecessary CPU resources when DirectAudit agent is stopped on UNIX computers.  This problem has been fixed. (Ref: 51576)

·         In AIX, NIS group memberships are not returned for local users after DirectAudit agent versions 3.0 to 3.1.  This problem has been fixed. (Ref: 53692)

3.5    Bug Fixed in DirectAudit 3.1.0

3.5.1       Audit Analyzer

·         Quick query used to find sessions containing all specified words.  A check box is added to allow user to find sessions containing any specified words.  For example, session A contains commands "ifconfig" and "vi".  Session B contains commands "vi" only.  Quick query on "vi ifconfig" returns session A only by default.  If the check box is checked, both session A and session B are returned. (Ref: 40564)

3.5.2       Collector

·         The current collector design assumes that the standard input (stdin) source contains only one input line. When there are multiple lines in one packet, the collector throws an exception. In this scenario, the audit agent would go offline and would keep spooling to the local disk until there was manual intervention. This issue is fixed. (Ref: 43738)

3.5.3       Centrify UNIX Agent for Audit

·         The memory leak issue has been fixed. (Ref: 39717)

·         In previous releases, the Centrify UNIX Agent for Audit was not handling the environment paths for root and regular users properly (in particular, in setting LIBPATH or LD_LIBRARY_PATH). This caused problems during installation or when a regular user executed the ‘dainfo’ command. This issue is resolved. (Ref: 40964, 41410, 41234, 44560).

·         If the Centrify UNIX Agent auditing service (dad) is stopped for any reason, there is a change in auditing behavior based on the “audit required” setting of the user’s role. (Ref: 43352)

-          If the user’s role has the audit setting “Audit if possible”, the session will continue. However, the user’s subsequent activities during the session will not be audited. No message is displayed to notify the user that auditing has stopped. Auditing will continue only after restarting the auditing service.

-          If the user’s role has the audit setting “Audit required”, a message is displayed informing the user that the auditing service has been stopped by an administrator and that the session cannot continue until the auditing service is restarted. The user can then terminate the session or attempt to resume. The attempt to resume will fail until the auditing service is restarted by the system administrator. In most cases, the user must terminate the session because no user activity is allowed until the auditing service is available.

3.6    Bug Fixed in DirectAudit 3.0.1

·         If both Audit and Access features were installed from Centrify Windows Agent, the logoff menu could not be shown on some machines.  This issue has been fixed in this release. (Ref: 34767)

4.   Known Issues

The following sections describe known issues, suggestions, and limitations associated with DirectAudit.

4.1    General

·         For more information on known issues with individual UNIX or Linux platforms, see the release notes included with each platform agent bundle.

·         For the most up-to-date list of known issues, refer to the knowledge base articles in the Centrify Support Portal.

·         From Suite 2014 onward, the user name in Audit Trail will be stored in UPN (user@domain) format. For domain users, the user name is stored in user@domain format; and for local users, the user name is stored in user@computer format. If you are upgrading to Suite 2014, the upgrade process will not automatically update the user information that already exists in the database. Auditors can continue to use the old formats (SHORT_DOMAIN_NAME\username or user@domain) to query Audit Trail events that were generated before the upgrade. (Ref: 54985a)

·         The characters (‘%’, ‘#’, ‘>’ and ‘$’) are used by DirectAudit to recognize UNIX commands.   They should not be used in role names and as part of trouble-tickets; otherwise they will be recognized as part of a UNIX command. (Ref: 51687a)

4.2    Windows Install / Upgrade / Uninstall

·         When upgrading DirectAudit in Windows, you should use the autorun program to perform the upgrade. The autorun program automatically upgrades other Centrify components such as Centrify Deployment Report. If you upgrade DirectAudit components individually using the Microsoft Installer (msi) and then attempt to use the autorun program to uninstall all components, autorun will only be able to uninstall the Centrify Deployment Report that were upgraded to the latest version. You can remove any remaining components manually using the Add/Remove Programs and Features Control Panel. (Ref: 46293a)

·         If you run setup.exe with all DirectAudit components selected for installation on a single computer, the operation is known as the “Easy Install.” Although this is the default for new installations, using the “Easy Install” option requires you to have local administrator privileges.

·         If you uninstall the Audit Collector component on a computer that is not joined to the domain, you will see the following messages during an uninstall operation:

The specified domain either does not exist or could not be contacted.

(Exception from HRESULT: 0x8007054B)

Despite the alert message, the Audit Collector is successfully uninstalled when you click OK.

·         In Suite 2013.3 (or previous versions), the DirectAudit installation process used to automatically generate a 30 day evaluation license key. This process has now been removed. If you are creating a new DirectAudit installation using Suite 2014 or later release, when prompted, you must type the evaluation license key that you have received from Centrify. If you are upgrading an existing DirectAudit installation with an evaluation license key to Suite 2014, the existing evaluation license key is still usable. (Ref: 52259a)

·         If collector is using SQL authentication to communicate with the Audit Store database and you upgrade the collector to Suite 2015 using MSI installer, the upgrade may remove the encrypted SQL credentials from the local registry and collector may stop functioning. To work around this issue, please use the EXE installer to perform the upgrade or run the Collector Configuration wizard immediately after the upgrade and re-enter the SQL credentials when prompted. (Ref: 76459)

4.3    Collector

·         In the Collector Configuration wizard, if the account credentials you give for the SQL Server do not match an existing account on the SQL Server, and you have the rights to create SQL Server accounts, the credentials you give will be used to automatically create a new SQL Server account.

4.4    Audit Analyzer and Session Player

·         If the active audit store database spans two SQL databases, the Audit Analyzer will show UNIX sessions as "Disconnected" until some data is received from those sessions. Once data has been received, the session state will change to "In Progress.”

·         If the session player window is blank when you are replaying a session, and you are using a 32-bit SQL Server instance, it is possible that the SQL Server has run out of memory. Allocating more memory to the SQL Server by using the -g384 switch on the SQL Server should resolve the issue. To add more memory:

-          Open the SQL Server configuration manager.

-          Stop the instance.

-          Add the parameter "-g384".

-          Start the instance.

-          Reopen the failing session on the session player and it should now play normally.

·         If an audited Windows session is using multiple monitors in extended mode, it cannot be exported as WMV files. (Ref: 27003a).

·         When Windows agent machine’s system color depth is changed during an audited session, the playback of the session may not be displayed properly.  (Ref: 36818c)

·         Entering specific keywords in the “Application” Event list column will not filter based on the keywords as expected. For example, entering the search term "c" will locate the string "Windows Explorer". This is because application characteristics are stored in the database as a set of related attributes as follows: "Explorer.EXE | Microsoft® Windows® Operating System | Windows Explorer | Microsoft Corporation | 6.1.7600.16385" A match with any of the Windows Explorer attributes will yield “Windows Explorer".  This issue will be addressed in an upcoming release. (Ref: 39645b)

·         When specifying search criteria for a query in Audit Analyzer, in the “Unix Commands and Outputs” attribute, if you enter a string that includes a double-quote character, the query result is undefined. This is true for these criteria: “Contains any of,” “Does not contain,” and “Contains all of.” The workaround is not to use double-quote characters. (Ref: 46692a, 44813a)

·         If a DirectAudit Installation is configured to not capture video data, parameters of the UNIX command is also not captured.  Therefore, the query using "Parameters of Commands and Applications” as the criteria does not work under this configuration. This is a known issue and will be addressed in future release. (Ref: 55741b)

·         If you open Audit Analyzer and right click on any child node of predefined queries such as "All, Grouped by User", "All, Grouped by Machine" or "All, Grouped by Audit Store" in the left pane, the context menu is displayed and it shows a menu item named "Properties". This context menu item, when clicked, does not open any dialog box because it is not a valid action for the selected child node. This menu item will be removed in the future release. (Ref: 48681b)

·         By default, Audit Analyzer uses MSS2 codec to export audited sessions to a WMV (Windows Media Video) file. The MSS2 codec has a known issue which results in fuzzy video when an audited Windows session is exported as WMV file and opened in Windows Movie Maker 2012. From Suite 2014 onward, you can specify your own codec to export an audited session to a WMV file. Please refer to KB-4029 for additional information. (Ref: 56021a)

4.5    Audit Manager

·         In the Notification tab of Installation Properties dialog, dynamic GIF file is not supported as the banner image file. (Ref: 32793c)

·         If you assign DirectAudit permissions to a Domain Local group which is not in the current domain in the Audit Manager Installation Property Security tab, and a user belonging to that group runs Audit Analyzer and tries to connect to the DirectAudit Installation, Audit Analyzer will display the warning “You do not have permission to connect to the SQL server.”   A workaround is to grant permission to a Global or Universal group instead. (Ref: 25546c)

·         Video recording was always turned on prior to DirectAudit 3.1.0.  DirectAudit 3.1.0 allows user to optionally turn off video recording.  This requires that both DirectAudit collectors and Windows agents be upgraded to version 3.1.0.  If any of DirectAudit collectors or Windows agents is an older version, video data may still be recorded even though you have turned it off in Audit Manager Version 3.1.0. (Ref: 44064a)

4.6    Centrify UNIX Agent for Audit

·         In DA 2.x, the configuration parameter ‘dash.user.alwaysallowed.list’ in centrifyda.conf specifies a list of users that DirectAudit will always allow the user to login even if the environment cannot do auditing. However, this parameter cannot be honored by DirectControl agent when DirectAudit is not functional for whatever reason.

In DA 3.x, a better integrated solution is implemented using the "rescue/always permit login" sysright. This sysright is honored by both DirectControl and DirectAudit and it deprecates the ‘dash.user.alwaysallowed.list’ parameter. Hence, in an upgrade scenario from DA 2.x to DA 3.x, please assign the users in ‘dash.user.alwaysallowed.list’ list to the "always permit login" role (if any one of these users have "audit required" in their roles) as one of the steps in the upgrade procedure. (Ref: 64841a)

·         On AIX and HP-UX using Suite 2014.1 agent with default settings, if login from GUI (for example, Xmanager), the terminal opened in the GUI will not be audited. The workaround would be to set the parameter 'dash.allinvoked:true'. (Ref: 66330b)

·         Starting from Suite 2014, dash.force.audit has been deprecated and is no longer needed in the configuration of command-level auditing for managed computers. As a result, it is no longer included in the configuration file (centrifyda.conf) by default. For details, please refer to the Configuration and Tuning Reference Guide. (Ref: 56822a)

·         Auditing init during startup on UNIX is not possible.  The init command used during the boot process should not be audited using per-command auditing. If you attempt to audit init, your operating system will not reboot properly.

·         You cannot start a GUI session if you are logged in via an interactive session.  Running startx or starting a GUI session from an interactive session results in the following message:

X: user not authorized to run the X server, aborting.


-          Run "sudo dpkg-reconfigure x11-common"

-          When you are prompted for users allowed to start the X server, choose "anybody" (the default is "console users only").

The GUI session or X server should start normally. (Ref: 25036a)

·         Local AIX users cannot be audited when they log in via built-in ssh, due to a change in AIX 7.0 ML1. Customers are advised to install Centrify OpenSSH if auditing of ssh login by local users is required (Ref: 33299a).

·         To audit the GUI terminal emulators, GUI login managers have to be fully reinitialized after auditing is enabled. On Linux, "init 3 && init 5" will start the reinitialization. (Stopping the X server only, or pressing ctrl+alt+backspace in Gnome, will not start the reinitialization.)

·         The dzinfo utility is run by a wrapper script. The actual executable of dzinfo is located in /usr/share/centrifydc/libexec/dzinfo.

To enable auditing on dzinfo, a user is required to audit /usr/share/centrifydc/libexec/dzinfo.

NOTE: /usr/bin/dzinfo and /usr/share/centrifydc/bin/dzinfo are symbolic links to the wrapper script /usr/share/centrifydc/bin/cdcexec. Ensure that the executable, and not a symbolic link or wrapper script, is audited.

·         On Solaris, the following commands, located in /usr/bin, might be implemented as ksh programs or scripts:

    alias   bg      cd

    command fc      fg

    getopts hash    jobs

    kill    read    test

    type    ulimit  umask  

    unalias wait

To identify commands implemented as ksh scripts, run the following script:

    #!/bin/ksh -p

    cmd=`basename $0`

    $cmd "$@"

The commands that are implemented internally by ksh should not be audited.

·         On a system using SMF (Service Management Facility), such as Solaris 10, the DirectAudit daemon might not start up after an upgrade from DirectAudit 1.x. This does not affect a fresh installation. To bring the daemon up, run these commands:

1)  svcadm disable centrifyda

2)  svcadm enable centrifyda

Run 'svcs' and find 'centrifyda' to confirm the daemon is online.

·         When a local user and an Active Directory user use the same UNIX user name, the user name will default to the name of the Active Directory user. If the local user name is intended, setting the pam.allow.override parameter in /etc/centrifydc/centrifydc.conf will help. After this setting, the user name implies the Active Directory user; and <username>@localhost will implies the local user.

DirectAudit 3.0 or later understands the "@localhost" syntax. DirectControl UNIX Agent will respond to <username>@localhost if the user name is set in pam.allow.override;

·         If you upgrade from DirectAudit 2.0., disable DirectAudit so that the new DirectAudit mechanism for hooking shells can be installed: Run 'dacontrol –d -a' to disable auditing, then restart the upgrade.

·         DirectAudit maintains a cache of user information for performance reasons.  This cache interferes with Unix commands that manipulates the local user database (passwd file).  These commands include useradd, userdel and usermod. From Suite 2014 onwards, DirectAudit will not access its local cache to fully support the following commands: useradd, userdel, adduser, usermod, mkuser, rmuser, chuser

Please contact support if your operating system platform has other programs that directly access the local passwd file.  (Ref: 56259a)

·         Change in AIX root user behavior: By default, all releases starting with Suite 2014 (DirectAudit 3.2.0) DO NOT modify the root stanza in AIX for new installations.  One side effect is that root user login WILL NOT be audited.  If your environment requires session auditing of root user login, you need to do the followings:

a. Set up a DirectAuthorize role that has the audit level of "audit required" or "audit if possible"; and assign this role to root.

b. Set the parameter adclient.autoedit.user.root to TRUE in /etc/centrifydc/centrifydc.conf.

c. If DirectAudit session auditing is not enabled, enable DirectAudit session auditing using the command "dacontrol -e".

d. Restart adclient (Ref: 56239a, 56604a)

   For AIX customers who upgrade from prior versions of Centrify Server Suite 2014 (DirectAudit 3.2.0), there is NO change in behavior.   The parameter adclient.autoedit.user.root is set to true in /etc/centrifydc/centrifydc.conf.  The root user will still be audited. (Ref: 56235)

·         If session auditing is enabled, all local user logins are processed by DirectAudit to determine whether the session should be audited.  This may block login if domain controllers are not responsive and/or DirectControl agent is not running.  Two new parameters are introduced in /etc/centrifyda/centrifyda.conf:

- user.ignore: specifies a list of local users that DirectAudit does not use Active Directory to determine audit level.  By default, the list is /etc/centrifydc/user.ignore (the same one that DirectControl uses), which includes some important accounts like root, bin, daemon, etc.

- user.ignore.audit.level - specifies the audit level for the local users specified in the user.ignore list.  The supported values are 0 (audit if possible) and 1 (audit not requested/required).  Default is 0 (audit if possible).  Note that "audit required" is not a reasonable choice, as this user needs to login all the time; and "audit required" may block login if DirectAudit does not function correctly. (Ref: 55599a, 57946a, 56935a, 58251a)

If root is in user.ignore and DirectAudit agent is installed, login from Centrify OpenSSH is audited, login from telnet or stock ssh is not audited.

If root's audit level is "audit required" and DirectAudit agent is not installed, root can login if root is in user.ignore.  If root is not in user.ignore, root cannot login.

·         The /usr/share/centrifydc/bin/centrifyda script should be used to start/stop DirectAudit service in all *nix platforms. However, systemd is not fully supported in /usre/share/centrifydc/bin/centrifyda. For platforms that use systemd by default (such as SUSE Linux Enterprise 12/SUSE Linux Desktop 12), users need to set the environment variable SYSTEMD_NO_WRAP to 1 before calling the /usr/share/centrifydc/bin/centrifyda. Operations such as killing a daemon, running dad (DirectAudit daemon) directly, or running dastop command, could lead to issues in daemon managers in some *nix platforms. For example, SMF of Solaris, SRC of AIX and systemd of Fedora 20, may record incorrect running status of the daemon; and may fail to start daemon. (Ref: 57653a, 71211a)

4.7    Centrify Windows Agent for Audit

·         Some events related to the login script are not listed in the indexed events list. The login script cannot be audited for an initial few seconds because the DirectAudit Windows agent software has not completed its setup. (Ref: 26286)

4.8    Database

·         In previous versions of DirectAudit, it was possible to specify the location of the database file. In DirectAudit 2.0.0 and later this capability is not provided in the Audit Store Database Wizard. However, you can still specify the full text file location, database file location, or transaction log file location by choosing "View SQL Scripts" and modifying the relevant database location manually in the script.

·         If you are using SQL Server 2005 Express, and you change the date and time format on the computer with your database to English (Singapore), some of the stored procedures respond with an error “Locale not supported” while other stored procedures continue to work fine. The workaround is to use a different English locale or upgrade SQL Server to 2008 or later versions.

·         If the default memory setting for SQL Server is more than the actual memory in the system a memory error may occur. For more information see:


·         SQL Server 2008 R2 full text search categorizes certain words as stop words by default and ignores them for searches. Some stop words are common UNIX commands such as like, which, do, and while.  For more details about stop words and how to configure, please refer to http://technet.microsoft.com/en-us/library/ms142551.aspx

·         The Centrify DirectManage Audit Collector monitors the active Audit Store database to check if it is running low on disk space. If an active Audit Store the database is on a disk with volume mount point, the collector may give a false alarm. In such cases, it is recommended to disable the detection by setting the following registry key with the type of DWORD to 0 on all your collector machines. (Ref: 53389a)


·         Collector only detects AuditStore disk space low against a configurable threshold if the SQL Server version is 2008 R2 SP1 (10.50.2500.0) and above. The threshold can be configured at Collector machine Registry: HKLM\Software\Centrify\DirectAudit\Collector\AuditStoreDiskSpaceLowThreshold  DWORD in MB, not configured, default to 1024 MB.  If free disk space is less than the threshold, Collector state is changed to "AuditStore database disk space is low", and stops accepting audit data from Agent(s). (Ref: 75309a)

4.9    Audit Management Server

·         To configure the audit management server to point to an installation, the user who is running the Audit Management Server Configuration Wizard must have the "Manage SQL Logins" permission on the management database of the installation. For example, if you are configuring an audit management server in an external forest with a one-way trust, be sure that the installation supports Windows and SQL Server authentication and the account you are using is from the internal forest and has the "Manage SQL Logins" permission on the management database. (Ref: 46989a)

4.10  FindSession tools

·         For per-command auditing of dzdo command, when a ticket is entered, the role and ticket are associated with the audited session. For such sessions, the FindSessions tool’s export of type UnixCommand, UnixInput, or UnixInputOutput based on the role and/or ticket criteria will have the exported command, STDIN, or STDIN and STDOUT marked with role and ticket. When per session auditing is enabled, the exported data will not have role and ticket information. (Ref: 53936a)

·         When per-command auditing is enabled for dzdo command, and role and trouble ticket capturing is also configured, FindSessions.exe run with /export=UnixCommand option will not show the role and trouble ticket information in the exported file for the dzdo command itself, if the dzdo command executed is “dzdo su  –“ or “dzdo –i”. However, all the command executed within that dzdo session will have correct role and trouble ticket information. (Ref: 51787a)

5.   Additional Information and Support

In addition to following instructions in the documentation provided with this package, you can find the answers to common questions and information about any general or platform-specific known limitations, as well as tips and suggestions, from the Centrify Knowledge Base on the Centrify Support Portal.

You can also contact Centrify Support directly with your questions through the Centrify web site, by email, or by telephone. To contact Centrify Support or to get help with installing or using this version of Centrify DirectAudit, send email to Support or call 1-669-444-5200, option 2.

For information about purchasing or evaluating Centrify products, send email to info.