Centrify® Server Suite 2015.1 DirectAudit® 3.2.3 Release Notes (updated March 2016)

© 2007-2016 Centrify Corporation.

This software is protected by international copyright laws.

All Rights Reserved.

Table of Contents

1. About DirectAudit
2. Feature Changes
2.1 Feature Changes in DirectAudit 3.2.3 Update (March 2016)
2.2 Feature Changes in DirectAudit 3.2.3
2.2.1 General
2.2.2 Collector
2.2.3 Audit Analyzer and Session Player
2.2.4 Audit Manager
2.2.5 Centrify UNIX Agent for Audit
2.2.6 Database
2.2.7 FindSessions Tool
2.2.8 Windows Agent
2.2.9 Centrify Audit Module for PowerShell
2.2.10 Supported Platforms
2.3 Feature Changes in DirectAudit 3.2.2
2.3.1 General
2.3.2 Collector
2.3.3 Audit Analyzer and Session Player
2.3.4 Audit Manager
2.3.5 Centrify UNIX Agent for Audit
2.3.6 FindSessions Tool
2.3.7 Supported Platforms
2.4 Feature Changes in DirectAudit 3.2.1
2.5 Feature Changes in DirectAudit 3.2.0
3. Bugs Fixed
3.1 Bugs Fixed in DirectAudit 3.2.3
3.1.1 General
3.1.2 Windows Install / Upgrade / Uninstall
3.1.3 Collector
3.1.4 Audit Analyzer and Session Player
3.1.5 Audit Manager
3.1.6 Centrify UNIX Agent for Audit
3.1.7 Database
3.1.8 Centrify Audit Module for PowerShell
3.2 Bugs Fixed in DirectAudit 3.2.2
3.2.1 General
3.2.2 Windows Install / Upgrade / Uninstall
3.2.3 Collector
3.2.4 Audit Analyzer and Session Player
3.2.5 Audit Manager
3.2.6 Centrify UNIX Agent for Audit
3.2.7 Database
3.3 Bugs Fixed in DirectAudit 3.2.1
3.4 Bugs Fixed in DirectAudit 3.2.0
4. Known Issues
4.1 General
4.2 Windows Install / Upgrade / Uninstall
4.3 Collector
4.4 Audit Analyzer and Session Player
4.5 Audit Manager
4.6 Centrify UNIX Agent for Audit
4.7 Centrify Windows Agent for Audit
4.8 Database
4.9 Audit Management Server
4.10 FindSessions Tool
4.11 Windows Agent
4.12 Centrify Audit Module for PowerShell
5. Additional Information and Support


1.   About DirectAudit

The Centrify DirectAudit feature set is a key component of Centrify Server Suite Enterprise Edition. DirectAudit enables detailed auditing of user activity on a wide range of UNIX, Linux, and Windows computers. With DirectAudit, you can perform immediate, in-depth troubleshooting by replaying user activity that may have contributed to system failures, spot suspicious activity by monitoring current user sessions, improve regulatory compliance, and ensure accountability by capturing and storing detailed information about the applications used and the commands executed. If you enable auditing, the Centrify Windows Agent records user activity on the Windows computer on which it is installed. DirectAudit supports auditing on over 400 different UNIX, Linux, and Windows operating systems. For a complete list of the supported platforms, see the Centrify Server Suite Enterprise Edition entry in the platform document at www.centrify.com/platforms.

Centrify DirectControl is a prerequisite for Centrify DirectAudit. The minimum version of DirectControl required by this version of DirectAudit is 4.4.4.

The DirectAudit SDK will no longer be supported after Suite 2016. Please use the PowerShell support instead.

DirectAudit will be dropping support for all 32-bit Windows platforms in Suite 2016.

DirectAudit will be dropping support for SQL Server 2005 and all versions of 32-bit SQL Servers in Suite 2016.

This release note updates information available in the DirectAudit Administrator's Guide and describes known issues. You can obtain information about previous releases from the Centrify Support Portal, in the Documentation & Application Notes page.

Centrify software is protected by U.S. Patents 7,591,005, 8,024,360, 8,321,523, and 9,015,103 B2.


2.   Feature Changes

2.1    Feature Changes in DirectAudit 3.2.3 Update (March 2016)

DirectAudit 3.2.3 was updated in March 2016 to fix the following issue: when a system is under high CPU utilization, communication between the Centrify DirectControl and Centrify DirectAudit agents may time out while the communication channel remains open. This results in the DirectAudit agent processing an incorrect response to its request. Note that this occurs only in the DirectAudit *NIX agent, and only when the DirectAudit NSS auditing functionality is enabled. The fix in this version of DirectControl and DirectAudit closes the communication channel between the two agents on timeouts and in error situations.

Centrify strongly recommends that customers who use the DirectAudit NSS auditing capability upgrade to this version of DirectAudit and DirectControl across their organization. Also, customers who need "audit required" support for local users should add such local users to the user override list specified by the DirectAudit nss.user.override.userlist configuration parameter. "audit_required" is now supported as the audit level specification both in the nss.user.override.auditlevel configuration parameter and in the per-user audit level specification in the override list. For more information, please refer to the description of these parameters in the Configuration and Tuning Reference Guide.

2.2    Feature Changes in DirectAudit 3.2.3

2.2.1       General

o    Significant performance and scalability improvements were made to DirectAudit UNIX agents, collectors and audit store databases.

o    Fixed a problem with the syntax of the "dash.obfuscation.*" parameters, introduced in DirectAudit 3.2.2, which could cause a problem during upgrade. The syntax is now correct, and existing values are automatically converted to the new syntax during upgrade without user intervention. Please note: when the group policies "Defining information pattern in custom format to obfuscate sensitive information" and/or "Defining information pattern in regex format to obfuscate sensitive information" are used to set up these parameters, an upgrade DOES NOT convert the values of these parameters. Make sure you change the values of these two group policies, or obfuscation will not take effect on DirectAudit 3.2.3 Unix agents. (77348)

o    Pre-announcement of deprecating the ADM format

This is the last release in which group policies in ADM (Administrative Template File) format are shipped. From the next release onward, only the ADMX (XML-based Administrative Template File) format will be shipped. (Ref: 79114)

2.2.2       Collector

o    Added the following new performance counters:

Connected Agent: Number of agents currently connected;
Connected Agent Peak: Peak number of connected agents;
Dropped Agents: Number of agents disconnected due to no timely status updates;
Agent Connect Event:  Number of agent connect events;
Agent Disconnect Event:  Number of agent disconnect events;
Transient SQL Errors: Number of transient SQL errors;
Request Connection Packet: Number of request connection packets received;
Request Ack Packet: Number of request ack packets received;
Collector Info Request Packet: Number of collector information request packets received;
Start Unix Session Packet: Number of “Start Unix session” packets received;
Continue Unix Session Packet: Number of “Continue Unix session” packets received;
End Unix Session Packet: Number of “End Unix” session packets received;
STDIN Packet: Number of Unix stdin data packets received;
STDOUT Packet: Number of Unix stdout data packets received;
Unix Window Resize Packet:  Number of “Unix window resize” packets received;
List Active Unix Session Packet:  Number of “List Active Unix session” packets received;
Unix Meta Message Packet: Number of Unix “Meta message” packets received;
Unknown Unix Packet: Number of unsupported packets received from Unix agents;
Bytes STDIN Sent: Number of Unix stdin data bytes received;
Bytes STDOUT Sent: Number of Unix stdout data bytes received;
Unix Command: Number of Unix commands recorded in database;
Bytes Unix Command: Unix command data in bytes recorded in database;
Unix Snapshot: Number of Unix snapshots recorded in database;
Bytes Unix Snapshot: Unix snapshot data stored in database in bytes.

The custom performance counters are installed when the collector is installed and removed when it is uninstalled. The performance counters can also be created and removed using collector.config.exe /createcounter | /deletecounter. Note: the collector must be stopped before creating or removing the counters. (78186)

2.2.3       Audit Analyzer and Session Player

o    When a report is generated, the current progress is shown in the status bar of the Audit Analyzer. (71640).

o    Added column filtering to the Audit Analyzer query result pane. (77984)

o    In the session query results pane, added the column “Account”. This shows the actual account used to log in to the Windows/Unix system. It is the same as the “User” column for users who log in to the audited system directly. For Centrify Privileged Services (CPS) users, it is the shared account used to log in, whereas the CPS user name is shown in the “User” column. On the session properties page, “Unix user name” and “Windows user name” were removed. There are two new items instead, “Account” and “User”. “Account” shows the account used to log in to the system: the shared account for a CPS user, or the actual login account for other users. “User” shows the identity of the user who logs in to the system; for a CPS user, this is the identity of the CPS user himself/herself. In addition, the “TTY name” for a Unix session shows “pass-through” if the session was logged into by a CPS user. (78371)

o    In the display of audit store databases, a new column, “Effective Size”, is added to show the size of data in the database. (75496)

o    Added more UI feedback when the Audit Analyzer exports a large number of sessions. As session details are fetched from the AuditStore database, Audit Analyzer shows a progress bar dialog box while it exports the command/event list for a large number of sessions. The user can also cancel the export operation while it is in progress. (46973)

o    Added the ability to search for audited sessions using a user's display name as search criteria when using the FindSessions utility or Audit Analyzer console. (78279)


2.2.4       Audit Manager

o    Added two new options to the New Installation wizard in Audit Manager, "Do not allow any users to review their own sessions" and "Do not allow any users to delete their own sessions", allowing these options to be configured during a DirectAudit installation. Previously, these options could only be configured after DirectAudit had been installed. (75560)

o    Added column filtering to the Audit Manager query result pane. (77984)

o    Added a new column in the Audit Manager Console, "Last Update Time" for Audited Systems and Collectors, which indicates when the last agent/collector update was recorded in the AuditStore database. (76118).

o    From DirectAudit 3.2.2 onward, a DirectAudit administrator can define an audit role with an Active Directory security group as one of the search criteria. This allows a DirectAudit auditor to search for audited sessions of users who belong to a particular Active Directory security group. (19378)

o    Introduced a new installation level permission named "View" in Audit Manager console. A DirectAudit administrator can now assign "View" permission to one or more users, which limits these users to read-only access to the Audit Manager console without assigning them any administrative rights over the DirectAudit installation. (71012,71563)


2.2.5       Centrify UNIX Agent for Audit

o    Added two new group policies "Centrify DirectAudit Setting\UNIX Agent Settings\DirectAuditDaemon Settings\Set client idle timeout" and "Centrify DirectAudit Setting\UNIX Agent Settings\DirectAuditDaemon Settings\Set update agent status timeout" for the following two parameters "dad.client.idle.timeout" and "dad.timer.update.agent.status" respectively. (76401).

o    Added a new resource monitor to the Centrify DirectAudit daemon to monitor CPU, file descriptor and memory usage during runtime. When usage exceeds the configurable threshold, an INFO-level log message is written and the watchdog restarts dad if possible. (77041)

o    Added a new parameter, "spool.diskspace.logstate.reset.threshold", to centrifyda.conf. It works together with the existing parameter “spool.diskspace.min”, which configures the DirectAudit daemon to log an error when it detects that the percentage of free space in the spool volume is less than spool.diskspace.min. Although the DirectAudit daemon continues to monitor free space in the spool volume, it does not log another error message until the administrator has freed enough space in the spool volume that the percentage of free space is higher than (spool.diskspace.min + spool.diskspace.logstate.reset.threshold). (77739)

o    Added a new option to dainfo, "-C", which displays the current action counts of the DirectAudit daemon (dad). Usage: dainfo [-h] [-v] [-x] [-d] [-u] [-C] [-t] [-c]; option: --dadactioncount, -C. (78184)

o    Added a new parameter to centrifyda.conf, "nss.nologin.shell", to allow the administrator to specify shells that should be treated as no-login. A list can be specified. Default values: /sbin/nologin, /bin/false. If a user’s login shell is in this list, the DirectAudit NSS/LAM modules always return that same login shell in getpwuid() and getpwnam() calls for the user, because the user cannot log in and will not be audited. (74844, 74522)

o    Added a new CLI argument to the dainfo command line utility, "--suite-version", which outputs the version of the Centrify Server Suite and the version of DirectAudit currently running. Example usage and output: (75327)

# dainfo --suite-version
dainfo (CentrifyDA 3.2.3-309)
Centrify Server Suite 2015.1

# dainfo -x
dainfo (CentrifyDA 3.2.3-309)
Centrify Server Suite 2015.1

o    The Centrify DirectAudit daemon (dad) is now managed by systemd, allowing more accurate control and reporting of dad's state. (73960)

o    Improved local user NSS query performance. (79041)

o    Added a new Centrify group policy, "Set ignored programs", located in "Centrify DirectAudit Settings" -> "Unix Agent Settings" -> "DirectAudit NSS Settings", to modify the list of programs whose getpwnam() and getpwuid() requests will not be processed by the DirectAudit NSS/LAM module. (64645)

o    Added a new group policy, "Add centrifyda.conf properties", located in "Centrify DirectAudit Settings" -> "Unix Agent Settings", allowing modification of any DirectAudit Unix agent parameter. (64645)

o    The following parameters were introduced in centrifyda.conf to support the new options and features:

dad.client.idle.timeout.min, dad.resource.timer, dad.resource.restart, dad.resource.memlimit, dad.resource.fdlimit, dad.resource.cpulimit, dad.resource.cpulimit.tolerance, nss.nologin.shell, spool.diskspace.logstate.reset.threshold

For details, please refer to the Configuration and Tuning Reference Guide.


2.2.6       Database

o    Until DirectAudit 3.2.2, all DirectAudit database stored procedures were forced to run under the database server's Local System account, NT AUTHORITY\SYSTEM, which may violate the security policies of some customers. From DirectAudit 3.2.3 onward, a DirectAudit administrator can choose a custom account to run these stored procedures. This custom account must be a member of the sysadmin fixed server role on the database server, and can be selected on the "Advanced Settings" page of the "Add database" wizard. (73252)

o    Database performance when storing audit session data has improved significantly.  This allows a higher number of Unix agents to be supported in an audit store database instance. (76950, 76399, 79106, 76465, 79171).

o    Improvement in the performance of updating session review status in Audit Analyzer (38157).

o    The default SQL Connection timeout is now 30 seconds. (79107).

o    Added a new scheduled task to the Audit Management Server component to calculate the approximate amount of disk space taken by an audited session on the database server, also known as the "session size." If the Audit Management Server component has been installed and configured correctly, it will automatically calculate size for all audited sessions in the "Completed" state. In addition, the session size is shown in Audit Analyzer console's query result pane. (71964)

o    Improvement in the performance of querying audit data in Audit Analyzer. (79361).

o    To address issues with incompatible databases when an older version of the SDK is used to perform database rotation, the DirectAudit SDK no longer performs a database rotation if the SDK's database version does not match the current version of the DirectAudit database. Before creating a new database, the SDK compares its own version against the version of the installation's Management database and displays an error if they do not match. (77364)


2.2.7       FindSessions Tool

o    The FindSessions utility's search result pane will now allow a user to copy the session URI and display the session's indexed commands/events list. (72109)

2.2.8       Windows Agent

o    AD users/groups can now be given the ability to stop the DirectAudit Windows Agent. The Start/Stop/Restart buttons in the Windows Agent Control Panel are enabled for AD users configured via GP to stop/restart the DirectAudit Windows Agent. If the GP is not configured, the buttons are hidden as in previous releases. As in previous releases, the Windows Agent cannot be stopped via the Service Control Manager or by using commands such as "net stop"; you must use the DirectAudit Agent Control Panel to start/stop the DirectAudit Windows Agent. (62474)

o    The default DirectAudit Windows agent heartbeat rate, "HKLM\Software\Centrify\DirectAudit\Agent\SessionPingInterval", was changed from 60 seconds to 300 seconds. A previously configured setting is preserved on upgrade. In addition, a new group policy, "Set update agent status timeout", was added in centrifyda_settings.xml; its default value, if enabled, is 300 seconds. (77077)

2.2.9       Centrify Audit Module for PowerShell

o    Added Remove-CdaDatabase cmdlet to physically remove the database files from the server. (Ref: 74532)

o    Added db_rotation.ps1 as a sample database rotation script.  Sample scripts are installed to Samples subdirectory. (Ref: 77591)

o    Added the -DisplayName parameter to the Get-CdaAuditSession cmdlet to search sessions by the user's display name. (Ref: 77552)


2.2.10     Supported Platforms

o    Centrify UNIX Agent for DirectAudit adds the support of the following operating systems (Ref: 72653, 73602):

o    CentOS 7.1 (x86_64)

o    Fedora 22 (x86, x86_64)

o    Debian Linux 8.x (x86, x86_64)

o    Oracle Enterprise Linux 7.1 (x86_64)

o    Red Hat Enterprise Linux Server 7.1 (x86_64)

o    Red Hat Enterprise Linux Desktop 7.1 (x86_64)

o    Scientific Linux 7.1 (x86_64)

o    Ubuntu Desktop 15.04 (x86, x86_64)

o    Ubuntu Server 15.04 (x86, x86_64)

o    Support will be discontinued soon (the next release will be the last release with support) for the following operating systems (Ref: 73750):

o    Fedora 20 (32-bit and 64-bit)

o    Debian Linux 6.x (32-bit and 64-bit)

o    Ubuntu Desktop 14.10 (x86, x86_64)

o    Ubuntu Server 14.10 (x86, x86_64)

o    Oracle Solaris 9 (32-bit and 64-bit)

o    HP-UX 11.11, 11.23 PA-RISC (Normal and Trusted modes)

o    HP-UX 11.23 Itanium (Normal and Trusted modes)

o    Centrify DirectAudit will no longer support the following platforms starting with the next release (Ref: 56644, 61795, 64457, 68948, 71092, 73138):

o    Fedora 19 (32-bit and 64-bit)

o    Oracle Enterprise Linux 4.x (32-bit and 64-bit)

o    OpenSUSE 12.1, 12.2, 12.3 (32-bit and 64-bit)

o    Oracle Solaris 8 SPARC

o    All 32-bit Windows platforms

o    The following operating systems are no longer supported (Ref: 56643, 61010, 66423, 69921):

o    AIX 5.3 (32-bit and 64-bit)

o    Linux Mint 15, 16 (32-bit and 64-bit)

o    Ubuntu Desktop 10.04 LTS (32-bit and 64-bit)

o    Ubuntu Server 10.04 LTS (32-bit and 64-bit)

o    Ubuntu Desktop 13.04, 13.10 (32-bit and 64-bit)

o    Ubuntu Server 13.04, 13.10 (32-bit and 64-bit)

o    Windows 2003 (32 and 64 bit), Windows 2003R2 (32 and 64 bit) – Estimated vendor EOL: 2015-07-14

2.3    Feature Changes in DirectAudit 3.2.2

2.3.1       General

o    The Audit Trail feature has been enhanced with the following:

o    All audit trail events are now documented in an XML file. The document AuditTrailEvents.xml can be found on the "Autorun" > "Documentation" page, or in the Documentation folder of the ISO image. You can use it as a reference when integrating the audit trail events with other monitoring tools. (Ref: 55847)

o    The Audit Trail feature of Suite 2015 has been redesigned to write a unique event ID also known as Centrify Event ID for each of the Audit Trail events. On Windows clients, the audit trail event is written in Windows Application Event Logs with the unique event ID as Event ID and a new Windows Event Source "Centrify AuditTrail V2". On Unix/Linux clients, the newly redesigned event IDs will be written to syslog in the centrifyEventID field. Please refer to the Centrify Audit Trail Events XML documentation for a complete list of Audit Trail events and their corresponding unique Centrify Event IDs. (Ref: 55847, 55849)
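The following added example (not Centrify's code) shows the integration the two items above describe: pulling the centrifyEventID field out of syslog lines on a Unix/Linux client and counting events per ID so a monitoring tool can act on them. The sample lines are constructed for this example; the release notes only state that the ID is written in a field named centrifyEventID, so the layout of the rest of each line is an assumption. The only event ID named on this page is 18200 ("login successful"); 99999 is a placeholder used to show how an ID that is not in the lookup table is reported, and the real list lives in AuditTrailEvents.xml.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not real Centrify output). Only the
# "centrifyEventID=<n>" field is taken from the release notes; the surrounding
# layout is an assumption made for this example.
SAMPLE_SYSLOG = """\
Mar 10 09:12:01 host1 adclient[1201]: INFO AUDIT_TRAIL centrifyEventID=18200 user=alice
Mar 10 09:12:05 host1 cdash[1310]: INFO AUDIT_TRAIL centrifyEventID=18200 user=bob
Mar 10 09:13:07 host1 sshd[1400]: Accepted publickey for carol from 10.0.0.5
Mar 10 09:14:09 host1 adclient[1201]: INFO AUDIT_TRAIL centrifyEventID=99999 user=dave
"""

# Event ID documented on this page. Other IDs come from AuditTrailEvents.xml,
# which ships with the product; this table is deliberately limited to what the
# page states. 99999 in the sample above is a placeholder, not a real ID.
KNOWN_EVENTS = {18200: "login successful"}

_EVENT_ID_RE = re.compile(r"\bcentrifyEventID=(\d+)\b")
_USER_RE = re.compile(r"\buser=(\S+)")


def parse_audit_trail(text):
    """Return (event_id, user) for every line that carries a centrifyEventID field.

    Lines without the field (ordinary sshd/syslog noise) are skipped, so the
    parser can be pointed at a whole syslog file rather than a pre-filtered one.
    """
    events = []
    for line in text.splitlines():
        m = _EVENT_ID_RE.search(line)
        if not m:
            continue  # not a Centrify audit trail line
        u = _USER_RE.search(line)
        events.append((int(m.group(1)), u.group(1) if u else None))
    return events


def summarize(events):
    """Count events per ID, naming the IDs this page documents."""
    counts = Counter(eid for eid, _ in events)
    return {KNOWN_EVENTS.get(eid, f"unknown event {eid}"): n for eid, n in counts.items()}


if __name__ == "__main__":
    evs = parse_audit_trail(SAMPLE_SYSLOG)
    for eid, user in evs:
        print(f"{eid} ({KNOWN_EVENTS.get(eid, 'see AuditTrailEvents.xml')}) user={user}")
    print(summarize(evs))
```

Feeding the parsed tuples to a SIEM rule (for example, alerting on an unexpected ID or on a login event for an account that should never log in interactively) is where the AuditTrailEvents.xml lookup replaces the one-entry table used here.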


2.3.2       Collector

o    A new group policy, “Centrify DirectAudit Setting\Collector Setting\Do not audit output of specified UNIX commands”, is added. When a command is detected, it is checked (using exact match) against the command list specified by the group policy. If it matches, the command's output is not saved to the AuditStore database. (Ref: 73763)

o    By default, a command captured by a collector does not contain the command prompt. This release adds a new option to include the command prompt as part of the command in the Indexed Command List. This feature is enabled by:

o    Setting the registry value of \\HKLM\Software\Centrify\DirectAudit\Collector\StripCommandPrompt (DWORD value, default 1) to 0 in all collectors; AND

o    Enabling stdin capturing in the DirectAudit Unix agent; or, when stdin capturing in the DirectAudit Unix agent is disabled, setting the registry value of \\HKLM\Software\Centrify\DirectAudit\Collector\SkipRecognizeCommandByPrompt (DWORD value, default 0) to 0. (Ref: 73818)

o    The default maximum SQL Server connection pool size for the collector has been increased from the previous value of 300 to 1000. The new setting allows the collector to serve more concurrent agents at a time without exhausting the connection pool. (Ref: 76410)

o    In the Collector Configuration Wizard, a new wizard page is added to configure the maximum SQL connection pool size. The configured value is displayed in the Diagnostics output in the Collector Control Panel. (Ref: 67502, 64276)


2.3.3       Audit Analyzer and Session Player

o    Active Directory security group(s) can be used as session/AuditEvent/Report filtering criteria in queries and it can be specified as part of audit role definition.  This audit role definition can be assigned to other users/groups, so that the users of this audit role can only see the sessions/AuditEvents/Reports generated for users of the AD security group(s). This feature requires an instance of the audit management server that is configured and running in the DirectAudit Installation. (Ref: 54415)

o    A new feature has been added in Audit Analyzer and the DirectAudit PowerShell module to allow querying sessions by Session ID (GUID string format) and Client Name. You can also specify the Session ID and client name as part of the AQL query in FindSessions.exe. (Ref: 65952, 70351)

o    From Suite 2015 onward, the Audit Analyzer session result pane has a new column named "Display Name". For Unix session, it displays the GECOS field if it's available; otherwise, it displays the samAccountName of AD user, or Unix name of the Unix local user. For Windows session, it shows the AD display name (if available) or the samAccountName of the audited user. (Ref: 72644)


2.3.4       Audit Manager

o    In Suite 2015, a DirectAudit administrator can enable policies that prevent any users from reviewing or deleting their own sessions. If you enable the policy to prevent users from reviewing their own sessions, users cannot update the review status of, or comment on, their own sessions regardless of the rights granted to their audit role. Similarly, if you enable the policy to prevent users from deleting their own sessions, users cannot delete their own sessions regardless of the rights granted to their audit role. Both new policies are disabled by default, which is the same behavior as in previous versions of DirectAudit. The policies can be changed by editing the DirectAudit Installation properties using Audit Manager. (Ref: 72646)

o    VNC Viewer is not packaged with Audit Manager. Users have to obtain VNC Viewer from RealVNC and install it. Audit Manager tries to locate VNC Viewer on the local machine in the default deployment folder; if it is not found, Audit Manager asks the user to provide its path and uses that location thereafter. (Ref: 73312)


2.3.5       Centrify UNIX Agent for Audit

o    In DirectAudit 3.1.1, the default value of the configuration parameter dash.allinvoked was changed to true. However, this may lead to unintended capture of data transfer traffic over ssh connections (e.g., scp, rsync). The default value of dash.allinvoked is changed to false in Suite 2014.1, as it applies only to command auditing. (Ref: 65470)

o    Some sensitive output data in an audited session may not be suitable for viewing by an auditor. DirectAudit allows an administrator to specify patterns for such data to be masked. If a pattern is matched, the data is shown as '*' instead of plain text in the Session Player, and the data is not searchable. The logged-in user can still see the sensitive data in the terminal session. The patterns can be specified using the parameters dash.obfuscate.regex (regular expressions) and dash.obfuscate.pattern (character patterns). (Ref: 60021)

o    A watchdog process, cdawatch, is now implemented to monitor the DirectAudit daemon (dad) and ensure that it is running at all times unless it is stopped by the system administrator. With this change, the Centrify Audit Shell (cdash) no longer restarts dad automatically. Also, dad no longer needs to be a setuid program. (Ref: 61644, 69729, 72035)

o    A universal script, /usr/share/centrifydc/bin/centrifyda, is available to control the start and stop of DirectAudit daemon (dad). The script supports different variations of system service control in different Unix/Linux platforms. The use of dastop to stop the DirectAudit daemon is discouraged. (Ref: 72292)

o    There are several enhancements in the area of DirectAudit UNIX login and audit level control:

o    The DirectAudit NSS/LAM module now supports the user.ignore list, as the DirectControl NSS/LAM module does. Notes about this parameter:

§  The default value is file:/etc/centrifydc/user.ignore, which is the same default value as the DirectControl parameter nss.user.ignore. Centrify recommends that customers use the same list for both DirectControl and DirectAudit.

§  This parameter specifies the local users who must be able to log in at all times, even when the DirectAudit daemon is not running.

§  The default audit level for users in this list is “audit_if_possible”. The administrator can specify the audit level of users in this list using nss.user.override.userlist, either individually in the list or via nss.user.override.auditlevel, which specifies the default audit level for all users in nss.user.override.userlist. DO NOT set the audit level of users in the user.ignore list to “audit required”, as such users may not be able to log in when the DirectAudit or DirectControl agent is not running.

§  When a user in this list logs in and the audit level is “audit_not_requested/required”, the “login successful” audit trail event (centrifyEventID 18200) is not generated.

o    Starting from Suite 2014.1, a new parameter, nss.user.override.userlist, explicitly specifies the audit level for users in the following situations:

§  Non-hierarchical zone users who have an audit level different from that specified in the configuration parameter nss.alt.zone.auditlevel (default: audit_if_possible)

§  Users in the user.ignore list whose audit level needs to be “audit_not_requested/required”

DO NOT set the audit level of users in this list to “audit required”, because “audit required” is not supported in non-hierarchical zone, or it contradicts the intent of the user.ignore list.

(Ref: 70150, 60160, 70129)
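The rules above (user.ignore, nss.user.override.userlist, nss.user.override.auditlevel, nss.alt.zone.auditlevel, nss.user.conflict.auditlevel and the nss.nologin.shell list from section 2.2.5) interact, and the notes warn twice about the one combination that locks users out. The added example below, which is not Centrify code, is a configuration checker that resolves the effective audit level for a user under those rules and flags "audit_required" entries that conflict with user.ignore or with a non-hierarchical zone. The page does not give the file format of nss.user.override.userlist, so "name" or "name:level" per line is an assumption; the precedence order used (explicit override entry, then user.ignore handling, then the alternate-zone default) is also an assumption, and all user names and lists are constructed.

```python
# Constructed configuration (not a real deployment). The per-user format
# "name" or "name:level" for nss.user.override.userlist is an assumption.
USER_IGNORE = {"root", "backup", "svc_monitor"}          # file:/etc/centrifydc/user.ignore
OVERRIDE_USERLIST = """\
alice:audit_required
backup:audit_not_requested
carol
svc_monitor:audit_required
"""
OVERRIDE_AUDITLEVEL = "audit_if_possible"   # nss.user.override.auditlevel (list default)
ALT_ZONE_AUDITLEVEL = "audit_if_possible"   # nss.alt.zone.auditlevel (default per page)
CONFLICT_AUDITLEVEL = "audit_if_possible"   # nss.user.conflict.auditlevel (default per page)
NOLOGIN_SHELLS = {"/sbin/nologin", "/bin/false"}  # nss.nologin.shell defaults (section 2.2.5)

VALID_LEVELS = {"audit_if_possible", "audit_not_requested", "audit_required", "no_audit"}


def parse_override_list(text, default_level):
    """Parse nss.user.override.userlist into {user: level} (format is assumed)."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, level = line.partition(":")
        level = level.strip() if sep else default_level
        if level not in VALID_LEVELS:
            raise ValueError(f"invalid audit level {level!r} for user {name!r}")
        entries[name.strip()] = level
    return entries


def effective_audit_level(user, shell, hierarchical_zone, ignore, overrides):
    """Resolve the audit level the NSS module would apply to one user.

    Precedence is an assumption for this example: nologin shell, then an explicit
    override entry, then user.ignore handling, then the alternate-zone default.
    Returns None for hierarchical-zone users, whose level comes from the zone/role
    configuration that this page does not describe.
    """
    if shell in NOLOGIN_SHELLS:
        return "no_audit"          # user cannot log in, so is never audited
    if user in overrides:
        return overrides[user]
    if user in ignore:
        return CONFLICT_AUDITLEVEL
    if not hierarchical_zone:
        return ALT_ZONE_AUDITLEVEL
    return None


def check_override_list(overrides, ignore, non_hierarchical_users=frozenset()):
    """Return (user, reason) for override entries the release notes say not to make."""
    problems = []
    for user, level in overrides.items():
        if level != "audit_required":
            continue
        if user in ignore:
            problems.append((user, "audit_required for a user.ignore user: may be unable "
                                   "to log in when the DirectAudit/DirectControl agent is down"))
        elif user in non_hierarchical_users:
            problems.append((user, "audit_required is not supported in a non-hierarchical zone"))
    return problems


if __name__ == "__main__":
    overrides = parse_override_list(OVERRIDE_USERLIST, OVERRIDE_AUDITLEVEL)
    for user, reason in check_override_list(overrides, USER_IGNORE, {"alice"}):
        print(f"WARNING {user}: {reason}")
    print("root ->", effective_audit_level("root", "/bin/bash", True, USER_IGNORE, overrides))
```

Run as a pre-deployment check, the warnings are exactly the two "DO NOT" cases in the notes; the March 2016 update (section 2.1) makes "audit_required" legal for local users in the override list, which is why the checker only complains when such a user is also in user.ignore.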

o    The Audit Trail feature has been enhanced with the following:

o    For command level auditing, an audit trail event is generated when an audited command is executed. This allows you to use SIEM monitoring tools to trigger review of the associated DirectAudit sessions. Collectors from previous releases do not save this audit trail event to the Audit Store database. To guarantee that this event is not missed in the Audit Store database, all collectors must be at or above version 3.2.2. (Ref: 73015)

o    dainfo has a new argument, --config (-c). 'dainfo -c' prints the parsed contents of the DirectAudit configuration file (/etc/centrifyda/centrifyda.conf). (Ref: 60502)

o    A set of new parameters is introduced in centrifyda.conf to support the new features:

o    dash.obfuscate.regex - This parameter specifies, as regular expressions, the obfuscation patterns the DirectAudit Unix agent uses to detect output data for masking. Each regular expression should be enclosed by ‘/’ characters, for example, /[A-Z][0-9]{6}\\([0-9A-Z]\\)/. You may specify more than one pattern by separating multiple patterns with the space character (‘ ‘). The default is none. See centrifyda.conf for more details. (Ref: 60021, 73276)

o    dash.obfuscate.pattern – This parameter specifies, as pattern strings, the obfuscation patterns the DirectAudit Unix agent uses to detect output data for masking. Each pattern should be enclosed by ‘/’ characters, for example, /nnnn-nnnn-nnnn-nnnn/. You may specify more than one pattern by separating multiple patterns with the space character (‘ ‘). The default is none. See centrifyda.conf for more details. (Ref: 60021, 73276)

o    dash.shell.env.var.set – This parameter specifies whether cdash should set the SHELL environment variable to the actual user shell. If false, the SHELL environment variable is set to the audited shell. The default is true. (Ref: 75540)

o    nss.user.conflict.auditlevel – This parameter is used to override a user's audit level when the user is listed in user.ignore. If you need to ensure that users in the user.ignore list always get their native login shell upon login and are not audited, set this parameter to ‘no_audit’. The default is "audit_if_possible". (Ref: 60160, 70027)

o    spool.diskspace.softlimit – DirectAudit keeps audit data locally. If a system is running out of disk space (by default, less than 10% free, controlled by the parameter spool.diskspace.min), the audit service is affected. A soft limit is introduced: when a system's free disk space falls below a certain percentage, DirectAudit gives a warning, but the audit service is not affected. This parameter, spool.diskspace.softlimit, specifies the minimum percentage of available disk space on the partition containing the spool file below which disk space warnings are written to the log. Auditing continues even if available disk space falls below this level, until the space falls below spool.diskspace.min. Hence, the value must be larger than or equal to the value of spool.diskspace.min. The default is 12%. (Ref: 58197)

For details, please refer to the Configuration and Tuning Reference Guide.
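The following Python script is an added example and is not part of DirectAudit or these release notes. It shows how the two obfuscation parameters and the two spool thresholds above fit together: it parses a constructed centrifyda.conf fragment, rejects pattern items that are not enclosed by ‘/’, compiles both parameter values into regular expressions and masks matches in a sample of captured output, and classifies a free-space percentage against spool.diskspace.softlimit and spool.diskspace.min. Three things are assumptions of the example rather than documented behaviour: that in a pattern string the letter n stands for one digit and every other character is literal, that a backslash in a regex value is written doubled (as in the example above) and unescaped on load, and that masked values are replaced by asterisks of the same length. The /AKIA.../ regex and the sample output line are constructed for the example.

```python
import re

# Constructed centrifyda.conf fragment used only by this example; the values
# are illustrative, not a configuration shipped with DirectAudit.
# Assumption: a literal backslash inside a regex value is written doubled.
SAMPLE_CONF = r"""
# spool thresholds are percentages of free space on the spool partition
spool.diskspace.min: 10
spool.diskspace.softlimit: 12
# one or more /.../-enclosed patterns, separated by spaces
dash.obfuscate.regex: /[A-Z][0-9]{6}\\([0-9A-Z]\\)/ /AKIA[0-9A-Z]{16}/
dash.obfuscate.pattern: /nnnn-nnnn-nnnn-nnnn/ /nnn-nn-nnnn/
"""


def parse_conf(text):
    """Parse 'name: value' lines; blank lines and # comments are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        conf[name.strip()] = value.strip()
    return conf


def split_patterns(value):
    """Split a space-separated list of /.../ items, rejecting unenclosed ones."""
    items = []
    for item in value.split():
        if len(item) < 2 or item[0] != "/" or item[-1] != "/":
            raise ValueError("pattern must be enclosed by '/': %r" % item)
        items.append(item[1:-1])
    return items


def pattern_string_to_regex(pattern):
    """Assumption for this example: 'n' stands for one digit and every other
    character of a dash.obfuscate.pattern item is matched literally."""
    return "".join("[0-9]" if ch == "n" else re.escape(ch) for ch in pattern)


def load_masks(conf):
    """Compile both obfuscation parameters into one list of regexes."""
    regexes = []
    for raw in split_patterns(conf.get("dash.obfuscate.regex", "")):
        # undo the doubled backslashes of the conf syntax (assumed)
        regexes.append(re.compile(raw.replace("\\\\", "\\")))
    for raw in split_patterns(conf.get("dash.obfuscate.pattern", "")):
        regexes.append(re.compile(pattern_string_to_regex(raw)))
    return regexes


def mask_output(text, regexes):
    """Replace every match with asterisks of the same length so the replayed
    session keeps its layout but not the sensitive value (assumed format)."""
    for rx in regexes:
        text = rx.sub(lambda m: "*" * len(m.group(0)), text)
    return text


def diskspace_state(free_percent, conf):
    """Return 'ok', 'warning' (below the soft limit, auditing continues) or
    'audit_stopped' (below spool.diskspace.min)."""
    hard = float(conf.get("spool.diskspace.min", 10))
    soft = float(conf.get("spool.diskspace.softlimit", 12))
    if soft < hard:
        raise ValueError("spool.diskspace.softlimit must be >= spool.diskspace.min")
    if free_percent < hard:
        return "audit_stopped"
    if free_percent < soft:
        return "warning"
    return "ok"


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    # Constructed terminal output containing the kinds of values the
    # patterns above are meant to catch.
    captured = ("card 4111-1111-1111-1111 ssn 123-45-6789 "
                "ref A123456(Z) key AKIAABCDEFGHIJKLMNOP")
    print(mask_output(captured, load_masks(conf)))
    for pct in (15, 11, 9):
        print(pct, diskspace_state(pct, conf))
```

Running the script masks all four values in the sample line and prints ok, warning and audit_stopped for 15%, 11% and 9% free space respectively; a configuration whose soft limit is below spool.diskspace.min is rejected before any state is reported.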

 

2.3.6       FindSessions Tool

o    A command line option, /suppresswarnings (/sw), is added to FindSessions.exe to suppress warning messages. (Ref: 63790)

2.3.7       Supported Platforms

o    Centrify UNIX Agent for DirectAudit adds support for the following operating systems (Ref: 72653, 73602):

o    CentOS 5.11, 6.6 (x86, x86_64)

o    Debian Linux 7.7 (x86, x86_64)

o    Fedora 21 (x86, x86_64)

o    Linux Mint 17.1 (x86, x86_64)

o    OpenSUSE 13.1, 13.2 (x86, x86_64)

o    Oracle Linux 5.11, 6.6 (x86, x86_64)

o    Oracle Linux 7.0 (x86_64)

o    Oracle Solaris 11.2 (x86_64, SPARC 64-bit)

o    Red Hat Enterprise Linux Server 5.11, 6.6 (x86, x86_64)

o    Red Hat Enterprise Linux Desktop 5.11, 6.6 (x86, x86_64)

o    Scientific Linux 5.11, 6.6 (x86, x86_64)

o    Scientific Linux 7.0 (x86_64)

o    Ubuntu Desktop 14.10 (x86, x86_64)

o    Ubuntu Server 14.10 (x86, x86_64)

o    SUSE Enterprise Linux 12 (x86_64)

o    Support will be discontinued soon (the next release will be the last release with support) for the following operating systems (Ref: 73750):

o    Fedora 19 (32-bit and 64-bit)

o    Oracle Enterprise Linux 4.x (32-bit and 64-bit)

o    OpenSUSE 12.1, 12.2, 12.3 (32-bit and 64-bit)

o    HP-UX 11.11, 11.23 PA-RISC (Normal and Trusted modes)

o    HP-UX 11.23 Itanium (Normal and Trusted modes)

o    Oracle Solaris 8 SPARC

o    Centrify DirectAudit will no longer support the following platforms starting with the next release (Ref: 56644, 61795, 64457, 68948, 71092, 73138):

o    AIX 5.3 (32-bit and 64-bit)

o    Linux Mint 15, 16 (32-bit and 64-bit)

o    Ubuntu Desktop 10.04 LTS (32-bit and 64-bit) - Estimated vendor EOL: 2015-04-30

o    Ubuntu Server 10.04 LTS (32-bit and 64-bit) - Estimated vendor EOL: 2015-04-30

o    Ubuntu Desktop 13.04, 13.10 (32-bit and 64-bit)

o    Ubuntu Server 13.04, 13.10 (32-bit and 64-bit)

o    Windows 2003 (32 and 64 bit), Windows 2003R2 (32 and 64 bit) – Estimated vendor EOL: 2015-07-14

o    The following operating systems are no longer supported (Ref: 56643, 61010, 66423, 69921):

o    CentOS Linux 4.4, 4.5, 4.6, 4.7, 4.8, 4.9 (32-bit and 64-bit x86)

o    Debian Linux 5 (32-bit and 64-bit x86)

o    Fedora 14, 15, 16, 17, 18 (32-bit and 64-bit)

o    Linux Mint Debian Edition 201204 (32-bit and 64-bit x86)

o    Linux Mint 12, 14 (32-bit and 64-bit x86)

o    OpenSUSE 11.0, 11.1, 11.2, 11.3, 11.4 (32-bit and 64-bit x86)

o    Red Hat Enterprise Linux 3 (32-bit and 64-bit x86)

o    Scientific Linux 4.4, 4.5, 4.6, 4.7, 4.8, 4.9 (32-bit and 64-bit x86)

o    SUSE Enterprise Linux 8.0 (32-bit x86)

o    SUSE Enterprise Linux 9.0, 9.1, 9.2, 9.3 (32-bit and 64-bit x86)

o    Ubuntu 10.10, 11.04, 11.10, 12.10 (32-bit and 64-bit x86, desktop and server)

o    VMware ESX 3.5 (32-bit)

o    VMware ESX 4.0, 4.1 (64-bit)

o    Windows XP (32 and 64 bit)

o    Please refer to http://www.centrify.com/products/all-supported-platforms.asp for the complete list of supported platforms.

2.4    Feature Changes in DirectAudit 3.2.1

o    Added a new parameter, lang_setting, to the DirectAudit configuration file, centrifyda.conf, to support the Latin-1 code set (Spanish). This parameter specifies which codepage users are using. Available options are ISO8859-1 and UTF8; the default is UTF8. The corresponding group policy, Centrify DirectAudit Settings->UNIX Agent Settings->DirectAudit Daemon Settings->Set codepage of audit client, is also added. (Ref: 64585)

o    Users can now find sessions by command and time. To support this feature, two new search criteria, Unix Command Time and Unix Command Name, are added to the Edit Criteria page of the Query dialog in Audit Analyzer. Similarly, two new AQL predicates, inputcommand and inputcommandtime, are added to the findsessions.exe tool. (Ref: 63333, 65348)

o    A set of new parameters is introduced in centrifyda.conf for managing users’ audit levels:

o    nss.user.override.userlist (which deprecates user.ignore) - This parameter specifies the list of users whose profile and audit level are overridden in the DirectAudit NSS module (i.e., DirectAudit does not contact AD to get the user profile and audit level information for them).

o    nss.user.override.auditlevel (which deprecates user.ignore.audit.level) - This parameter specifies the default audit level for the user(s) listed in nss.user.override.userlist. The default is use_sysrights.

o    nss.alt.zone.auditlevel – This parameter specifies the default audit level for all other users in non-hierarchical zones.

By combining the above parameters, you can deploy audit scenarios that were not possible before, for example, auditing only a small group of users in a classic zone while all other users are not audited by default.

Please avoid using user.ignore and/or user.ignore.audit.level, as they are deprecated. They continue to be honored for backward compatibility in existing deployments.

For details, please refer to the documentation. (Ref: 58753)
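The following Python model is an added example, not code from DirectAudit, showing how the parameters above (together with nss.user.conflict.auditlevel from 2.3.5) combine into one effective audit level and, from that, the login shell the NSS module hands back (the native shell for no_audit, /bin/centrifyda otherwise). The precedence order, the fallback to use_sysrights when nss.alt.zone.auditlevel is unset, and the sysrights_level argument standing in for the audit level obtained from the user's role in AD are assumptions of this example; the configuration values for the classic-zone scenario and the legacy user.ignore case are constructed.

```python
# Added example (not DirectAudit code): a model of how the nss.* parameters
# combine into one effective audit level for a login. The precedence order,
# the assumed default for nss.alt.zone.auditlevel and the way use_sysrights
# is resolved are this example's assumptions; the Configuration and Tuning
# Reference Guide is authoritative.

AUDIT_LEVELS = ("no_audit", "audit_if_possible", "audit_required", "use_sysrights")


def _user_list(conf, name):
    """centrifyda.conf user lists are comma and/or space separated."""
    return set(conf.get(name, "").replace(",", " ").split())


def effective_audit_level(user, conf, hierarchical_zone, sysrights_level="audit_if_possible"):
    """Resolve the audit level the NSS module would apply to `user`.

    sysrights_level stands in for the level that use_sysrights would obtain
    from the user's role assignment in AD (an assumption of this example).
    """
    if user in _user_list(conf, "nss.user.override.userlist"):
        level = conf.get("nss.user.override.auditlevel", "use_sysrights")
    elif user in _user_list(conf, "user.ignore"):  # deprecated, still honored
        level = conf.get("nss.user.conflict.auditlevel", "audit_if_possible")
    elif not hierarchical_zone:
        # assumed default: fall back to sysrights like any other user
        level = conf.get("nss.alt.zone.auditlevel", "use_sysrights")
    else:
        level = "use_sysrights"
    if level not in AUDIT_LEVELS:
        raise ValueError("unknown audit level %r" % level)
    return sysrights_level if level == "use_sysrights" else level


def login_shell(user, native_shell, conf, hierarchical_zone, sysrights_level="audit_if_possible"):
    """Users resolved to no_audit keep their native shell; everyone else is
    handed the audited shell, /bin/centrifyda (cdash)."""
    level = effective_audit_level(user, conf, hierarchical_zone, sysrights_level)
    return native_shell if level == "no_audit" else "/bin/centrifyda"


# Constructed configuration for the classic-zone scenario described above:
# only alice and bob are audited, every other user is not audited by default.
CLASSIC_ZONE_CONF = {
    "nss.user.override.userlist": "alice, bob",
    "nss.user.override.auditlevel": "audit_required",
    "nss.alt.zone.auditlevel": "no_audit",
}

# Constructed legacy configuration still using the deprecated user.ignore.
LEGACY_CONF = {
    "user.ignore": "backupsvc",
    "nss.user.conflict.auditlevel": "no_audit",
}

if __name__ == "__main__":
    for user in ("alice", "carol"):
        print(user,
              effective_audit_level(user, CLASSIC_ZONE_CONF, hierarchical_zone=False),
              login_shell(user, "/bin/bash", CLASSIC_ZONE_CONF, hierarchical_zone=False))
```

With the classic-zone configuration, alice resolves to audit_required and is handed /bin/centrifyda, while carol resolves to no_audit and keeps /bin/bash; the same carol in a hierarchical zone falls back to whatever her role's sysrights say.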

o    In DirectAudit 3.1.1, the default value of the configuration parameter dash.allinvoked was changed to true. However, this can lead to unintended capture of data transfer traffic over SSH connections (e.g., scp, rsync). In Suite 2014.1 the default value of dash.allinvoked is changed back to false, as the parameter applies only to command auditing. (Ref: 65470)

o    Windows Server Core support is added in this release on the following platforms:

o    Windows 2008 R2 Server Core

o    Windows 2012 Server Core

o    Windows 2012 Minimal Server Interface

o    Windows 2012 R2 Server Core

o    Windows 2012 R2 Minimal Server Interface

Note: Due to the reduced feature set of Windows Server Core, certain functions, such as Centrify shortcut menus, are not supported. (Ref: 33467)

o    Centrify UNIX Agent for DirectAudit now supports the following operating systems:

o    CentOS Linux 7 (64-bit)

o    Debian Linux 7.5, 7.6 (32-bit and 64-bit)

o    Linux Mint 17 (32-bit and 64-bit)

o    Linux Mint Debian Edition 201403 (32-bit and 64-bit)

o    Red Hat Enterprise Linux 7 (64-bit)

o    Ubuntu Desktop 14.04LTS (32-bit and 64-bit)

o    Ubuntu Server 14.04LTS (32-bit and 64-bit)

o    Centrify DirectAudit will no longer support the following platforms starting with the next release:

o    CentOS Linux 4.4, 4.5, 4.6, 4.7, 4.8, 4.9 (32-bit and 64-bit x86)

o    Debian Linux 5 (32-bit and 64-bit x86)

o    Fedora 14, 15, 16, 17, 18 (32-bit and 64-bit)

o    Linux Mint Debian Edition 201204 (32-bit and 64-bit x86)

o    Linux Mint 12, 14 (32-bit and 64-bit x86)

o    OpenSUSE 11.0, 11.1, 11.2, 11.3, 11.4 (32-bit and 64-bit x86)

o    Red Hat Enterprise Linux 3 (32-bit and 64-bit x86)

o    Scientific Linux 4.4, 4.5, 4.6, 4.7, 4.8, 4.9 (32-bit and 64-bit x86)

o    SUSE Enterprise Linux 8.0 (32-bit x86)

o    SUSE Enterprise Linux 9.0, 9.1, 9.2, 9.3 (32-bit and 64-bit x86)

o    VMware ESX 3.5 (32-bit)

o    VMware ESX 4.0, 4.1 (64-bit)

o    Ubuntu 10.10, 11.04, 11.10, 12.10 (32-bit and 64-bit x86, desktop and server)

o    Windows XP

o    Support will be discontinued soon (the next release will be the last release with support) for the following operating systems (Ref: 56208, 56644, 61795, 68948):

o    AIX 5.3 (32-bit and 64-bit)

o    Linux Mint 15, 16 (32-bit and 64-bit)

o    Ubuntu Desktop 13.04, 13.10 (32-bit and 64-bit)

o    Ubuntu Server 13.04, 13.10 (32-bit and 64-bit)

o    Please refer to http://www.centrify.com/products/all-supported-platforms.asp for the complete list of supported platforms.

2.5    Feature Changes in DirectAudit 3.2.0

o    A number of group policies for DirectAudit are added, covering the DirectAudit shell, the DirectAudit daemon and other DirectAudit UNIX agent settings. (Ref: 8146)

o    The applied Group Policy settings recorded in /var/centrifydc/reg/machine/gp.report are now included in the output of "dainfo -t". (Ref: 55939)

o    dainfo is updated to include the following information (Ref: 54779, 56594):

1.  Offline store size of the audit trail

2.  Despool rate of the audit trail

3.  Online status of the audit trail channel

·         For file transfer commands such as rsync, sftp and scp, which run over an SSH connection, DirectAudit used to record all the binary data sent to and from the server unnecessarily. From Suite 2014, you can specify which SSH commands to skip auditing by setting dash.ssh.command.skiplist in centrifyda.conf. By default, the SSH commands rsync, sftp and scp are skipped. (Ref: 56166)

·         DirectAudit periodically monitors and repairs the NSS/LAM configuration files (/etc/nsswitch.conf for NSS; /etc/security/user and /usr/lib/security/methods.cfg for LAM). The default monitoring interval is increased from 60 seconds to one hour to reduce system load. If other software modifies these configuration files (e.g., adjoin/adleave), the NSS/LAM configuration files are not repaired until the next monitoring interval. Restarting DirectAudit sets up the configuration files correctly immediately. (Ref: 58288)

·         DirectAudit is enhanced to allow specified local users to log in or run an audited command when it encounters environment setup issues, such as failing to get a pty. The users are specified with dash.user.alwaysallowed.list in centrifyda.conf. Previously, only the root user was always allowed. (Ref: 55995) Note: the "rescue/always permit login" sysright, supported by both DirectControl and DirectAudit, is the better alternative going forward.

·         A new configuration parameter, cache.enable, is introduced in centrifyda.conf. It controls whether the dad process caches name service query results about users and groups. For details, please refer to the Configuration and Tuning Reference Guide. (Ref: 56258)

·         You can specify a regular expression to detect the command prompt. The custom regular expression is specified by adding a registry String Value named prompt under HKEY_LOCAL_MACHINE\SOFTWARE\Centrify\DirectAudit\Collector on each system where the Centrify DirectManage Audit Collector component is installed and running. If this registry value is absent, the default regular expression ^[^#%>\$]*[#%>\$]\s* is used to detect the command prompt. (Ref: 56654)
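As an added example (not Centrify code), the Python script below applies the default prompt regular expression to a constructed sample of recorded session lines and shows why a custom value may be needed: the default expression stops at the first #, %, > or $ character, so a directory name containing > splits the line in the wrong place, and an output line containing > is mistaken for a prompt. The custom expression is a hypothetical value for this example, anchored to the exact prompt shapes in use; note that it no longer recognizes the bare % prompt, so a custom value must cover every prompt shape on the audited hosts or those commands stop being detected.

```python
import re

# Default prompt-detection regular expression quoted in the release note; it
# applies when the "prompt" String Value under
# HKLM\SOFTWARE\Centrify\DirectAudit\Collector is absent. Python's re engine
# evaluates this expression the same way .NET does.
DEFAULT_PROMPT_REGEX = r"^[^#%>\$]*[#%>\$]\s*"

# Hypothetical custom value for hosts whose prompts are always either
# "[user@host dir]# " or "user@host:path$ " (an assumption for this example,
# not a Centrify default).
CUSTOM_PROMPT_REGEX = r"^(\[\S+@\S+ [^\]]*\]|\S+@\S+:\S*)[\$#]\s*"


def split_prompt(line, prompt_regex=DEFAULT_PROMPT_REGEX):
    """Return (prompt, command) for one line of captured terminal text.

    If the regex does not match at the start of the line, the line is
    treated as program output: empty prompt, whole line as text."""
    m = re.match(prompt_regex, line)
    if m is None:
        return "", line
    return line[:m.end()], line[m.end():]


def extract_commands(lines, prompt_regex=DEFAULT_PROMPT_REGEX):
    """Commands typed at a detected prompt, in order; output lines are skipped."""
    commands = []
    for line in lines:
        prompt, command = split_prompt(line, prompt_regex)
        if prompt:
            commands.append(command)
    return commands


# Constructed sample of a recorded session (not real audit data).
SAMPLE_SESSION = [
    "[root@db01 ~]# cat /etc/shadow",
    "alice@web01:~$ sudo -l",
    "% id",
    "alice@web01:/srv/a>b$ ls -la",       # directory name containing '>'
    "warning: 2 files > limit, see log",  # program output, not a prompt
]

if __name__ == "__main__":
    for rx in (DEFAULT_PROMPT_REGEX, CUSTOM_PROMPT_REGEX):
        print(rx)
        for line in SAMPLE_SESSION:
            print("   ", split_prompt(line, rx))
        print("    commands:", extract_commands(SAMPLE_SESSION, rx))
```

With the default expression the fourth line yields the command "b$ ls -la" and the output line yields a bogus command "limit, see log"; with the custom expression those two are handled correctly, at the cost of the "% id" line no longer being recognized as a prompt.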

·         FindSessions is updated to support querying sessions for multiple users and computers. For example, entering "user1; user2" in the User textbox returns the sessions of both user1 and user2; the Machine textbox works the same way. In no-UI mode, run FindSessions /u="user1;user2" to query the sessions of both users, or FindSessions /m="machine1; machine2" for both machines. (Ref: 55029)

·         New command line options, /role and /ticket, have been added to the FindSessions utility for exporting UNIX commands and UNIX input and output data. Please refer to FindSessions.pdf in the Audit Analyzer installation folder for details of the options. (Ref: 48483)

·         FindSessions now also shows the URL link when exporting the session list. Users can replay an audited session by passing the URL directly to daplayer.exe (the DirectAudit Session Player). (Ref: 53449)

·         From Suite 2014 onward, multiple users and/or computers can be specified as search criteria when searching for audit events. Specify the user names and/or computer names as a semicolon-separated list in the "Query Audit Events" dialog box. (Ref: 54984)

·         Centrify UNIX Agent for DirectAudit now supports the following operating systems:

-          Red Hat Enterprise Linux Server 5.10, 6.5 (32-bit and 64-bit)

-          Red Hat Enterprise Linux Desktop 5.10, 6.5 (32-bit and 64-bit)

-          CentOS 5.10, 6.5 (32-bit and 64-bit)

-          Oracle Linux 6.5 (32-bit and 64-bit)

-          Scientific Linux 5.10 (32-bit and 64-bit)

-          Fedora 20 (32-bit and 64-bit)

-          Debian Linux 7.2, 7.3 (32-bit and 64-bit)

-          Linux Mint 16 (32-bit and 64-bit)

-          Ubuntu Desktop 13.10 (32-bit and 64-bit)

-          Ubuntu Server 13.10 (32-bit and 64-bit)

·         Support will be discontinued soon (the next release will be the last release with support) for the following operating systems (Ref: 56640, 59381):

-          Red Hat Enterprise Linux 3 (32-bit and 64-bit x86)

-          CentOS Linux 4.4, 4.5, 4.6, 4.7, 4.8, 4.9 (32-bit and 64-bit x86)

-          Debian Linux 5, 6 (32-bit and 64-bit x86)

-          Fedora 14, 15, 16, 17, 18 (32-bit and 64-bit)

-          Ubuntu 10.10, 11.04, 11.10, 12.10 (32-bit and 64-bit x86, desktop and server)

-          Linux Mint Debian Edition 201204 (32-bit and 64-bit x86)

-          Linux Mint 12, 14 (32-bit and 64-bit x86)

-          OpenSUSE 11.0, 11.1, 11.2, 11.3, 11.4 (32-bit and 64-bit x86)

-          Scientific Linux 4.4, 4.5, 4.6, 4.7, 4.8, 4.9 (32-bit and 64-bit x86)

-          SUSE Enterprise Linux 8.0 (32-bit x86)

-          SUSE Enterprise Linux 9.0, 9.1, 9.2, 9.3 (32-bit and 64-bit x86)

-          VMware ESX 3.5 (32-bit)

-          VMware ESX 4.0, 4.1 (64-bit)

·         Centrify Windows Agent now supports the following platforms:

-          Windows 8.1 (32-bit and 64-bit)

-          Windows 2012 R2 (64-bit)

3.   Bugs Fixed

3.1    Bug Fixed in DirectAudit 3.2.3

3.1.1       General

·         Fixed a problem with the syntax of the "dash.obfuscate.*" parameters, introduced in DirectAudit 3.2.2, which could cause a problem during upgrade. The syntax is now correct, and existing values are converted to the new syntax during upgrade. Please note: when these parameters are set through the group policies “Defining information pattern in custom format to obfuscate sensitive information” and/or “Defining information pattern in regex format to obfuscate sensitive information”, an upgrade DOES NOT convert the values. Please change the values of these two group policies, or obfuscation will not take effect on DirectAudit 3.2.3 UNIX agents. (77348)

3.1.2       Windows Install / Upgrade / Uninstall

·         N/A

3.1.3       Collector

·         Fixed a problem where the collector configuration wizard always showed the computer account under the "Windows authentication" radio button, which is incorrect when the active Audit Store database is on the same machine as the collector. It now shows the Local System Account in that case. (75261)

3.1.4       Audit Analyzer and Session Player

·         The review status tab of the “session properties” page now shows the change history of the review status. Click on each review status change to see who changed the session review status, the timestamp of the change and any associated comment. Also, new session review comments no longer overwrite previous review comments. (74110)

·         Fixed a problem where the Audit Analyzer console would display an error when attempting to connect to a DirectAudit installation from a different forest when the current forest did not have DirectAudit installed. (76633)

·         The Audit Analyzer now shows the total number of resulting sessions at the bottom of the console window when the scope node on left side panel is selected. (76852)

·         Fixed a problem where the Audit Analyzer console could become unresponsive when an Audit Events query returned a very large number of events. The Audit Analyzer console now fetches only the first 65535 items of the search result, which is the display limit of the MMC console. If there are more than 65535 items, Audit Analyzer displays a message that there are more results. (77037)

·         Fixed a problem where exporting WMV video in excess of 2048x2048, such as when recording multiple monitors, would fail. The video is now trimmed to a maximum of 2048x2048 before saving it as a WMV file. (75163, 27003)

3.1.5       Audit Manager

 

·         When there are multiple audit stores in the same DirectAudit installation and a collector switches from one audit store to another, Audit Manager previously showed the same collector multiple times, which was confusing. It now shows the collector only under the currently associated audit store. (56214)

3.1.6       Centrify UNIX Agent for Audit

·         Fixed a problem where, if the collector configuration was changed (e.g., a new collector was added), the UNIX agent could take up to 4 hours to recognize the change unless the DirectAudit daemon was restarted. The dareload command now forces the DirectAudit daemon to pick up the new collector configuration. (79010)

·         Fixed an issue where a user with a nonexistent shell could momentarily log in to the system and receive a warning message. A user with a nonexistent shell can no longer log in to the system at all. (78560)

·         Fixed a problem where the contents of files were being captured in DirectAudit session logs. This problem is fixed in DirectAudit 3.2.2 and later. (68190)

·         "dacontrol -d" now removes "/bin/centrifyda" from /etc/shells and /etc/security/login.cfg on AIX. (75118)

·         In DirectAudit 3.2.2, unnecessary error and warning messages such as “Error encountered while opening audit database: DBQC is not open” and “Unable to move corrupt /var/centrifyda/spool-xxx out of the way: No such file or directory (error: 2)” could be logged. Most of them were due to incorrect error detection in the DirectAudit daemon; in reality, the spool files were in good condition. These issues are now fixed. (78073, 79304)

·         Fixed a problem where the DirectAudit daemon could fail to connect to a collector if there was no Active Directory site information. (79384)

·         Fixed a problem where restarting the syslog daemon could result in a system hang. (80107)

·         In prior releases, if an audited UNIX user displayed the contents of an arbitrary binary file in an interactive terminal session, the whole session could be replayed correctly, but commands executed after the binary file was displayed were not saved in the database and could not be searched. This is fixed in DirectAudit 3.2.3. All commands are now saved and can be searched. (78663)

·         Fixed a problem in the upgrade where, if a file reference was used as a parameter value and the file was not located in /etc/centrifyda, the parameter value could become empty after the upgrade. Note that this bug fix requires DirectControl 5.2.3 in Suite 2015.1. (77773)

·         The UNIX agent used to disconnect from the collector and remain disconnected for a short time when the Kerberos context expired. This issue is now fixed: the UNIX agent reconnects to a collector immediately when the Kerberos context expires. (79174)

·         In earlier versions of DirectAudit 3.x (prior to 3.2.3), if an application that calls getpwuid() and/or getpwnam() had more than 1024 open files and nscd/pwgrd was not running, the application could crash inside the getpwuid()/getpwnam() call. This issue is fixed. (80532)

3.1.7       Database

·         Improvements to performance and scalability.

3.1.8       Centrify Audit Module for PowerShell

·         Get-CdaAuditSession cmdlet can now return the Zone value of the UNIX session correctly even if the UNIX agent is joined to Auto zone or Null zone. (Ref: 79550)

3.2    Bug Fixed in DirectAudit 3.2.2

3.2.1       General

·         The logger service for the DirectAudit Windows components (agent, collector, etc.) now rotates logs larger than 100 MB, in addition to the existing daily log rotation. The log filename format now includes an extra index to accommodate this change, e.g. from DirectAudit_2014_9_15_3.2.2.107.log to DirectAudit_2014_9_15_000_3.2.2.107.log, DirectAudit_2014_9_15_001_3.2.2.107.log, etc. (Ref: 65726)

3.2.2       Windows Install / Upgrade / Uninstall

·         From Suite 2013 onward, the DirectAudit Easy Installer (setup.exe) automatically writes verbose installation and configuration logs to the logged-in user's temporary folder (%TEMP%). Logs are written to a text file named DirectManage_Audit_Setup_YYYY_MM_DD.log and can be used to troubleshoot errors encountered while running the Easy Installer Wizard, Configuration Wizard or Database Maintenance Wizard. (Ref: 27647)

·         From Suite 2015 onward, the DirectAudit component installers try to automatically install and enable Microsoft .NET 3.5 on Windows 8 and Windows Server 2012 platforms using the Deployment Image Servicing and Management (DISM) tool. In previous versions, the administrator needed to install and enable this feature manually before installing any DirectAudit component that relied on it. (Ref: 68246)

3.2.3       Collector

·         In previous releases, the Collector Control Panel message “Error: The ConnectionString property has not been initialized.” meant that no active database was attached to the Audit Store the collector is associated with. This release changes the message to “The Collector is not able to connect to Audit Store 'AuditStoreName': there is no active Audit Store database configured.” (Ref: 68158)

3.2.4       Audit Analyzer and Session Player

·         DirectAudit Session Player now remembers its previous screen location and size. (Ref: 62948)

·         In previous releases, audit sessions from UNIX systems joined to the NULL zone could not be replayed in the Session Player. This is fixed in this release. (Ref: 63368, 63946)

·         In the DirectAudit Audit Analyzer options dialog, after making changes in the “Log Settings” or “Player Settings” tab and switching to the “SMTP Configuration” tab, the error message “Please specify sender email address” was displayed if all the fields in that tab were blank. This unnecessary error message is removed. (Ref: 71650)

·         The session list has a new column, "Account," which displays UnixUser if it is available, or UserName otherwise. (Ref: 78372)

3.2.5       Audit Manager

·         In the result pane of the Audited Systems node of the Audit Manager MMC console, a text filtering control is added for each column so that you can select a subset of audited systems for display. The filter is case-insensitive and uses "contains" matching. For example, “w2k8x86-1.domain.test” and “W2K8X64-1.domain.test” both match “w2k8” entered in the filtering control. (Ref: 63080)

·         In previous releases, if an older version of the Audit Manager console was used to connect to a newer version of a DirectAudit installation, a popup was shown suggesting that an Audit Manager console upgrade is available. From Suite 2015 onward, users can select a checkbox on this popup to suppress the message in future. (Ref: 69334)

3.2.6       Centrify UNIX Agent for Audit

·         In previous releases, command auditing created a symbolic link to replace the command under audit. These symbolic links are not compatible with mkinitrd, which copies the actual executables. A new dacontrol option lets the administrator suspend all command auditing while running mkinitrd and resume it afterwards. (Ref: 57842)

·         In previous releases, the DirectAudit NSS/LAM module returned the Centrify DirectAudit shell (/bin/centrifyda) as the user’s shell even when the user was listed in dash.user.skiplist. This caused incompatibility issues with third-party software that behaves differently depending on the login shell. This bug is fixed in DirectAudit 3.2.2: users specified in dash.user.skiplist are not processed by the DirectAudit NSS/LAM module, so the original login shell is returned by getpwnam() and getpwuid(). (Ref: 70081, 70142)

·         In previous releases, the DirectAudit NSS/LAM module set the pw_shell field of the passwd struct to cdash (/bin/centrifyda) when processing getpwuid()/getpwnam() calls. This might not be desirable for some shell-name-dependent applications. In DirectAudit 3.2.2, the DirectAudit NSS/LAM module is enhanced to reply with a shell that has the same name as the user’s login shell, residing in a subdirectory. For example, if the user’s login shell is /bin/sh, the DirectAudit NSS module replies with /bin/cdax/sh. This helps DirectAudit integrate with those applications more seamlessly. dacontrol uses the file /etc/shells (and /etc/security/login.cfg) to determine the list of shells to enable for this feature. When you install a new shell, ensure that the shell is added to the files above and run ‘dacontrol -e’ again. Also make sure that the path name specified in the user profile (which is not necessarily where the file is located when a symlink is used) is added to the files. For example, if /bin/bash is specified in the user profile and it is a symbolic link to /opt/shareware/bin/bash, make sure that /bin/bash is added. (Ref: 56920, 60838)

·         In previous releases, if a user tried to ‘su’ to a local account that had no shell specified in /etc/passwd (usually a service account that does not allow direct login), the user received an error message and was left with the emergency shell. This has been fixed: such a user now continues with the default system shell. In addition, whether the su session for such a user is audited depends on whether the original session is audited, rather than on the audit level set for the user: the su session is audited only if the original session is audited. (Ref: 66910, 68076)

·         In previous releases, after a UNIX command was enabled for auditing, users without permission to execute that command were redirected to an emergency shell and saw a misleading error message that gave no hint about the permission being denied. This issue has been fixed since DirectAudit 3.2.1: a user without permission to execute the audited command sees a clear permission-denied error message and is not redirected to any other shell. (Ref: 52556)

·         For an Active Directory user whose UNIX login session is audited, the username of the session now uses the userPrincipalName instead of samAccountName@domain. (Ref: 64796, 68925)

·         In Suite 2014, the DirectAudit Installation configured by dacontrol was incorrectly saved in DirectControl's working directory, and hence was wiped out by the DirectControl agent after leaving a domain. This issue has been fixed by placing the Installation in DirectAudit's working directory. (Ref: 62759)

·         When “dainfo”, “dacontrol” or “dacontrol -q” was run and no command had been enabled for auditing, the utilities displayed the confusing message “DirectAudit is not configured to audit individual commands”. The message is changed to "DirectAudit is not configured for per command auditing.". (Ref: 69384)

·         Group policies specified using the DirectAudit ADM templates shipped with DirectAudit 3.1.1 or earlier use different locations than those shipped with DirectAudit UNIX Agent 3.2.0 and 3.2.1, and could not be used by DirectAudit Agent 3.2.0 and 3.2.1. The DirectAudit UNIX Agent now also looks for group policies in the DirectAudit 3.1.1 or earlier locations if it cannot find them in the new locations. (Ref: 75174)

·         In previous releases, you could enable NSS auditing in a sparse zone even though NSS auditing was disabled in the global zone on Solaris machines. Starting in Suite 2015, you must enable NSS auditing in the global zone before enabling it in a sparse zone. (Ref: 75464, 75950)

·         Fixed a file descriptor leak that occurred when an audit trail event was logged on Solaris machines. (Ref: 65106, 68204)

·         Fixed a memory leak in the DirectAudit LAM module on AIX when getting attributes for a user. (Ref: 72194, 73570)

·         Fixed an issue where the NSS module was displayed incorrectly on sparse/whole-root zones when DirectAudit was installed with NSS disabled on the global zone. (Ref: 76572)

3.2.7       Database

·         This release addresses a security vulnerability that may result in data leakage in the DirectAudit component of Server Suite Enterprise Edition. The security rating is low. If you are using a version prior to Suite 2015, apply the workaround described in KB-5070. The workaround is not needed with DirectAudit 3.2.2 or later. (Ref: 76167)

·         This release fixes a problem where, when the AuditStore database’s File Autogrowth setting was set to “Restricted File Growth”, the collector state changed to “AuditStore database is full” and the collector stopped accepting audit data before the AuditStore database file reached its size limit (even when there was enough space in the volume for the database file to grow). (Ref: 67264)

·         To upgrade DirectAudit databases, the user performing the upgrade must have either sysadmin rights on the database server or be a member of the db_owner database role on each database being upgraded. The user must also be granted the EXTERNAL_ACCESS_ASSEMBLY permission on the database server. In Suite 2014.1, this permission check was not enforced, which resulted in the Database Maintenance Wizard trying to create a database index twice and subsequently failing the database upgrade. This issue has been resolved. (Ref: 72097)

3.3    Bug Fixed in DirectAudit 3.2.1

·         Previously a non-interactive upgrade always disabled auditing (you would notice this line ‘DirectAudit NSS module: Inactive’ if you ran dainfo). This has been fixed by honoring the current auditing status when upgrading from Suite 2013 or later. Note: you may still override this behavior by explicitly setting the CLI option to –-enable-da/--disable-da. (Ref: 62547)

·         DirectAudit Windows Agent video capturing color depth used to be 16-bit. Now the default value has been changed to 8-bit to lower the disk space usage.  (Ref: 63466)

·         DirectAudit usually will not audit if (1) user preferred shell is executed in non-login scenario, and (2) an audited command is not executed in interactive login session. A defect that made DirectAudit audit in the above scenarios was introduced in DirectAudit 3.1.1. This issue has been fixed.  (Ref: 64521)

·         Cdash might generate a zombie process when a session was opened (login), or an ssh connection was used by rsync, sftp and scp. This issue has been fixed.  (Ref: 64025)

·         A problem regarding logging has been fixed. Previously DirectAudit would hijack the logging facility in the audited system affecting other programs, e.g. sendmail, through the NSS module. Now DirectAudit NSS module will write to syslog through DirectAudit daemon in order to preserve caller's syslog logging facility. Note: in case of communication failure with DirectAudit daemon, NSS module will still use caller's logging facility to do the logging. (Ref: 63241)

·         Previously if the local audit data spool file was corrupted, Agent would stop sending data to collector resulting in no session available to Audit Analyzer. We have now enhanced the logic to detect spool file corruption. In case a file corruption is detected, DirectAudit will backup the spool file to avoid data lost, and make a new spool file to hold new audit data. (Ref: 63568)

·         On rare occasions, the local audit data spool file could get into a state that prevented DirectAudit from despooling it. This problem has been fixed. (Ref: 62265)

·         There was a bug in the upgrade logic resulting in failure to preserve the list of values in a configuration parameter, e.g. 'dash.user.skiplist: user1, user2', but incorrectly treating it as a single value, e.g. 'dash.user.skiplist: "user1, user2"'. This bug has been fixed. (Ref: 64646)

·         Previously, when an environment had issues that prevented DirectAudit from working normally, the login process could be blocked too. Improvements have been made to ensure that login is not blocked whenever possible. (Ref: 62402)

·         When a Group was added to an Audit role, members in the Group were not provided the correct Audit Role permissions. This problem has been fixed. (Ref: 62615)

·         A memory leak problem in the collector has been fixed. When an audited *NIX session was accepted by collector, memory was allocated in collector for this session. When the session ended, the memory was not released properly unless the *NIX agent machine switched to another collector in the DA Installation, if any. This was severe especially when there was only one collector and there were lots of sessions, or there were more than one collector, but there were lots of short sessions within the collector switching interval (default 2 hours). (Ref: 64009)

·         Unix 8-bit Western European characters are now captured correctly by DirectAudit.  However, note that some shells do not support 8-bit characters in HPUX (e.g. /bin/csh, /bin/sh, /sbin/sh).  (Ref: 62287, 64585)

·         FindSessions.exe might return error “The query processor ran out of internal resources” if the result contained a large number of sessions.  This problem is now fixed.  (Ref: 62522)

·         The default auto-growth setting for newly created databases has been changed from 1MB to 256MB to reduce overhead. (Ref: 32208)

3.4    Bug Fixed in DirectAudit 3.2.0

·         When adding sites to an audit store, the sites are now sorted in ascending order by default. Users can change the sort order by clicking the column header. (Ref: 40977)

·         From Suite 2014 onward, if an audit event is associated with an audited user session, you can double click on the event in Audit Analyzer (Audit Events node) to replay the corresponding session.  (Ref: 49065)

·         Some session inputs were exported into one single record when using the FindSessions.exe option /export=UnixInputOutput. This issue is fixed except for one case: keystrokes entered in a cursor-based application such as “man” are still appended to the next command the user enters, because there are no CRLF characters in the input stream and the tool cannot determine where to start a new line. (Ref: 57457)

·         Fixed a problem on AIX systems where after enabling auditing with "dacontrol -e", Hardware Management Console (HMC) logons would not work until the system was rebooted. (Ref: 54553)

·         Fixed a problem where an entry in /etc/environment setting LIBPATH could interfere with being able to successfully start the DirectAudit daemon. (Ref: 55432)

·         Fixed a problem with patching the OS kernel while DA auditing is enabled which could cause the system to hang after rebooting or cause users logging in to receive an "emergency shell". (Ref: 21975, 24399)

·         Fixed the Audit Manager Help shortcut on the Windows Start menu. It was previously under "All Programs\Centrify Suite 2013\Audit\Documentation" and is now under "All Programs\Centrify Server Suite 2014\Audit". (Ref: 55851)

·         Fixed an upgrade issue in the Centrify Windows Agent installer. The Centrify Windows Agent uses a registry DWORD value named AuditTrailTargets to determine whether Audit Trail events go to the DirectAudit database, the Windows event log, or both. This registry value is now preserved when the Centrify Windows Agent is upgraded. (Ref: 58443)

4.   Known Issues

The following sections describe known issues, suggestions, and limitations associated with DirectAudit.

4.1    General

·         For more information on known issues with individual UNIX or Linux platforms, see the release notes included with each platform agent bundle.

·         For the most up-to-date list of known issues, refer to the knowledge base articles in the Centrify Support Portal.

·         From Suite 2014 onward, the user name in Audit Trail will be stored in UPN (user@domain) format. For domain users, the user name is stored in user@domain format; and for local users, the user name is stored in user@computer format. If you are upgrading to Suite 2014, the upgrade process will not automatically update the user information that already exists in the database. Auditors can continue to use the old formats (SHORT_DOMAIN_NAME\username or user@domain) to query Audit Trail events that were generated before the upgrade. (Ref: 54985a)

·         The characters (‘%’, ‘#’, ‘>’ and ‘$’) are used by DirectAudit to recognize UNIX commands. They should not be used in role names or as part of trouble tickets; otherwise they will be recognized as part of a UNIX command. (Ref: 51687a)

·         When the administrator configures DirectAudit to audit a specific command, DirectAudit moves the original command executable to a different location and replaces it with a symbolic link to the DirectAudit shell. It is possible for a user to find the new location of the executable and run that command directly to bypass auditing. DirectAudit also supports session auditing, where the complete login session is audited and users cannot bypass auditing of individual commands. Centrify recommends that customers use the session auditing feature.

·         For Solaris, please contact technical support if you disable session auditing in a global zone and want to disable session auditing in sparse zone(s) when using the same global zone during install. (Ref: 76572, 80616b)

·         For Solaris, please contact technical support if you are using sparse zone(s) and would like to do one of the following:

o    Change session auditing status from disabled to enabled during upgrade.

o    Enable session auditing in a global zone and want to disable session auditing in sparse zone(s) when using the same global zone.  (Ref: 76572, 80616b)

·         If you upgrade DirectControl without also upgrading DirectAudit, Centrify recommends rebooting the system. (Ref: 54644)

 

4.2    Windows Install / Upgrade / Uninstall

·         When upgrading DirectAudit in Windows, you should use the autorun program to perform the upgrade. The autorun program automatically upgrades other Centrify components such as Centrify Deployment Report. If you upgrade DirectAudit components individually using the Microsoft Installer (msi) and then attempt to use the autorun program to uninstall all components, autorun will only be able to uninstall the Centrify Deployment Report that was upgraded to the latest version. You can remove any remaining components manually using the Add/Remove Programs and Features Control Panel. (Ref: 46293a)

·         If you run setup.exe with all DirectAudit components selected for installation on a single computer, the operation is known as the “Easy Install.” Although this is the default for new installations, using the “Easy Install” option requires you to have local administrator privileges.

·         If you uninstall the Audit Collector component on a computer that is not joined to the domain, you will see the following messages during an uninstall operation:

The specified domain either does not exist or could not be contacted.

(Exception from HRESULT: 0x8007054B)

Despite the alert message, the Audit Collector is successfully uninstalled when you click OK.

·         In Suite 2013.3 (or previous versions), the DirectAudit installation process used to automatically generate a 30 day evaluation license key. This process has now been removed. If you are creating a new DirectAudit installation using Suite 2014 or later release, when prompted, you must type the evaluation license key that you have received from Centrify. If you are upgrading an existing DirectAudit installation with an evaluation license key to Suite 2014, the existing evaluation license key is still usable. (Ref: 52259a)

·         If collector is using SQL authentication to communicate with the Audit Store database and you upgrade the collector to DirectAudit 3.2.2 using MSI installer, the upgrade may remove the encrypted SQL credentials from the local registry and collector may stop functioning. To work around this issue, please use the EXE installer to perform the upgrade or run the Collector Configuration wizard immediately after the upgrade and re-enter the SQL credentials when prompted. (Ref: 76459)

4.3    Collector

·         In the Collector Configuration wizard, if the account credentials you give for the SQL Server do not match an existing account on the SQL Server, and you have the rights to create SQL Server accounts, the credentials you give will be used to automatically create a new SQL Server account.

4.4    Audit Analyzer and Session Player

·         If the active audit store database spans two SQL databases, the Audit Analyzer will show UNIX sessions as "Disconnected" until some data is received from those sessions. Once data has been received, the session state will change to “In Progress”.

·         If the session player window is blank when you are replaying a session, and you are using a 32-bit SQL Server instance, it is possible that the SQL Server has run out of memory. Allocating more memory to the SQL Server by using the -g384 switch on the SQL Server should resolve the issue. To add more memory:

-          Open the SQL Server configuration manager.

-          Stop the instance.

-          Add the parameter "-g384".

-          Start the instance.

-          Reopen the failing session on the session player and it should now play normally.

·         If an audited Windows session uses multiple monitors in extended mode in DirectAudit 3.2.2 or earlier, it cannot be exported as a WMV file. In DirectAudit 3.2.3, the session is trimmed to 2048x2048 pixels before it is saved and can be exported as a WMV file at 2048x2048 resolution. (Ref: 27003a, 75163)

·         When Windows agent machine’s system color depth is changed during an audited session, the playback of the session may not be displayed properly.  (Ref: 36818c)

·         Entering specific keywords in the “Application” Event list column will not filter based on the keywords as expected. For example, entering the search term "c" will locate the string "Windows Explorer". This is because application characteristics are stored in the database as a set of related attributes as follows: "Explorer.EXE | Microsoft® Windows® Operating System | Windows Explorer | Microsoft Corporation | 6.1.7600.16385" A match with any of the Windows Explorer attributes will yield “Windows Explorer".  This issue will be addressed in an upcoming release. (Ref: 39645b)

·         When specifying search criteria for a query in Audit Analyzer, in the “Unix Commands and Outputs” attribute, if you enter a string that includes a double-quote character, the query result is undefined. This is true for these criteria: “Contains any of,” “Does not contain,” and “Contains all of.” The workaround is not to use double-quote characters. (Ref: 46692a, 44813a)

·         If a DirectAudit Installation is configured not to capture video data, the parameters of UNIX commands are also not captured. Therefore, a query using "Parameters of Commands and Applications” as the criteria does not work under this configuration. This is a known issue and will be addressed in a future release. (Ref: 55741b)

·         If you open Audit Analyzer and right-click any child node of predefined queries such as "All, Grouped by User", "All, Grouped by Machine" or "All, Grouped by Audit Store" in the left pane, the context menu shows a menu item named "Properties". Clicking this item does not open any dialog box, because it is not a valid action for the selected child node. This menu item will be removed in a future release. (Ref: 48681b)

·         By default, Audit Analyzer uses MSS2 codec to export audited sessions to a WMV (Windows Media Video) file. The MSS2 codec has a known issue which results in fuzzy video when an audited Windows session is exported as WMV file and opened in Windows Movie Maker 2012. From DirectAudit 3.2.0 onward, you can specify your own codec to export an audited session to a WMV file. Please refer to KB-4029 for additional information. (Ref: 56021a)

·         Obfuscation of session data has the following limitations: if the information is sent to stdout not as a whole but piece by piece, it will not be obfuscated. For example, a user wants to obfuscate the pattern "1234-5678"; if "1234-" is shown first and "5678" is shown 1 second later, this pattern will not be obfuscated. Since the Cdash stdout buffer is 4KB, the obfuscation string is at most 4KB long. Note: this applies to stdout only. (Ref: 80462)
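The chunk-boundary limitation described above, as an added example in Python (not DirectAudit or Centrify code): a per-chunk masker reproduces the miss when the pattern is written in two pieces, and a carry-over buffer shows how a match that straddles two writes can still be masked. The secret, the chunks and the mask character are constructed assumptions; the product's own matching rules are not modelled.

```python
"""Pattern obfuscation over a stream that arrives in pieces.

Added example, not DirectAudit code. It reproduces the limitation in which
a string split across two stdout writes is not masked because each piece is
searched on its own, and shows the carry-over buffering that handles a
match straddling a chunk boundary. Secret, chunks and mask are constructed.
"""
import re
from typing import Iterable, List

MASK_CHAR = "*"


def mask_per_chunk(chunks: Iterable[str], secret: str) -> str:
    """Mask `secret` inside each chunk independently.

    This mirrors the described behaviour: "1234-" followed later by "5678"
    never contains the whole secret, so nothing is masked.
    """
    mask = MASK_CHAR * len(secret)
    return "".join(chunk.replace(secret, mask) for chunk in chunks)


def mask_with_carry(chunks: Iterable[str], secret: str) -> str:
    """Mask `secret` even when it is split across chunk boundaries.

    Up to len(secret) - 1 trailing characters are held back after each
    chunk, because they may be the start of a match that completes in the
    next chunk. A completed match is always emitted whole, so the held-back
    tail never contains part of a masked region.
    """
    mask = MASK_CHAR * len(secret)
    hold = len(secret) - 1
    out: List[str] = []
    pending = ""
    for chunk in chunks:
        pending += chunk
        # End offset of the last complete match in the pending text (0 if none).
        last_end = 0
        for m in re.finditer(re.escape(secret), pending):
            last_end = m.end()
        # Emit at least everything but the tail, and never split a match.
        cut = max(len(pending) - hold, last_end, 0)
        out.append(pending[:cut].replace(secret, mask))
        pending = pending[cut:]
    out.append(pending)  # shorter than the secret, so it cannot contain it
    return "".join(out)


# Constructed sample: the secret is written in two pieces, as in the note.
SAMPLE_SECRET = "1234-5678"
SAMPLE_CHUNKS = ["card 1234-", "5678 ok\n"]

if __name__ == "__main__":
    print(repr(mask_per_chunk(SAMPLE_CHUNKS, SAMPLE_SECRET)))   # secret survives
    print(repr(mask_with_carry(SAMPLE_CHUNKS, SAMPLE_SECRET)))  # secret masked
```

The carry-over version trades a small output delay (at most one secret length) for correctness at boundaries; it does not address the separate 4KB buffer bound the note mentions, which caps how long a pattern can be.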

4.5    Audit Manager

·         In the Notification tab of the Installation Properties dialog, a dynamic GIF file is not supported as the banner image file. (Ref: 32793c)

·         If you assign DirectAudit permissions to a Domain Local group, which is not in the current domain in the Audit Manager Installation Property Security tab, and a user belonging to that group runs Audit Analyzer and tries to connect to the DirectAudit Installation, Audit Analyzer will display the warning “You do not have permission to connect to the SQL server.”   A workaround is to grant permission to a Global or Universal group instead. (Ref: 25546c)

·         Video recording was always turned on prior to DirectAudit 3.1.0. DirectAudit 3.1.0 allows users to optionally turn off video recording. This requires that both DirectAudit collectors and Windows agents be upgraded to version 3.1.0. If any DirectAudit collector or Windows agent is an older version, video data may still be recorded even though you have turned it off in Audit Manager version 3.1.0. (Ref: 44064a)

4.6    Centrify UNIX Agent for Audit

·         Centrify recommends that customers use the session auditing capability of DirectAudit to ensure the complete login session is audited, rather than auditing individual commands. When the administrator configures DirectAudit to audit a specific command, DirectAudit moves the original command executable to a different location and replaces it with a symbolic link to the DirectAudit shell. It is possible for a user to find the new location of the executable and run that command directly to bypass auditing. Although the likelihood of this happening is very small, Centrify recommends that session auditing be turned on to avoid the chance of it happening.

·         DirectAudit may not work properly on Debian and Ubuntu if AppArmor is also installed. DirectAudit does work with AppArmor on SUSE. (Ref: 53233)

·         On HPUX 11.31, system patch PHNE_40225 or newer must be installed for the proper operation of Centrify DirectAudit. (77054).

·         The <uid> and <usertype> fields in the “nss.user.override.userlist” parameter in centrifyda.conf are reserved for future use and should be left unspecified. Centrify recommends that customers use only the <username> and <audit-level> fields in this parameter. (Ref: 77543)

·         Using the CLI command "dastop" to stop the DirectAudit daemon, "dad", can result in unpredictable behavior on some systems. Instead, administrators should use the script "/usr/share/centrifydc/bin/centrifyda" to start and stop the DirectAudit daemon. (Ref: 72292)

·         In previous releases, the DirectAudit NSS/LAM module set the pw_shell field in the passwd struct to cdash (/bin/centrifyda) when it processed getpwuid()/getpwnam() calls. This might not be desirable for some shell-name-dependent applications. In DirectAudit 3.2.2, the DirectAudit NSS/LAM module is enhanced to reply with a shell that has the same name as the user’s login shell, residing in a subdirectory. For example, if the user’s login shell is /bin/sh, the DirectAudit NSS module replies with /bin/cdax/sh. This helps DirectAudit integrate with those applications more seamlessly. dacontrol uses the file /etc/shells (and /etc/security/login.cfg) to determine the list of shells to enable for this feature. When you install a new shell, ensure that the shell is added to the files above, and run ‘dacontrol -e’ again. Also make sure that the path name specified in the user profile (which is not necessarily where the file is located when a symlink is used) is added to the files. For example, if /bin/bash is specified in the user profile and it is a symbolic link to /opt/shareware/bin/bash, make sure that /bin/bash is added. (Ref: 76265)
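A check for the /etc/shells requirement above, as an added example in Python (not dacontrol or any other Centrify code): it lists users whose login shell, exactly as spelled in their passwd entry, is missing from /etc/shells, and shows the /bin/cdax/<name> reply path the note describes. The passwd and shells contents are constructed sample data.

```python
"""Check that login shells in passwd entries are listed in /etc/shells.

Added example, not dacontrol or other Centrify code. It applies the rule
stated in the note: the per-shell integration covers the shells listed in
/etc/shells, matched by the path spelled in the user profile, not by the
symlink target. The passwd and shells contents below are constructed, and
/bin/cdax/<name> is the reply path described in the note.
"""
import os
from typing import Dict, List


def parse_shells(text: str) -> List[str]:
    """Return the shell paths from /etc/shells-style text ('#' comments skipped)."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def parse_login_shells(passwd_text: str) -> Dict[str, str]:
    """Map user name to the shell field (7th field) of each passwd entry."""
    shells: Dict[str, str] = {}
    for ln in passwd_text.splitlines():
        fields = ln.split(":")
        if len(fields) == 7:
            shells[fields[0]] = fields[6]
    return shells


def cdax_path(shell: str) -> str:
    """Path the NSS module replies with for a login shell, e.g. /bin/sh -> /bin/cdax/sh."""
    return "/bin/cdax/" + os.path.basename(shell)


def unlisted_login_shells(passwd_text: str, shells_text: str) -> Dict[str, str]:
    """Users whose login shell, as spelled in passwd, is missing from /etc/shells.

    The comparison is on the literal path string. Resolving symlinks first
    (for example with os.path.realpath) would be wrong here, because the
    path name in the profile is what must appear in the file.
    """
    listed = set(parse_shells(shells_text))
    return {user: shell
            for user, shell in parse_login_shells(passwd_text).items()
            if shell not in listed}


# Constructed sample files.
SAMPLE_SHELLS = """# /etc/shells (constructed)
/bin/sh
/bin/bash
/bin/ksh
/opt/shareware/bin/bash
"""

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/usr/local/bin/zsh
svc:x:1003:1003:service:/var/svc:/usr/sbin/nologin
"""

if __name__ == "__main__":
    for user, shell in unlisted_login_shells(SAMPLE_PASSWD, SAMPLE_SHELLS).items():
        print(f"{user}: {shell} is not in /etc/shells; add it and rerun dacontrol -e")
```

Accounts that deliberately use a non-login shell (such as the svc entry in the sample) will also be reported; whether those matter depends on whether they ever open an audited session.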

·         In DirectAudit 2.x, the configuration parameter ‘dash.user.alwaysallowed.list’ in centrifyda.conf specifies a list of users that DirectAudit always allows to log in, even if the environment cannot do auditing. However, this parameter is not honored by the DirectControl agent when DirectAudit 3.x is installed, and it is not functional.

In DirectAudit 3.x, a better integrated solution is implemented using the "rescue/always permit login" sysright. This sysright is honored by both DirectControl and DirectAudit, and it deprecates the ‘dash.user.alwaysallowed.list’ parameter. Hence, when upgrading from DirectAudit 2.x to DirectAudit 3.x, assign the users in the ‘dash.user.alwaysallowed.list’ list to the "always permit login" role (if any of these users have "audit required" in their roles) as one of the steps in the upgrade procedure. (Ref: 64841a)

·         On AIX and HP-UX using the DirectAudit 3.2.1 agent with default settings, if a user logs in from a GUI (for example, Xmanager), the terminal opened in the GUI will not be audited. The workaround is to set the parameter 'dash.allinvoked:true'. (Ref: 66330b)

·         Starting from DirectAudit 3.2.0, dash.force.audit has been deprecated and is no longer needed in the configuration of command-level auditing for managed computers. As a result, it is no longer included in the configuration file (centrifyda.conf) by default. For details, please refer to the Configuration and Tuning Reference Guide. (Ref: 56822a)

·         Auditing init during startup on UNIX is not possible.  The init command used during the boot process should not be audited using per-command auditing. If you attempt to audit init, your operating system will not reboot properly.

·         You cannot start a GUI session if you are logged in via an interactive session.  Running startx or starting a GUI session from an interactive session results in the following message:

X: user not authorized to run the X server, aborting.

Workaround:

-          Run "sudo dpkg-reconfigure x11-common"

-          When you are prompted for users allowed to start the X server, choose "anybody" (the default is "console users only").

The GUI session or X server should start normally. (Ref: 25036a)

·         Local AIX users cannot be audited when they log in via built-in ssh, due to a change in AIX 7.0 ML1. Customers are advised to install Centrify OpenSSH if auditing of ssh login by local users is required (Ref: 33299a).

·         To audit the GUI terminal emulators, GUI login managers have to be fully reinitialized after auditing is enabled. On Linux, "init 3 && init 5" will start the reinitialization. (Stopping the X server only, or pressing ctrl+alt+backspace in Gnome, will not start the reinitialization.)

·         The dzinfo utility is run by a wrapper script. The actual executable of dzinfo is located in /usr/share/centrifydc/libexec/dzinfo.

To enable auditing on dzinfo, a user is required to audit /usr/share/centrifydc/libexec/dzinfo.

NOTE: /usr/bin/dzinfo and /usr/share/centrifydc/bin/dzinfo are symbolic links to the wrapper script /usr/share/centrifydc/bin/cdcexec. Ensure that the executable, and not a symbolic link or wrapper script, is audited.

·         On Solaris, the following commands, located in /usr/bin, might be implemented as ksh programs or scripts:

    alias   bg      cd
    command fc      fg
    getopts hash    jobs
    kill    read    test
    type    ulimit  umask
    unalias wait

To identify commands implemented as ksh scripts, run the following script:

    #!/bin/ksh -p
    cmd=`basename $0`
    $cmd "$@"

The commands that are implemented internally by ksh should not be audited.
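A way to find which commands in a bin directory are ksh wrapper scripts rather than real binaries, as an added example in Python (not part of DirectAudit): it reads the interpreter line of each file and reports the ones that name ksh, which are the commands to leave out of per-command auditing. The sample directory, its file contents and the interpreter list are constructed for the example.

```python
"""Identify bin-directory commands that are ksh wrapper scripts rather than binaries.

Added example, not part of DirectAudit. On the Solaris systems described
above, several /usr/bin commands are a three-line ksh script that re-runs
the ksh built-in of the same name; such commands should not be put under
per-command auditing. This check reads the interpreter line of each file.
The sample directory is constructed in a temporary location.
"""
import os
import stat
import tempfile
from typing import List

# Interpreter paths treated as ksh (assumption; extend for your platform).
KSH_INTERPRETERS = (b"/bin/ksh", b"/usr/bin/ksh", b"/usr/bin/ksh93")

# The wrapper script as listed in the note above.
KSH_WRAPPER = '#!/bin/ksh -p\ncmd=`basename $0`\n$cmd "$@"\n'


def is_ksh_script(path: str) -> bool:
    """True if the file starts with a '#!' line naming a ksh interpreter."""
    with open(path, "rb") as fh:
        first = fh.readline(512)
    if not first.startswith(b"#!"):
        return False
    words = first[2:].split()
    return bool(words) and words[0] in KSH_INTERPRETERS


def ksh_wrappers(bindir: str, names: List[str]) -> List[str]:
    """Return the given command names under bindir that are ksh scripts."""
    found = []
    for name in names:
        path = os.path.join(bindir, name)
        if os.path.isfile(path) and is_ksh_script(path):
            found.append(name)
    return found


def make_sample_bindir() -> str:
    """Create a constructed bin directory: a ksh wrapper, an sh script, an ELF-like file."""
    bindir = tempfile.mkdtemp(prefix="sample-bin-")
    samples = {
        "alias": KSH_WRAPPER.encode(),
        "myscript": b"#!/bin/sh\necho hello\n",
        "ls": b"\x7fELF\x02\x01\x01" + b"\x00" * 16,  # constructed header only
    }
    for name, data in samples.items():
        path = os.path.join(bindir, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, stat.S_IRWXU)
    return bindir


if __name__ == "__main__":
    d = make_sample_bindir()
    print("ksh wrapper scripts:", ksh_wrappers(d, ["alias", "myscript", "ls", "missing"]))
```

On a real system, pass "/usr/bin" and the command names from the list above instead of the constructed directory.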

·         On a system using SMF (Service Management Facility), such as Solaris 10, the DirectAudit daemon might not start up after an upgrade from DirectAudit 1.x. This does not affect a fresh installation. To bring the daemon up, run these commands:

1)  svcadm disable centrifyda

2)  svcadm enable centrifyda

Run 'svcs' and find 'centrifyda' to confirm the daemon is online.

·         When a local user and an Active Directory user use the same UNIX user name, the user name defaults to the Active Directory user. If the local user is intended, setting the pam.allow.override parameter in /etc/centrifydc/centrifydc.conf will help. With this setting, the plain user name implies the Active Directory user, and <username>@localhost implies the local user.

DirectAudit 3.0 or later understands the "@localhost" syntax. The DirectControl UNIX Agent responds to <username>@localhost if the user name is set in pam.allow.override.

·         If you upgrade from DirectAudit 2.0, disable DirectAudit so that the new DirectAudit mechanism for hooking shells can be installed: run 'dacontrol -d -a' to disable auditing, then restart the upgrade.

·         DirectAudit maintains a cache of user information for performance reasons.  This cache interferes with Unix commands that manipulate the local user database (passwd file).  These commands include useradd, userdel and usermod. From DirectAudit 3.2.0 onwards, DirectAudit will not access its local cache to fully support the following commands: useradd, userdel, adduser, usermod, mkuser, rmuser, chuser

Please contact support if your operating system platform has other programs that directly access the local passwd file.  (Ref: 56259a)

·         Change in AIX root user behavior: By default, all releases starting with Suite 2014 (DirectAudit 3.2.0) DO NOT modify the root stanza in AIX for new installations. One side effect is that root user login WILL NOT be audited. If your environment requires session auditing of root user login, you need to do the following:

a.       Set up a DirectAuthorize role that has the audit level of "audit required" or "audit if possible"; and assign this role to root.

b.       Set the parameter adclient.autoedit.user.root to TRUE in /etc/centrifydc/centrifydc.conf.

c.       If DirectAudit session auditing is not enabled, enable DirectAudit session auditing using the command "dacontrol -e".

d.       Restart adclient (Ref: 56239a, 56604a)

   For AIX customers who upgrade from a release prior to Centrify Server Suite 2014 (DirectAudit 3.2.0), there is NO change in behavior. The parameter adclient.autoedit.user.root is set to true in /etc/centrifydc/centrifydc.conf, and the root user will still be audited. (Ref: 56235)

·         If session auditing is enabled, all local user logins are processed by DirectAudit to determine whether the session should be audited. This may block login if domain controllers are not responsive and/or the DirectControl agent is not running. Two new parameters are introduced in /etc/centrifyda/centrifyda.conf:

- user.ignore: specifies a list of local users for which DirectAudit does not use Active Directory to determine the audit level. By default, the list is /etc/centrifydc/user.ignore (the same one that DirectControl uses), which includes some important accounts such as root, bin, daemon, etc.

- user.ignore.audit.level: specifies the audit level for the local users in the user.ignore list. The supported values are 0 (audit if possible) and 1 (audit not requested/required). The default is 0 (audit if possible). Note that "audit required" is not a reasonable choice, as these users need to log in at all times, and "audit required" may block login if DirectAudit does not function correctly. (Ref: 55599a, 57946a, 56935a, 58251a)
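How the two parameters above combine to decide a local user's audit level, as an added example in Python (not Centrify code). It parses a centrifyda.conf fragment, reads the user.ignore list (inline, or from a file when the value is a path; the "file:" prefix is an assumption modelled on centrifydc.conf), and maps the ignored users to user.ignore.audit.level. It also keeps list-valued parameters such as dash.user.skiplist as lists, the distinction the 3.2.1 fix earlier on this page describes. Users not on the ignore list are reported with a sentinel rather than looked up in Active Directory. The configuration text and file contents are constructed.

```python
"""Resolve a local user's audit level from centrifyda.conf settings.

Added example, not Centrify code. It models the two parameters described
in the note: user.ignore (a list of local users, given inline or as a file
path; the "file:" prefix is an assumption modelled on centrifydc.conf) and
user.ignore.audit.level (0 = audit if possible, 1 = audit not requested).
Users not on the ignore list are the ones whose level DirectAudit would
take from Active Directory; this example reports that as a sentinel string
instead of performing a lookup. All configuration text is constructed.
"""
from typing import Callable, Dict, List

# Constructed sample configuration fragment (not a real customer file).
SAMPLE_CONF = """# centrifyda.conf fragment (constructed)
user.ignore: file:/etc/centrifydc/user.ignore
user.ignore.audit.level: 1
dash.user.skiplist: build, nagios
"""

# Constructed sample ignore file; one user name per line, '#' comments.
SAMPLE_USER_IGNORE = """# /etc/centrifydc/user.ignore (constructed)
root
bin
daemon
"""

AUDIT_LEVEL_NAMES = {0: "audit if possible", 1: "audit not requested"}
FROM_AD = "from Active Directory"


def parse_conf(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines, skipping blank lines and '#' comments."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip()] = value.strip()
    return conf


def parse_list(value: str) -> List[str]:
    """Split a list-valued parameter on commas and whitespace.

    A value wrapped in quotes is kept as one item: the 3.2.1 fix on this
    page treats 'dash.user.skiplist: "user1, user2"' as a single value,
    and 'dash.user.skiplist: user1, user2' as a list of two.
    """
    stripped = value.strip()
    if len(stripped) >= 2 and stripped[0] == stripped[-1] and stripped[0] in "\"'":
        return [stripped[1:-1]]
    return [item for item in stripped.replace(",", " ").split() if item]


def parse_name_file(text: str) -> List[str]:
    """Read a user.ignore-style file: one name per line, '#' comments."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def ignore_list(conf: Dict[str, str], read_file: Callable[[str], str]) -> List[str]:
    """Return the user.ignore names, reading the file when a path is given."""
    value = conf.get("user.ignore", "file:/etc/centrifydc/user.ignore")
    if value.startswith("file:"):
        return parse_name_file(read_file(value[len("file:"):]))
    if value.startswith("/"):
        return parse_name_file(read_file(value))
    return parse_list(value)


def local_user_audit_level(user: str, conf: Dict[str, str],
                           files: Dict[str, str]) -> str:
    """Decide how a local user's login is audited without contacting AD."""
    ignored = ignore_list(conf, lambda path: files[path])
    if user not in ignored:
        return FROM_AD
    level = int(conf.get("user.ignore.audit.level", "0"))  # default is 0
    return AUDIT_LEVEL_NAMES[level]


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    files = {"/etc/centrifydc/user.ignore": SAMPLE_USER_IGNORE}
    for name in ("root", "alice"):
        print(name, "->", local_user_audit_level(name, conf, files))
```

The `files` mapping stands in for the filesystem so the example runs offline; on a host it would be replaced by reading the path named in the parameter.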

 

·         The /usr/share/centrifydc/bin/centrifyda script should be used to start and stop the DirectAudit service on all *nix platforms. However, systemd is not fully supported in /usr/share/centrifydc/bin/centrifyda. On platforms that use systemd by default (such as SUSE Linux Enterprise 12/SUSE Linux Desktop 12), users need to set the environment variable SYSTEMD_NO_WRAP to 1 before calling /usr/share/centrifydc/bin/centrifyda. Operations such as killing a daemon, running dad (the DirectAudit daemon) directly, or running the dastop command could cause problems for daemon managers on some *nix platforms. For example, SMF on Solaris, SRC on AIX and systemd on Fedora 20 may record an incorrect running status for the daemon and may fail to start it. (Ref: 57653a, 71211a)

 

4.7    Centrify Windows Agent for Audit

·         Some events related to the login script are not listed in the indexed events list. The login script cannot be audited for an initial few seconds because the DirectAudit Windows agent software has not completed its setup. (Ref: 26286)

4.8    Database

·         In previous versions of DirectAudit, it was possible to specify the location of the database file. In DirectAudit 2.0.0 and later this capability is not provided in the Audit Store Database Wizard. However, you can still specify the full text file location, database file location, or transaction log file location by choosing "View SQL Scripts" and modifying the relevant database location manually in the script.

·         If you are using SQL Server 2005 Express, and you change the date and time format on the computer with your database to English (Singapore), some of the stored procedures respond with an error “Locale not supported” while other stored procedures continue to work fine. The workaround is to use a different English locale or upgrade SQL Server to 2008 or a later version. Note that support for SQL Server 2005 will be dropped in Suite 2016.

·         If the default memory setting for SQL Server is more than the actual memory in the system, a memory error may occur. For more information, see:

http://social.msdn.microsoft.com/Forums/en-US/sqldatabaseengine/thread/74a94f06-adf5-4059-bb92-57a99def37bd/

·         SQL Server 2008 R2 full text search categorizes certain words as stop words by default and ignores them for searches. Some stop words are common UNIX commands such as like, which, do, and while.  For more details about stop words and how to configure, please refer to http://technet.microsoft.com/en-us/library/ms142551.aspx

·         The Centrify DirectManage Audit Collector monitors the active Audit Store database to check whether it is running low on disk space. If the active Audit Store database is on a disk with a volume mount point, the collector may give a false alarm. In such cases, it is recommended to disable the detection by setting the following registry key (type DWORD) to 0 on all your collector machines. (Ref: 53389a)

HKLM\Software\Centrify\DirectAudit\Collector\AuditStoreDiskSpaceLowThreshold

·         The Collector only detects low AuditStore disk space against a configurable threshold if the SQL Server version is 2008 R2 SP1 (10.50.2500.0) or above. The threshold can be configured in the Collector machine registry: HKLM\Software\Centrify\DirectAudit\Collector\AuditStoreDiskSpaceLowThreshold (DWORD, in MB; if not configured, the default is 1024 MB). If free disk space is less than the threshold, the Collector state changes to "AuditStore database disk space is low" and it stops accepting audit data from Agent(s).

 

4.9    Audit Management Server

·         To configure the audit management server to point to an installation, the user who is running the Audit Management Server Configuration Wizard must have the "Manage SQL Logins" permission on the management database of the installation. For example, if you are configuring an audit management server in an external forest with a one-way trust, be sure that the installation supports Windows and SQL Server authentication and the account you are using is from the internal forest and has the "Manage SQL Logins" permission on the management database. (Ref: 46989a)

4.10  FindSession tools

·         For per-command auditing of dzdo command, when a ticket is entered, the role and ticket are associated with the audited session. For such sessions, the FindSessions tool’s export of type UnixCommand, UnixInput, or UnixInputOutput based on the role and/or ticket criteria will have the exported command, STDIN, or STDIN and STDOUT marked with role and ticket. When per session auditing is enabled, the exported data will not have role and ticket information. (Ref: 53936a)

·         When per-command auditing is enabled for dzdo command, and role and trouble ticket capturing is also configured, FindSessions.exe run with /export=UnixCommand option will not show the role and trouble ticket information in the exported file for the dzdo command itself, if the dzdo command executed is “dzdo su  –“ or “dzdo –i”. However, all the command executed within that dzdo session will have correct role and trouble ticket information. (Ref: 51787a)

4.11  Windows Agent

·         In the DirectAudit Windows Agent control panel, the setting “Maximum size of the offline data file” actually means the minimum percentage of free space that must be available in the spool volume before the DirectAudit Windows agent spools audit data to disk when it cannot send audit data to the collector. This threshold may also be temporarily exceeded. For example, if you set it to 10% and the DirectAudit Windows agent cannot send audit data to the collector, it will write the audit data to the local file system if the spool file system has at least 10% free space available. However, it may continue to write temporarily even if free space falls below 10%. (Ref: 78072)

 

4.12  Centrify Audit Module for PowerShell

·         The Audit Module for PowerShell may take a long time to start because of the publisher's certificate verification. To resolve the problem, disable the "Check for publisher's certificate revocation" option in System Control Panel\Internet Options\Advanced\Security. (Ref: 72499)

·         After installing the Audit Module for PowerShell in an RDP session, PowerShell complains that the module "Centrify.DirectAudit.PowerShell" cannot be loaded. This is because the installation package needs to modify system environment variables to let PowerShell know where to load the module from, and this operation must be done in a "Console Session" if installation is done via RDP. To resolve this problem, log out and log in again, or run RDP with the "admin" option, as in "mstsc /admin" or "mstsc /console". (Ref: 72500)

5.   Additional Information and Support

In addition to following instructions in the documentation provided with this package, you can find the answers to common questions and information about any general or platform-specific known limitations, as well as tips and suggestions, from the Centrify Knowledge Base on the Centrify Support Portal.

You can also contact Centrify Support directly with your questions through the Centrify web site, by email, or by telephone. To contact Centrify Support or to get help with installing or using this version of Centrify DirectAudit, send email to Support or call 1-669-444-5200, option 2.

For information about purchasing or evaluating Centrify products, send email to info.