Centrify® Server Suite 2016.1 DirectAudit® 3.3.1 Release Notes

© 2007-2016 Centrify Corporation.

This software is protected by international copyright laws.

All Rights Reserved.

Table of Contents

1.   About DirectAudit

2.   Feature Changes

2.1    Feature Changes in DirectAudit 3.3.1 (Suite 2016.1)

2.1.1       General

2.1.2       Collector

2.1.3       Audit Analyzer and Session Player

2.1.4       Audit Manager

2.1.5       Centrify UNIX Agent for Audit

2.1.6       Database

2.1.7       FindSessions Tool

2.1.8       Windows Agent

2.1.9       Centrify Audit Module for PowerShell

2.1.10     Supported Platforms

2.2    Feature Changes in DirectAudit 3.3.0 Update (Suite 2016)

2.3    Feature Changes in DirectAudit 3.3.0 (Suite 2016)

2.3.1       General

2.3.2       Collector

2.3.3       Audit Analyzer and Session Player

2.3.4       Audit Manager

2.3.5       Centrify UNIX Agent for Audit

2.3.6       Database

2.3.7       FindSessions Tool

2.3.8       Windows Agent

2.3.9       Centrify Audit Module for PowerShell

2.3.10     Supported Platforms

2.4    Feature Changes in DirectAudit 3.2.3 (Suite 2015.1)

2.4.1       General

2.4.2       Collector

2.4.3       Audit Analyzer and Session Player

2.4.4       Audit Manager

2.4.5       Centrify UNIX Agent for Audit

2.4.6       Database

2.4.7       FindSessions Tool

2.4.8       Windows Agent

2.4.9       Centrify Audit Module for PowerShell

2.4.10     Supported Platforms

2.5    Feature Changes in DirectAudit 3.2.2 (Suite 2015)

2.5.1       General

2.5.2       Collector

2.5.3       Audit Analyzer and Session Player

2.5.4       Audit Manager

2.5.5       Centrify UNIX Agent for Audit

2.5.6       FindSessions Tool

2.5.7       Supported Platforms

3.   Bugs Fixed

3.1    Bug Fixed in DirectAudit 3.3.1 (Suite 2016.1)

3.1.1       General

3.1.2       Windows Install / Upgrade / Uninstall

3.1.3       Collector

3.1.4       Audit Analyzer and Session Player

3.1.5       Audit Manager

3.1.6       Centrify UNIX Agent for Audit

3.1.7       Database

3.1.8       Centrify Audit Module for PowerShell

3.2    Bug Fixed in DirectAudit 3.3.0 (Suite 2016)

3.2.1       General

3.2.2       Windows Install / Upgrade / Uninstall

3.2.3       Collector

3.2.4       Audit Analyzer and Session Player

3.2.5       Audit Manager

3.2.6       Centrify UNIX Agent for Audit

3.2.7       FindSessions Tool

3.2.8       Database

3.2.9       Centrify Audit Module for PowerShell

3.2.10     Windows Agent

3.3    Bug Fixed in DirectAudit 3.2.3 (Suite 2015.1)

3.3.1       General

3.3.2       Windows Install / Upgrade / Uninstall

3.3.3       Collector

3.3.4       Audit Analyzer and Session Player

3.3.5       Audit Manager

3.3.6       Centrify UNIX Agent for Audit

3.3.7       Database

3.3.8       Centrify Audit Module for PowerShell

3.4    Bug Fixed in DirectAudit 3.2.2 (Suite 2015)

3.4.1       General

3.4.2       Windows Install / Upgrade / Uninstall

3.4.3       Collector

3.4.4       Audit Analyzer and Session Player

3.4.5       Audit Manager

3.4.6       Centrify UNIX Agent for Audit

3.4.7       Database

4.   Known Issues

4.1    General

4.2    Windows Install / Upgrade / Uninstall

4.3    Collector

4.4    Audit Analyzer and Session Player

4.5    Audit Manager

4.6    Centrify UNIX Agent for Audit

4.7    Centrify Windows Agent for Audit

4.8    Database

4.9    Audit Management Server

4.10   FindSession Tools

4.11   Windows Agent

4.12   Centrify Audit Module for PowerShell

5.   Additional Information and Support

 

1.   About DirectAudit

The Centrify DirectAudit feature set is a key component of Centrify Server Suite Enterprise Edition. DirectAudit enables detailed auditing of user activity on a wide range of UNIX, Linux, and Windows computers. With DirectAudit, you can perform immediate, in-depth troubleshooting by replaying user activity that may have contributed to system failures, spot suspicious activity by monitoring current user sessions, improve regulatory compliance, and ensure accountability by capturing and storing detailed information about the applications used and the commands executed. If you enable auditing, the Centrify Windows Agent records user activity on the Windows computer on which it is installed. DirectAudit supports auditing of over 400 different UNIX, Linux, and Windows operating systems. For a complete list of the platforms supported, see the “Centrify Server Suite, Enterprise Edition” section in the document available from www.centrify.com/platforms.

Centrify DirectControl is a pre-requisite for Centrify DirectAudit. The minimum version of DirectControl required by this version of DirectAudit is 4.4.4 (Suite 2011.1).

Starting in Suite 2016, only ADMX format for group policies will be installed and ADM format will no longer be provided. (Ref: 6821)

Starting in Suite 2016, Centrify will no longer be adding new features to the Centrify DirectManage Audit SDK component. Centrify recommends that all existing users of this component start using the Audit Module for PowerShell component, which is the intended replacement for the SDK. (Ref: CS-6713)

This release note updates information available in the DirectAudit Administrator's Guide and describes known issues. You can obtain information about previous releases from the Centrify Support Portal, in the Documentation & Application Notes page.

Centrify software is protected by U.S. Patent No. 7,591,005, 8,024,360, 8,321,523, 9,015,103 B2, 9,112,846, 9,197,670 and 9,378,391. (Ref: CS-40117)

 

2.   Feature Changes

2.1    Feature Changes in DirectAudit 3.3.1 (Suite 2016.1)

2.1.1       General

·         Starting in Suite 2016.1, the SQL Server 2008 R2 SP2 Express Edition that is installed by DirectManage Audit Easy Installer will have CENTRIFYSUITE as the default instance name, and the installer will enable the SQL Server Reporting Services (SSRS) feature for this instance and configure it in Native mode in order for the same instance to be used to host the Centrify Report Services database in an evaluation environment. Previously, the default instance name was DIRECTAUDIT and the installer did not enable the SQL Server Reporting Services feature for that instance. (Ref: CS-39438)

·         Centrify DirectManage Audit now supports hosting Management database and/or Audit Store databases in a SQL Server Availability Group. To benefit from all the features provided by a SQL Server Availability Group (such as multi subnet failover), Centrify recommends upgrading all DirectManage Audit components including Collectors, Audit Management Server service, Audit Manager console and Audit Analyzer console to the latest version. Note that there is no requirement to upgrade all the agents before using this new feature. (Ref: CS-38769)

2.1.2       Collector

 N/A

2.1.3       Audit Analyzer and Session Player

·         DirectManage Audit Audit Analyzer now allows exporting multiple sessions to a single text file. When a user chooses the option of single file export, the user name and machine name are prefixed to each line of the exported file for easier parsing. In addition, a blank line is added as a delimiter to separate data from different sessions. (Ref: CS-40031)

2.1.4       Audit Manager

N/A

2.1.5       Centrify UNIX Agent for Audit

·         The parameter "dad.data.dir", which defines the data directory path for DirectAudit, is deprecated in Suite 2016.1. Customers who need to use a different location to store DirectAudit data and spool files must follow the approaches described in KB-6548. Also, when an alternate directory location is used, only the symbolic link to the data directory is removed when DirectAudit is uninstalled; the actual data directory remains on the system. Because this parameter is deprecated, the DirectAudit upgrade process aborts with an error message if it detects that this parameter is specified. Please contact Centrify Technical Support in this case. (Ref: CS-39847)

·         Added a parameter, "dash.cmd.audit.blacklist", which allows a user to skip certain auditing command patterns using a regular expression. Command and arguments matching the expression will not be captured, but the “Audited command is executed” audit trail event will still be sent. (Ref: 39329)

·         Added a new script 'dacheck' which allows users to check for any potential problems in their DirectAudit environment. (Ref: 39274)

·         Enhanced the parameters "spool.diskspace.min" and "spool.diskspace.softlimit" to allow a user to specify the value as a percentage or an exact size. (Ref: 38610)

·         Added a parameter in Unix agent so that Audit Analyzer can either show the original user that ran the audited command or the current user (the user identity after su/sudo/dzdo). In previous versions of DirectAudit, Audit Analyzer can only show the current user that runs an audited command, which may not be the real user identity (if the user uses su/sudo/dzdo to change identity).  In Suite 2016.1, the administrator can configure the Unix agents such that Audit Analyzer can show the identity of the original user.  This is controlled by the parameter dash.cmd.audit.show.actual.user in the Unix agent.  This parameter can also be configured by group policy “Show actual user running an audited command”.  Customers must upgrade the Unix agents (not Audit Analyzer) for this feature to be effective.  (Ref: CS-39764, CS-39672)

2.1.6       Database

 N/A

2.1.7       FindSessions Tool

 N/A

2.1.8       Windows Agent

·         The Group Policy "Centrify DirectAudit Settings/Windows Agent Settings/Set update agent status timeout" setting was enhanced to take effect immediately for the Windows agent. (CS-39282)

2.1.9       Centrify Audit Module for PowerShell

·         Added the Get-CdaUserEvent cmdlet to the PowerShell module, which can be used to retrieve user activity events for reporting purposes. The existing cmdlet Get-CdaAuditEvent can be used to retrieve user privileged activity events for reporting purposes. (Ref: CS-40146, CS-6885)

2.1.10     Supported Platforms

For the list of the supported platforms by this release, refer to the “Supported Platforms” section in the suite release notes.

For the platforms whose support will be removed in coming releases, refer to the “Notice of Termination Support” section in the suite release notes.

For a complete list of supported platforms in all DirectAudit releases, refer to the “Centrify Server Suite, Enterprise Edition” section in the document available from www.centrify.com/platforms.

 

 

2.2    Feature Changes in DirectAudit 3.3.0 Update (Suite 2016)

DirectAudit 3.3.0 was updated in March 2016 to fix the following issue: When a system is under high CPU utilization, communication between the Centrify DirectControl and Centrify DirectAudit agents may time out while the communication channel remains open. This results in the DirectAudit agent processing the incorrect response to its request. Note that this occurs only in the DirectAudit *NIX agent when the DirectAudit NSS auditing functionality is enabled. The fix in this version of DirectControl and DirectAudit closes the communication channel between the two agents during timeouts and error situations.

Centrify strongly recommends that customers who use the DirectAudit NSS Auditing capability upgrade to this version of DirectAudit and DirectControl across their organization. Also, for customers who need the “audit required” support for local users, Centrify recommends adding such local users to the user override list specified by the DirectAudit nss.user.override.userlist configuration parameter, and running the “daflush” command after the file is modified.  “audit_required” is now supported as the audit level specification in both the nss.user.override.auditlevel configuration parameter and the audit level specification for users in the override list.  For more information, please refer to the description for these parameters in the Configuration and Tuning Reference Guide.

2.3    Feature Changes in DirectAudit 3.3.0 (Suite 2016)

2.3.1       General

·         DirectAudit and DirectAudit PowerShell installations will no longer install documentation or release notes. All user manuals and releases are available in the “Documentation” folder of the ISO image. (Ref: CS-7134)

·         DirectAudit agent periodically sends its status to collector, which is used by the collector to determine the agent connection status.  In prior releases, a transient error results in a “disconnected” status, even though the agent quickly reconnects.  In Suite 2016, an agent determines that it is in “disconnected” state only after multiple attempts to connect to collector fail.   The configuration parameter “agent.max.missed.update.tolerance” specifies the maximum number of failed attempts before the agent becomes “disconnected”.  This parameter can also be controlled by  a new Group Policy, "Set maximum missed status update tolerance" in "Policies/Centrify DirectAudit Settings/Common Settings". (Ref: CS-7046, CS-7047)

·         In prior releases, DirectAudit agents randomly choose any available collector to connect to.  This may result in agents connecting to collectors in remote sites instead of nearby collectors, resulting in more WAN traffic and network latency.   In Suite 2016, the administrator can configure DirectAudit agents to consider collectors in the local Active Directory site first, and to use collectors outside the local site only when there are no active collectors in the local site.  This can be specified on a per Audit Store basis, using a new option checkbox "Agents must prefer collectors in the same site as the agent" in the Audit Manager Console / Audit Store / Advanced Properties page. (Ref: CS-6890, CS-7028, CS-7039, CS-7040)

·         In prior releases, you can enable or disable video capture only for all systems in a DirectAudit installation.   Suite 2016 adds support to enable or disable video capture on a per-system basis. This can be configured by the “agent.video.capture” configuration parameter. The parameter has 3 possible values: "default" (uses the installation-wide setting), "enabled" and "disabled". A new Group Policy, “Set video capture auditing of user activity” in “Policies/Centrify DirectAudit Settings/Common Settings”, can also be used to set this parameter. (Ref: CS-7067, CS-7068)

·         In prior releases, the host names of audited sessions are determined by the collectors based on DNS lookup.   In environments where the DNS servers used by the collectors cannot reliably resolve IP addresses into host names (e.g., agents in NAT and/or DMZ environments), this causes incorrect host names to be shown for audited sessions.  A new configuration parameter, “agent.send.hostname”, is introduced in Suite 2016 to enable Audit Analyzer to display the host name specified by the agent on the audited computers, instead of the host name resolved by the collector using DNS.  This can be configured by a new Centrify Group Policy setting: "Use the host name specified by the agent" in "Centrify DirectAudit Settings/Common Settings". (Ref: CS-6730, CS-7086)

·         The Suite 2016 ISO now bundles the 64-bit installer of Microsoft SQL Server 2008 R2 SP 2 Express with Advanced Services. (Ref: CS-6740)

·         Improved Audit Trail despooling performance. (Ref. CS-5914)

 

2.3.2       Collector

·         Added a new collector registry setting, "SkipFirstSnapshot", to prevent storing the first snapshot of the session in the database in order to reduce the disk space consumed. This is useful for smaller sessions. When set to 1, the collector will not save the first snapshot. By default, the SkipFirstSnapshot value is 0, which means the first snapshot will be stored. Please note that skipping storage does not affect normal replay.  However, if you use the seek bar in the DirectAudit player to jump to the beginning of the session, it will not clear the screen first. (Ref: CS-6676)

·         If multiple Unix commands are entered using cut and paste, they are now recognized correctly in the “Indexed Command List”. (Ref: CS-6970)

 

2.3.3       Audit Analyzer and Session Player

·         Added the ability for an Auditor who has full control over a session to assign one or more Active Directory users as Reviewers of that session using Audit Analyzer console or using cmdlet from Audit Module for PowerShell. A user who is set as a Reviewer of a session will be allowed to replay and update the review status of that session even if that user was not assigned any Audit Role. In addition, a Reviewer will not have rights to delete a session. (Ref: CS-6351)

2.3.4       Audit Manager

N/A

2.3.5       Centrify UNIX Agent for Audit

·         Added the new parameter, "dad.collector.connect.timeout", to allow a user to specify how long the agent waits before it determines that it cannot connect to a collector. (Ref: CS-7119)

·         Added two options to the CLI command dareload: -p and -b. Option "-p" requests the DirectAudit daemon to reload properties from centrifyda.conf (This is a default option). Option "-b" requests DirectAudit daemon  to rebind to another collector. (Ref: CS-7025)

·         The commands “dacontrol -e” and “dacontrol -d” modify system configuration files (/etc/nsswitch.conf in Linux/HPUX/Solaris, /etc/security/user and /usr/lib/security/methods.cfg in AIX) to enable/disable session auditing. In the unlikely event that these files are empty because another application (such as vi) has emptied them, dacontrol displays an error message “execution of /usr/share/centrifydc/scripts/da/<xxx>.pl script failed.” (xxx is the file being modified). There will also be a message in syslog that looks like “Cannot backup <file> because it is empty”. This usually happens if a user tries to edit these files manually.  Centrify recommends that you keep a backup copy of these files before you modify them.  If you see this message, please restore the file from your backup copy. (Ref: CS-6660)

·         Introduced a new parameter (-q) to the dainfo  command, to allow query of more specific information about Centrify DirectAudit daemon.  This makes it easier for scripts to parse the output and/or use command exit status to determine status. (Ref: CS-6642)

 

Usage of option query:

-----------------------------------------------------------------
[info]                             Possible return values
-----------------------------------------------------------------
adclient_status                    available, not_available
dad_status                         online, offline, not_available
collector_name                     <host:port:spn>, not_available
spool_rate                         <Spool rate numerical part in bytes/sec>
spool_size                         <Spool size numerical part in bytes>
installation                       <installation name>, not_available
installation_source                local, group_policy
nss_status                         active, inactive
command_audit                      <audited commands, one command per line>
parameter_value:<parameter_name>   <parameter_value>
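A monitoring check built on the query keys listed above, as an added example (not Centrify's code). It assumes that "dainfo -q <info>" prints only the value on stdout, and that an offline daemon, an inactive NSS module, or an unavailable collector should each be flagged; sample_dainfo and the SAMPLE_* variables are constructed stand-ins so the script runs without an agent installed.

```shell
#!/bin/sh
# Added example, not shipped with DirectAudit.
# Assumption: "dainfo -q <info>" prints only the value for <info> on stdout.

# Command used to query the agent; override to test without an agent installed.
DAINFO="${DAINFO:-dainfo}"

# Constructed stand-in for dainfo (hypothetical helper, not real agent output).
# SAMPLE_* variables choose the values it reports.
sample_dainfo() {
    [ "$1" = "-q" ] || return 2
    case "$2" in
        adclient_status) echo "${SAMPLE_ADCLIENT:-available}" ;;
        dad_status)      echo "${SAMPLE_DAD:-online}" ;;
        nss_status)      echo "${SAMPLE_NSS:-active}" ;;
        collector_name)  echo "${SAMPLE_COLLECTOR:-col1.example.test:5063:constructed-spn}" ;;
        *)               return 1 ;;
    esac
}

# Print the value for one query key. A failed or missing dainfo counts as
# not_available, so a broken agent is never reported as healthy.
da_query() {
    out=$("$DAINFO" -q "$1" 2>/dev/null) || out="not_available"
    printf '%s\n' "$out" | tr -d '[:space:]'
}

# Print one "key=value" line per problem found.
# Return 0 when auditing looks healthy, 1 otherwise.
da_audit_health() {
    rc=0
    for check in adclient_status:available dad_status:online nss_status:active; do
        key=${check%%:*}
        want=${check#*:}
        got=$(da_query "$key")
        if [ "$got" != "$want" ]; then
            echo "$key=${got:-empty}"
            rc=1
        fi
    done
    # The collector has no single "good" value; flag only the missing cases.
    got=$(da_query collector_name)
    case "$got" in
        ""|not_available) echo "collector_name=${got:-empty}"; rc=1 ;;
    esac
    return "$rc"
}

# Demonstration with constructed values: the daemon reports offline.
(
    DAINFO=sample_dainfo
    SAMPLE_DAD=offline
    da_audit_health || echo "auditing degraded"
)
```

On an audited host, leave DAINFO unset so the real dainfo is called, and wire the exit status of da_audit_health into the monitoring system.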

 

2.3.6       Database

·         Added a new scheduled task to the Audit Management Server service to collect DirectAudit license and deployment information from DirectAudit databases and store it in Active Directory.  This allows any authenticated user to run the Deployment Report. (Ref: CS-6786)

·         Added new database indexes and enhanced some existing indexes to improve query performance and reduce load on CPU of the SQL server. (Ref: CS-6633)

 

2.3.7       FindSessions Tool

·         Improved the performance of the FindSessions utility when searching and exporting sessions by role and/or ticket in a DirectAudit installation when multiple Audit Store databases are attached. (Ref: CS-38604)

2.3.8       Windows Agent

·         Added two new Group Policy settings, "Set maximum size of the offline data file" and "Set maximum recorded color quality" in "Centrify DirectAudit Settings / Windows Agent Settings" to control the agent's spool file size and video capture color quality. (Ref: CS-6967)

2.3.9       Centrify Audit Module for PowerShell

·         Added 2 new cmdlets: "Set-CdaAuditSessionReviewer", which allows administrators to delegate session review directly to an Active Directory user or group, and "Get-CdaAuditSessionReviewer", which gets the Active Directory users and groups who have been designated as session reviewers. (Ref: CS-7147)

2.3.10     Supported Platforms

·         Supported Platforms - Centrify UNIX Agent for DirectAudit has added support to the following operating systems:

o Fedora 23 (x86, x86_64) (Ref: CS-7117)

o CentOS 6.7 (x86, x86_64)

o Oracle Enterprise Linux 6.7 (x86, x86_64)

o Red Hat Enterprise Linux Server 6.7 (x86, x86_64, PPC - NO Power8 support)

o Red Hat Enterprise Linux Server 7.0 (x86_64, PPC - NO Power8 support)

o Red Hat Enterprise Linux Desktop 7.2 (x86_64)

o Red Hat Enterprise Linux Server 7.1 (x86_64, PPC - NO Power8 support)

o Red Hat Enterprise Linux Server 7.2 (x86_64, PPC - NO Power8 support) (Ref: CS-7155)

o Scientific Linux 6.7 (x86, x86_64)

o Ubuntu Desktop 15.10 (x86, x86_64)

o Ubuntu Server 15.10 (x86, x86_64)

o SuSE Linux Enterprise Desktop 11 SP4 (x86, x86_64)

o SuSE Linux Enterprise Server 11 SP3 and SP4 (x86, x86_64, PPC) (Ref: CS-7155)

o Oracle Solaris 11.3 (x86_64, SPARC)

 

·         Supported Platforms – for all DirectAudit Windows Components (64-bit only)

o    Windows 7 SP1 and above

o    Windows 8 or 8.1

o    Windows Server 2008 R2 SP1

o    Windows 10

o    Windows Server 2012

o    Windows Server 2012 R2

 

Note: DirectAudit Windows components do not support 32-bit Windows

Note: DirectAudit Windows components do not support 64-bit Windows Server 2008

 

·         SQL Server – DirectAudit supports 64-bit versions of the following editions of Microsoft SQL Server (Ref: CS-7048)

o    SQL Server 2008 Express with Advanced Services

o    SQL Server 2008 Standard or Enterprise

o    SQL Server 2008 R2 Express with Advanced Services (Service Pack 2 or higher recommended)

o    SQL Server 2008 R2 Standard or Enterprise or Datacenter (Service Pack 2 or higher recommended)

o    SQL Server 2012 Express with Advanced Services

o    SQL Server 2012 Standard or Enterprise

o    SQL Server 2014 Express with Advanced Services

o    SQL Server 2014 Standard or Enterprise

 

Note: SQL Server 2008 and 2008 R2 are not compatible with Windows 10

 

Note: DirectAudit is dropping support for SQL Server 2005 and all versions of 32-bit SQL Servers in this release

·         Support has been removed for the following operating systems for Centrify UNIX Agent for DirectAudit (Ref: 73750):

o    All 32-bit Windows platforms

o    64-bit Windows 2008 Server

o    Fedora 19 (32-bit and 64-bit)

o    Oracle Enterprise Linux 4.x (32-bit and 64-bit)

o    openSUSE 12.1, 12.2, 12.3 (32-bit and 64-bit)

o    Oracle Solaris 8 SPARC

·         This is the last release for the support of the following operating systems for Centrify UNIX Agent for DirectAudit (Ref: 77904):

o    Debian Linux 6.x (32-bit and 64-bit)

o    Fedora 20 (32-bit and 64-bit)

o    HP-UX 11.11, 11.23 PA-RISC (Normal and Trusted modes)

o    HP-UX 11.23 Itanium (Normal and Trusted modes)

o    Oracle Solaris 9 (32-bit and 64-bit)

o    Ubuntu Desktop 14.10 (32-bit and 64-bit)

o    Ubuntu Server 14.10 (32-bit and 64-bit)

·         Support will be discontinued soon (the next release will be the last release with support) for the following operating systems for Centrify UNIX Agent for DirectAudit:

o    Fedora 21 (32-bit and 64-bit)

o    Ubuntu Desktop 15.04, 15.10 (32-bit and 64-bit)

o    Ubuntu Server 15.04, 15.10 (32-bit and 64-bit)

o    SUSE Linux Enterprise Desktop 10 (32-bit and 64-bit)

o    SUSE Linux Enterprise Server 10 (32-bit and 64-bit)

o    openSUSE 13.1 (32-bit and 64-bit)

2.4    Feature Changes in DirectAudit 3.2.3 (Suite 2015.1)

2.4.1       General

·         Significant performance and scalability improvements were made to DirectAudit UNIX agents, collectors and audit store databases.

·         Fixed a problem with the syntax of parameter "dash.obfuscation.*", introduced in DirectAudit 3.2.2, which could cause a problem during upgrade. The syntax is now correct and will automatically be converted to the new syntax during upgrade without user intervention. Please note: When using the group policy “Defining information pattern in custom format to obfuscate sensitive information” and/or “Defining information pattern in regex format to obfuscate sensitive information” to set up these parameters, an upgrade DOES NOT convert the value of these parameters.  Please ensure you change the values of these two group policies or the obfuscation will not take effect on the DirectAudit 3.2.3 Unix agents. (77348).

·         Pre-announcement of deprecating the ADM format

This is the last release in which group policies in ADM (Administrative Template File) format are shipped.  From the next release onward, only ADMX (Administrative Template File XML based) format will be shipped. (Ref: 79114)

2.4.2       Collector

·         Added the following new performance counters:

Connected Agent: Number of agents currently connected;
Connected Agent Peak: Peak number of connected agents;
Dropped Agents: Number of agents disconnected due to no timely status updates;
Agent Connect Event:  Number of agent connect events;
Agent Disconnect Event:  Number of agent disconnect events;
Transient SQL Errors: Number of transient SQL errors;
Request Connection Packet: Number of request connection packets received;
Request Ack Packet: Number of request ack packets received;
Collector Info Request Packet: Number of collector information request packets received;
Start Unix Session Packet: Number of “Start Unix session” packets received;
Continue Unix Session Packet: Number of “Continue Unix session” packets received;
End Unix Session Packet: Number of “End Unix” session packets received;
STDIN Packet: Number of Unix stdin data packets received;
STDOUT Packet: Number of Unix stdout data packets received;
Unix Window Resize Packet:  Number of “Unix window resize” packets received;
List Active Unix Session Packet:  Number of “List Active Unix session” packets received;
Unix Meta Message Packet: Number of Unix “Meta message” packets received;
Unknown Unix Packet: Number of unsupported packets received from Unix agents;
Bytes STDIN Sent: Number of Unix stdin  data bytes received ;
Bytes STDOUT Sent:  Number of Unix stdout data bytes received;
Unix Command: Number of Unix commands recorded in database;
Bytes Unix Command: Unix command data in bytes recorded in database;
Unix Snapshot: Number of Unix snapshots recorded in database;
Bytes Unix Snapshot: Unix snapshot data stored in database in bytes.

The custom performance counters are installed at collector install time, and removed when the collector is uninstalled.  The performance counters can also be created and removed using collector.config.exe /createcounter | /deletecounter. Note: The collector must be stopped before creating or removing the counters. (78186).

2.4.3       Audit Analyzer and Session Player

·         When a report is generated, the current progress is shown in the status bar of the Audit Analyzer. (71640).

·         Added column filtering to the Audit Analyzer query result pane. (77984)

·         In the “session query results pane”, added the column “Account.” This shows the actual account used to log in to the Windows/Unix system.  This is the same as the “user” column for users who log in directly to the audited system.  For Centrify Privileged Services (CPS) users, this is the shared account being used to log in, whereas the CPS user name is shown in the “user” column. On the session properties page, “Unix user name” and “Windows user name” were removed.  There are two new items instead, “Account” and “User.”  “Account” shows the account used to log in to the system, and can be the shared account for a CPS user, or what is actually used for others.  “User” shows the identity of the user who logs in to the system.  For a CPS user, this is the identity of the CPS user himself/herself.  In addition, the “TTY name” for a Unix session shows “pass-through” if the session was logged in to by the CPS user. (78371).

·         In the display of audit store databases, a new column, “Effective Size”, is added to show the size of data in the database. (75496)

·         Added more UI feedback when the Audit Analyzer is exporting a large number of sessions. As session details are fetched from AuditStore database, Audit Analyzer provides a progress bar dialog box when it exports the command/event list for a large number of sessions.  The user can also cancel the export operation while it is in progress. (46973)

·         Added the ability to search for audited sessions using a user's display name as search criteria when using the FindSessions utility or Audit Analyzer console. (78279)

 

2.4.4       Audit Manager

·         Added 2 new options to the New Installation wizard in Audit Manager, "Do not allow any users to review their own sessions," and "Do not allow any users to delete their own sessions," allowing these options to be configured during a DirectAudit Installation. Previously, these options could only be configured after DirectAudit had been installed. (75560)

·         Added column filtering to the Audit Manager query result pane. (77984)

·         Added a new column in the Audit Manager Console, "Last Update Time" for Audited Systems and Collectors, which indicates when the last agent/collector update was recorded in the AuditStore database. (76118).

·         From DirectAudit 3.2.2 onward, a DirectAudit administrator can now define an audit role with Active Directory security group as one of the search criteria. This allows a DirectAudit auditor to search for audited sessions of users that belong to a particular Active Directory security group. (19378)

·         Introduced a new installation level permission named "View" in Audit Manager console. A DirectAudit administrator can now assign "View" permission to one or more users, which limits these users to read-only access to the Audit Manager console without assigning them any administrative rights over the DirectAudit installation. (71012,71563)

 

2.4.5       Centrify UNIX Agent for Audit

·         Added two new group policies "Centrify DirectAudit Setting\UNIX Agent Settings\DirectAuditDaemon Settings\Set client idle timeout" and "Centrify DirectAudit Setting\UNIX Agent Settings\DirectAuditDaemon Settings\Set update agent status timeout" for the following two parameters "dad.client.idle.timeout" and "dad.timer.update.agent.status" respectively. (76401).

·         Added a new resource monitor to the Centrify DirectAudit daemon to monitor the CPU, file descriptor and memory usage during runtime. Detection of usage over the configurable threshold will give INFO level log message and restart dad by watchdog if possible. (77041).

·         Added the new parameter, "spool.diskspace.logstate.reset.threshold", to centrifyda.conf, which along with the existing parameter, “spool.diskspace.min“ which configures the DIRECTAUDIT Daemon to log an error when it detects that the percentage of free space in the spool volume is less than spool.diskspace.min.  Though the Direct Audit daemon will continue to monitor free space in the spool volume, it will not log another error message unless the administrator first clears enough free space from the spool volume so that the percentage free space is higher than (spool.diskspace.min + spool.diskspace.logstate.reset.threshold).. (77739).

·         Added a new option to dainfo, "-C", which displays the current action counts of the DirectAudit daemon (dad). Usage: dainfo [-h] [-v] [-x] [-d] [-u] [-C] [-t] [-c] options: --dadactioncount, -C (78184)

·         Added a new parameter to centrifyda.conf, "nss.nologin.shell", to allow the administrator to specify shells that should be treated as no-login. A list can be specified. Default values: /sbin/nologin, /bin/false. If a user’s login shell is in this list, the DirectAudit NSS/LAM modules always return the same login shell in getpwuid() and getpwnam() calls for that user, as the user cannot log in and will not be audited. (74844, 74522)

·         Added a new CLI argument to the dainfo command line utility, "suite-version", which outputs the version of the Centrify Server Suite and the DirectAudit version currently running. Example usage and output: (75327)

# dainfo --suite-version

dainfo (CentrifyDA 3.2.3-309)

Centrify Server Suite 2015.1

# dainfo -x

dainfo (CentrifyDA 3.2.3-309)

Centrify Server Suite 2015.1

·         The Centrify DirectAudit daemon (dad) is now managed by systemd, allowing more accurate control and reporting of dad's state. (73960)

·         Improved local user NSS query performance. (79041)

·         Added a new Centrify Group Policy, "Set ignored programs", located in "Centrify DirectAudit Settings" -> "Unix Agent Settings" -> "DirectAudit NSS Settings", to modify the list of programs whose getpwnam() and getpwuid() requests will not be processed by the DirectAudit NSS/LAM module. (64645)

·         Added a new group policy, "Add centrifyda.conf properties", located in "Centrify DirectAudit Settings" -> "Unix Agent Settings", allowing modification of any DirectAudit Unix agent parameter. (64645)

·         The following set of parameters was introduced in centrifyda.conf to support new options and features:

dad.client.idle.timeout.min, dad.resource.timer, dad.resource.restart, dad.resource.memlimit, dad.resource.fdlimit, dad.resource.cpulimit, dad.resource.cpulimit.tolerance, nss.nologin.shell, spool.diskspace.logstate.reset.threshold

For details, please refer to the Configuration and Tuning Reference Guide.
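The error logging described above for spool.diskspace.min and spool.diskspace.logstate.reset.threshold behaves as a latch with hysteresis. The Python model below is an added illustration, not Centrify code; the class and function names and the reset threshold of 2 are assumptions, and the 10% minimum is the default stated elsewhere in these notes.

```python
from dataclasses import dataclass, field


@dataclass
class SpoolSpaceLogState:
    """Tracks whether a low-free-space error has already been logged.

    All values are percentages of free space on the spool volume.
    """
    disk_min: float = 10.0         # spool.diskspace.min
    reset_threshold: float = 2.0   # spool.diskspace.logstate.reset.threshold (constructed value)
    error_logged: bool = False
    messages: list = field(default_factory=list)

    def observe(self, free_pct: float) -> bool:
        """Feed one free-space sample; return True if an error is logged for it."""
        if self.error_logged:
            # Already reported: stay silent until free space is HIGHER than
            # min + reset threshold, then re-arm the error message.
            if free_pct > self.disk_min + self.reset_threshold:
                self.error_logged = False
            return False
        if free_pct < self.disk_min:
            self.error_logged = True
            self.messages.append(
                f"ERROR: spool free space {free_pct:.1f}% is below {self.disk_min:.1f}%"
            )
            return True
        return False


def count_errors(samples, disk_min=10.0, reset_threshold=2.0):
    """Return how many error messages a sequence of samples produces."""
    state = SpoolSpaceLogState(disk_min=disk_min, reset_threshold=reset_threshold)
    return sum(state.observe(s) for s in samples)


if __name__ == "__main__":
    # Constructed samples: free space hovers around the 10% minimum.
    samples = [15, 9.5, 9.0, 10.5, 9.2, 12.5, 9.8]
    print("errors with reset threshold 2:", count_errors(samples))
    print("errors with reset threshold 0:", count_errors(samples, reset_threshold=0))
```

For log monitoring, the consequence is that one logged error followed by silence does not mean the spool volume has recovered.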

 

2.4.6       Database

·         Until DirectAudit 3.2.2, all DirectAudit database stored procedures were forced to run under the database server's Local System account, NT AUTHORITY\SYSTEM, which may violate the security policies of some customers. From DirectAudit 3.2.3 onward, a DirectAudit administrator can choose a custom account to run these stored procedures. This custom account must be a member of sysadmin fixed server role on the database server and can be selected on the "Advanced Settings" page of the "Add database" wizard. (73252).

·         Database performance when storing audit session data has improved significantly.  This allows a higher number of Unix agents to be supported in an audit store database instance. (76950, 76399, 79106, 76465, 79171).

·         Improvement in the performance of updating session review status in Audit Analyzer (38157).

·         The default SQL Connection timeout is now 30 seconds. (79107).

·         Added a new scheduled task to the Audit Management Server component to calculate the approximate amount of disk space taken by an audited session on the database server, also known as the "session size." If the Audit Management Server component has been installed and configured correctly, it will automatically calculate size for all audited sessions in the "Completed" state. In addition, the session size is shown in Audit Analyzer console's query result pane. (71964)

·         Improvement in the performance of querying audit data in Audit Analyzer. (79361).

·         To address issues related to incompatible databases when an older version of the SDK is used to perform database rotation, the DirectAudit SDK no longer performs a database rotation if the SDK's database version does not match the current version of the DirectAudit database. Before creating a new database, the SDK compares its own version against the version of the installation's Management database and displays an error if they don't match. (77364)

 

2.4.7       FindSessions Tool

·         The FindSessions utility's search result pane will now allow a user to copy the session URI and display the session's indexed commands/events list. (72109)

2.4.8       Windows Agent

·         AD users/groups can now be given the ability to stop the DirectAudit Windows Agent. The Start/Stop/Restart buttons in the Windows Agent Control Panel are enabled for AD users configured via GP to stop/restart the DirectAudit Windows Agent. If the GP is not configured, the buttons are hidden as in previous releases. As in previous releases, the Windows Agent cannot be stopped via Service Control Manager or by using commands such as "net stop". You must use the DirectAudit Agent Control Panel to start/stop the DirectAudit Windows Agent. (62474)

·         The default DirectAudit Windows agent heartbeat rate, "HKLM\Software\Centrify\DirectAudit\Agent\SessionPingInterval", was changed to 300 seconds from 60 seconds. A previously configured setting is preserved on upgrade. In addition, a new group policy, "Set update agent status timeout", was added in centrifyda_settings.xml, and the default policy value, if enabled, is 300 seconds. (77077)

2.4.9       Centrify Audit Module for PowerShell

·         Added Remove-CdaDatabase cmdlet to physically remove the database files from the server. (Ref: 74532)

·         Added db_rotation.ps1 as a sample database rotation script.  Sample scripts are installed to Samples subdirectory. (Ref: 77591)

·         Added -DisplayName parameter to Get-CdaAuditSession cmdlet to search the sessions by user's display name. (Ref: 77552)

 

2.4.10     Supported Platforms

·         Centrify UNIX Agent for DirectAudit adds support for the following operating systems (Ref: 72653, 73602):

o    CentOS 7.1 (x86_64)

o    Fedora 22 (x86, x86_64)

o    Debian Linux 8.x (x86, x86_64)

o    Oracle Enterprise Linux 7.1 (x86_64)

o    Red Hat Enterprise Linux Server 7.1 (x86_64)

o    Red Hat Enterprise Linux Desktop 7.1 (x86_64)

o    Scientific Linux 7.1 (x86_64)

o    Ubuntu Desktop 15.04 (x86, x86_64)

o    Ubuntu Server 15.04 (x86, x86_64)

·         Support will be discontinued soon (the next release will be the last release with support) for the following operating systems (Ref: 73750):

o    Fedora 20 (32-bit and 64-bit)

o    Debian Linux 6.x (32-bit and 64-bit)

o    Ubuntu Desktop 14.10 (x86, x86_64)

o    Ubuntu Server 14.10 (x86, x86_64)

o    Oracle Solaris 9 (32-bit and 64-bit)

o    HP-UX 11.11, 11.23 PA-RISC (Normal and Trusted modes)

o    HP-UX 11.23 Itanium (Normal and Trusted modes)

·         Centrify DirectAudit will no longer support the following platforms starting with the next release (Ref: 56644, 61795, 64457, 68948, 71092, 73138):

o    Fedora 19 (32-bit and 64-bit)

o    Oracle Enterprise Linux 4.x (32-bit and 64-bit)

o    OpenSUSE 12.1, 12.2, 12.3 (32-bit and 64-bit)

o    Oracle Solaris 8 SPARC

o    All 32-bit Windows platforms

·         The following operating systems are no longer supported (Ref: 56643, 61010, 66423, 69921):

o    AIX 5.3 (32-bit and 64-bit)

o    Linux Mint 15, 16 (32-bit and 64-bit)

o    Ubuntu Desktop 10.04 LTS (32-bit and 64-bit)

o    Ubuntu Server 10.04 LTS (32-bit and 64-bit)

o    Ubuntu Desktop 13.04, 13.10 (32-bit and 64-bit)

o    Ubuntu Server 13.04, 13.10 (32-bit and 64-bit)

o    Windows 2003 (32 and 64 bit), Windows 2003R2 (32 and 64 bit) – Estimated vendor EOL: 2015-07-14

2.5    Feature Changes in DirectAudit 3.2.2 (Suite 2015)

2.5.1       General

·         The Audit Trail feature has been enhanced with the following:

o    All audit trail events are now documented in an XML file. The document AuditTrailEvents.xml can be found on "Autorun">"Documentation" page, or in the Documentation folder of the ISO image. You can use it as a reference in integrating the audit trail events with other monitoring tools (Ref: 55847)

o    The Audit Trail feature of Suite 2015 has been redesigned to write a unique event ID also known as Centrify Event ID for each of the Audit Trail events. On Windows clients, the audit trail event is written in Windows Application Event Logs with the unique event ID as Event ID and a new Windows Event Source "Centrify AuditTrail V2". On Unix/Linux clients, the newly redesigned event IDs will be written to syslog in the centrifyEventID field. Please refer to the Centrify Audit Trail Events XML documentation for a complete list of Audit Trail events and their corresponding unique Centrify Event IDs. (Ref: 55847, 55849)

2.5.2       Collector

·         A new group policy “Centrify DirectAudit Setting\Collector Setting\Do not audit output of specified UNIX commands” is added. When a command is detected, it is checked (using exact match) against the command list specified by the group policy. If it matches, the command's output is not saved to the AuditStore database. (Ref: 73763)

·         By default, a command captured by a collector does not contain the command prompt. This release adds a new option to include the command prompt as part of the command in the Indexed Command List.  This feature is enabled by:

o    Setting the registry value of \\HKLM\Software\Centrify\DirectAudit\Collector\StripCommandPrompt (DWORD value, default 1) to 0 in all collectors; AND

o    Enabling stdin capturing in the DirectAudit Unix agent; or setting the registry value of \\HKLM\Software\Centrify\DirectAudit\Collector\SkipRecognizeCommandByPrompt (DWORD value, default 0) to 0 when stdin capturing in the DirectAudit Unix agent is disabled. (Ref: 73818)

·         The default maximum SQL Server connection pool size has been increased from previous value of 300 to 1000 for collector. The new setting allows collector to serve more concurrent agents at a time without exhausting the connection pool. (Ref: 76410)

·         In Collector Configuration Wizard, a new wizard page is added to configure the maximum SQL connection pool size. Configured value is displayed in the Diagnostics output in the Collector Control Panel. (Ref: 67502, 64276)

 

2.5.3       Audit Analyzer and Session Player

·         Active Directory security group(s) can be used as session/AuditEvent/Report filtering criteria in queries and it can be specified as part of audit role definition.  This audit role definition can be assigned to other users/groups, so that the users of this audit role can only see the sessions/AuditEvents/Reports generated for users of the AD security group(s). This feature requires an instance of the audit management server that is configured and running in the DirectAudit Installation. (Ref: 54415)

·         A new feature has been added in Audit Analyzer and the DirectAudit PowerShell module to allow querying sessions by Session ID (GUID string format) and Client Name. You can also specify the Session ID and client name as part of the AQL query in FindSessions.exe. (Ref: 65952, 70351)

·         From Suite 2015 onward, the Audit Analyzer session result pane has a new column named "Display Name". For a Unix session, it displays the GECOS field if it's available; otherwise, it displays the samAccountName of the AD user, or the Unix name of the Unix local user. For a Windows session, it shows the AD display name (if available) or the samAccountName of the audited user. (Ref: 72644)

 

2.5.4       Audit Manager

·         In Suite 2015, a DirectAudit administrator can enable a policy that prevents any users from reviewing or deleting their own sessions. If you enable the policy to prevent users from reviewing their own sessions, users cannot update the review status or comment on their sessions regardless of the rights granted to their audit role. Similarly, if you enable the policy to prevent users from deleting their own sessions, users cannot delete their own sessions regardless of the rights granted to their audit role. Both new policies are disabled by default, which is the same behavior as in previous versions of DirectAudit.  The policy can be changed by changing the DirectAudit Installation properties using Audit Manager. (Ref: 72646)

·         VNC Viewer is not packaged with Audit Manager. The user has to obtain VNC Viewer from RealVNC and install it. Audit Manager will try to locate the VNC Viewer on the local machine at the default deployment folder; if the VNC Viewer is not found, it asks the user to provide its path and locates it there thereafter. (Ref: 73312)

 

2.5.5       Centrify UNIX Agent for Audit

·         In DirectAudit 3.1.1, the default value of the configuration parameter dash.allinvoked was changed to true.  However, this may lead to unintended capture of data transfer traffic over an ssh connection (e.g., scp, rsync).  The default value of the configuration parameter dash.allinvoked is changed in Suite 2014.1 to false, as it applies to command auditing only. (Ref: 65470)

·         Some sensitive output data in an audited session on a system may not be suitable to be viewed by an auditor. DirectAudit allows the administrator to specify patterns of such data to be masked. If a pattern is matched, the data is shown as '*' instead of plain text when it is shown in the Session Player, and the data is not searchable. The login user can still see the sensitive data in the terminal session. The patterns can be specified using the parameters dash.obfuscate.regex (using regular expressions) and dash.obfuscate.pattern (using character patterns). (Ref: 60021)

·         A watchdog process, cdawatch, is now implemented to monitor the DirectAudit daemon (dad) to ensure that it is running all the time unless it is stopped by system administrator.  With this change, the Centrify Audit Shell (cdash) no longer automatically restarts dad.  Also, dad no longer needs to be a setuid program. (Ref: 61644, 69729, 72035)

·         A universal script, /usr/share/centrifydc/bin/centrifyda, is available to control the start and stop of DirectAudit daemon (dad). The script supports different variations of system service control in different Unix/Linux platforms. The use of dastop to stop the DirectAudit daemon is discouraged. (Ref: 72292)

·         There are several enhancements in the area of DirectAudit UNIX login and audit level control:

·         The DirectAudit NSS/LAM module now supports the user.ignore list as in DirectControl NSS/LAM module.  Notes about this parameter:

§   The default value is file:/etc/centrifydc/user.ignore, which is the same default value as for the DirectControl parameter nss.user.ignore.  Centrify recommends that customers use the same list for both DirectControl and DirectAudit.

§   This parameter specifies the local users who must be able to log in all the time, even when the DirectAudit daemon is not running.

§   The default audit level for users in this list is “audit_if_possible”.  The administrator can specify the audit level of users in this list using the nss.user.override.userlist, and specify the audit level individually in the list (or use the nss.user.override.auditlevel that specifies the default audit level for all users in the nss.user.override.userlist).  DO NOT set the audit level of users in the user.ignore list to “audit required”, as such users may not be able to log in when the DirectAudit or DirectControl agent is not running.

§   When a user in this list logs in and the audit level is “audit_not_requested/required”, the “login successful” audit trail event (centrifyEventID 18200) is not generated.

·         Starting from Suite 2014.1, a new parameter, nss.user.override.userlist, explicitly specifies the audit level for users in the following situations:

§  Non-hierarchical zone users who have a different audit level from that specified in the configuration parameter nss.alt.zone.auditlevel (default: audit_if_possible)

§  Users in the user.ignore list whose audit level needs to be “audit_not_requested/required”

DO NOT set the audit level of users in this list to “audit required”, because “audit required” is not supported in non-hierarchical zone, or it contradicts the intent of the user.ignore list.

(Ref: 70150, 60160, 70129)

·         The Audit Trail feature has been enhanced with the following:

o    For command level auditing, an audit trail event is generated when an audited command is executed. This allows you to use SIEM monitoring tools to trigger review of the associated DirectAudit sessions. The collector from previous releases will not save this audit trail event to Audit Store database. To guarantee that this event is not missed in the Audit Store database, all of the collectors must be at or above version 3.2.2. (Ref: 73015)

·         dainfo has a new argument --config (-c). 'dainfo -c' prints parsed contents of DirectAudit Configuration file (/etc/centrifyda/centrifyda.conf). (Ref: 60502)

·         A set of new parameters are introduced in centrifyda.conf for various new feature support:

o    dash.obfuscate.regex - This parameter specifies the obfuscation pattern used by the Unix DirectAudit to detect output data for masking as a regular expression. Each regular expression should be enclosed by ‘/’ characters, for example, /[A-Z][0-9]{6}\\([0-9A-Z]\\)/. You may specify more than one pattern by separating multiple patterns using the space character (‘ ‘). The default is none. See centrifyda.conf for more details. (Ref: 60021, 73276)

o    dash.obfuscate.pattern – This parameter specifies the obfuscation pattern used by the Unix DirectAudit to detect output data for masking as a pattern string. Each pattern should be enclosed by ‘/’ characters, for example, /nnnn-nnnn-nnnn-nnnn/. You may specify more than one pattern by separating multiple patterns using the space character (‘ ‘). The default is none. See centrifyda.conf for more details. (Ref: 60021, 73276)

o    dash.shell.env.var.set – This parameter specifies if cdash should set the SHELL environment variable to actual user shell. If false, SHELL environment variable will be set to the audited shell. The default is true. (Ref: 75540)

o    nss.user.conflict.auditlevel – This parameter is used to override a user's audit level when the user is listed in user.ignore. If you need to ensure that users in user.ignore list will always get the native login shell upon login and not audited, set this parameter to ‘no_audit’. The default is "audit_if_possible". (Ref: 60160, 70027)

o    spool.diskspace.softlimit – DirectAudit keeps audit data locally. If a system is running out of disk space (by default, less than 10% free, controlled by the parameter spool.diskspace.min), audit service will be affected. A soft-limit is introduced. When a system's disk space is less than a certain percentage free, DirectAudit will give a warning, but audit service is not affected. This parameter, spool.diskspace.softlimit, specifies the minimum percentage of available disk space on the partition containing the spool file without triggering diskspace warnings in the log.  Auditing will continue even if available disk space falls below this level, until the space falls below spool.diskspace.min. Hence, the value must be larger than or equal to the value of spool.diskspace.min. The default is 12%. (Ref: 58197)

For details, please refer to the Configuration and Tuning Reference Guide.
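To check a dash.obfuscate.regex value against sample output before deploying it, the added Python sketch below (not Centrify code) parses the '/'-enclosed, space-separated syntax described above and masks the matches. It assumes that a doubled backslash in the value stands for one regex backslash, that Python's re syntax is close enough to the agent's regex engine for the patterns tested, and that each matched character is shown as one '*'; the function names, the second pattern and the sample text are constructed.

```python
import re

# One '/'-enclosed pattern; the closing '/' must be followed by
# whitespace or the end of the value (assumed delimiter rule).
_TOKEN = re.compile(r"\s*/(.+?)/(?=\s|$)")


def parse_obfuscate_regex(value):
    """Split a dash.obfuscate.regex-style value into compiled patterns."""
    value = value.strip()
    patterns, pos = [], 0
    while pos < len(value):
        m = _TOKEN.match(value, pos)
        if m is None:
            raise ValueError(
                f"expected '/pattern/' at offset {pos}: {value[pos:]!r}"
            )
        # Assumption: '\\' in the configuration value means one regex backslash.
        body = m.group(1).replace("\\\\", "\\")
        patterns.append(re.compile(body))
        pos = m.end()
    return patterns


def mask_output(text, patterns):
    """Replace every character of every match with '*'."""
    for rx in patterns:
        text = rx.sub(lambda m: "*" * len(m.group(0)), text)
    return text


def unmatched_patterns(text, patterns):
    """Return the patterns that match nothing in the sample text.

    A pattern that never fires on representative test data is usually
    mis-escaped or too narrow, and would leave the data visible.
    """
    return [rx.pattern for rx in patterns if rx.search(text) is None]


# First pattern is the example from these notes; the second is constructed.
CONF_VALUE = r"/[A-Z][0-9]{6}\\([0-9A-Z]\\)/ /[0-9]{4}-[0-9]{4}-[0-9]{4}-[0-9]{4}/"

# Constructed session output.
SAMPLE = "id=A123456(7) card=4111-1111-1111-1111 host=db01"


if __name__ == "__main__":
    pats = parse_obfuscate_regex(CONF_VALUE)
    print(mask_output(SAMPLE, pats))
    print("patterns with no match:", unmatched_patterns(SAMPLE, pats))
```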

 

2.5.6       FindSessions Tool

·         A command line option /suppresswarnings (/sw) is added to FindSessions.exe to suppress the warning messages. (Ref: 63790)

2.5.7       Supported Platforms

·         Centrify UNIX Agent for DirectAudit adds support for the following operating systems (Ref: 72653, 73602):

o    CentOS 5.11, 6.6 (x86, x86_64)

o    Debian Linux 7.7 (x86, x86_64)

o    Fedora 21 (x86, x86_64)

o    Linux Mint 17.1 (x86, x86_64)

o    OpenSUSE 13.1, 13.2 (x86, x86_64)

o    Oracle Linux 5.11, 6.6 (x86, x86_64)

o    Oracle Linux 7.0 (x86_64)

o    Oracle Solaris 11.2 (x86_64, Sparc 64-bit)

o    Red Hat Enterprise Linux Server 5.11, 6.6 (x86, x86_64)

o    Red Hat Enterprise Linux Desktop 5.11, 6.6 (x86, x86_64)

o    Scientific Linux 5.11, 6.6 (x86, x86_64)

o    Scientific Linux 7.0 (x86_64)

o    Ubuntu Desktop 14.10 (x86, x86_64)

o    Ubuntu Server 14.10 (x86, x86_64)

o    SUSE Enterprise Linux 12 (x86_64)

·         Support will be discontinued soon (the next release will be the last release with support) for the following operating systems (Ref: 73750):

o    Fedora 19 (32-bit and 64-bit)

o    Oracle Enterprise Linux 4.x (32-bit and 64-bit)

o    OpenSUSE 12.1, 12.2, 12.3 (32-bit and 64-bit)

o    HP-UX 11.11, 11.23 PA-RISC (Normal and Trusted modes)

o    HP-UX 11.23 Itanium (Normal and Trusted modes)

o    Oracle Solaris 8 SPARC

·         Centrify DirectAudit will no longer support the following platforms starting with the next release (Ref: 56644, 61795, 64457, 68948, 71092, 73138):

o    AIX 5.3 (32-bit and 64-bit)

o    Linux Mint 15, 16 (32-bit and 64-bit)

o    Ubuntu Desktop 10.04 LTS (32-bit and 64-bit) - Estimated vendor EOL: 2015-04-30

o    Ubuntu Server 10.04 LTS (32-bit and 64-bit) - Estimated vendor EOL: 2015-04-30

o    Ubuntu Desktop 13.04, 13.10 (32-bit and 64-bit)

o    Ubuntu Server 13.04, 13.10 (32-bit and 64-bit)

o    Windows 2003 (32 and 64 bit), Windows 2003R2 (32 and 64 bit) – Estimated vendor EOL: 2015-07-14

·         The following operating systems are no longer supported (Ref: 56643, 61010, 66423, 69921):

o    CentOS Linux 4.4, 4.5, 4.6, 4.7, 4.8, 4.9 (32-bit and 64-bit x86)

o    Debian Linux 5 (32-bit and 64-bit x86)

o    Fedora 14, 15, 16, 17, 18 (32-bit and 64-bit)

o    Linux Mint Debian Edition 201204 (32-bit and 64-bit x86)

o    Linux Mint 12, 14 (32-bit and 64-bit x86)

o    OpenSUSE 11.0, 11.1, 11.2, 11.3, 11.4 (32-bit and 64-bit x86)

o    Red Hat Enterprise Linux 3 (32-bit and 64-bit x86)

o    Scientific Linux 4.4, 4.5, 4.6, 4.7, 4.8, 4.9 (32-bit and 64-bit x86)

o    SUSE Enterprise Linux 8.0 (32-bit x86)

o    SUSE Enterprise Linux 9.0, 9.1, 9.2, 9.3 (32-bit and 64-bit x86)

o    Ubuntu 10.10, 11.04, 11.10, 12.10 (32-bit and 64-bit x86, desktop and server)

o    VMware ESX 3.5 (32-bit)

o    VMware ESX 4.0, 4.1 (64-bit)

o    Windows XP (32 and 64 bit)

·         Please refer to http://www.centrify.com/products/all-supported-platforms.asp for the complete list of supported platforms.

3.   Bugs Fixed

3.1    Bug Fixed in DirectAudit 3.3.1 (Suite 2016.1)

3.1.1       General

·         Fixed a bug introduced in Suite 2015.1 where, when Centrify daemons were not responsive for any reason such as a system overload, communication between DirectControl and DirectAudit could time out, and during the recovery of the connection, vestigial data remaining might not be removed, causing communication problems between the DirectControl daemon and DirectAudit daemon and DirectAudit using the wrong user profile from DirectControl. This issue was also addressed in the recent update of Suite 2016. (Ref: CS-39728)

·         In prior versions, if the SQL Server service hosting the Management database is run under a virtual service account (e.g., NT SERVICE\MSSQLSERVER), all Audit Store databases are shown as offline in Audit Manager, and Audit Analyzer cannot display results from those Audit Store databases.  This issue is fixed in this release. (Ref: CS-39546)

·         In prior versions, if there are any DirectAudit installations in Active Directory that are not recognized (e.g., DirectAudit installations created by newer versions of DirectAudit), the “Connect to DirectAudit” dialog box in both Audit Manager and Audit Analyzer stops searching for more DirectAudit installations.  This results in DirectAudit installations missing from the selection.  This issue is fixed in this release.  The “Connect to DirectAudit” dialog box now skips the DirectAudit installations that it cannot recognize and continues to search for other DirectAudit installations in Active Directory. (Ref: CS-39832)

3.1.2       Windows Install / Upgrade / Uninstall

·         N/A

3.1.3       Collector

·         In prior versions, DirectAudit limits the audit store database size to 4GB even when SQL Server 2014 Express Edition is used.  This issue is fixed to allow the audit database to reach 10GB which is the maximum for SQL Server 2014 Express Edition. (Ref: 39634)

3.1.4       Audit Analyzer and Session Player

·          N/A

3.1.5       Audit Manager

·         In prior versions, if the server collation of SQL Server that hosts the Audit Store database is set to “Turkish_CI_AS”, Audit Manager cannot add a new Audit Store database. This issue is fixed in this release. (Ref: CS-39497)

·         Fixed an issue in the Add Audit Store Database Wizard that results in an incorrect SPN getting stamped when the SQL Server hosting the Audit Store database is listening on more than one port. (Ref: CS-39969)

3.1.6       Centrify UNIX Agent for Audit

·         In Suite 2016.1, to allow for better control of ssh session capturing, DirectAudit will now always capture sessions using "ssh -T" option, with the following limitations in the recorded session:

1.  There is no command recognition and indexing for the session.

2.  The left panel of the session player will be blank.

3.  When the session is replayed, the entered command will not be shown; however, output from the command will be shown.

The ssh -T option does not create a pseudo-terminal for the ssh session and is primarily used for remote command/script execution. In releases prior to Suite 2016.1, such sessions were not captured by DirectAudit unless the configuration parameter dash.allinvoked was set to true (which captures all sshd traffic, regardless of whether the ssh session has a pseudo-terminal or not). Please contact Centrify Technical Support if you want to preserve the previous behavior. (Ref: CS-39421)

·         Removed an unnecessary warning when enabling/disabling NSS on Solaris 11 or newer.  (Ref: 6955)

·         DirectAudit NSS now returns a nologin shell for an audited user if the DirectAudit daemon is down or busy, and the nologin shell can be configured in centrifydc.conf. When the DirectAudit daemon is not available (e.g., when it is stopped or cannot audit the user due to an overload condition), the DirectAudit NSS module returns a nologin shell for an “audit required” user.  In prior versions, this shell was not configurable.  In Suite 2016.1, the administrator can configure this nologin shell using the DirectControl parameter nss.shell.nologin. (Ref: 39857)

 

3.1.7       Database

·          N/A

3.1.8       Centrify Audit Module for PowerShell

·          N/A

3.2    Bug Fixed in DirectAudit 3.3.0 (Suite 2016)

3.2.1       General

3.2.2       Windows Install / Upgrade / Uninstall

·         Fixed an issue where the Database Maintenance Wizard was not checking if the logged-in user had enough database privileges to finish the entire upgrade process, which could result in an incomplete upgrade of DirectAudit databases. This was resolved by enforcing a permission check before the wizard proceeds with upgrading the databases. (Ref: CS-6710)

3.2.3       Collector

·         If the collector’s system locale is Turkish (Turkey) and the domain name contains the letter “i”, the collector sets up the SPN (Service Principal Name) incorrectly in the Active Directory computer object, resulting in DirectAudit Unix/Linux agents being unable to connect to this collector.  This issue is fixed in Suite 2016. (Ref: CS-7116)

·         There was a memory leak issue with Collector under certain stress conditions in releases prior to Suite 2015.1.  This memory leak issue is fixed in Suite 2015.1. (Ref: CS-6788)

3.2.4       Audit Analyzer and Session Player

·          Fixed an issue in the Audit Analyzer console where an unexpected error could be generated when connecting to a newer version of a DirectAudit installation with a query result containing one or more reviewed sessions. (Ref: CS-5893, CS-7135)

·         Fixed an issue in the Audit Analyzer console where roles "<none>" and "<self>" were not included when exporting results of an Audit Events query (All, Grouped by Role) to an HTML file. (Ref: CS-7114)

·         Fixed an issue introduced in Suite 2015.1 where a quick query could fail when a Version 1 (V1) DirectAudit database was attached to an Audit Store. (Ref: CS-7096)

3.2.5       Audit Manager

·         Fixed an issue where the Audit Notification message window could show unrecognizable characters if the source message text file contained Latin characters. (Ref: CS-6547)

·         Fixed an issue in Audit Manager  where databases could show a status of "Loading..." for an extended period of time when Audit Analyzer console was deleting large sessions in the background. (Ref: CS-7023)

3.2.6       Centrify UNIX Agent for Audit

·         Fixed an issue where dadebug does not use the settings of “logger.facility.*” parameters in /etc/centrifyda/centrifyda.conf. (Ref: CS-7088)

·         In Solaris, if the passwd stanza in nsswitch.conf is set up as “passwd: compat centrifyda centrifydc”, nscd may crash.  This issue is fixed in Suite 2016. Note that this is not a supported configuration, as all local users are NOT audited. Also note that "dainfo -u <local user>" will report an incorrect audit level because compat is before centrifyda/centrifydc. (Ref: CS-6976)

·         Fixed a command recognition issue where the output from the "man" command could be falsely identified as user commands. (Ref: CS-6839)

·         Fixed an issue where a user reboot would fail when DirectAudit's debug level was set to DEBUG or higher.  (Ref: CS-38508)

·         In Solaris, dainfo may return incorrect status about session auditing (NSS) in sparse zone when session auditing is disabled in global zone.  This is fixed in Suite 2016. (Ref: CS-6981)

·         When dzdo/sudo is enabled for command auditing and the output is sent to a pipe, some keystrokes may be missing when the session is exported by Audit Analyzer.  This issue is fixed in Suite 2016. (Ref: CS-38812)

·         Starting in Suite 2015.1, DirectAudit also supports AppArmor in Debian and Ubuntu systems.  AppArmor in SuSE Linux has been supported since Suite 2013.3.  (CS-5156)

·         In SuSE Linux Enterprise Server 11 and newer, users (except root) may become unaudited after rejoining a zone. This problem was caused by improper handling of AppArmor security settings. It has been fixed in Suite 2016. (Ref: CS-7163)

 

3.2.7       FindSessions Tool

·         Fixed an issue in the DirectAudit FindSessions utility where exporting a session to a file would fail if the session user's name contained one or more special characters, for example "<" or ">". (Ref: CS-38935)

·         Fixed an issue where the DirectAudit FindSessions utility would throw an unhandled exception when searching sessions from an Audit Store that has ten or more Audit Store databases attached to it. (Ref: CS-7174)

 

 

3.2.8       Database

·         Fixed a database issue where an authorization failure could occur when the required database permissions of an outgoing account were delegated indirectly via an Active Directory group. (Ref: CS-6838)

 

3.2.9       Centrify Audit Module for PowerShell

·         N/A

3.2.10     Windows Agent

 

·         Video capture for Metro UI and tile applications in Windows 8 and Windows Server 2012 works correctly in Suite 2016. (Ref: CS-5241)

·         If the DirectAudit Windows agent is installed by a user who is not a member of the local administrator group, the Audit Notification window does not appear when the user logs in.  This is fixed in Suite 2016. (Ref: CS-7157)

·         Fixed an issue where the Audit Notification message window could show unrecognizable characters if the source message text file contained Latin characters. (Ref: CS-6547)

 

 

3.3    Bug Fixed in DirectAudit 3.2.3 (Suite 2015.1)

3.3.1       General

·         Fixed a problem with the syntax of parameter "dash.obfuscation.*", introduced in DirectAudit 3.2.2, which could cause a problem during upgrade. The syntax is now correct and will be converted to the new syntax during upgrade. Please note: When using the group policy “Defining information pattern in custom format to obfuscate sensitive information” and/or “Defining information pattern in regex format to obfuscate sensitive information” to set up these parameters, an upgrade DOES NOT convert the value of these parameters.  Please ensure you change the values of these two group policies or the obfuscation will not take effect on the DirectAudit 3.2.3 Unix agents. (77348)

·         In prior releases, if an audited Unix user displays the content of a random binary file in an interactive terminal session, the whole session can be replayed correctly but commands executed after the binary file display are not saved in the database and cannot be searched. This is fixed in Suite 2015.1. All the commands are now saved and can be searched.

3.3.2       Windows Install / Upgrade / Uninstall

·         N/A

3.3.3       Collector

·         Fixed a problem where the collector config wizard would always show the computer account under the "Windows authentication" radio button, which is not correct if the active Audit Store database is on the same machine as the collector. It will now show the Local System Account if the active Audit Store database is on the same machine as the collector. (75261)

3.3.4       Audit Analyzer and Session Player

·         The review status tab of the “session properties” page is modified to show the change history of review status.  You can click on each review status change to find out who changed the session review status, the timestamp of the change and any associated comment.  Also, new session review comments will not overwrite previous review comments. (74110)

·         Fixed a problem where the Audit Analyzer console would display an error when attempting to connect to a DirectAudit installation from a different forest when the current forest did not have DirectAudit installed. (76633)

·         The Audit Analyzer now shows the total number of resulting sessions at the bottom of the console window when the scope node on left side panel is selected. (76852)

·         Fixed a problem where the Audit Analyzer console could become unresponsive when an Audit Events query returned a very large number of events. The Audit Analyzer console now fetches only the first 65535 items from the search result, which is the limit of the MMC console display. If there are more than 65535 items, Audit Analyzer displays a message that there are more results. (77037)

·         Fixed a problem where exporting WMV video in excess of 2048x2048, such as when recording multiple monitors, would fail. The video is now trimmed to a maximum of 2048x2048 before saving it as a WMV file. (75163, 27003)

3.3.5       Audit Manager

 

·         Previously, when there were multiple audit stores in the same DirectAudit installation and a collector switched from one audit store to another, Audit Manager showed the same collector multiple times, which was confusing. This is now fixed to only show the collector under the currently associated audit store. (56214)

3.3.6       Centrify UNIX Agent for Audit

·         Fixed a problem where, if the collector configuration was changed (e.g., a new collector was added), the Unix agent could take up to 4 hours to recognize the change unless the DirectAudit daemon was restarted. The dareload command now forces the DirectAudit daemon to recognize the new collector configuration. (79010).

·         Fixed an issue where a user with a nonexistent shell could momentarily log in to the system and get a warning message. Now a user with a nonexistent shell will not be able to log in at all to the system. (78560).

·         Fixed a problem where the contents of files were being captured in DirectAudit session logs. This problem has been fixed in DirectAudit 3.2.2 and later. (68190)

·         "dacontrol -d" now removes "/bin/centrifyda" from /etc/shells and /etc/security/login.cfg on AIX. (75118)

·         In DirectAudit 3.2.2, there are instances of unnecessary error and warning messages such as “Error encountered while opening audit database: DBQC is not open”, “Unable to move corrupt /var/centrifyda/spool-xxx out of the way: No such file or directory (error: 2)”.  Most of them are due to incorrect error detection in the DirectAudit daemon.  In reality, the spool files are all in good condition. These issues are now fixed.  (78073, 79304)

·         Fixed a problem where the DirectAudit daemon could fail to connect to a collector if there is no Active Directory site information. (79384)

·         Fixed a problem where restarting syslog daemon could result in a system hang. (80107)

·         In prior releases, if an audited Unix user displays the content of a random binary file in an interactive terminal session, the whole session can be replayed correctly but commands executed after the binary file display are not saved in the database and cannot be searched. This is fixed in DirectAudit 3.2.3. All the commands are now saved and can be searched. (78663)

·         Fixed a problem in the upgrade where if a file reference was used in parameter value and the file was not located in /etc/centrifyda, the parameter value could become empty after the upgrade. Note that this bug fix requires DirectControl 5.2.3 in Suite 2015.1. (77773)

 

·         The Unix agent temporarily disconnects from the collector and is in disconnected state for a short time when the Kerberos context expires.  This issue is now fixed.  The Unix agent now automatically reconnects to a collector immediately when the Kerberos context expires. (79174)

 

·         In earlier versions of DirectAudit 3.x (prior to DirectAudit 3.2.3), if an application that calls getpwuid() and/or getpwnam() has more than 1024 open files and nscd/pwgrd is not running, the application may crash inside the getpwuid()/getpwnam() call.  This issue is fixed. (80532)

3.3.7       Database

·         Improvements to performance and scalability.

3.3.8       Centrify Audit Module for PowerShell

·         Get-CdaAuditSession cmdlet can now return the Zone value of the UNIX session correctly even if the UNIX agent is joined to Auto zone or Null zone. (Ref: 79550)

 

3.4    Bug Fixed in DirectAudit 3.2.2 (Suite 2015)

3.4.1       General

·         The logger service for DirectAudit Windows components (agent, collector, etc.) now rotates logs if they are larger than 100M (in addition to the daily log rotation already there). The format of the log filename has been modified with an extra index to accommodate this change, e.g. from previous filenames like DirectAudit_2014_9_15_3.2.2.107.log to new filenames like DirectAudit_2014_9_15_000_3.2.2.107.log, DirectAudit_2014_9_15_001_3.2.2.107.log, etc. (Ref: 65726)

3.4.2       Windows Install / Upgrade / Uninstall

·         From Suite 2013 onward, the DirectAudit Easy Installer (setup.exe) will automatically write verbose level installation and configuration logs to the logged-in user's temporary folder (%TEMP%). All logs are written to a text file named DirectManage_Audit_Setup_YYYY_MM_DD.log and they can be used to troubleshoot errors encountered while running Easy Installer Wizard or Configuration Wizard or Database Maintenance Wizard. (Ref: 27647)

·         From Suite 2015 onward, DirectAudit component installers will try to automatically install and enable Microsoft .NET 3.5 on Windows 8 and Windows Server 2012 platforms using the Deployment Image Servicing and Management (DISM) tool. In previous versions, the administrator needed to install and enable this feature manually before installing any of the DirectAudit components that relied on it. (Ref: 68246)

3.4.3       Collector

·         In previous releases, the Collector Control Panel message “Error: The ConnectionString property has not been initialized.” means no active database was attached to the Audit Store that the collector is associated with.  This release changes the message to “The Collector is not able to connect to Audit Store 'AuditStoreName': there is no active Audit Store database configured.” (Ref: 68158)

3.4.4       Audit Analyzer and Session Player

·         DirectAudit Session Player now remembers its previous screen location and size. (Ref: 62948)

·         In previous releases, audit sessions from Unix systems that are joined to NULL zone cannot be replayed in the Session Player.  This is fixed in this release. (Ref: 63368, 63946)

·         In DirectAudit Audit Analyzer options dialog, after you make changes in the “Log Settings” or “Player Settings” tab, you switch to the “SMTP Configuration” tab.  If all the fields in this tab are blank, the error message “Please specify sender email address” will be displayed.  This error message is unnecessary and it is removed.  (Ref: 71650)

·         The session list has a new column, "Account," which displays either UnixUser if it is available, or UserName. (78372).

3.4.5       Audit Manager

·         In the result pane of Audited Systems node of Audit Manager MMC console, a text filtering control is added for each column, so that you can select a subset of audited systems for display.  The filtering is case insensitive and uses "contains" as search criteria. For example, “w2k8x86-1.domain.test” and “W2K8X64-1.domain.test” both match “w2k8” entered in the filtering control, as both contain “w2k8” case insensitively. (Ref: 63080)

·         In previous releases, if an older version of the Audit Manager console is used to connect to a newer version of a DirectAudit installation, a popup box is shown informing the user that an Audit Manager console upgrade is available. From Suite 2015 onward, the user can select a checkbox on this popup to prevent seeing this message in future. (Ref: 69334)

3.4.6       Centrify UNIX Agent for Audit

·         In previous releases, command auditing creates a symbolic link to replace the command under audit. These symbolic links are not compatible with mkinitrd, which copies the actual executables. A new option is added to dacontrol which an administrator can use to easily suspend all command auditing while running mkinitrd and resume it afterwards. (Ref: 57842)

·         In previous releases, the DirectAudit NSS/LAM module returns the Centrify DirectAudit shell (/bin/centrifyda) as the user’s shell, even when the user is listed in dash.user.skiplist. This causes incompatibility issues with third party software that has different behaviors based on different login shells. This bug is fixed in DirectAudit 3.2.2. Users specified in dash.user.skiplist are not processed by the DirectAudit NSS/LAM module, so the original login shell is returned in getpwnam() and getpwuid() calls. (Ref: 70081, 70142)

·         In previous releases, the DirectAudit NSS/LAM module sets the pw_shell field in the passwd struct to cdash (/bin/centrifyda) when it processes getpwuid()/getpwnam() calls. This might not be desirable for some shell-name-dependent applications. In DirectAudit 3.2.2, the DirectAudit NSS/LAM module is enhanced to reply with a shell that has the same name as the user’s login shell and resides in a subdirectory. For example, if the user’s login shell is /bin/sh, the DirectAudit NSS module replies with /bin/cdax/sh. This helps DirectAudit integrate with those applications more seamlessly. dacontrol uses the file /etc/shells (and /etc/security/login.cfg) to determine the list of shells to enable for this feature. When you install a new shell, please ensure that the shell is added to the files above, and run ‘dacontrol -e’ again. Also, make sure that the path name specified in the user profile (which is not necessarily where the file is located when a symlink is used) is added to the files. For example, if /bin/bash is specified in the user profile and it is a symbolic link to /opt/shareware/bin/bash, make sure that /bin/bash is added. (Ref: 56920, 60838)

·         In previous releases, if the user tried to ‘su’ to a local account that had no shell specified in /etc/passwd (usually for a service account not allowing direct login), the user would receive an error message and be left with the emergency shell. This has been fixed. Such a user can continue with the default system shell. In addition, auditing of the su session for such a user depends on whether the original session is audited or not, instead of the audit level set for the user. The su session is audited only if the original session is audited. (Ref: 66910, 68076)

·         In previous releases, after a UNIX command is enabled for auditing, users with no permission to execute that command would be redirected to launch an emergency shell. The user would also see a misleading error message, in which there is no hint about permission denied. This issue has been fixed since DirectAudit 3.2.1. A user with no permission to execute the audited command will see a clear error message about permission denied and is not redirected to any other shell. (Ref: 52556)

·         For an Active Directory user whose Unix login session is audited, the username of the session uses the userPrincipalName instead of samAccountName@domain. (Ref: 64796, 68925)

·         The DirectAudit Installation configured by dacontrol was incorrectly saved into DirectControl's working directory in Suite 2014, and hence it would be wiped out by DirectControl agent after leaving a domain. This issue has been fixed by properly placing the Installation into DirectAudit's working directory. (Ref: 62759)

·         When “dainfo”, “dacontrol” or “dacontrol -q” is run and no command has been enabled for auditing, the utilities used to display the message “DirectAudit is not configured to audit individual commands”, which is confusing. The message is changed to "DirectAudit is not configured for per command auditing.". (Ref: 69384)

·         Group policies specified using DirectAudit ADM templates shipped with DirectAudit 3.1.1 or prior releases use different locations than those shipped with DirectAudit Unix Agent 3.2.0 and 3.2.1, and cannot be used by DirectAudit Agent 3.2.0 and 3.2.1. The DirectAudit Unix Agent now looks for the group policies specified in DirectAudit 3.1.1 or earlier locations if it cannot get the information. (Ref: 75174)

·         In previous releases, you can enable NSS auditing in a sparse zone even though NSS auditing is disabled in the global zone on Solaris machines. Starting in Suite 2015, you must enable NSS auditing in the global zone first, before enabling NSS auditing in a sparse zone. (Ref: 75464, 75950)

·         There is a file descriptor leak when an audit trail event is logged in Solaris machines. This is now fixed. (Ref: 65106, 68204)

·         There is a memory leak in DirectAudit LAM module in AIX when getting attributes for a user.  This is now fixed. (Ref: 72194, 73570)

·         Fixed an issue where the NSS module would display incorrectly on sparse/whole zone when installing DirectAudit with NSS disabled on a global zone. (76572).

3.4.7       Database

·         This release addresses a security vulnerability that may result in data leakage in the DirectAudit component of Server Suite Enterprise Edition.  Security rating is low. If you are using versions prior to Suite 2015, you need to apply the workaround described in KB-5070.  There is no need to apply the workaround if you are using DirectAudit 3.2.2 or later.  (Ref: 76167)

·         This release fixes the problem when AuditStore database’s File Autogrowth setting is set to “Restricted File Growth”, the collector state changes to “AuditStore database is full” and stops accepting audit data when the AuditStore database file size does not reach the limit (even when there is enough space in the volume for the database file to grow). (Ref: 67264)

·         In order to upgrade DirectAudit databases, the user performing the upgrade must have either sysadmin rights on the database server OR must be a member of db_owner database role on each of the databases being upgraded. Also, the user must be granted with EXTERNAL_ACCESS_ASSEMBLY privileges on the database server. In Suite 2014.1, this permission check was not enforced which resulted in Database Maintenance Wizard trying to create a database index two times and subsequently failing the database upgrade process. This issue has now been resolved. (Ref: 72097)

 

4.   Known Issues

The following sections describe known issues, suggestions, and limitations associated with DirectAudit.

4.1    General

·         For more information on known issues with individual UNIX or Linux platforms, see the release notes included with each platform agent bundle.

·         For the most up-to-date list of known issues, refer to the knowledge base articles in the Centrify Support Portal.

·         In an environment with one or more DirectAudit installations already deployed using Suite 2015.1 or older releases, if a new DirectAudit installation with one or more databases participating in a SQL Server Availability Group is deployed, certain scenarios may not work and may cause older Audit Manager, Audit Analyzer and collectors to fail to discover all DirectAudit installations in the environment. These issues affect environments where the multi-subnet failover feature of SQL Availability Group is used for the newly created DirectAudit installation. Please contact Centrify support to provide a solution best suited to your environment. (Ref: CS-40017)

·         Some versions of AIX sshd do not function reliably with Centrify products. When possible, Centrify recommends using sshd included in Centrify openSSH on AIX platforms. (Ref: CS-7098)

·         From Suite 2014 onward, the user name in Audit Trail events is stored in UPN (user@domain) format. For domain users, the user name is stored in user@domain format; and for local users, the user name is stored in user@computer format. If you are upgrading from releases prior to Suite 2014, the upgrade process will not automatically update the user information that already exists in the database. Auditors can continue to use the old formats (SHORT_DOMAIN_NAME\username or user@domain) to query Audit Trail events that were generated before the upgrade. (Ref: 54985a)

·         The characters (‘%’, ‘#’, ‘>’ and ‘$’) are used by DirectAudit to recognize UNIX commands.   They should not be used in role names and as part of trouble-tickets; otherwise they will be recognized as part of a UNIX command. (Ref: 51687a)

 

4.2    Windows Install / Upgrade / Uninstall

·         When upgrading DirectAudit in Windows, you should use the autorun program to perform the upgrade. The autorun program automatically upgrades other Centrify components such as Centrify Deployment Report. If you upgrade DirectAudit components individually using the Microsoft Installer (msi) and then attempt to use the autorun program to uninstall all components, autorun will only be able to uninstall the Centrify Deployment Report that were upgraded to the latest version. You can remove any remaining components manually using the Add/Remove Programs and Features Control Panel. (Ref: 46293a)

·         If you run setup.exe with all DirectAudit components selected for installation on a single computer, the operation is known as the “Easy Install.” Although this is the default for new installations, using the “Easy Install” option requires you to have local administrator privileges.

·         If you uninstall the collector component on a computer that is not joined to the domain, you will see the following messages during an uninstall operation:

The specified domain either does not exist or could not be contacted.

(Exception from HRESULT: 0x8007054B)

Despite the alert message, the collector is successfully uninstalled when you click OK.

·         If the collector is using SQL authentication to communicate with the Audit Store database and you upgrade the collector to the latest version of DirectAudit using the MSI installer, the upgrade may remove the encrypted SQL credentials from the local registry and the collector may stop functioning. To work around this issue, please use the EXE installer to perform the upgrade or run the Collector Configuration wizard immediately after the upgrade and re-enter the SQL credentials when prompted. (Ref: 76459, CS-6566)

4.3    Collector

·         In the Collector Configuration wizard, if the account credentials you give for the SQL Server do not match an existing account on the SQL Server, and you have the rights to create SQL Server accounts, the credentials you give will be used to automatically create a new SQL Server account.

4.4    Audit Analyzer and Session Player

·         If the active audit store database spans two SQL databases, the Audit Analyzer will show UNIX sessions as "Disconnected" until some data is received from those sessions. Once data has been received, the session state will change to "In Progress."

·         If an audited Windows session is using multiple monitors in extended mode in DirectAudit 3.2.2 or earlier, it cannot be exported as WMV files. In DirectAudit 3.2.3 or later, it will be trimmed to 2048x2048 pixels before it is saved and can be exported as a WMV file in 2048x2048 resolution. (Ref: 27003a, 75163, CS-6450, CS-3265).

·         When the Windows agent machine’s system color depth is changed during an audited session, the playback of the session may not be displayed properly. (Ref: 36818c)

·         Entering specific keywords in the “Application” Event list column will not filter based on the keywords as expected. For example, entering the search term "c" will locate the string "Windows Explorer". This is because application characteristics are stored in the database as a set of related attributes as follows: "Explorer.EXE | Microsoft® Windows® Operating System | Windows Explorer | Microsoft Corporation | 6.1.7600.16385" A match with any of the Windows Explorer attributes will yield “Windows Explorer".  This issue will be addressed in an upcoming release. (Ref: 39645b)

·         In Audit Analyzer, you can specify double-quote enclosed strings in the query that searches for “Unix Commands and Outputs” attribute.  However, if a double-quote character is inside the double-quote enclosed string, the query result is undefined.  (Ref: CS-39348)

·         If a DirectAudit Installation is configured to not capture video data, parameters of the UNIX command are also not captured. Therefore, the query using "Parameters of Commands and Applications" as the criteria does not work under this configuration. This is a known issue and will be addressed in a future release. (Ref: 55741b)

·         If you open Audit Analyzer and right click on any child node of predefined queries such as "All, Grouped by User", "All, Grouped by Machine" or "All, Grouped by Audit Store" in the left pane, the context menu is displayed and it shows a menu item named "Properties". This context menu item, when clicked, does not open any dialog box because it is not a valid action for the selected child node. This menu item will be removed in a future release. (Ref: 48681b)

·         By default, Audit Analyzer uses MSS2 codec to export audited sessions to a WMV (Windows Media Video) file. The MSS2 codec has a known issue which results in fuzzy video when an audited Windows session is exported as WMV file and opened in Windows Movie Maker 2012. From DirectAudit 3.2.0 onward, you can specify your own codec to export an audited session to a WMV file. Please refer to KB-4029 for additional information. (Ref: 56021a)

4.5    Audit Manager

·         In the Notification tab of the Installation Properties dialog, a dynamic GIF file is not supported as the banner image file. (Ref: 32793c)

·         If you assign DirectAudit permissions to a Domain Local group, which is not in the current domain in the Audit Manager Installation Property Security tab, and a user belonging to that group runs Audit Analyzer and tries to connect to the DirectAudit Installation, Audit Analyzer will display the warning “You do not have permission to connect to the SQL server.”   A workaround is to grant permission to a Global or Universal group instead. (Ref: 25546c)

4.6    Centrify UNIX Agent for Audit

·         Centrify recommends that customers use the session auditing capability of DirectAudit, rather than auditing individual commands, to ensure the complete login session is audited. When the administrator configures DirectAudit to audit a specific command, DirectAudit moves the original command executable to a different location and replaces it with a symbolic link to the DirectAudit shell. It is possible for a user to find out the new location of the executable and run that command directly to bypass auditing. Although the likelihood of this happening is very small, Centrify recommends that session auditing be turned on to avoid the chance of this happening.

·         If a user is logged in to AIX and HP-UX via a GUI, for example Xmanager, a terminal opened in the GUI will not be audited. To work around this issue, set the centrifyda.conf parameter 'dash.allinvoked' to true. (Ref: 66330, CS-5876)

·         Uninstalling Centrify DirectAudit on a Solaris 10 with sparse zone configured will fail unless Solaris 10 patch 119255-66 has been installed. (Ref: CS-6912)

·         For Solaris, please contact technical support if you are using sparse zone(s) and would like to do one of the following:

o    Change session auditing status from disabled to enabled during upgrade.

o    Enable session auditing in a global zone and disable session auditing in sparse zone(s) when using the same global zone.  (Ref: 76572, 80616b)

·         If you upgrade DirectControl but not DirectAudit, Centrify recommends rebooting the system after upgrade. (Ref: 54644)

·         Obfuscation of session data has the following limitation: If the information is sent to stdout not as a whole, but piece by piece, the information will not be obfuscated. Example: A user wants to obfuscate a pattern "1234-5678". However, "1234-" is shown first and "5678" is shown 1 second later, this pattern will not be obfuscated.  Since the stdout buffer in the audit shell is 4KB, the obfuscation string is at most 4KB long. Note: this applies to stdout only. (80462a)
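A small model of the stdout limitation above, added here for illustration and not DirectAudit's implementation: it assumes masking is applied to each write on its own, uses sed as a stand-in, and the function names and PATTERN variable are hypothetical. count_unmasked doubles as a check to run over exported session text when verifying that a pattern was actually masked.

```shell
#!/bin/sh
# Added example: model of masking applied to each stdout write in isolation.

# Extended regex for the page's sample value "1234-5678" (constructed).
PATTERN='[0-9]{4}-[0-9]{4}'

# Each argument stands for one write to stdout. Every write is masked on its
# own and the results are concatenated, as they would sit in the stored session.
mask_per_write() {
    for chunk in "$@"; do
        masked=$(printf '%s\n' "$chunk" | sed -E "s/$PATTERN/****-****/g")
        printf '%s' "$masked"
    done
}

# Count occurrences of the pattern that survive in recorded text.
count_unmasked() {
    printf '%s\n' "$1" | grep -oE "$PATTERN" | wc -l | tr -d ' '
}

# Usage:
#   mask_per_write "card 1234-5678"      (pattern arrives in one write)
#   mask_per_write "card 1234-" "5678"   (pattern arrives in two writes)
```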

·         On HPUX 11.31, system patch PHNE_40225 or newer must be installed for the proper operation of Centrify DirectAudit. (Ref: 77054a)

·         Fields <uid> and <usertype> in the “nss.user.override.userlist” parameter in centrifyda.conf are reserved for future use and should be left unspecified.  Centrify recommends that the customer uses only the <username> and <audit-level> fields in this parameter. (77543).

·         Using the CLI command, "dastop" to stop the DirectAudit daemon, "dad," can result in unpredictable behavior in some systems. Instead, the script, "/usr/share/centrifydc/bin/centrifyda" should be used by administrators to start and stop the DirectAudit Daemon. (72292).

·         In releases previous to Suite 2015, the DirectAudit NSS/LAM module set the pw_shell field in the passwd struct to cdash (/bin/centrifyda) when it processed getpwuid()/getpwnam() calls. This might not be desirable for some shell-name-dependent applications. In DirectAudit 3.2.2, the DirectAudit NSS/LAM module is enhanced to reply with a shell that has the same name as the user’s login shell and resides in a subdirectory. For example, if the user’s login shell is /bin/sh, the DirectAudit NSS module replies with /bin/cdax/sh. This helps DirectAudit integrate with those applications more seamlessly. dacontrol uses the file /etc/shells (and /etc/security/login.cfg) to determine the list of shells to enable for this feature. When you install a new shell, please ensure that the shell is added to the files above, and run ‘dacontrol -e’ again. Also, make sure that the path name specified in the user profile (which is not necessarily where the file is located when a symlink is used) is added to the files. For example, if /bin/bash is specified in the user profile and it is a symbolic link to /opt/shareware/bin/bash, make sure that /bin/bash is added. (Ref: 76265)
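One way to check the /etc/shells requirement described above before running dacontrol, as an added example that is not Centrify code: the function name, output format and default file paths are assumptions, and it relies on readlink being available on the platform.

```shell
#!/bin/sh
# Added example: report login shells from a passwd-format file that are
# missing from a shells list. Both file arguments default to the system files.

# Prints "user:shell:reason" for every account whose profile shell path is
# not listed verbatim in the shells file.
unlisted_login_shells() {
    passwd_file=${1:-/etc/passwd}
    shells_file=${2:-/etc/shells}

    # Field 7 of a passwd entry is the login shell; skip accounts with none.
    awk -F: '$7 != "" { print $1 ":" $7 }' "$passwd_file" |
    while IFS=: read -r user shell; do
        # Exact whole-line match: the profile path itself must be listed.
        if grep -qxF -- "$shell" "$shells_file"; then
            continue
        fi
        reason="not-listed"
        # The pitfall from the text: the profile path is a symlink and only
        # the link target (where the file really lives) has been listed.
        if [ -L "$shell" ]; then
            target=$(readlink "$shell")
            if grep -qxF -- "$target" "$shells_file"; then
                reason="only-symlink-target-listed"
            fi
        fi
        printf '%s:%s:%s\n' "$user" "$shell" "$reason"
    done
}

# Usage: unlisted_login_shells /etc/passwd /etc/shells
```

Any line reported as only-symlink-target-listed is the /bin/bash versus /opt/shareware/bin/bash case from the text: add the profile path itself to the shells file.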

·         In DirectAudit 2.x, the configuration parameter ‘dash.user.alwaysallowed.list’ in centrifyda.conf specifies a list of users that DirectAudit will always allow the user to login even if the environment cannot do auditing. However, this parameter cannot be honored by DirectControl agent when DirectAudit 3.X is installed and is not functional.

In DirectAudit 3.x, a better integrated solution is implemented using the "rescue/always permit login" sysright. This sysright is honored by both DirectControl and DirectAudit and it deprecates the ‘dash.user.alwaysallowed.list’ parameter. Hence, in an upgrade scenario from DirectAudit 2.x to DirectAudit 3.x, please assign the users in ‘dash.user.alwaysallowed.list’ list to the "always permit login" role (if any one of these users have "audit required" in their roles) as one of the steps in the upgrade procedure. (Ref: 64841a)

·         Starting from DirectAudit 3.2.0, dash.force.audit has been deprecated and is no longer needed in the configuration of command-level auditing for managed computers. As a result, it is no longer included in the configuration file (centrifyda.conf) by default. For details, please refer to the Configuration and Tuning Reference Guide. (Ref: 56822a)

·         Auditing init during startup on UNIX is not possible.  The init command used during the boot process should not be audited using per-command auditing. If you attempt to audit init, your operating system will not reboot properly.

·         You cannot start a GUI session if you are logged in via an interactive session.  Running startx or starting a GUI session from an interactive session results in the following message:

X: user not authorized to run the X server, aborting.

Workaround:

-          Run "sudo dpkg-reconfigure x11-common"

-          When you are prompted for users allowed to start the X server, choose "anybody" (the default is "console users only").

The GUI session or X server should start normally. (Ref: 25036a)

·         Local AIX users cannot be audited when they log in via built-in ssh, due to a change in AIX 7.0 ML1. Customers are advised to install Centrify OpenSSH if auditing of ssh login by local users is required (Ref: 33299a).

·         To audit the GUI terminal emulators, GUI login managers have to be fully reinitialized after auditing is enabled. On Linux, "init 3 && init 5" will start the reinitialization. (Stopping the X server only, or pressing ctrl+alt+backspace in Gnome, will not start the reinitialization.)

·         The dzinfo utility is run by a wrapper script. The actual executable of dzinfo is located in /usr/share/centrifydc/libexec/dzinfo.

To enable auditing on dzinfo, a user is required to audit /usr/share/centrifydc/libexec/dzinfo.

NOTE: /usr/bin/dzinfo and /usr/share/centrifydc/bin/dzinfo are symbolic links to the wrapper script /usr/share/centrifydc/bin/cdcexec. Ensure that the executable, and not a symbolic link or wrapper script, is audited.
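A pre-check for the point in the NOTE above, as an added example that is not part of the Centrify tooling: it classifies a path as symlink, wrapper script or executable before you enable per-command auditing on it. The function names and output format are assumptions.

```shell
#!/bin/sh
# Added example: classify a path before enabling per-command auditing on it.

# Prints: missing | symlink:<target> | script:<first line> | executable | not-executable
audit_target_kind() {
    path=$1
    if [ -L "$path" ]; then
        printf 'symlink:%s\n' "$(readlink "$path")"
    elif [ ! -e "$path" ]; then
        echo missing
    elif [ "$(dd if="$path" bs=2 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = 2321 ]; then
        # Bytes 0x23 0x21 are "#!": an interpreter script such as a wrapper.
        printf 'script:%s\n' "$(head -n 1 "$path")"
    elif [ -x "$path" ]; then
        echo executable
    else
        echo not-executable
    fi
}

# Follow a chain of symlinks hop by hop (at most 16 hops) and print
# "<final path> <kind>", so a link that ends at a wrapper script is visible.
resolve_audit_target() {
    cur=$1
    hops=0
    while [ -L "$cur" ] && [ "$hops" -lt 16 ]; do
        target=$(readlink "$cur")
        case $target in
            /*) cur=$target ;;                       # absolute link target
            *)  cur=$(dirname "$cur")/$target ;;     # relative to the link's directory
        esac
        hops=$((hops + 1))
    done
    printf '%s %s\n' "$cur" "$(audit_target_kind "$cur")"
}

# Usage: resolve_audit_target /usr/bin/dzinfo
```

Only a path reported as executable is the kind of target the NOTE asks for; a symlink or script result means the path points at a link or wrapper instead.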

·         On Solaris, the following commands, located in /usr/bin, might be implemented as ksh programs or scripts:

    alias   bg      cd

    command fc      fg

    getopts hash    jobs

    kill    read    test

    type    ulimit  umask  

    unalias wait

To identify commands implemented as ksh scripts, run the following script:

    #!/bin/ksh -p

    cmd=`basename $0`

    $cmd "$@"

The commands that are implemented internally by ksh should not be audited.

·         On a system using SMF (Service Management Facility), such as Solaris 10, the DirectAudit daemon might not start up after an upgrade from DirectAudit 1.x. This does not affect a fresh installation. To bring the daemon up, run these commands:

1)  svcadm disable centrifyda

2)  svcadm enable centrifyda

Run 'svcs' and find 'centrifyda' to confirm the daemon is online.

·         When a local user and an Active Directory user use the same UNIX user name, the user name will default to the name of the Active Directory user. If the local user name is intended, setting the pam.allow.override parameter in /etc/centrifydc/centrifydc.conf will help. After this setting, the user name implies the Active Directory user, and <username>@localhost implies the local user.

DirectAudit 3.0 or later understands the "@localhost" syntax. DirectControl UNIX Agent will respond to <username>@localhost if the user name is set in pam.allow.override.

·         If you upgrade from DirectAudit 2.0, disable DirectAudit so that the new DirectAudit mechanism for hooking shells can be installed: Run 'dacontrol -d -a' to disable auditing, then restart the upgrade.

·         DirectAudit maintains a cache of user information for performance reasons. This cache interferes with UNIX commands that manipulate the local user database (passwd file). These commands include useradd, userdel and usermod. From DirectAudit 3.2.0 onwards, DirectAudit will not access its local cache to fully support the following commands: useradd, userdel, adduser, usermod, mkuser, rmuser, chuser.

Please contact support if your operating system platform has other programs that directly access the local passwd file.  (Ref: 56259a)

·         Change in AIX root user behavior: By default, all releases starting with Suite 2014 (DirectAudit 3.2.0) DO NOT modify the root stanza in AIX for new installations. One side effect is that root user login WILL NOT be audited. If your environment requires session auditing of root user login, you need to do the following:

a.       Set up a DirectAuthorize role that has the audit level of "audit required" or "audit if possible"; and assign this role to root.

b.       Set the parameter adclient.autoedit.user.root to TRUE in /etc/centrifydc/centrifydc.conf.

c.       If DirectAudit session auditing is not enabled, enable DirectAudit session auditing using the command "dacontrol -e".

d.       Restart adclient (Ref: 56239a, 56604a)

   For AIX customers who upgrade from prior versions of Centrify Server Suite 2014 (DirectAudit 3.2.0), there is NO change in behavior.   The parameter adclient.autoedit.user.root is set to true in /etc/centrifydc/centrifydc.conf.  The root user will still be audited. (Ref: 56235)

o    If session auditing is enabled, all local user logins are processed by DirectAudit to determine whether the session should be audited.  This may block login if domain controllers are not responsive and/or DirectControl agent is not running.  Two new parameters are introduced in /etc/centrifyda/centrifyda.conf:

- user.ignore: specifies a list of local users for which DirectAudit does not use Active Directory to determine the audit level. By default, the list is /etc/centrifydc/user.ignore (the same one that DirectControl uses), which includes some important accounts like root, bin, daemon, etc.

- user.ignore.audit.level: specifies the audit level for the local users specified in the user.ignore list. The supported values are 0 (audit if possible) and 1 (audit not requested/required). Default is 0 (audit if possible). Note that "audit required" is not a reasonable choice, as this user needs to log in all the time; and "audit required" may block login if DirectAudit does not function correctly. (Ref: 55599a, 57946a, 56935a, 58251a)

 

o    The /usr/share/centrifydc/bin/centrifyda script should be used to start/stop the DirectAudit service on all *nix platforms. However, systemd is not fully supported in /usr/share/centrifydc/bin/centrifyda. For platforms that use systemd by default (such as SUSE Linux Enterprise 12/SUSE Linux Desktop 12), users need to set the environment variable SYSTEMD_NO_WRAP to 1 before calling /usr/share/centrifydc/bin/centrifyda. Operations such as killing a daemon, running dad (DirectAudit daemon) directly, or running the dastop command could lead to issues in daemon managers on some *nix platforms. For example, SMF of Solaris, SRC of AIX and systemd of Fedora 20 may record an incorrect running status for the daemon, and may fail to start the daemon. (Ref: 57653a, 71211a)

 

4.7    Centrify Windows Agent for Audit

o    Some events related to the login script are not listed in the indexed events list. The login script cannot be audited for an initial few seconds because the DirectAudit Windows agent software has not completed its setup. (Ref: 26286a)

4.8    Database

·         When adding an Audit Store database to a SQL Server Availability Group with the multi subnet failover feature, the SQL Server that hosts the management database must be SQL Server 2012 or above. In addition, when upgrading an existing DirectAudit installation to use the SQL Server Availability Group feature, Centrify recommends upgrading Collectors, Audit Management Server service, Audit Manager consoles and Audit Analyzer consoles to the latest version to benefit from this feature. (Ref: CS-39872)

·         In previous versions of DirectAudit, it was possible to specify the location of the database file. In DirectAudit 2.0.0 and later this capability is not provided in the Audit Store Database Wizard. However, you can still specify the full text file location, database file location, or transaction log file location by choosing "View SQL Scripts" and modifying the relevant database location manually in the script.

·         If the default memory setting for SQL Server is more than the actual memory in the system, a memory error may occur. For more information see:

http://social.msdn.microsoft.com/Forums/en-US/sqldatabaseengine/thread/74a94f06-adf5-4059-bb92-57a99def37bd/

·         SQL Server 2008 R2 full text search categorizes certain words as stop words by default and ignores them for searches. Some stop words are common UNIX commands such as like, which, do, and while.  For more details about stop words and how to configure, please refer to http://technet.microsoft.com/en-us/library/ms142551.aspx

·         The collector monitors the active Audit Store database to check if it is running low on disk space. If the active Audit Store database is on a disk with a volume mount point, the collector may give a false alarm. In such cases, it is recommended to disable the detection by setting the following registry key with the type of DWORD to 0 on all your collector machines. (Ref: 53389a)

HKLM\Software\Centrify\DirectAudit\Collector\AuditStoreDiskSpaceLowThreshold

·         Collector only detects low AuditStore disk space against a configurable threshold if the SQL Server version is 2008 R2 SP1 (10.50.2500.0) and above. The threshold can be configured in the registry on the Collector machine: HKLM\Software\Centrify\DirectAudit\Collector\AuditStoreDiskSpaceLowThreshold (DWORD, in MB; if not configured, it defaults to 1024 MB). If free disk space is less than the threshold, the Collector state is changed to "AuditStore database disk space is low", and the Collector stops accepting audit data from Agent(s).

4.9    Audit Management Server

·         To configure the audit management server to point to an installation, the user who is running the Audit Management Server Configuration Wizard must have the "Manage SQL Logins" permission on the management database of the installation. For example, if you are configuring an audit management server in an external forest with a one-way trust, be sure that the installation supports Windows and SQL Server authentication and the account you are using is from the internal forest and has the "Manage SQL Logins" permission on the management database. (Ref: 46989a)

4.10  FindSessions Tool

·         For per-command auditing of dzdo command, when a ticket is entered, the role and ticket are associated with the audited session. For such sessions, the FindSessions tool’s export of type UnixCommand, UnixInput, or UnixInputOutput based on the role and/or ticket criteria will have the exported command, STDIN, or STDIN and STDOUT marked with role and ticket. When per session auditing is enabled, the exported data will not have role and ticket information. (Ref: 53936a)

·         When per-command auditing is enabled for the dzdo command, and role and trouble ticket capturing is also configured, FindSessions.exe run with the /export=UnixCommand option will not show the role and trouble ticket information in the exported file for the dzdo command itself, if the dzdo command executed is "dzdo su -" or "dzdo -i". However, all the commands executed within that dzdo session will have correct role and trouble ticket information. (Ref: 51787a)

4.11  Windows Agent

o    In the DirectAudit Windows Agent control panel, the setting “Maximum size of the offline data file” indicates the minimum amount of disk space (in percentage) that must be available/free in the spool volume in order to continue auditing users (especially when the DirectAudit Windows agent cannot send audit data to collector).  The DirectAudit Windows Agent makes its best attempt to pause auditing when the specified amount of disk space is no longer available and in certain cases may continue to write to spool volume for a few minutes before eventually pausing the auditing activity. (78072,  CS-6718)

4.12  Centrify Audit Module for PowerShell

·         Audit Module for PowerShell may take a long time to start because of the publisher's certificate verification.  To resolve the problem, disable the "Check for publisher's certificate revocation" option in System Control Panel\Internet Options\Advanced\Security. (Ref: 72499)

·         After installing Audit Module for PowerShell in an RDP session, PowerShell complains that the module "Centrify.DirectAudit.PowerShell" cannot be loaded. This is because the installation package needs to modify system environment variables to let PowerShell know where to load the module. This operation needs to be done in a "Console Session" if installation is done via RDP. To resolve this problem, log out and log back in, or run RDP with the "admin" option as "mstsc /admin" or "mstsc /console". (Ref: 72500a)

5.   Additional Information and Support

In addition to following instructions in the documentation provided with this package, you can find the answers to common questions and information about any general or platform-specific known limitations, as well as tips and suggestions, from the Centrify Knowledge Base on the Centrify Support Portal.

You can also contact Centrify Support directly with your questions through the Centrify web site, by email, or by telephone. To contact Centrify Support or to get help with installing or using this version of Centrify DirectAudit, send email to Support or call 1-669-444-5200, option 2.

For information about purchasing or evaluating Centrify products, send email to info.