Centrify® Server Suite 2017 DirectAudit® 3.4.0 Release Notes

© 2007-2017 Centrify Corporation.

This software is protected by international copyright laws.

All Rights Reserved.

Contents

1.        About DirectAudit 1

2.        Feature Changes 1

2.1         Feature Changes in DirectAudit 3.4.0 (Suite 2017) 1

2.1.1        General 1

2.1.2        Collector 1

2.1.3        Audit Analyzer and Session Player 1

2.1.4        Audit Manager 1

2.1.5        Centrify UNIX Agent for Audit 1

2.1.6        Database 1

2.1.7        FindSessions Tool 1

2.1.8        Windows Agent 1

2.1.9        Centrify Audit Module for PowerShell 1

2.1.10     Supported Platforms 1

2.2         Feature Changes in DirectAudit 3.3.1 (Suite 2016.1) 1

2.2.1        General 1

2.2.2        Collector 1

2.2.3        Audit Analyzer and Session Player 1

2.2.4        Audit Manager 1

2.2.5        Centrify UNIX Agent for Audit 1

2.2.6        Database 1

2.2.7        FindSessions Tool 1

2.2.8        Windows Agent 1

2.2.9        Centrify Audit Module for PowerShell 1

2.2.10     Supported Platforms 1

2.3         Feature Changes in DirectAudit 3.3.0 Update (Suite 2016) 1

2.4         Feature Changes in DirectAudit 3.3.0 (Suite 2016) 1

2.4.1        General 1

2.4.2        Collector 1

2.4.3        Audit Analyzer and Session Player 1

2.4.4        Audit Manager 1

2.4.5        Centrify UNIX Agent for Audit 1

2.4.6        Database 1

2.4.7        FindSessions Tool 1

2.4.8        Windows Agent 1

2.4.9        Centrify Audit Module for PowerShell 1

2.4.10     Supported Platforms 1

3.        Bugs Fixed 1

3.1         Bug Fixed in DirectAudit 3.4.0 (Suite 2017) 1

3.1.1        General 1

3.1.2        Windows Install / Upgrade / Uninstall 1

3.1.3        Collector 1

3.1.4        Audit Analyzer and Session Player 1

3.1.5        Audit Manager 1

3.1.6        Centrify UNIX Agent for Audit 1

3.1.7        Database 1

3.1.8        Centrify Audit Module for PowerShell 1

3.2         Bug Fixed in DirectAudit 3.3.1 (Suite 2016.1) 1

3.2.1        General 1

3.2.2        Windows Install / Upgrade / Uninstall 1

3.2.3        Collector 1

3.2.4        Audit Analyzer and Session Player 1

3.2.5        Audit Manager 1

3.2.6        Centrify UNIX Agent for Audit 1

3.2.7        Database 1

3.2.8        Centrify Audit Module for PowerShell 1

3.3         Bug Fixed in DirectAudit 3.3.0 (Suite 2016) 1

3.3.1        General 1

3.3.2        Windows Install / Upgrade / Uninstall 1

3.3.3        Collector 1

3.3.4        Audit Analyzer and Session Player 1

3.3.5        Audit Manager 1

3.3.6        Centrify UNIX Agent for Audit 1

3.3.7        FindSessions Tool 1

3.3.8        Database 1

3.3.9        Centrify Audit Module for PowerShell 1

3.3.10     Windows Agent 1

4.        Known Issues 1

4.1         General 1

4.2         Windows Install / Upgrade / Uninstall 1

4.3         Collector 1

4.4         Audit Analyzer and Session Player 1

4.5         Audit Manager 1

4.6         Centrify UNIX Agent for Audit 1

4.7         Database 1

4.8         Audit Management Server 1

4.9         FindSession Tools 1

4.10       Centrify  Agent for Windows 1

4.11       Centrify Audit Module for PowerShell 1

5.        Additional Information and Support 1

 

 

1.   About DirectAudit

The Centrify DirectAudit feature set is a key component of Centrify Server Suite Enterprise Edition. DirectAudit enables detailed auditing of user activity on a wide range of UNIX, Linux, and Windows computers. With DirectAudit, you can perform immediate, in-depth troubleshooting by replaying user activity that may have contributed to system failures, spot suspicious activity by monitoring current user sessions, improve regulatory compliance, and ensure accountability by capturing and storing detailed information about the applications used and the commands executed. If you enable auditing, the Centrify Windows Agent records user activity on the Windows computer when it is installed. DirectAudit supports auditing of over 400 different UNIX, Linux, and Windows operating systems. For a complete list of the platforms supported, see Centrify Server Suite Enterprise Edition in the document in www.centrify.com/platforms.

In Unix and Linux agents, Centrify DirectControl is a pre-requisite for Centrify DirectAudit. The minimum version of DirectControl required by this version of DirectAudit is 5.4.0 (Suite 2017).

Starting in Suite 2016, only ADMX format for group policies will be installed and ADM format will no longer be provided. (Ref: 6821)

Starting in Suite 2016, Centrify will no longer be adding new features to the Centrify DirectManage Audit SDK component. Centrify recommends all existing users of this component to start using Audit Module for PowerShell component, which is the intended replacement of the SDK. (Ref: CS-6713)

This is the last release for the support of the DirectAudit Version 1 databases. Post Suite 2017, you will no longer be able to attach Version 1 databases to an existing DirectAudit installation. (Ref: CS-41219)

This release note updates information available in the DirectAudit Administrator's Guide and describes known issues. You can obtain information about previous releases from the Centrify Support Portal, in the Documentation & Application Notes page.

Centrify software is protected by U.S. Patent No. 7,591,005, 8,024,360, 8,321,523, 9,015,103 B2, 9,112,846, 9,197,670 and 9,378,391. (Ref: CS-40117)

 

2.   Feature Changes

2.1    Feature Changes in DirectAudit 3.4.0 (Suite 2017)

2.1.1       General

·         In Unix and Linux agents, Centrify DirectControl is a pre-requisite for Centrify DirectAudit. The minimum version of DirectControl required by this version of DirectAudit is 5.4.0 (Suite 2017).

·         From Suite 2017 onward, DirectManage Audit installer's New Installation Wizard will configure the SQL Server Reporting Service's (SSRS) startup type to manual if user elects to install a new instance of Microsoft SQL Server. If the user later decides to use the same SQL Server instance to host databases of other products (e.g., Centrify Report Services) that may need SSRS, he/she must change the startup type to Automatic and start the service manually. (CS-42291)

·         Centrify DirectAudit Audit Manager and Audit Analyzer consoles now read the license usage information from Active Directory instead of probing the database resulting in faster loading when a user opens the console and connects to the DirectAudit installation for the first time. (Ref: CS-7045)

·         DirectAudit now reports aggregated license usage across multiple DirectAudit installations.

·         New “advanced monitoring” feature is introduced in Suite 2017.   This feature adds three new functionalities:

o    Generate audit trail events when specific programs are executed by any user. The list of programs is specified by the configuration parameter event.monitor.commands.

o    Generate audit trail events when any file in the directories /etc, /var/centrifyda and /var/centrifydc is modified by a non-root user.

o    Get history of programs executed in an audited session, including programs that are executed by scripts.  Since this feature may result in additional audit information which will increase the storage size of the audit store database, this feature must be enabled by setting the parameter event.execution.monitor.

o    The “advanced monitoring” feature is enabled/disabled by the command “dacontrol –m/-n”.  In Suite 2017, this feature is only available in the RedHat Linux family.   It will be available in other versions of Linux in subsequent releases.  Please refer to “Auditing with Centrify Server Suite Administrator’s Guide” for more information about this feature.

·         Added a new category of audit trail events, “DirectAudit Advanced Monitoring” which include the following 6 Centrify event IDs. Please refer to Audit Event Administrators’ Guide for details. (Ref: CS-39537)

o    57200: Monitored program is executed is started.

o    57201: Monitored program execution fails to execute.

o    57300: Monitored file modification attempted.

o    57301: Monitored file modification attempt failed

o    57400: Command execution is started. (Centrify use only)

o    57401: Command execution fails to start. (Centrify use only)

The last two events (57400 and 57401) are for used by DirectAudit software components.  They are not stored in the Audit Store databases and are not available in audit trail event reports.

·         Two new audit trail events are added to the “Centrify Commands” category for the “DirectAudit Advanced Monitoring” feature: (Ref: CS-41556)

o    20900: Advanced monitoring enabled

o    20901: Advanced monitoring not enabled

o    20910: Advanced monitoring disabled

o    20911: Advanced monitoring not disabled

·         The “advanced monitoring” feature requires the backend databases (Management and AuditStore databases), all collectors and Audit Analyzer be upgraded to Suite 2017 or later versions.

·         Added two new common parameters, "DAInst" (for DirectAudit Installation name) and "DASessID" (for DirectAudit session ID) to all audit trail events written to syslog/Windows Event log to allow better SIEM integration for session replay. (Ref: CS-5698, CS-5711, CS-41995)

2.1.2       Collector

·         DirectManage Audit Collector now caches the DNS information of connected Audited Systems to avoid frequent DNS lookups that previously generated network traffic and in some cases affected despooling performance. (Ref: CS-41571)

·         If you want to use the “advanced monitoring” feature in Suite 2017, you MUST upgrade all the collectors and the database to Suite 2017.

 

2.1.3       Audit Analyzer and Session Player

·         DirectManage Audit Analyzer now allows exporting multiple sessions to a single text file. When a user chooses the option of single file export, the user name and machine name are prefixed to each line of the exported file for easier parsing. In addition, a blank line is added as a delimiter to separate data from different sessions. (Ref: CS-40031)

·         DirectManage Audit Analyzer now supports searching sessions based on size. User can now specify search criteria that will allow returning sessions that, in size, are greater than or less than the specified value (in kilobytes). (Ref: CS-39568)

·         Three new reports are added to support the advanced monitoring feature:

o    Detailed Execution Report

o    Monitored Execution Report

o    File Monitor Report

Also, two items are added to the session context menu, “Monitored Execution List…”, “Export Detailed Executions” for advanced monitoring features related to a session.   (Ref: CS-40715, CS-40716, CS-40838)

2.1.4       Audit Manager

·         Added new feature in Audit Manager to validate the database patch/security level and ensure it's up to date before attaching an existing Audit Store database. A warning will be shown if user tries to attach an Audit Store database that may not have the latest Centrify patch installed. (Ref: CS-41712)

·         Fixed a bug in DirectManage Audit Manager where a user without administrative rights on the SQL Server setting a pre-created Audit Store database as active could fail. (Ref: CS-40754)

·         DirectManage Audit Manager now shows a list of all Audit Management Servers configured for the connected installation along with the last known status of each of them. (Ref: CS-6663)

·         The system that runs the Centrify License Service is shown in the license summary page in Audit Manager.

·         The ability to add/remove DirectAudit licenses from Audit Manager will be deprecated in future releases.  To add/remove licenses in Suite 2017 and later, you should use Centrify Licensing Service Control Panel on the system where Centrify Licensing Service is running.

2.1.5       Centrify UNIX Agent for Audit

·         IMPORTANT:  The minimum version of DirectControl required by this version of DirectAudit is 5.4.0 (Suite 2017).

·         The DirectAudit AIX package is now 64-bit to support AIX VIOS versions >= 2.2.2. (Ref: CS-40110)

·         The default value of event.execution.monitor option in centrifyda.conf has been changed from 'true' (in early access release) to 'false' (in this release), therefore detailed execution monitoring is disabled by default in CentrifyDA advanced monitoring. (Ref: CS-42302)

·         Added sequence number and process ID verification to internal interprocess communication process for more robust transaction control. (Ref: CS-40774)

·         A new configuration parameter, preferred.audit.store, is introduced.  When a Unix agent has multiple IP addresses that belong to the scope of different auditstores, this parameter is used to specify which auditstore to use. A new group policy, “Set the preferred Audit Store”, is introduced to support this setting. (Ref: CS-40112)

2.1.6       Database

·         The security fix identified in KB-7865 was incorporated in this release.  Customers are encouraged to upgrade to this release; or apply the patches mentioned in the KB.

·         When generating script files for upgrading databases, the DirectManage Audit's Database Maintenance Wizard now appends corresponding database's name to each file's name so that the user can easily co-relate a script file with the database it's going to upgrade. (Ref: CS-40428)

2.1.7       FindSessions Tool

 N/A

2.1.8       Windows Agent

 N/A

2.1.9       Centrify Audit Module for PowerShell

 N/A

2.1.10     Supported Platforms

For the list of the supported platforms by this release, refer to the “Supported Platforms” section in the suite release notes.

For the platforms to be removed support in coming releases, refer to the “Notice of Termination Support” section in the suite release notes.

For a complete list of supported platforms in all DirectAudit releases, refer to the “Centrify Server Suite, Enterprise Edition” section in the document available from www.centrify.com/platforms.

 

 

2.2    Feature Changes in DirectAudit 3.3.1 (Suite 2016.1)

2.2.1       General

·         Starting in Suite 2016.1, the SQL Server 2008 R2 SP2 Express Edition that is installed by DirectManage Audit Easy Installer will have CENTRIFYSUITE as the default instance name, and the installer will enable the SQL Server Reporting Services (SSRS) feature for this instance and configure it in Native mode in order for the same instance to be used to host the Centrify Report Services database in an evaluation environment. Previously, the default instance name was DIRECTAUDIT and the installer did not enable the SQL Server Reporting Services feature for that instance. (Ref: CS-39438)

·         Centrify DirectManage Audit now supports hosting Management database and/or Audit Store databases in a SQL Server Availability Group. To benefit from all the features provided by a SQL Server Availability Group (such as multi subnet failover), Centrify recommends upgrading all DirectManage Audit components including Collectors, Audit Management Server service, Audit Manager console and Audit Analyzer console to the latest version. Note that there is no requirement to upgrade all the agents before using this new feature.(Ref: CS-38769)

2.2.2       Collector

 N/A

2.2.3       Audit Analyzer and Session Player

·         DirectManage Audit Audit Analyzer now allows exporting multiple sessions to a single text file. When a user chooses the option of single file export, the user name and machine name are prefixed to each line of the exported file for easier parsing. In addition, a blank line is added as a delimiter to separate data from different sessions. (Ref: CS-40031)

2.2.4       Audit Manager

N/A

2.2.5       Centrify UNIX Agent for Audit

·         The parameter, "dad.data.dir," defines the data directory path for DirectAudit.  This is depreciated in Suite 2016.1. Customers who need to use a different location to store DirectAudit data and spool files must follow the approaches described in KB-6548. Also, when alternate directory location is used, only the symbolic link to the data directory will be removed when DirectAudit is uninstalled. The actual data directory remains in the system.  Since this parameter is deprecated, the DirectAudit upgrade process aborts with an error message if it detects that this parameter is specified.  Please contact Centrify Technical Support in this case.(Ref:CS-39847)

·         Added a parameter, "dash.cmd.audit.blacklist", which allows a user to skip certain auditing command patterns using a regular expression. Command and arguments matching the expression will not be captured, but the “Audited command is executed” audit trail event will still be sent. (Ref: 39329)

·         Added a new script 'dacheck' which allows users to check for any potential problems in their DirectAudit environment. (Ref: 39274)

·         Enhanced the parameters "spool.diskspace.min" and "spool.diskspace.softlimit" allow a user to specify the value as  a percentage or  an exact size. (Ref: 38610)

·         Added a parameter in Unix agent so that Audit Analyzer can either show the original user that ran the audited command or the current user (the user identity after su/sudo/dzdo). In previous versions of DirectAudit, Audit Analyzer can only show the current user that runs an audited command, which may not be the real user identity (if the user uses su/sudo/dzdo to change identity).  In Suite 2016.1, the administrator can configure the Unix agents such that Audit Analyzer can show the identity of the original user.  This is controlled by the parameter dash.cmd.audit.show.actual.user in the Unix agent.  This parameter can also be configured by group policy “Show actual user running an audited command”.  Customers must upgrade the Unix agents (not Audit Analyzer) for this feature to be effective.  (Ref: CS-39764, CS-39672)

2.2.6       Database

 N/A

2.2.7       FindSessions Tool

 N/A

2.2.8       Windows Agent

·         The Group Policy "Centrify DirectAudit Settings/Windows Agent Settings/Set update agent status timeout" setting was enhanced to take effect immediately for the Windows agent. (CS-39282)

2.2.9       Centrify Audit Module for PowerShell

·         Added Get-CdaUserEvent cmdlet in powershell module which can be used to retrieve the user activity events for reporting purpose. Another existing cmdlet Get-CdaAuditEvent can be used to retrieve the user privileged activity events for reporting purpose. (Ref: CS-40146, CS-6885)

2.2.10     Supported Platforms

For the list of the supported platforms by this release, refer to the “Supported Platforms” section in the suite release notes.

For the platforms to be removed support in coming releases, refer to the “Notice of Termination Support” section in the suite release notes.

For a complete list of supported platforms in all DirectAudit releases, refer to the “Centrify Server Suite, Enterprise Edition” section in the document available from www.centrify.com/platforms.

 

 

2.3    Feature Changes in DirectAudit 3.3.0 Update (Suite 2016)

DirectAudit 3.3.0 is updated on March 2016 to fix the following issue: When a system is under high CPU utilization, communication between Centrify DirectControl and Centrify DirectAudit agents may timeout but the communication channel remains open. This results in DirectAudit agent processing the incorrect response to its request. Note that this occurs only in DirectAudit *NIX agent when the DirectAudit NSS auditing functionality is enabled. The fix in this version of DirectControl and DirectAudit closes the communication channel between the two agents during timeouts and error situations. 

Centrify strongly recommends customers who use DirectAudit NSS Auditing capability upgrade to this version of DirectAudit and DirectControl across their organization. Also, for customers who need the “audit required” support for local users, Centrify recommends customers to add such local users to the user override list specified by the DirectAudit nss.user.override.userlist configuration parameter, and run the “daflush” command after the file is modified.  “audit_required” is now supported as the audit level specification in both the nss.user.override.auditlevel configuration parameter and the audit level specification for users in the override list.  For more information, please refer to the description for these parameters in the Configuration and Tuning Reference Guide.

2.4    Feature Changes in DirectAudit 3.3.0 (Suite 2016)

2.4.1       General

·         DirectAudit and DirectAudit Powershell installations will no longer install documentation or release notes. All user manuals and releases are available in the “Documentation” folder of the ISO image. (Ref: CS-7134)

·         DirectAudit agent periodically sends its status to collector, which is used by the collector to determine the agent connection status.  In prior releases, a transient error results in a “disconnected” status, even though the agent quickly reconnects.  In Suite 2016, an agent determines that it is in “disconnected” state only after multiple attempts to connect to collector fail.   The configuration parameter “agent.max.missed.update.tolerance” specifies the maximum number of failed attempts before the agent becomes “disconnected”.  This parameter can also be controlled by  a new Group Policy, "Set maximum missed status update tolerance" in "Policies/Centrify DirectAudit Settings/Common Settings". (Ref: CS-7046, CS-7047)

·         In prior release, DirectAudit agents randomly choose any available collector to connect.  This may result in agents connecting to collectors in remote sites instead of nearby collectors, resulting in more WAN traffic and network latency.   In Suite 2016, the administrator can specify DirectAudit agent to consider collectors in the local Active Directory site first; and use collectors outside the local site only when there is no active collectors in the local site.  This can be specified on a per Audit Store basis.  This is specified by a new option checkbox "Agents must prefer collectors in the same site as the agent" in the Audit Manager Console / Audit Store / Advanced Properties page. (Ref: CS-6890, CS-7028, CS-7039,CS-7040)

·         In prior releases, you can specify to enable/disable video capture for all systems in a DirectAudit installation.   Suite 2016 adds support to enable or disable video capture on per system basis. This can be configured by the “agent.video.capture” configuration parameter. The parameter has 3 possible values, "default (uses the installation-wide setting), "enabled" and "disabled". A new Group Policy, “Set video capture auditing of user activity” in “Policies/Centrify DirectAudit Settings/Common Settings” can also be used to set up this parameter. (Ref: CS-7067, CS-7068)

·         In prior releases, the host names of audited sessions are determined by the collectors based on DNS lookup.   In environments where the DNS servers used by the collectors cannot reliably resolve IP address into host names (e.g., agents in NAT and/or DMZ environments), this causes incorrect host names to be shown for audited sessions.  A new configuration parameter, “agent.send.hostname”, is introduced in Suite 2016 to enable Audit Analyzer to display the host name specified by the agent on the audited computers, instead of the host name resolved by the collector using DNS.  This can be configurated by a new Centrify Group Policy setting: "Use the host name specified by the agent" in "Centrify DirectAudit Settings/Common Settings". (Ref: CS-6730, CS-7086)

·         The Suite 2016 ISO now bundles the 64-bit installer of Microsoft SQL Server 2008 R2 SP 2 Express with Advanced Services. (Ref: CS-6740)

·         Improved Audit Trail despooling performance. (Ref. CS-5914)

 

2.4.2       Collector

·         Added new collector registry setting, "SkipFirstSnapshot", to prevent storing the first snapshot of the session in database in order to reduce disk space consumed. This is useful for in smaller sessions. When set to 1, the collector will not save the first snapshot. By default, the SkipFirstSnapshot value will be 0 which means the first snapshot will be stored. Please note that skipping storage does not affect normal replay.  However, if you use the seek bar in the DirectAudit player to jump to the beginning of the session, it will not clear the screen first. (Ref: CS-6676)

·         If multiple Unix commands are entered using cut and paste, they are now recognized correctly in the “Indexed Command List”. (Ref: CS-6970)

 

2.4.3       Audit Analyzer and Session Player

·         Added the ability for an Auditor who has full control over a session to assign one or more Active Directory users as Reviewers of that session using Audit Analyzer console or using cmdlet from Audit Module for PowerShell. A user who is set as a Reviewer of a session will be allowed to replay and update the review status of that session even if that user was not assigned any Audit Role. In addition, a Reviewer will not have rights to delete a session. (Ref: CS-6351)

2.4.4       Audit Manager

N/A

2.4.5       Centrify UNIX Agent for Audit

·         Added the new parameter,"dad.collector.connect.timeout", to allow a user to specify how long the agent wait before it determines that it cannot connect to a collector. (Ref: CS-7119)

·         Added two options to the CLI command dareload: -p and -b. Option "-p" requests the DirectAudit daemon to reload properties from centrifyda.conf (This is a default option). Option "-b" requests DirectAudit daemon  to rebind to another collector. (Ref: CS-7025)

·         The commands “dacontrol –e” and “dacontrol –d” modify system configuration files (/etc/nsswitch.conf in Linux/HPUX/Solaris, /etc/security/user and /usr/lib/security/methods.cfg in AIX) to enable/disable session auditing. In the unlikely event that these files are empty because another application (such as vi) empties it, dacontrol displays an error message “execution of /usr/share/centrifydc/scripts/da/<xxx>.pl script failed.” (xxx is the file being modified). There will also be a message in syslog that looks like “Cannot backup <file> because it is empty”. This usually happens if a user tries to edit these files manually.  Centrify recommends you to keep a backup copy of these files first if you need to modify them.  If you see this message, please restore the file from your backup copy. (Ref: CS-6660)

·         Introduced a new parameter (-q) to the dainfo  command, to allow query of more specific information about Centrify DirectAudit daemon.  This makes it easier for scripts to parse the output and/or use command exit status to determine status. (Ref: CS-6642)

 

Usage of option query:

-----------------------------------------------------------------

[info]               Possible return values

-----------------------------------------------------------------

adclient_status             available, not_available

dad_status                 online, offline, not_available

collector_name             <host:port:spn>, not_available

spool_rate                 <Spool rate numerical part in bytes/sec>

spool_size                 <Spool size numerical part in bytes>

installation                <installation name>, not_available

installation_source  local, group_policy

nss_status                 active, inactive

command_audit               <audited commands, one command per line>

parameter_value:<parameter_name>  <parameter_value>

 

2.4.6       Database

·         Added a new scheduled task to the Audit Management Server service to collect DirectAudit license and deployment information from DirectAudit databases and store it in Active Directory.  This allows any authenticated user to run Deployment Report. (Ref: CS-6786)

·         Added new database indexes and enhanced some existing indexes to improve query performance and reduce load on CPU of the SQL server. (Ref: CS-6633)

 

2.4.7       FindSessions Tool

·         Improved the performance of the FindSessions utility when searching and exporting sessions by role and/or ticket in a DirectAudit installation when multiple Audit Store databases are attached. (Ref: CS-38604)

2.4.8       Windows Agent

·         Added two new Group Policy settings, "Set maximum size of the offline data file" and "Set maximum recorded color quality" in "Centrify DirectAudit Settings / Windows Agent Settings" to control the agent's spool file size and video capture color quality. (Ref: CS-6967)

2.4.9       Centrify Audit Module for PowerShell

·         Added 2 new Cmdlets: "Set-CdaAuditSessionReviewer", allowing administrators to delegate session review directly to an Active Directory user or group and "Get-CdaAuditSessionReviewer", which gets the active Directory users and groups who have been designated as session reviewers. (Ref: CS-7147)

2.4.10     Supported Platforms

·         Supported Platforms - Centrify UNIX Agent for DirectAudit has added support to the following operating systems:

o Fedora 23 (x86, x86_64) (Ref: CS-7117)

o CentOS 6.7 (x86, x86_64)

o Oracle Enterprise Linux 6.7 (x86, x86_64)

o Red Hat Enterprise Linux Server 6.7 (x86, x86_64, PPC - NO Power8 support)

o Red Hat Enterprise Linux Server 7.0 (x86_64, PPC - NO Power8 support)

o Red Hat Enterprise Linux Desktop 7.2 (x86_64)

o Red Hat Enterprise Linux Server 7.1 (x86_64, PPC - NO Power8 support)

o Red Hat Enterprise Linux Server 7.2 (x86_64, PPC - NO Power8 support) (Ref: CS-7155)

o Scientific Linux 6.7 (x86, x86_64)

o Ubuntu Desktop 15.10 (x86, x86_64)

o Ubuntu Server 15.10 (x86, x86_64)

o SuSE Linux Enterprise Desktop 11 SP4 (x86, x86_64)

o SuSE Linux Enterprise Server 11 SP3 and SP4 (x86, x86_64, PPC) (Ref: CS-7155)

o Oracle Solaris 11.3 (x86_64, SPARC)

 

·         Supported Platforms – for all DirectAudit Windows Components (64-bit only)

o    Windows 7 SP1 and above

o    Windows 8 or 8.1

o    Windows Server 2008 R2 SP1

o    Windows 10

o    Windows Server 2012

o    Windows Server 2012 R2

 

Note: DirectAudit Windows components do not support 32-bit Windows

Note: DirectAudit Windows components do not support 64-bit Windows Server 2008

 

·         SQL Server – DirectAudit supports 64 bit versions of following editions of Microsoft SQL server (Ref: CS-7048)

o    SQL Server 2008 Express with Advanced Services

o    SQL Server 2008 Standard or Enterprise

o    SQL Server 2008 R2 Express with Advanced Services (Service Pack 2 or higher recommended)

o    SQL Server 2008 R2 Standard or Enterprise or Datacenter (Service Pack 2 or higher recommended)

o    SQL Server 2012 Express with Advanced Services

o    SQL Server 2012 Standard or Enterprise

o    SQL Server 2014 Express with Advanced Services

o    SQL Server 2014 Standard or Enterprise

 

Note: SQL Server 2008 and 2008 R2 are not compatible with Windows 10

 

Note: DirectAudit is dropping support for SQL Server 2005 and all versions of 32-bit SQL Servers in this release

·         Support has been removed for the following operating systems for Centrify UNIX Agent for DirectAudit (Ref: 73750):

o    All 32-bit Windows platforms

o    64-bit Windows 2008 Server

o    Fedora 19 (32-bit and 64-bit)

o    Oracle Enterprise Linux 4.x (32-bit and 64-bit)

o    openSUSE 12.1, 12.2, 12.3 (32-bit and 64-bit)

o    Oracle Solaris 8 SPARC

·         This is the last release for the support of the following operating systems for Centrify UNIX Agent for DirectAudit (Ref: 77904):

o    Debian Linux 6.x (32-bit and 64-bit)

o    Fedora 20 (32-bit and 64-bit)

o    HP-UX 11.11, 11.23 PA-RISC (Normal and Trusted modes)

o    HP-UX 11.23 Itanium (Normal and Trusted modes)

o    Oracle Solaris 9 (32-bit and 64-bit)

o    Ubuntu Desktop 14.10 (32-bit and 64-bit)

o    Ubuntu Server 14.10 (32-bit and 64-bit)

·         Support will be discontinued soon (the next release will be the last release with support) for the following operating systems for Centrify UNIX Agent for DirectAudit:

o    Fedora 21 (32-bit and 64-bit)

o    Ubuntu Desktop 15.04, 15.10 (32-bit and 64-bit)

o    Ubuntu Server 15.04, 15.10 (32-bit and 64-bit)

o    SUSE Linux Enterprise Desktop 10 (32-bit and 64-bit)

o    SUSE Linux Enterprise Server 10 (32-bit and 64-bit)

o    openSUSE 13.1 (32-bit and 64-bit)

3.   Bugs Fixed

3.1    Bug Fixed in DirectAudit 3.4.0 (Suite 2017)

3.1.1       General

·         N/A

3.1.2       Windows Install / Upgrade / Uninstall

·         N/A

3.1.3       Collector

·         Fixed a bug in DirectAudit Collector that resulted in incorrectly detecting low disk space when the active Audit Store database's files are pre-allocated or if the files are hosted on multiple physical drives. (Ref: CS-41043)

3.1.4       Audit Analyzer and Session Player

·         Fixed an issue in DirectAudit Collector that resulted int incorrect command detection in all sessions initiated by Centrify Privilege Service's housekeeping operations. (Ref: CS-40378)

3.1.5       Audit Manager

·         N/A

3.1.6       Centrify UNIX Agent for Audit

·         In prior releases, if the command su is audited and user uses su to run a command or script in background, the command/script will NOT run to completion.   For example, the command su - <run_as_user> -c “/opt/bin/testscript arg1 arg2 &”, the script /opt/bin/testscript may be aborted before it completes.  This bug is fixed in Suite 2017 where the script /opt/bin/testscript will run to completion. (Ref: CS-6909)

·         In prior release, if a script uses the runuser command to run a script in background as an audited user, the script does not run to completion if auditing is suspended (e.g., not enough free space in the spool volume). Since Oracle service startup script usually uses the runuser command, this results in Oracle service not started at all without any error/warning.  This issue is fixed in this release.  (Ref: CS-41026)

·         Added support to allow local user login when stock Openssh is used in  AIX 6.1. However the local user still cannot be audited in this case.  If you want to audit local users in AIX,  Centrify-openssh should be used. (Ref: CS-42039)

·         Fixed an issue where using "runuser" to run a script (in foreground) as audited user could not be terminated by control-C. (Ref: CS-40554)

·         Fixed an issue where the Direct Audit Daemon (DAD) would not reliably stop when issuing a service control command, such as "/etc/init.d/centrifyda stop", "service centrifyda stop" or "systemctl start centrifyda.service". (Ref: CS-40640)

·         Fixed an issue where 2 audit sessions might incorrectly be created when an audited command was spawned by another audited command. (Ref: CS-40499)

·         Fixed an issue which could cause the audit per command feature to malfunction when the Direct Audit parent process pid and ppid were identical in a Solaris whole zone/sparse zone environment.  (Ref: CS-42191)

·         Fixed an issue where the CLI command adflush might induce a zombie nscdrestart.sh processes in when in a busy state.  (Ref: CS-41610)

·         Fixed an issue where the Ubuntu version 14.x or 16.x GUI would display the error message: "The system is running in low-graphics mode ..." (Ref: CS-38823)

 

3.1.7       Database

·         Fixed an issue in DirectManage Audit that previously resulted into inoperative databases if the sysadmin rights of the backend service account (default - Local System) were revoked and replaced with ownership rights on individual databases. (Ref: CS-41351)

·         Fixed an issue where the Database Maintenance Wizard may fail if total number of databases to upgrade is greater than 64. (Ref: CS-40276)

3.1.8       Centrify Audit Module for PowerShell

·          N/A

3.2    Bug Fixed in DirectAudit 3.3.1 (Suite 2016.1)

3.2.1       General

·         Fixed a bug introduced in Suite 2015.1 where, when Centrify daemons were not responsive for any reason such as a system overload, communication between DirectControl and DirectAudit could timeout, and during the recovery of the connection, vestigial data remaining might not be removed, causing communication problems between the DirectControl daemon and DirectAudit daemon and DirectAudit using the wrong user profile from DirectControl. This issue was also addressed in the recent update of Suite 2016. (Ref: CS-39728)

·         In prior versions, if the SQL Server service hosting the Management database is run under a virtual service account (e.g., NT SERVICE\MSSQLSERVER), all Audit Store databases are shown as offline in Audit Manager, and Audit Analyzer cannot display results from those Audit Store databases.  This issue is fixed in this release. (Ref: CS-39546)

·         In prior versions, if there is any DirectAudit installations in Active Directory that are not recognized (e.g., DirectAudit installations created by newer versions of DirectAudit), the “Connect to DirectAudit” dialog box in both Audit Manager and Audit Analyzer stop searching for more DirectAudit installations.  This results in missing DirectAudit installations for selection.   This issue is fixed in this release.  The “Connect to DirectAudit” dialog box just skips the DirectAudit installations that it cannot recognize and continue to search for other DirectAudit installations in Active Directory. (Ref: CS-39832)

3.2.2       Windows Install / Upgrade / Uninstall

·         N/A

3.2.3       Collector

·         In prior versions, DirectAudit limits the audit store database size to 4GB even when SQL Server 2014 Express Edition is used.  This issue is fixed to allow the audit database to reach 10GB which is the maximum for SQL Server 2014 Express Edition. (Ref: 39634)

3.2.4       Audit Analyzer and Session Player

·          N/A

3.2.5       Audit Manager

·         In prior versions, if the server collation of SQL Server that hosts the Audit Store database is set to “Turkish_CI_AS”, Audit Manager cannot add a new Audit Store database. This issue is fixed in this release. (Ref: CS-39497)

·         Fixed an issue in the Add Audit Store Database Wizard that results in an incorrect SPN getting stamped when the SQL Server hosting the Audit Store database is listening on more than one port. (Ref: CS-39969)

3.2.6       Centrify UNIX Agent for Audit

·         In Suite 2016.1, to allow for better control of ssh session capturing, DirectAudit will now always capture sessions using "ssh -T" option, with the following limitations in the recorded session:

1.  There is no command recognition and indexing for the session.

2.  The left panel of the session player will be blank.

3.  When the session is replayed, the entered command will not be shown; however, output from the command will be shown.

The ssh -T option does not create a pseudo-terminal for the ssh session and is primary used for remote command/script execution. In releases prior to Suite 2016.1, such sessions were not captured by DirectAudit unless the configuration parameter dash.allinvoked was set to true (which captures all sshd traffic, regardless of whether the ssh session has a pseudo-terminal or not). Please contact Centrify Technical Support if you want to preserve the previous behavior. (Ref: CS-39421)

·         Removed an unnecessary warning when enabling/disabling NSS on Solaris 11 or newer.  (Ref: 6955)

·         DirectAudit NSS now returns no login shell for audited user if DirectAudit daemon is down or busy and no login shell can be configured in centrifydc.conf. When the DirectAudit daemon is not available (e.g., when it is stopped or cannot audit user due to overload condition), the DirectAudit NSS module returns a no login shell for “audit required” user.   In prior versions, this shell is not configurable.  In Suite 2016.1, the administrator can configure this nologin shell using the DirectControl parameter nss.shell.nologin. (Ref: 39857)

 

3.2.7       Database

·          N/A

3.2.8       Centrify Audit Module for PowerShell

·          N/A

3.3    Bug Fixed in DirectAudit 3.3.0 (Suite 2016)

3.3.1       General

3.3.2       Windows Install / Upgrade / Uninstall

·         Fixed an issue where the Database Maintenance Wizard was not checking if the logged-in user had enough database privileges to finish the entire upgrade process, which could result in an incomplete upgrade of DirectAudit databases. This was resolved by enforcing a permission check before the wizard proceeds with upgrading the databases. (Ref: CS-6710)

3.3.3       Collector

·         If the collector’s system locale is Turkish(Turkey) and the domain name contains the letter “i”, the collector sets up the SPN (Service Principal Name) incorrectly in the Active Directory computer object, , resulting in DirectAudit Unix/Linux agents being unable to connect to this collector.  This issue is fixed in Suite 2016 (Ref: CS-7116)

·         There was a memory leak issue with Collector under certain stress conditions in releases prior to Suite 2015.1.  This memory leak issue is fixed in Suite 2015.1. (Ref: CS-6788)

3.3.4       Audit Analyzer and Session Player

·          Fixed an issue in the Audit Analyzer console where an unexpected error could be generated when connecting to a newer version of a DirectAudit installation with a query result containing one or more reviewed sessions. (Ref: CS-5893, CS-7135)

·         Fixed an issue in the Audit Analyzer console where roles "<none>" and "<self>" were not included when exporting results of an Audit Events query (All, Grouped by Role) to an HTML file. (Ref: CS-7114)

·         Fixed an issue introduced in Suite 2015.1 where a quick query could fail when a Version 1 (V1) DirectAudit database was attached to an Audit Store. (Ref: CS-7096)

3.3.5       Audit Manager

·         Fixed an issue where the Audit Notification message window could show unrecognizable characters if the source message text file contained Latin characters. (Ref: CS-6547)

·         Fixed an issue in Audit Manager  where databases could show a status of "Loading..." for an extended period of time when Audit Analyzer console was deleting large sessions in the background. (Ref: CS-7023)

3.3.6       Centrify UNIX Agent for Audit

·         Fixed an issue where dadebug does not use the settings of “logger.facility.*” parameters in /etc/centrifyda/centrifyda.conf. (Ref: CS-7088)

·         In Solaris, if the passwd stanza in nsswitch.conf is set up as “passwd: compat centrifyda contrifydc”, nscd may crash.   This issue is fixed in Suite 2016. Note that this is not a supported configuration as all local users are NOT audited Also,  note that "dainfo -u <local user> will report an incorrect audit level because compat is before centrifyda/centrifydc. (Ref: CS-6976)

·         Fixed a command recognition issue where, the output from the "man" command could be falsely identified as user commands. (Ref: CS-6839)

·         Fixed an issue where a user reboot would fail when DirectAudit's debug level was set to DEBUG or higher.  (Ref: CS-38508)

·         In Solaris, dainfo may return incorrect status about session auditing (NSS) in sparse zone when session auditing is disabled in global zone.  This is fixed in Suite 2016. (Ref: CS-6981)

·         When dzdo/sudo is enabled for command auditing and the output is sent to a pipe, some keystrokes may be missing when the session is exported by Audit Analyzer.  This issue is fixed in Suite 2016.(Ref: CS-38812)

·         Starting in Suite 2015.1, DirectAudit also support AppArmor in Debian and Ubuntu systems.  AppArmor in SuSE Linux is supported since Suite2013.3.  (CS-5156)

·         In SuSE Linux Enterprise Server 11 and newer, users (except root) may become unaudited after rejoining a zone. This problem was caused by improper handling of AppArmor security settings. It has been fixed in Suite 2016. (Ref: CS-7163)

 

3.3.7       FindSessions Tool

·         Fixed an issue where in a DirectAudit FindSessions utility, exporting session to a file would fail if session user's name contained one or more special characters, for example characters, "<”, or”>". (Ref: CS-38935)

·         Fixed an issue where the DirectAudit FindSessions utility would throw an un-handled exception when searching sessions from an Audit Store that has ten or more Audit Store databases attached to it. (Ref: CS-7174)

 

 

3.3.8       Database

·         Fixed a database issue where an authorization failure could occur when the required database permissions of an outgoing account were delegated indirectly via an Active Directory group. (Ref: CS-6838)

 

3.3.9       Centrify Audit Module for PowerShell

·         N/A

3.3.10     Windows Agent

 

·         Video capture for Metro UI and tile applications in Windows 8 and Windows Server 2012 works correctly in Suite 2016. (Ref: CS-5241)

·         If the DirectAudit Windows agent is installed by a user who is not a member of local administrator group, the Audit Notification window does not appear when user logs in.  This is fixed in Suite 2016. (Ref: CS-7157)

·         Fixed an issue where the Audit Notification message window could show unrecognizable characters if the source message text file contained Latin characters. (Ref: CS-6547)

 

 

4.   Known Issues

The following sections describe known issues, suggestions, and limitations associated with DirectAudit.

4.1    General

·         For more information on known issues with individual UNIX or Linux platforms, see the release notes included with each platform agent bundle.

·         For the most up-to-date list of known issues, refer to the knowledge base articles in the Centrify Support Portal.

·         Due to a limitation of some implementations of audispd (audit dispatcher daemon provided by the operating system), DirectAudit advanced monitoring feature may not work if “dacontrol –n/-m” was run multiple times and over the limit specified in the parameter max_restarts in /etc/audisp/audispd.conf (default 10).  If you enable the DirectAudit Advacned monitoring feature and it does not generate the audit trail events as expected, you can run dainfo to check on the status of advanced monitoring feature.   If the program /usr/share/centrifydc/bin/dadispatcher is not running, dainfo will show “DirectAudit advanced monitoring status” as “not running”.  In this case, you need to restart the system audit daemon using the command “service auditd restart”.  This will re-activate the advanced monitoring feature. (Ref: CS-41267)

·         In an environment with one or more DirectAudit installations already deployed using Suite 2015.1 or older releases, if a new DirectAudit installation with one or more databases participating in a SQL Server Availability Group is deployed, certain scenarios may not work and may cause older Audit Manager, Audit Analyzer and collectors to fail to discover all DirectAudit installations in the environment. These issues  affect environments where multi-subnet failover feature of SQL Availability Group are used for the newly created DirectAudit installation. Please contact Centrify support to provide a solution best suited to your environment. (Ref: CS-40017)

·         Some versions of AIX sshd do not function reliably with Centrify products. When possible, Centrify recommends using sshd included in Centrify openSSH on AIX platforms. (Ref: CS-7098)

·         From Suite 2014 onward, the user name in Audit Trail events is stored in UPN (user@domain) format. For domain users, the user name is stored in user@domain format; and for local users, the user name is stored in user@computer format. If you are upgrading from releases prior to Suite 2014, the upgrade process will not automatically update the user information that already exists in the database. Auditors can continue to use the old formats (SHORT_DOMAIN_NAME\username or user@domain) to query Audit Trail events that were generated before the upgrade. (Ref: 54985a)

·         The characters (‘%’, ‘#’, ‘>’ and ‘$’) are used by DirectAudit to recognize UNIX commands.   They should not be used in role names and as part of trouble-tickets; otherwise they will be recognized as part of a UNIX command. (Ref: 51687a)

·         Advanced monitoring feature is not supported in Fedora 24.

 

4.2    Windows Install / Upgrade / Uninstall

·         If a DirectManage Audit installation has been configured with multiple Audit Management Servers and some of the servers are running on an older version, the Audit Manager may not list these older servers because the new servers' list supersedes the older ones. (Ref: CS-40818)

·         When upgrading DirectAudit in Windows, you should use the autorun program to perform the upgrade. The autorun program automatically upgrades other Centrify components such as Centrify Deployment Report. If you upgrade DirectAudit components individually using the Microsoft Installer (msi) and then attempt to use the autorun program to uninstall all components, autorun will only be able to uninstall the Centrify Deployment Report that were upgraded to the latest version. You can remove any remaining components manually using the Add/Remove Programs and Features Control Panel. (Ref: 46293a)

·         If you run setup.exe with all DirectAudit components selected for installation on a single computer, the operation is known as the “Easy Install.” Although this is the default for new installations, using the “Easy Install” option requires you to have local administrator privileges.

·         If you uninstall the  collector component on a computer that is not joined to the domain, you will see the following messages during an uninstall operation:

The specified domain either does not exist or could not be contacted.

(Exception from HRESULT: 0x8007054B)

Despite the alert message, the collector is successfully uninstalled when you click OK.

·         If collector is using SQL authentication to communicate with the Audit Store database and you upgrade the collector to the latest version of DirectAudit using the MSI installer, the upgrade may remove the encrypted SQL credentials from the local registry and collector may stop functioning. To work around this issue, please use the EXE installer to perform the upgrade or run the Collector Configuration wizard immediately after the upgrade and re-enter the SQL credentials when prompted. (Ref: 76459, CS-6566)

4.3    Collector

·         In the Collector Configuration wizard, if the account credentials you give for the SQL Server do not match an existing account on the SQL Server, and you have the rights to create SQL Server accounts, the credentials you give will be used to automatically create a new SQL Server account.

4.4    Audit Analyzer and Session Player

·         When detaching and re-attaching an Audit Store database from an Audit Store, Centrify recommends refreshing the query results for all open queries in Audit Analyzer console prior to replaying a session from that database. Failure to do so may result into a database error. (Ref: CS-42125)

·         The user name shown in detailed execution report of advance monitoring is unixname@hostname instead of UPN (they may be different) for AD user, this is an known issue to be fixed in a future release. (Ref: CS-42294, CS-42309)

·         If the active audit store database spans two SQL databases, the Audit Analyzer will show UNIX sessions as "Disconnected" until some data is received from those sessions. Once data has been received, the session state will change to "In Progress.”

·         If an audited Windows session is using multiple monitors in extended mode in DirectAudit 3.2.2 or earlier, it cannot be exported as WMV files. In DirectAudit 3.2.3 or later, it will be trimmed to 2048x2048 pixels before it is saved and can be exported as in WMV file in 2048x2048 resolution. (Ref: 27003a, 75163, CS-6450, CS-3265).

·         When Windows agent machine’s system color depth is changed during an audited session, the playback of the session may not be displayed properly.  (Ref: 36818c)

·         Entering specific keywords in the “Application” Event list column will not filter based on the keywords as expected. For example, entering the search term "c" will locate the string "Windows Explorer". This is because application characteristics are stored in the database as a set of related attributes as follows: "Explorer.EXE | Microsoft® Windows® Operating System | Windows Explorer | Microsoft Corporation | 6.1.7600.16385" A match with any of the Windows Explorer attributes will yield “Windows Explorer".  This issue will be addressed in an upcoming release. (Ref: 39645b)

·         In Audit Analyzer, you can specify double-quote enclosed strings in the query that searches for “Unix Commands and Outputs” attribute.  However, if a double-quote character is inside the double-quote enclosed string, the query result is undefined.  (Ref: CS-39348)

·         If a DirectAudit Installation is configured to not capture video data, parameters of the UNIX command are also not captured.  Therefore, the query using "Parameters of Commands and Applications” as the criteria does not work under this configuration. This is a known issue and will be addressed in future release. (Ref: 55741b)

·         If you open Audit Analyzer and right click on any child node of predefined queries such as "All, Grouped by User", "All, Grouped by Machine" or "All, Grouped by Audit Store" in the left pane, the context menu is displayed and it shows a menu item named "Properties". This context menu item, when clicked, does not open any dialog box because it is not a valid action for the selected child node. This menu item will be removed in the future release. (Ref: 48681b)

·         By default, Audit Analyzer uses MSS2 codec to export audited sessions to a WMV (Windows Media Video) file. The MSS2 codec has a known issue which results in fuzzy video when an audited Windows session is exported as WMV file and opened in Windows Movie Maker 2012. From DirectAudit 3.2.0 onward, you can specify your own codec to export an audited session to a WMV file. Please refer to KB-4029 for additional information. (Ref: 56021a)

4.5    Audit Manager

·         User and group criteria should not be combined in an Audit Role or it may result into inconsistent results, the workaround is for users to use two different audit roles (one for groups, another for users) if they want to mix users and groups in audit role assignment. (Ref: CS-38968)

·         In the Notification tab of Installation Properties dialog, dynamic GIF file is not supported as the banner image file. (Ref: 32793c)

·         When creating an AuditRole with "ClientName" Audit Manager's Role Properties / Criteria will display an empty value rather than "ClientName = <IP address>" (Ref: CS-41803)

·         If you assign DirectAudit permissions to a Domain Local group, which is not in the current domain in the Audit Manager Installation Property Security tab, and a user belonging to that group runs Audit Analyzer and tries to connect to the DirectAudit Installation, Audit Analyzer will display the warning “You do not have permission to connect to the SQL server.”   A workaround is to grant permission to a Global or Universal group instead. (Ref: 25546c)

4.6    Centrify UNIX Agent for Audit

·         Centrify recommends customers use the session auditing capability of DirectAudit to ensure the complete login session is audited vs. auditing individual commands.  When the administrator configures Direct Audit to audit a specific command, Direct Audit moves the original command executable to a different location and replaces it by a symbolic link to the Direct Audit shell.  It is possible for a user to find out the new location of the executable and runs that command directly to bypass auditing.  Whereas the likelihood of this happening is very minute, Centrify recommends session auditing be turned on to avoid the chance of this happening.

·         Local "audit required" users need to be listed in nss.user.override.userlist and specify "audit_required" as the audit level. Currently "audit_required" is not listed as a supported value for this and the parameter "nss.user.override.auditlevel". (Ref: CS-39830)

·         Turning dadebug off when disk is full will result in an empty Centrifyda.conf file. (Ref: CS-41308)

·         If a user is logged in to AIX and HP-UX via a GUI, for example Xmanager, a terminal opened in the GUI will not be audited. To workaround this issue, set the centrifyda.conf parameter 'dash.allinvoked' to true. (Ref: 66330, CS-5876)

·         Uninstalling Centrify DirectAudit on a Solaris 10 with sparse zone configured will fail unless Solaris 10 patch 119255-66 has been installed. (Ref: CS-6912)

·         For Solaris, please contact technical support if you are using sparse zone(s) and like to do one of the following:

o    Change session auditing status from disabled to enabled during upgrade.

o    Enable session auditing in a global zone and want to disable session auditing in sparse zone(s) when using the same global zone.  (Ref: 76572, 80616b)

·         Obfuscation of session data has the following limitation: If the information is sent to stdout not as a whole, but piece by piece, the information will not be obfuscated. Example: A user wants to obfuscate a pattern "1234-5678". However, "1234-" is shown first and "5678" is shown 1 second later, this pattern will not be obfuscated.  Since the stdout buffer in the audit shell is 4KB, the obfuscation string is at most 4KB long. Note: this applies to stdout only. (80462a)

·         On HPUX 11.31, system patch PHNE_40225 or newer must be installed for the proper operation of Centrify DirectAudit. (Ref: 77054a)

·         Fields <uid> and <usertype> in the “nss.user.override.userlist” parameter in centrifyda.conf are reserved for future use and should be left unspecified.  Centrify recommends that the customer uses only the <username> and <audit-level> fields in this parameter. (77543).

·         Using the CLI command, "dastop" to stop the DirectAudit daemon, "dad," can result in unpredictable behavior in some systems. Instead, the script, "/usr/share/centrifydc/bin/centrifyda" should be used by administrators to start and stop the DirectAudit Daemon. (72292)

·         Starting from DirectAudit 3.2.0, dash.force.audit has been deprecated and is no longer needed in the configuration of command-level auditing for managed computers. As a result, it is no longer included in the configuration file (centrifyda.conf) by default. For details, please refer to the Configuration and Tuning Reference Guide. (Ref: 56822a)

·         Auditing init during startup on UNIX is not possible.  The init command used during the boot process should not be audited using per-command auditing. If you attempt to audit init, your operating system will not reboot properly.

·         You cannot start a GUI session if you are logged in via an interactive session.  Running startx or starting a GUI session from an interactive session results in the following message:

X: user not authorized to run the X server, aborting.

Workaround:

-          Run "sudo dpkg-reconfigure x11-common"

-          When you are prompted for users allowed to start the X server, choose "anybody" (the default is "console users only").

The GUI session or X server should start normally. (Ref: 25036a)

·         Local AIX users cannot be audited when they log in via built-in ssh, due to a change in AIX 7.0 ML1. Customers are advised to install Centrify OpenSSH if auditing of ssh login by local users is required (Ref: 33299a).

·         To audit the GUI terminal emulators, GUI login managers have to be fully reinitialized after auditing is enabled. On Linux, "init 3 && init 5" will start the reinitialization. (Stopping the X server only, or pressing ctrl+alt+backspace in Gnome, will not start the reinitialization.)

·         The dzinfo utility is run by a wrapper script. The actual executable of dzinfo is located in /usr/share/centrifydc/libexec/dzinfo.

To enable auditing on dzinfo, a user is required to audit /usr/share/centrifydc/libexec/dzinfo.

NOTE: /usr/bin/dzinfo and /usr/share/centrifydc/bin/dzinfo are symbolic links to the wrapper script /usr/share/centrifydc/bin/cdcexec. Ensure that the executable, and not a symbolic link or wrapper script, is audited.

·         On Solaris, the following commands, located in /usr/bin, might be implemented as ksh programs or scripts:

    alias   bg      cd

    command fc      fg

    getopts hash    jobs

    kill    read    test

    type    ulimit  umask  

    unalias wait

To identify commands implemented as ksh scripts, run the following script:

    #!/bin/ksh -p

    cmd=`basename $0`

    $cmd "$@"

The commands that are implemented internally by ksh should not be audited.

·         On a system using SMF (Service Management Facility), such as Solaris 10, the DirectAudit daemon might not start up after an upgrade from DirectAudit 1.x. This does not affect a fresh installation. To bring the daemon up, run these commands:

1)  svcadm disable centrifyda

2)  svcadm enable centrifyda

Run 'svcs' and find 'centrifyda' to confirm the daemon is online.

·         When a local user and an Active Directory user use the same UNIX user name, the user name will default to the name of the Active Directory user. If the local user name is intended, setting the pam.allow.override parameter in /etc/centrifydc/centrifydc.conf will help. After this setting, the user name implies the Active Directory user; and <username>@localhost will implies the local user.

DirectAudit 3.0 or later understands the "@localhost" syntax. DirectControl UNIX Agent will respond to <username>@localhost if the user name is set in pam.allow.override.

·         If you upgrade from DirectAudit 2.0., disable DirectAudit so that the new DirectAudit mechanism for hooking shells can be installed: Run 'dacontrol –d -a' to disable auditing, then restart the upgrade.

·         DirectAudit maintains a cache of user information for performance reasons.  This cache interferes with Unix commands that manipulate the local user database (passwd file).  These commands include useradd, userdel and usermod. From DirectAudit 3.2.0 onwards, DirectAudit will not access its local cache to fully support the following commands: useradd, userdel, adduser, usermod, mkuser, rmuser, chuser

Please contact support if your operating system platform has other programs that directly access the local passwd file.  (Ref: 56259a)

·         Change in AIX root user behavior: By default, all releases starting with Suite 2014 (DirectAudit 3.2.0) DO NOT modify the root stanza in AIX for new installations.  One side effect is that root user login WILL NOT be audited.  If your environment requires session auditing of root user login, you need to do the followings:

a.       Set up a DirectAuthorize role that has the audit level of "audit required" or "audit if possible"; and assign this role to root.

b.       Set the parameter adclient.autoedit.user.root to TRUE in /etc/centrifydc/centrifydc.conf.

c.       If DirectAudit session auditing is not enabled, enable DirectAudit session auditing using the command "dacontrol -e".

d.       Restart adclient (Ref: 56239a, 56604a)

   For AIX customers who upgrade from prior versions of Centrify Server Suite 2014 (DirectAudit 3.2.0), there is NO change in behavior.   The parameter adclient.autoedit.user.root is set to true in /etc/centrifydc/centrifydc.conf.  The root user will still be audited. (Ref: 56235)

o    If session auditing is enabled, all local user logins are processed by DirectAudit to determine whether the session should be audited.  This may block login if domain controllers are not responsive and/or DirectControl agent is not running.  Two new parameters are introduced in /etc/centrifyda/centrifyda.conf:

- user.ignore: specifies a list of local users that DirectAudit does not use Active Directory to determine audit level.  By default, the list is /etc/centrifydc/user.ignore (the same one that DirectControl uses), which includes some important accounts like root, bin, daemon, etc.

- user.ignore.audit.level - specifies the audit level for the local users specified in the user.ignore list.  The supported values are 0 (audit if possible) and 1 (audit not requested/required).  Default is 0 (audit if possible).  Note that "audit required" is not a reasonable choice, as this user needs to login all the time; and "audit required" may block login if DirectAudit does not function correctly. (Ref: 55599a, 57946a, 56935a, 58251a)

 

o    The /usr/share/centrifydc/bin/centrifyda script should be used to start/stop DirectAudit service in all *nix platforms. However, systemd is not fully supported in /usr/share/centrifydc/bin/centrifyda. For platforms that use systemd by default (such as SUSE Linux Enterprise 12/SUSE Linux Desktop 12), users need to set the environment variable SYSTEMD_NO_WRAP to 1 before calling the /usr/share/centrifydc/bin/centrifyda. Operations such as killing a daemon, running dad (DirectAudit daemon) directly, or running dastop command, could lead to issues in daemon managers in some *nix platforms. For example, SMF of Solaris, SRC of AIX and systemd of Fedora 20, may record incorrect running status of the daemon; and may fail to start daemon. (Ref: 57653a, 71211a)

 

4.7    Database

·         When adding an Audit Store database to a SQL Server Availability Group with the multi subnet failover feature, the SQL Server that hosts the management database must be SQL Server 2012 or above. In addition, when upgrading an existing DirectAudit installation to use the SQL Server Availability Group feature, Centrify recommends upgrading Collectors, Audit Management Server service, Audit Manager consoles and Audit Analyzer consoles to the latest version to benefit from this feature. (Ref: CS-39872)

·         In previous versions of DirectAudit, it was possible to specify the location of the database file. In DirectAudit 2.0.0 and later this capability is not provided in the Audit Store Database Wizard. However, you can still specify the full text file location, database file location, or transaction log file location by choosing "View SQL Scripts" and modifying the relevant database location manually in the script.

·         If the default memory setting for SQL Server is more than the actual memory in the system a memory error may occur. For more information see:

http://social.msdn.microsoft.com/Forums/en-US/sqldatabaseengine/thread/74a94f06-adf5-4059-bb92-57a99def37bd/

·         SQL Server 2008 R2 full text search categorizes certain words as stop words by default and ignores them for searches. Some stop words are common UNIX commands such as like, which, do, and while.  For more details about stop words and how to configure, please refer to http://technet.microsoft.com/en-us/library/ms142551.aspx

·         The collector monitors the active Audit Store database to check if it is running low on disk space. If an active Audit Store the database is on a disk with volume mount point, the collector may give a false alarm. In such cases, it is recommended to disable the detection by setting the following registry key with the type of DWORD to 0 on all your collector machines. (Ref: 53389a)

HKLM\Software\Centrify\DirectAudit\Collector\AuditStoreDiskSpaceLowThreshold

·         Collector only detects AuditStore disk space low against a configurable threshold if the SQL Server version is 2008 R2 SP1 (10.50.2500.0) and above. The threshold can be configured at Collector machine Registry: HKLM\Software\Centrify\DirectAudit\Collector\AuditStoreDiskSpaceLowThreshold  DWORD in MB, not configured, default to 1024 MB.  If free disk space is less than the threshold, Collector state is changed to "AuditStore database disk space is low", and stops accepting audit data from Agent(s).

4.8    Audit Management Server

·         To configure the audit management server to point to an installation, the user who is running the Audit Management Server Configuration Wizard must have the "Manage SQL Logins" permission on the management database of the installation. For example, if you are configuring an audit management server in an external forest with a one-way trust, be sure that the installation supports Windows and SQL Server authentication and the account you are using is from the internal forest and has the "Manage SQL Logins" permission on the management database. (Ref: 46989a)

4.9    FindSession Tools

·         For per-command auditing of dzdo command, when a ticket is entered, the role and ticket are associated with the audited session. For such sessions, the FindSessions tool’s export of type UnixCommand, UnixInput, or UnixInputOutput based on the role and/or ticket criteria will have the exported command, STDIN, or STDIN and STDOUT marked with role and ticket. When per session auditing is enabled, the exported data will not have role and ticket information. (Ref: 53936a)

·         When per-command auditing is enabled for dzdo command, and role and trouble ticket capturing is also configured, FindSessions.exe run with /export=UnixCommand option will not show the role and trouble ticket information in the exported file for the dzdo command itself, if the dzdo command executed is “dzdo su  –“ or “dzdo –i”. However, all the command executed within that dzdo session will have correct role and trouble ticket information. (Ref: 51787a)

4.10  Centrify  Agent for Windows

o    In the DirectAudit Windows Agent control panel, the setting “Maximum size of the offline data file” indicates the minimum amount of disk space (in percentage) that must be available/free in the spool volume in order to continue auditing users (especially when the DirectAudit Windows agent cannot send audit data to collector).  The DirectAudit Windows Agent makes its best attempt to pause auditing when the specified amount of disk space is no longer available and in certain cases may continue to write to spool volume for a few minutes before eventually pausing the auditing activity. (78072,  CS-6718)

o    Cannot connect to an installation when the Windows Agent machine has 2 IPs and the 2 IPs belong to the scope of two different AuditStores. (Ref: CS-42157)

o    Some events related to the login script are not listed in the indexed events list. The login script cannot be audited for an initial few seconds because the DirectAudit Windows agent software has not completed its setup. (Ref: 26286a)

 

4.11  Centrify Audit Module for PowerShell

·         Audit Module for PowerShell may take a long time to start because of the publisher's certificate verification.  To resolve the problem, disable the "Check for publisher's certificate revocation" option in System Control Panel\Internet Options\Advanced\Security. (Ref: 72499)

·         After installing Audit Module for PowerShell in a RDP session, PowerShell complains module "Centrify.DirectAudit.PowerShell" cannot be loaded.  This is because the installation package needs to modify system environment variables to let PowerShell know where to load the module.  This operation needed to be done in a "Console Session" if installation is done via RDP.  To resolve this problem, logout and re-login or run RDP with the "admin" option as "mstsc /admin" or "mstsc /console". (Ref: 72500a)

·         The cmdlet "Get-CdaUnixCommandTranscript" will fail to run on Win2K8R2(Server Core). (Ref: CS-41493)

5.   Additional Information and Support

In addition to following instructions in the documentation provided with this package, you can find the answers to common questions and information about any general or platform-specific known limitations, as well as tips and suggestions, from the Centrify Knowledge Base on the Centrify Support Portal.

You can also contact Centrify Support directly with your questions through the Centrify web site, by email, or by telephone. To contact Centrify Support or to get help with installing or using this version of Centrify DirectAudit, send email to Support or call 1-669-444-5200, option 2.

For information about purchasing or evaluating Centrify products, send email to info.