Centrify DirectAudit 2.x/3.x
Is it possible to achieve the following:
1) Enable session-level auditing for certain users (e.g., root)
2) Audit "su" sessions
3) Audit "dzdo/sudo" sessions
4) Commands such as "ssh root@audited_server who" run from remote systems are not audited
5) Cron jobs are not audited
The following steps were tested on a RHEL server.
1) Roles and Role Assignments:
The following roles need to be created:
a) Audit_no_login: with audit level "Audit not requested/required", assign it to All AD users
b) Audit_no_local: with audit level "Audit not requested/required", assign it to All Local accounts
c) Audit_if_login: with audit level "Audit if possible", assign it to AD user "joe"
d) Audit_if_local: with audit level "Audit if possible", assign it to local user "root"
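The four roles above only produce the intended result because a user who is covered by both a "no audit" role (via the All AD users / All Local accounts assignment) and an "Audit if possible" role (via the direct assignment) ends up audited. The following added example (not from the Centrify documentation or this page) models that resolution. It assumes the stronger of the assigned audit levels wins; the third level, "Audit required", is part of DirectAudit role definitions but is not used on this page. The user list is constructed.

```python
"""Model of how DirectAudit role assignments combine into one effective
audit level per user. The precedence (Audit required > Audit if possible >
Audit not requested/required) is an assumption that matches the outcome the
page reports: joe and root are audited even though they also fall under the
"All AD users" / "All Local accounts" no-audit assignments.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Higher number = stronger requirement; the strongest assigned level wins (assumption).
AUDIT_LEVELS = {
    "Audit not requested/required": 0,
    "Audit if possible": 1,
    "Audit required": 2,
}


@dataclass(frozen=True)
class User:
    name: str
    source: str  # "ad" for Active Directory accounts, "local" for /etc/passwd accounts


@dataclass(frozen=True)
class RoleAssignment:
    role: str
    audit_level: str
    principal: str  # "All AD users", "All Local accounts", or one user name

    def matches(self, user: User) -> bool:
        """Does this assignment apply to the given user?"""
        if self.principal == "All AD users":
            return user.source == "ad"
        if self.principal == "All Local accounts":
            return user.source == "local"
        return self.principal == user.name


# The four roles from the page, assigned as the page describes.
ASSIGNMENTS: List[RoleAssignment] = [
    RoleAssignment("Audit_no_login", "Audit not requested/required", "All AD users"),
    RoleAssignment("Audit_no_local", "Audit not requested/required", "All Local accounts"),
    RoleAssignment("Audit_if_login", "Audit if possible", "joe"),
    RoleAssignment("Audit_if_local", "Audit if possible", "root"),
]


def effective_audit_level(user: User,
                          assignments: Iterable[RoleAssignment] = ASSIGNMENTS) -> str:
    """Return the strongest audit level among the roles that apply to `user`.
    A user matched by no role is treated as 'Audit not requested/required'."""
    best = "Audit not requested/required"
    for a in assignments:
        if a.matches(user) and AUDIT_LEVELS[a.audit_level] > AUDIT_LEVELS[best]:
            best = a.audit_level
    return best


def is_session_audited(user: User,
                       assignments: Iterable[RoleAssignment] = ASSIGNMENTS) -> bool:
    """'Audit if possible' and 'Audit required' both yield a recorded session
    when the agent can audit; only 'not requested' skips the session."""
    level = effective_audit_level(user, assignments)
    return AUDIT_LEVELS[level] >= AUDIT_LEVELS["Audit if possible"]


def audit_matrix(users: Iterable[User],
                 assignments: Iterable[RoleAssignment] = ASSIGNMENTS) -> Dict[str, str]:
    """Effective audit level for every user, useful to review a role design
    before rolling it out."""
    return {u.name: effective_audit_level(u, assignments) for u in users}


if __name__ == "__main__":
    # Constructed users: the two from the page plus an unrelated AD user.
    sample = [User("root", "local"), User("joe", "ad"), User("normal", "local"),
              User("super", "local"), User("alice", "ad")]
    for name, level in audit_matrix(sample).items():
        print(f"{name:8s} -> {level}")
```

Running the model over the constructed users shows that only root and joe resolve to "Audit if possible"; every other local or AD account resolves to "Audit not requested/required", which is the behaviour the rest of the page expects.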
1. Configure the Linux agent and verify that NSS is active.
2. Enable CLI auditing as shown below:
DirectAudit is configured to audit the following command(s):
3. Add the following 2 lines to "/etc/centrifyda/centrifyda.conf", then run "dareload":
4. Log in via ssh to the audited server as the audited users root and joe.
Both users are audited and their sessions can be found in Audit Analyzer.
5. Log in via ssh to the agent as non-audited users:
a) normal (local user): run "su" to switch to root
b) super (local user): run "sudo adflush"
c) joe (AD user): run "dzdo adflush"
a), b) and c) each generate a session that contains the related audited commands.