
KB-4352: How to audit interactive sessions that either act as root or su to root, or run commands as root, but not cron

Centrify DirectAudit

12 April 2016 at 11:41 AM

Applies to:
 
Centrify DirectAudit 2.x/3.x

 
 
Question:
 
Is it possible to achieve the following:
 
1) Enable session-level auditing only for certain users (e.g., root)
 
2) Audit "su" sessions
 
3) Audit "dzdo"/"sudo" sessions
 
4) Non-interactive commands run from remote systems, such as "ssh root@audited_server who", are not audited
 
5) Cron jobs are not audited

 
 
Answer:
 
The following steps were tested on a RHEL server.
 
1) Roles and role assignments:
 
The following roles need to be created:
 
a) Audit_no_login: audit level "Audit not requested/required", assigned to all AD users
 
b) Audit_no_local: audit level "Audit not requested/required", assigned to all local accounts
 
c) Audit_if_login: audit level "Audit if possible", assigned to the AD user "joe"
 
d) Audit_if_local: audit level "Audit if possible", assigned to the local user "root"
 
2) Agent configuration and verification:
 
1. Configure the Linux agent and confirm that NSS is active.
 
2. Enable CLI auditing for su, sudo and dzdo, so that the agent reports the following:
 
==========================
DirectAudit is configured to audit the following command(s):
   /bin/su
   /usr/bin/sudo
   /usr/share/centrifydc/bin/dzdo
==========================
 
3. Add the following two lines to "/etc/centrifyda/centrifyda.conf", then run "dareload":
===========================
dash.allinvoked: false
dash.force.audit:/usr/share/centrifydc/bin/dzdo.daudit,/bin/su.daudit,/usr/bin/sudo.daudit
===========================
 
4. Log in over ssh to the audited server as the audited users root and joe:
 
===========================
Both users are audited and their sessions can be found in Audit Analyzer.
===========================
 
5. Log in over ssh to the agent as non-audited users:
 
a) normal (local user): run "su" to become root
 
b) super (local user): run "sudo adflush"
 
c) joe (AD user): run "dzdo adflush"
===============================
 
a), b) and c) each generate a session that contains the related audited command.
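The two centrifyda.conf lines in step 3 are easy to get subtly wrong (a stray space after a comma, a wrapper path left out, or dash.allinvoked never set), and dareload will not tell you. The following script is an added example, not Centrify's code or part of this KB: it parses a centrifyda.conf in the "key: value" form shown above and checks that dash.allinvoked is false and that every .daudit wrapper listed in step 3 appears in dash.force.audit. The key names, the wrapper paths and the dareload step come from the article; the function names and the two sample config files are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Centrify KB): check a centrifyda.conf against
# the two settings this article prescribes before running "dareload".
# Assumptions: "key: value" line format as shown in the article; the wrapper
# paths below are exactly the three listed in step 3.

REQUIRED_WRAPPERS="/usr/share/centrifydc/bin/dzdo.daudit /bin/su.daudit /usr/bin/sudo.daudit"

# da_conf_get KEY FILE: print the value of KEY (last occurrence wins,
# comment lines skipped, surrounding whitespace trimmed). Empty if absent.
da_conf_get() {
    awk -v k="$1" '
        /^[ \t]*#/ { next }                       # skip comment lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, k ":") == 1) {        # line starts with "key:"
                v = substr(line, length(k) + 2)   # drop the "key:" prefix
                gsub(/^[ \t]+|[ \t]+$/, "", v)
            }
        }
        END { print v }' "$2"
}

# check_da_conf FILE: return 0 if the file matches the article's step 3,
# otherwise print each problem and return 1.
check_da_conf() {
    file=$1
    rc=0
    if [ "$(da_conf_get dash.allinvoked "$file")" != "false" ]; then
        echo "FAIL: dash.allinvoked is not set to false in $file"
        rc=1
    fi
    # Normalise the comma-separated list (drop spaces) before matching.
    forced=$(da_conf_get dash.force.audit "$file" | tr -d ' \t')
    for w in $REQUIRED_WRAPPERS; do
        case ",$forced," in
            *",$w,"*) ;;
            *) echo "FAIL: $w missing from dash.force.audit in $file"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample configs (not real files from a Centrify install).
GOOD_CONF=$(mktemp)
BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT

cat >"$GOOD_CONF" <<'EOF'
# constructed sample: matches step 3 of the article
dash.allinvoked: false
dash.force.audit:/usr/share/centrifydc/bin/dzdo.daudit,/bin/su.daudit,/usr/bin/sudo.daudit
EOF

cat >"$BAD_CONF" <<'EOF'
# constructed sample: allinvoked left true, sudo wrapper missing, spaces after commas
dash.allinvoked: true
dash.force.audit: /usr/share/centrifydc/bin/dzdo.daudit, /bin/su.daudit
EOF

for f in "$GOOD_CONF" "$BAD_CONF"; do
    if check_da_conf "$f"; then
        echo "$f: OK, safe to run dareload"
    else
        echo "$f: fix the settings above before running dareload"
    fi
done
```

To use it on a real agent, point check_da_conf at /etc/centrifyda/centrifyda.conf instead of the constructed sample and run dareload only once it reports OK; re-run the step 4 and step 5 logins afterwards to confirm the sessions still show up in Audit Analyzer.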
