
KB-4352: How to audit interactive sessions that either act as root or su to root, or process as root but not cron

Auditing and Monitoring Service

12 April,16 at 11:41 AM

Applies to:
Centrify DirectAudit 2.x/3.x

Is it possible to achieve the following?
1) Enable session-level auditing for certain users (e.g., root)
2) Audit "su" sessions
3) Audit "dzdo/sudo" sessions
4) Commands such as "ssh root@audited_server who" run from remote systems should not be audited
5) cron jobs should not be audited

The following steps were tested on a RHEL server.
1) Roles and Role Assignments:
The following roles need to be created:
a) Audit_no_login: with audit level "Audit not requested/required", assigned to All AD users
b) Audit_no_local: with audit level "Audit not requested/required", assigned to All Local accounts
c) Audit_if_login: with audit level "Audit if possible", assigned to AD user "joe"
d) Audit_if_local: with audit level "Audit if possible", assigned to local user "root"
1. Configure the Linux agent and confirm that NSS is active.
2. Enable CLI auditing as shown below. DirectAudit is configured to audit the following command(s):
3. Add the following 2 lines to "/etc/centrifyda/centrifyda.conf", then run "dareload":
dash.allinvoked: false
4. ssh login to the audited server with the audited users root and joe.
Both users are audited and their sessions can be found in Audit Analyzer.
5. ssh login to the agent with non-audited users:
a) normal (local user) – run the "su" command to become root
b) super (local user) – run "sudo adflush"
c) joe (AD user) – run "dzdo adflush"
a), b) and c) all generate sessions that contain the related audited commands.
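As an added example (not Centrify's tooling and not part of the original article), a small POSIX shell helper that applies the step 3 setting idempotently and calls "dareload" only when the file actually changed, so repeated runs on a fleet do not restart auditing needlessly; the CONF override and the "sample.other" key in the comments are assumptions for testing on a scratch copy.

```shell
#!/bin/sh
# Added example: idempotent "key: value" editing for centrifyda.conf.
# CONF can be overridden to exercise the functions on a scratch copy.
CONF="${CONF:-/etc/centrifyda/centrifyda.conf}"

# Print the effective value of a key (last uncommented match wins),
# or nothing if the key is absent.
da_get() {
    key="$1"
    awk -v k="$key:" '
        /^[[:space:]]*#/ { next }
        $1 == k { v = $2 }
        END { if (v != "") print v }
    ' "$CONF"
}

# Set key to value: rewrite existing uncommented lines in place
# (duplicates collapse to one), append if absent.
# Returns 0 if the file changed, 1 if it was already correct.
da_set() {
    key="$1"; value="$2"
    if [ "$(da_get "$key")" = "$value" ]; then
        return 1
    fi
    tmp="$CONF.tmp.$$"
    awk -v k="$key:" -v v="$value" '
        /^[[:space:]]*#/ { print; next }
        $1 == k { if (!done) { print k " " v; done = 1 }; next }
        { print }
        END { if (!done) print k " " v }
    ' "$CONF" > "$tmp" && mv "$tmp" "$CONF"
    return 0
}

# Apply the step 3 setting; reload the agent only if the file changed.
# Returns 0 when the effective value is "false" afterwards.
apply_allinvoked() {
    if da_set dash.allinvoked false; then
        # dareload is the reload command named in the article; skipped
        # on hosts where the DirectAudit agent is not installed.
        if command -v dareload >/dev/null 2>&1; then dareload; fi
    fi
    [ "$(da_get dash.allinvoked)" = "false" ]
}
```

Run as root on the audited server, or with CONF pointing at a copy to preview the change first.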