Centrify DirectAudit 2.x/3.x
What is the purpose of the DirectAudit Outgoing account? What permissions are needed for this account?
DA works with two types of databases:
a) Audit Server database (also called the Management database) and
b) Audit Store database.
The Audit Store database stores the actual user activity from Unix/Linux/Windows machines. The Audit Server database’s primary responsibility is to collect data from all the Audit Store databases and present this information in a unified way in the Auditor console (also called the
Audit Analyzer console) and the Administrator console. For example, when you search user sessions, they might be coming from more than one Audit Store database, but the Auditor console combines them and shows them all as one unit.
How does Audit Server work?
The Audit Server uses stored procedures that reach out to each of the Audit Store databases (there can be more than one Audit Store database), combine the information together and send it to the console. To make this work, the Audit Server needs to log in to each of the Audit Store databases using an account known as the “Outgoing account”.
What authentication is supported by Outgoing account?
The Outgoing account supports both Windows authentication (default) and SQL Server authentication. If you are using Windows authentication,
the Outgoing account is nothing but the service account under which the Audit Server database’s SQL Server instance is running
(remember, here one database is trying to connect to another database). If customers do not like using Windows authentication, or do not like their SQL Server service account reaching out to other databases, they can use a low-privilege SQL login account as the Outgoing account.
What privileges are required/exercised by the Outgoing account?
The Outgoing account does not need any admin-level privileges. This account is simply used to log in to the Audit Store databases and run a
bunch of stored procedures to pull data. However, the stored procedures hosted on the Audit Store database need to make sure that the
caller is indeed the Audit Server database and not an unauthorized user. This is enforced by using a database role
named “managementdb”. Every Audit Store database has a database-level role named “managementdb”, and the Outgoing account must be a member of this role.
If that is not the case, the called stored procedure assumes that the caller is not authorized and simply rejects the call. Please note that this
check is done by DA’s stored procedures and it is a safety check: even if the Outgoing account is sysadmin, you cannot bypass this check.
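The following T-SQL is an added illustration of the setup described above and is not Centrify's own script. It creates a dedicated low-privilege SQL login to serve as the Outgoing account, maps it into an Audit Store database, adds it to the managementdb role, and lists the role's members so an administrator can verify the mapping on every Audit Store database. The login name da_outgoing, the database name [AuditStoreDB_placeholder] and the password are placeholders; the guarded stored procedure at the end only sketches the membership-check pattern the article describes and is not DA's actual procedure.

```sql
-- Added example, not Centrify's script. All names below are placeholders.
-- Run on the SQL Server instance hosting the Audit Store database(s), as a
-- principal allowed to create logins and manage database roles.

-- 1. A dedicated low-privilege SQL login for the Outgoing account.
--    No server roles are granted: sysadmin is not needed, and the page notes
--    it would not bypass the managementdb check anyway.
USE master;
GO
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'da_outgoing')
    CREATE LOGIN da_outgoing
        WITH PASSWORD = N'<strong-password-placeholder>',
             CHECK_POLICY = ON;
GO

-- 2. On EACH Audit Store database: map the login to a database user and
--    make it a member of the managementdb role.
USE [AuditStoreDB_placeholder];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'da_outgoing')
    CREATE USER da_outgoing FOR LOGIN da_outgoing;
GO
-- ALTER ROLE ... ADD MEMBER needs SQL Server 2012 or later;
-- on older versions use EXEC sp_addrolemember N'managementdb', N'da_outgoing';
ALTER ROLE managementdb ADD MEMBER da_outgoing;
GO

-- 3. Verification: list every member of managementdb in this Audit Store
--    database. The Outgoing account must appear here; anything else that
--    appears should be explained.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'managementdb';
GO

-- 4. Sketch of the pattern the article describes: a stored procedure that
--    refuses to run unless the caller is a member of managementdb.
--    Illustrative only; DA's real procedures are not reproduced here.
CREATE OR ALTER PROCEDURE dbo.usp_example_guarded_query
AS
BEGIN
    SET NOCOUNT ON;
    IF ISNULL(IS_ROLEMEMBER(N'managementdb'), 0) <> 1
    BEGIN
        THROW 50001, N'Caller is not a member of managementdb; call rejected.', 1;
    END;
    -- ... the real procedure would query the session tables here ...
    SELECT SUSER_SNAME() AS caller, N'authorized' AS status;
END;
GO
```

If the default Windows authentication is kept instead, step 1 is replaced by creating the login from the SQL Server service account (CREATE LOGIN [DOMAIN\service-account-placeholder] FROM WINDOWS), and steps 2 and 3 apply unchanged. Steps 2 and 3 have to be repeated on every Audit Store database, since the role membership is per database and the Audit Server's stored procedures are rejected on any database where the mapping is missing.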
1. The Outgoing account is used by the Audit Server DB to contact all Audit Store DBs.
2. By default, the Outgoing account is the SQL Server service account; customers who do not like this can change it to a low-privilege SQL login account.
3. The Outgoing account must have a user mapping and must be a member of the managementdb role on each of the Audit Store databases (even if the Outgoing account is sysadmin).
4. The Outgoing account does not need any sysadmin rights on the database server.