Centrify DirectAudit 3.x
On a Centrify audit server, the command "getent passwd username" returns the shell as /bin/centrifyda, but it returns /bin/bash when running "getent passwd".
Is there an option in Centrify that can be used so that "getent passwd user" returns the default shell rather than /bin/centrifyda, without impacting business scripts which rely on it?
[root@localhost ~]# rpm -qa | grep -i centrify
[root@localhost~]# getent passwd p2181976
p2181976:x:2762:1014:Joe user :/home/p2181976:/bin/centrifyda
[root@localhost ~]# getent passwd | grep p2181976
Unfortunately, this is by design.
DirectAudit intercepts user lookups by inserting itself into nsswitch.conf and replacing the user's real shell with cdash or centrifyda so that it can capture the user's activity.
There is no way to distinguish between callers and supply different answers to getpwnam queries depending on who is asking.
The difference between "getent passwd" and "getent passwd <user>" is that they use different NSS function calls:
"getent passwd" uses getpwent()
"getent passwd <user>" uses getpwnam()
DirectAudit intercepts the getpwnam() call but not the getpwent() call, which is why only the per-user lookup shows /bin/centrifyda.
Attached to this KB is a sample shell script that can be deployed on a test system.
1. The customer should verify that:
a. 'which getent' shows /usr/bin/getent
b. There is no file named /usr/local/bin/getent
2. If 'which getent' does not show /usr/bin/getent, edit the script to use the correct path for getent.
3. If there is no file named /usr/local/bin/getent, copy the script to /usr/local/bin/getent.
4. Make sure that the file is owned by root and is world executable.
5. If there is already another file named /usr/local/bin/getent, find a directory that does not contain a getent and that is ahead of /usr/bin in the user's PATH, and install the script there instead.
The getent script simply runs 'getent passwd | grep user' when it is invoked as 'getent passwd user'; for any other arguments it calls the original getent with all of the arguments unchanged.
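As an added example (not the script attached to this KB), here is a wrapper with the behaviour just described. It only helps callers that run the getent binary; programs that call getpwnam() through libc still receive /bin/centrifyda. The REAL_GETENT override variable and the anchored "^user:" match are assumptions made here, so that looking up p21819 does not also return p2181976.

```shell
#!/bin/sh
# Wrapper to be installed as /usr/local/bin/getent, ahead of /usr/bin in PATH.
# REAL_GETENT is an assumed override (not part of the KB); it defaults to the
# path that 'which getent' reported, so the wrapper never calls itself.
REAL_GETENT="${REAL_GETENT:-/usr/bin/getent}"

# Look a single user up through the enumeration path (getpwent) instead of
# getpwnam, so the entry carries the real login shell, not /bin/centrifyda.
# The match is anchored to the whole user-name field, and a miss returns 2,
# which is the status getent itself uses for "key not found".
getent_passwd_user() {
    "$REAL_GETENT" passwd | grep "^$1:" || return 2
}

# Dispatch: only 'getent passwd <user>' is rewritten; any other invocation
# is handed to the original getent with all of its arguments untouched.
getent_wrapper() {
    if [ "$#" -eq 2 ] && [ "$1" = "passwd" ]; then
        getent_passwd_user "$2"
    else
        "$REAL_GETENT" "$@"
    fi
}

# Only act as getent when executed under that name (not when sourced).
case "${0##*/}" in
    getent) getent_wrapper "$@" ;;
esac
```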
Alternatively, the customer can switch to command-line auditing.