Centrify DirectAudit 3.x
DirectAudit (DA) captures the raw data stream when files are piped through the tar command over an SSH connection. This causes the DA database to grow very large.
The command looks something like this (run by a local user). It is used in a script to replicate files across servers:
ssh NPIUSER@HOSTB "sudo -u LOCALUSERB bash -c 'tar -C $DIRB -czf - $FILE'" | tar -C $DIRA -xzf -
If there is no need to audit all sudo commands run remotely over ssh, adding the following line to /etc/centrifyda/centrifyda.conf will resolve the issue:
dash.ssh.command.skiplist: scp rsync sftp-server sudo
Please note that with this setting "ssh using sudo" will not be audited. DA does not check whether the session is ssh; it checks the terminal (tty).
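
Because this setting leaves sudo run over ssh unaudited, it helps to apply it without dropping skiplist entries a host already has, and to be able to list the hosts where it is in effect. The script below is an added example, not Centrify's code: the function names are hypothetical, and it assumes the file holds "key: value" lines as shown above and that a .bak copy beside the file is an acceptable backup.

```shell
#!/bin/sh
# Added example (not Centrify code). Function names are hypothetical.
# Assumption: centrifyda.conf holds "key: value" lines, as in the article.
KEY_RE='dash\.ssh\.command\.skiplist'
PAGE_LINE='dash.ssh.command.skiplist: scp rsync sftp-server sudo'  # from the article

# Print the value of every uncommented skiplist line (empty if the key is unset).
da_skiplist_get() {
    sed -n "s/^[[:space:]]*${KEY_RE}[[:space:]]*:[[:space:]]*//p" "$1"
}

# Exit 0 when sudo is on the skiplist, i.e. sudo run over ssh is NOT audited here.
da_sudo_skipped() {
    case " $(da_skiplist_get "$1" | tr -s '[:space:]' ' ') " in
        *" sudo "*) return 0 ;;
    esac
    return 1
}

# Add sudo, keeping existing entries; prints unchanged | appended | created.
da_skip_sudo() {
    conf=$1
    if da_sudo_skipped "$conf"; then
        echo unchanged
        return 0
    fi
    cp -p "$conf" "$conf.bak"   # keep the previous file for rollback
    if grep -q "^[[:space:]]*${KEY_RE}[[:space:]]*:" "$conf.bak"; then
        # Key already set: append sudo to the existing value.
        sed "/^[[:space:]]*${KEY_RE}[[:space:]]*:/ s/[[:space:]]*\$/ sudo/" \
            "$conf.bak" > "$conf"
        echo appended
    else
        # Key not set: add the line exactly as the article gives it.
        printf '%s\n' "$PAGE_LINE" >> "$conf"
        echo created
    fi
}
```

Run da_skip_sudo /etc/centrifyda/centrifyda.conf as root to apply the change; da_sudo_skipped on the same file reports, by exit status, whether a host currently has this audit gap.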