Applies to:
Centrify DirectAudit 3.x
Question:
DA is capturing raw data when piping files using the tar command over an SSH connection. This is causing the DA DB to grow huge.
It would be something like this (run by a local user). It's used in a script to replicate files across servers.
ssh NPIUSER@HOSTB "sudo -u LOCALUSERB bash -c 'tar -C $DIRB -czf - $FILE'" | tar -C $DIRA -xzf -
Answer:
If there is no need to audit every sudo command that is run remotely over ssh, adding the following line to /etc/centrifyda/centrifyda.conf will resolve the issue:
dash.ssh.command.skiplist: scp rsync sftp-server sudo
Please note that with this setting, ssh sessions that invoke sudo will not be audited. DA does not check whether the command arrived over ssh; it checks whether a terminal (tty) is present.
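The following shell snippet is an added example, not part of this KB article or of Centrify's own tooling. It manages the dash.ssh.command.skiplist line in a centrifyda.conf-style "key: value" file idempotently, so that a provisioning script can be re-run without appending a second copy of the key, and it ignores commented-out copies of the key when reading the current value. It assumes the file uses one "key: value" line per parameter (as on this page); the file path and the sample contents are constructed for the demonstration, and the real file is /etc/centrifyda/centrifyda.conf.

```shell
#!/bin/sh
# Added example (not from the original KB): idempotent management of
# dash.ssh.command.skiplist in a centrifyda.conf-style "key: value" file.
# CONF defaults to a constructed path; point it at the real file when in use.

CONF="${CONF:-/tmp/centrifyda.conf.example}"

# Print the effective skiplist value ("" if the key is absent or only commented out).
skiplist_get() {
    # Only uncommented lines that begin with the key count; if the key appears
    # more than once, take the last definition.
    grep -E '^[[:space:]]*dash\.ssh\.command\.skiplist[[:space:]]*:' "$CONF" 2>/dev/null \
        | tail -n 1 \
        | sed -E 's/^[^:]*:[[:space:]]*//'
}

# Return 0 if the given command is already in the skiplist, 1 otherwise.
skiplist_has() {
    cmd="$1"
    for entry in $(skiplist_get); do
        [ "$entry" = "$cmd" ] && return 0
    done
    return 1
}

# Add a command to the skiplist: create the key if it is missing, extend it
# in place if it exists, and do nothing if the command is already listed.
skiplist_add() {
    cmd="$1"
    if skiplist_has "$cmd"; then
        return 0
    fi
    current="$(skiplist_get)"
    if [ -z "$current" ]; then
        printf 'dash.ssh.command.skiplist: %s\n' "$cmd" >> "$CONF"
    else
        # Rewrite the existing key rather than appending a duplicate; keep a .bak copy.
        sed -i.bak -E "s|^([[:space:]]*dash\.ssh\.command\.skiplist[[:space:]]*:).*|\1 $current $cmd|" "$CONF"
    fi
}

# Demonstration on a constructed sample file: one commented-out copy of the key
# (which must be ignored) and one active copy without sudo.
demo() {
    cat > "$CONF" <<'EOF'
# constructed sample centrifyda.conf fragment
# dash.ssh.command.skiplist: scp
dash.ssh.command.skiplist: scp rsync sftp-server
EOF
    skiplist_add sudo
    skiplist_add sudo   # second call must be a no-op
    skiplist_get
}

demo
```

Run it as-is to see the resulting skiplist on the sample file; to apply it to a live system, set CONF to the real path and call skiplist_add sudo, then restart the DA agent as your deployment normally requires.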