KB-7039: In Direct Audit, with command auditing enabled, two sessions were logged instead of one.
Products: Auditing and Monitoring Service
Article properties (dates and number as listed): 6/21/2016 4:17 PM, 10/24/2016 4:49 PM, 000007039
Applies to:
DirectAudit 3.3.0 & 3.3.1 (Centrify Server Suite 2016 & 2016.1)
Problem:
In Direct Audit, with command auditing enabled for both su and dzdo, when a user runs "dzdo su - root", two sessions were logged instead of one.
Cause:
In Suite 2016 and 2016.1, a flaw in the command auditing logic caused Direct Audit to send the child session's audited data to the collector.
Workaround:
The issue can be worked around by adding a new parameter to the file /etc/centrifyda/centrifyda.conf, like this:
dash.parent.skiplist: sapstartsrv gdm-binary gdm-session-wor kdm sdt_shell dzdo sudo sudo.daudit
Customers can also use group policy to set the same parameter:
"Centrify DirectAudit Settings" -> "DirectAudit Shell Settings" -> "Set parent process skip list"
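One way to apply the file-based workaround repeatably across audited hosts, as an added example that is not Centrify's own tooling: the hypothetical functions current_skiplist and ensure_skiplist read the active setting and append any of the article's entries that are missing. It assumes the value is a space-separated list, as shown above, and that entries an administrator added locally should be kept.

```shell
#!/bin/sh
# Added example: idempotently apply the KB-7039 workaround to a centrifyda.conf file.
KEY='dash.parent.skiplist'
# Value exactly as given in the article.
WANT='sapstartsrv gdm-binary gdm-session-wor kdm sdt_shell dzdo sudo sudo.daudit'

# current_skiplist FILE: print the value of the last active (uncommented) setting, if any.
current_skiplist() {
    sed -n "s/^[[:space:]]*dash\.parent\.skiplist[[:space:]]*:[[:space:]]*//p" "$1" | tail -n 1
}

# ensure_skiplist FILE: keep existing entries, append the article's entries that are
# missing, and leave exactly one setting line.
# Returns 0 if the file already complied, 10 if it was changed, 1 on error.
ensure_skiplist() {
    conf=$1
    have=$(current_skiplist "$conf")
    merged=$have
    for name in $WANT; do
        case " $merged " in
            *" $name "*) ;;                            # already listed
            *) merged="${merged:+$merged }$name" ;;    # append missing entry
        esac
    done
    [ "$merged" = "$have" ] && return 0
    tmp=$(mktemp "${conf}.XXXXXX") || return 1
    # Drop old active settings of this key, then append the merged one.
    grep -v "^[[:space:]]*dash\.parent\.skiplist[[:space:]]*:" "$conf" > "$tmp" || :
    printf '%s: %s\n' "$KEY" "$merged" >> "$tmp"
    cat "$tmp" > "$conf" && rm -f "$tmp"   # cat keeps the original owner and mode
    return 10
}
```

Run it as root with /etc/centrifyda/centrifyda.conf as the argument; the return code distinguishes hosts that already had the workaround from hosts that were changed.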
Resolution:
This issue will be fixed in a future release.