How Centrify DirectAudit Works
Centrify DirectAudit's next-generation, enterprise-scale architecture was designed to be highly scaleable, secure and reliable
Centrify DirectAudit consists of four components:
DirectAudit's Architecture. See below for a discussion of each component.
DirectAudit Agent
DirectAudit's easy-to-install, low overhead Agent silently and transparently gathers comprehensive user session activity: what commands were executed, what changes were made to key files and data, and what output appeared. Or, you can tailor the auditing to record sessions for all users, specific users or specific commands.
The DirectAudit Agent continuously communicates user session activity in an authenticated and encrypted format to a DirectAudit Collector Service. Asynchronous data transfer ensures minimal impact on monitored systems.
The DirectAudit Agent was designed with enterprise-level compatibility, reliability and scaleability in mind. It is natively compiled and tested for a wide range of UNIX and Linux systems. When no network connection is available, the DirectAudit Agent continues to record user session data and subsequently forwards it to a Collector Service when the network is available. This ensures auditing continues not only during network outages but for offline use on laptops as well. The DirectAudit Agent leverages the DirectControl Agent on the audited system to determine the best Collector Service to communicate with, and it supports load-balancing among multiple DirectAudit Collector Services to provide scaleability for 100s or 1000s of audited systems.
DirectAudit Collector Service
The Collector Service gathers data from DirectAudit Agents and stores it in a central SQL Server repository. The Collector Service runs on a separate Windows system. You can deploy multiple DirectAudit Collector Services to support load-balancing and to provide fail-over in case a system hosting a Collector Service goes down.
DirectAudit Repository
All audit data is stored in the central DirectAudit Repository running on Microsoft SQL Server, providing enterprise-scale performance and scalability. By adopting a non-proprietary SQL data format, DirectAudit enables robust reporting and querying through the DirectAudit Console as well as through third-party reporting tools. Archiving and purging session data is also easy.
The DirectAudit installation package automatically installs and configures SQL Server Express Edition for evaluation purposes. Express Edition is free and supports up to 4 GB of data; upgrading to the full version of SQL Server is straightforward.
DirectAudit Console
The DirectAudit Console gives you a centralized view of every audited UNIX and Linux system across your enterprise (see Figure 2-2 below). Out-of-the-box views give you easy access to lists of user sessions, including both a real-time view of current sessions and historical views of sessions in the past day, the past week, and so on. You can also build your own views that show sessions by specific users, machines, time periods, or other criteria. Workflow features enable you to flag sessions for later followup (perhaps by IT auditors).
DirectAudit Console. The DirectAudit Console gives you a central, global view of user sessions across your audited UNIX/Linux environment. Out-of-the-box views show both current and historical sessions grouped by computer, by user, and other criteria. In this example, you can see all sessions on a specific computer, sorted by start time. DirectAudit can record sessions both for Active Directory accounts for local accounts such as root. Notice that the top two entries in this example show you sessions currently in progress. (Click to enlarge.)
With a simple right-click you can replay any user session on any audited system to see what commands were executed, what changes were made to key files and data, and what system output appeared. You can pause, rewind, or fast-forward – as easy as using a VCR. This is an invaluable tool for both spotting suspicious activity and quickly troubleshooting system issues.
Session Replay Window. By right-clicking on any session transcript you can replay the entire session to see what commands were entered, what changes were made to files and data, and what output appeared. In this example, a search of session transcript for "passwd" located this session and took you directly to the point where the command was entered. You can pause, rewind or fastforward through a session – just like using a VCR. This unique session replay feature helps you proactively spot insider threats and takes the guesswork out of troubleshooting system problems. In this example, a search across all session transcripts for "passwd" found this session, and replaying the session takes you right to the point where the password command was entered.
One useful feature for IT auditors is the ability to see just a list of commands that the user entered during a session.
Session Command List. Here you can see the user was making a routine web server check and did not edit any files.
You can also perform full-text searches to find, for example, all instances of a password command across all sessions. By adopting a non-proprietary SQL data format, DirectAudit enables robust reporting and querying through third-party tools as well.
