
Centrify DirectAudit 2.0.1 Release Notes

(C) 2006-2011 Centrify Corporation. This software is protected by international copyright laws. All Rights Reserved.

Table of Contents

1. About This Release
2. New Features
   2.1 New Features in DirectAudit 2.0.0
   2.2 New Features in DirectAudit 1.3.0
   2.3 New Features in DirectAudit 1.1.2
   2.4 New Features in DirectAudit 1.1.0
   2.5 New Features in DirectAudit 1.0.3
   2.6 New Features in DirectAudit 1.0.2
3. Bugs Fixed
4. Known Issues
5. Additional Information and Support

1. About This Release

Centrify(R) DirectAudit(TM) helps you comply with regulatory requirements through detailed auditing and logging of user activity on your UNIX and Linux systems. With DirectAudit you can also perform immediate, in-depth troubleshooting by replaying user activity that may have contributed to system failures, and spot suspicious activity through real-time monitoring of current user sessions.

These release notes contain information that updates the Administrator's Guide, as well as known issues with this release.

Centrify DirectControl(R) is a prerequisite for DirectAudit. The minimum version of DirectControl required by this version of DirectAudit is 4.2.0.

2. New Features

2.1 New Features in DirectAudit 2.0.0

* Support for auditing of Windows
  See the documentation for the versions of Windows supported.
* Support for multiple monitors
  Capture and replay sessions that occur on Windows systems with multiple active displays.
* Audit Server
  Centrally control, monitor and report on audit stores, audit collectors and audited systems.
* Distributed auditor queries
  Query and report on sessions across multiple audit stores from a single audit server.
* Support for subnets and Active Directory sites
* Selective audit
  Only capture sessions for certain Active Directory users or groups.
* Audit stores
  Scale session databases to multiple instances on separate hosts.
* Auto discovery and configuration
  DirectAudit system agents automatically find the correct Collector, Collectors automatically find the right audit store, and the audit server can report on all components.
* Dynamic reconfiguration
  Many changes to DirectAudit system agents, Collectors and audit stores can be applied without restarting the service or system.
* Rolling backups
  Create new audit store databases for backup and archiving purposes. Support for multiple attached databases per audit store, including DirectAudit 1.x databases.
* Easily add new auditors
  Access control and auditor users' permissions are based on Active Directory group membership in DA 2.0.
* Audit security roles
  Session access control defined as a query of sessions assigned to a role.
* Brand new replayer
  Supports both Windows and *NIX sessions from a single replayer.
* Session scrubbing with preview
  Quickly and visually examine a lengthy session through a scrub bar with preview.
* Session magnify and zoom
  Magnify the area under the cursor with the built-in magnifying glass and zoom the entire session playback for easier reading or a bird's-eye view (zoom not in EA).
* Replayer CLI
  Allows you to specify particular sessions to replay via the command line (URL support under development).
* Select / copy session data
  Replayer supports the selection and copy to clipboard of visible *NIX replayer data.
* Export session
  Export sessions as movies (.wmv) or text (for *NIX).
* Powerful new query search language
  Granular queries across distributed sets of sessions.
* Ad-hoc queries
  Search for command, application or text across distributed sets of sessions.
* Enhanced installer
  - Single install for fast installation of all components on a single system. Useful for pilots and demonstration systems.
  - Secure install: ensure that only trusted components with trusted credentials are used with auto discovery and configuration.
* UNIX agent support has been added for the following operating systems:
  - CentOS 4.9, 5.6, 6.0 (32- and 64-bit)
  - Debian 6 (32- and 64-bit)
  - Fedora 15 (32- and 64-bit)
  - IBM AIX 7.1
  - Oracle Enterprise Linux 6 (32- and 64-bit)
  - Red Hat Enterprise Linux 5.7, 6.1 (32- and 64-bit)
  - Scientific Linux 4.9, 5.6, 6.1 (32- and 64-bit)
  - Ubuntu Server 11.04 (32- and 64-bit)

2.2 New Features in DirectAudit 1.3.0

* New dash.loginrecord parameter in /etc/centrifyda/centrifyda.conf
  When set to true, this parameter enables "who -m" and "who am I" to operate correctly. However, setting this parameter also has the side effect that a regular "who" to list all users logged into the system will list users twice. With this parameter set to false (the default behavior), "who" reports the user list correctly, but "who am I" does not work properly in an audited shell.
* Auditing can be enabled for all shells during installation
  From Centrify Suite 2011, install.sh offers to start auditing for all shells during installation. There is a corresponding parameter ("DA_ENABLE") in centrify-suite.cfg for use in unattended installation, and a new option, --enable-da, for use on the install.sh command line.
* Agent support has been added for the following operating systems:
  - CentOS 4.5, 4.6, 4.7, 4.8, 5.1, 5.2, 5.3, 5.4, 5.5 (32- and 64-bit)
  - Fedora 14 (32- and 64-bit)
  - IBM AIX 7.1
  - OpenSuSE 11.3, 11.4 (32- and 64-bit)
  - Red Hat Enterprise Linux 4.9, 5.6 (32- and 64-bit)
  - Scientific Linux 4.6, 4.7, 4.8, 5.1, 5.2, 5.3, 5.4, 5.5, 6.0 (32- and 64-bit)
  - Ubuntu Server 10.04 LTS, 10.10 (32- and 64-bit)
  - VMware ESX 4.1

2.3 New Features in DirectAudit 1.1.2

* The new default port for the DirectAudit Collector service is 5063, as registered with the IANA.
* Console support has been added for Windows 2008 and Windows 7.
* Supports SQL Server 2008 databases.
* Supports FIPS 140 license keys.
* New dash.force.audit parameter allows auditing of non-terminal sessions. dash.force.audit is a list of binaries that must be audited. Note that they are the .daudit names, for example:
    dash.force.audit: /usr/share/centrifydc/bin/ssh.daudit
* New option '--force-da-global' added to install.sh so that the user can force DirectAudit to be installed only in a Solaris global zone.
* Agent support has been added for the following operating systems:
  - OpenSuSE 11.1 and 11.2 (32 and 64 bit)
  - RHEL 4.8 (32 and 64 bit)
  - RHEL 5.0, 5.1, 5.2, 5.3, 5.4 (32 and 64 bit)
  - Fedora Core 10, 11, 12 (32 and 64 bit)
  - Novell SLES 11 (32 and 64 bit)
  - VMware ESX 4 / VIMA 4
  - Debian 5 (32 and 64 bit)
  - Ubuntu 9.10 (32 and 64 bit)
  - Ubuntu 9.04 (32 and 64 bit)
  - Ubuntu 8.10 (32 and 64 bit)
  - Ubuntu 8.04 (32 and 64 bit)

2.4 New Features in DirectAudit 1.1.0

* Support for 1-way forest trust environments.
* Only login shells are audited by default. Controllable via a centrifyda.conf parameter.
* Support is added for the following operating systems:
  - Ubuntu 6.06 (32 and 64 bit)
  - Ubuntu 7.04 (32 and 64 bit)
  - Ubuntu 7.10 (32 and 64 bit)

2.5 New Features in DirectAudit 1.0.3

* None, this is a maintenance release.

2.6 New Features in DirectAudit 1.0.2

* The DirectAudit agents are now compatible with DirectControl version 4.0.0.
* Support is added for the following operating systems:
  - Debian 4 (32 and 64 bit)
  - OpenSuSE 10.1 (64 bit)
  - OpenSuSE 10.2 (32 and 64 bit)
  - Fedora Core 5 (32 and 64 bit)

3. Bugs Fixed

* None

4. Known Issues

The following sections describe common known issues or limitations associated with Centrify DirectAudit.

Install / uninstall

* Fresh install of all DirectAudit software is recommended
  If you were involved in the Early Access program, you will not be able to use your old databases (you may delete them) and you will need to clean up the old installation information in Active Directory. The AD installation information is by default in <domain>/Program Data/Centrify/DirectAudit/Vegas-Installation-nnnnn. Use ADSI Edit or AD Explorer (Sysinternals) to remove the old installation information.
* No upgrade path from beta to GA
  Please note that there will be no upgrade path from beta to GA for DirectAudit. When the GA version of DirectAudit is released you will need to uninstall the beta and start with new databases.
* Need to be Domain Administrator to use Easy Install
  To use the Easy Install option, you must have Domain Administrator privileges. Installing using the individual .EXE or .MSI installers does not have this limitation.
* Need permissions on the SQL Server computer
  When configuring DirectAudit using the Configuration Wizard you should ensure that you have permissions on the computer hosting the SQL Server instance you intend to use. The Wizard will show an alert if you have no permissions on the chosen SQL Server; dismiss the alert, click Back and enter the credentials of a user with permissions on the machine.
* In previous versions of DirectAudit it was possible to specify the location of the database file. In DirectAudit 2.0.0 this facility is not provided in the Wizard; however, you may still specify the full text file location, database file location or the transaction log file location by choosing "View SQL Scripts" and modifying the relevant database location manually in the script.
* Installation of SQL Server Express can take a long time
  When you are installing the DirectAudit Auditor or Management Console applications, some install types include the installation of Microsoft SQL Server Express. In some cases, installation of SQL Server Express can take 10-15 minutes, during which time there is no feedback on the screen. Do not terminate the installation at this point, as this is normal behavior.
* Uninstalling the DirectAudit Collector component on a computer that is not joined to the domain will show an alert during uninstall:
    The specified domain either does not exist or could not be contacted. (Exception from HRESULT: 0x8007054B)
  The error message is benign, as the Collector is successfully uninstalled on clicking OK.

Collector

* Need to be a domain user with local admin privileges to configure the Collector
  To configure the DirectAudit Collector component you should be a domain user with local administrator privileges on the computer you are installing the Collector on. By default a domain administrator has local administrator privileges on all machines inside the domain, so you may use a domain administrator account to do the configuration.
* In the Collector Configuration Wizard, if the account credentials given for the SQL Server do not match an existing account on the SQL Server, and the user has rights to create SQL Server accounts, the given credentials will be used to automatically create a new account.
* UNIX agents can only find a DirectAudit Collector if an Active Directory Global Catalog is present. This issue will be resolved in a future release of DirectAudit.

Auditor console and session player

* When the active database spans two databases, the Auditor Console will show UNIX sessions as "Disconnected" until some data is received from that session. Once data has been received, the session state will change to "In Progress".
* If the session player window is blank while replaying a session, and you are using a 32-bit SQL Server instance, it is possible that the SQL Server has run out of memory. Giving more memory to the SQL Server by using the -g384 switch on the SQL Server should resolve the issue. To do this:
  - Open the SQL Server Configuration Manager
  - Stop the instance
  - Add the parameter "-g384"
  - Start the instance
  Reopen the failing session in the session player and it should now play normally.

Administration Console

* While configuring an installation in the context of a domain user who is a local administrator (without any AD administrative privileges), the Configuration Wizard fails, indicating that the user does not have permission to create the publication location. This issue is caused by the scpcreator service, which is responsible for creating the publication location for a non-admin user, when it does not start in a timely fashion. To work around this issue, increase the default service startup timeout value in the registry and restart the computer. Open the registry editor and navigate to HKLM > SYSTEM > CurrentControlSet > Control. Add a new DWORD value named ServicesPipeTimeout and set it to a number higher than 30000 (30 sec). The recommended value is 120000 (decimal) or higher.
* The review attribute should not be used to define an accessible set of audit data for a role in the Add Audit Role Wizard in this version of DirectAudit. If the review attribute is used in a role definition, the Auditor Console will fail when someone with that role tries to access saved sessions, such as replaying a session or displaying the indexed event list.
* The first time the Administration or Auditor Console is started you may find an open command window left on the screen. Subsequent uses of the Administration or Auditor Console do not leave the command window behind. The command window can safely be closed, as it has done its work once the Console has started.

Windows Agents

* Hardware acceleration may slow console login
  With Windows XP and Windows Server 2003, you may experience slow login performance if hardware acceleration is set to full. This issue only affects local logins; it does not affect RDP sessions. To work around this issue, set hardware acceleration to none.
* On audited Windows XP machines, the mouse cursor may flicker when DirectAudit is enabled. When using RDP to access the machine remotely this issue may manifest itself as the RDP mouse pointer jittering back a few pixels from where it was placed. This is a bug in Windows XP and is not expected to be fixed by Microsoft in a future update.
* On Windows XP and Windows Server 2003, when a user dismisses a locked desktop's screen saver and allows it to reactivate without logging in, we will record the reactivated screen saver for ~20 seconds before suspending that session.
* If you uninstall the Windows agent while the DirectAudit agent panel is open, you will need to close the agent panel and reboot the computer to complete the uninstall.
* Offline storage size shows as 0.00KB
  When auditing a session with the Collector service unavailable, the offline storage size will always show as 0.00KB in the Agent Panel, even though data is being saved in offline storage. To see the size of offline storage used, click "Diagnostics" in the Agent Panel.
* Changing offline data storage location
  The offline data location (and any subdirectories below it) is expected to be a location dedicated to spooling, for example c:\spool. If the offline data location is changed, all files in the old location (including subdirectories and their contents) are moved to the new location, and this may cause problems if the old location was not exclusively for spooling use. For example, choosing c:\ as the original spool location and d:\spool as the new location would cause all files on drive c to be copied to d:\spool.

UNIX Agents

* Only interactive shells are audited
  By default, DirectAudit audits interactive login shells only. The reason for this is to eliminate the creation of a large number of empty sessions. When a user launches a script from an un-audited shell, DirectAudit interprets the script as a new shell and creates a new, empty session. When auditing is restricted to login shells, DirectAudit does not create these new empty sessions. However, you can configure DirectAudit to begin auditing whenever an audit-enabled shell is invoked from a terminal session, not only when it is invoked from a login shell.
  To configure DirectAudit to begin auditing whenever an audit-enabled shell is invoked:
  1) On the audited machine, open the DirectAudit configuration file /etc/centrifyda/centrifyda.conf with a text editor.
  2) Add the following option, and a similar comment, to the file:
       # configure DirectAudit to audit anytime dash is run
       dash.allinvoked: true
  Note: Although it is not explicitly in the configuration file, dash.allinvoked: false is the default. If you want to change back to auditing login shells only, you can specify this option in the configuration file, or simply delete dash.allinvoked: true from the configuration file.
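Added example, not Centrify's own tooling, covering the centrifyda.conf parameters these notes mention (dash.allinvoked above, dash.loginrecord and dash.force.audit in the New Features sections): POSIX shell helpers that read the effective value of a "key: value" parameter, treating an absent key as its documented default, set it without leaving duplicate active lines, and count how many active lines set a key. The one-setting-per-line format and the '#' comment convention are assumptions taken from the snippet in these notes; the sample file in the demo is constructed.

```shell
#!/bin/sh
# Added example, not Centrify's own tooling: read and set "key: value"
# parameters in a /etc/centrifyda/centrifyda.conf-style file. Assumptions:
# one "key: value" per line, '#' starts a comment, and a key absent from the
# file takes its documented default (dash.allinvoked is false when unset).

# Escape the dots in a parameter name so sed matches them literally
# (otherwise dash.allinvoked would also match dashXallinvoked).
da_key_re() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# da_conf_get FILE KEY DEFAULT: print the effective value of KEY.
# Commented-out lines ("# dash.allinvoked: true") do not count as set.
da_conf_get() {
    key_re=$(da_key_re "$2")
    val=$(sed -n "s/^[[:space:]]*${key_re}[[:space:]]*:[[:space:]]*//p" "$1" \
          | tail -n 1 | sed 's/[[:space:]]*$//')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# da_conf_count FILE KEY: number of active lines setting KEY (expect 0 or 1;
# more than one means an earlier edit left a duplicate, and the last one wins).
da_conf_count() {
    key_re=$(da_key_re "$2")
    grep -c "^[[:space:]]*${key_re}[[:space:]]*:" "$1" || true
}

# da_conf_set FILE KEY VALUE: rewrite an existing active setting in place,
# or append the setting with a comment, as the release notes suggest.
# VALUE must not contain '|', '&' or '\' (sed replacement metacharacters).
da_conf_set() {
    key_re=$(da_key_re "$2")
    tmp=$(mktemp) || return 1
    if [ "$(da_conf_count "$1" "$2")" -gt 0 ]; then
        sed "s|^[[:space:]]*${key_re}[[:space:]]*:.*|$2: $3|" "$1" > "$tmp"
    else
        cat "$1" > "$tmp"
        printf '# %s set by da_conf_set\n%s: %s\n' "$2" "$2" "$3" >> "$tmp"
    fi
    # Copy back rather than mv so the original file's owner and mode survive.
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# Demo on a constructed sample, not the live configuration file.
demo=$(mktemp)
printf '# constructed sample\ndash.loginrecord: false\n' > "$demo"
echo "dash.allinvoked before: $(da_conf_get "$demo" dash.allinvoked false)"
da_conf_set "$demo" dash.allinvoked true
echo "dash.allinvoked after:  $(da_conf_get "$demo" dash.allinvoked false)"
rm -f "$demo"
```

Whether a change is picked up by dareload or needs dad restarted is parameter-specific; these notes state that dad.dumpcore requires a restart.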

* Cannot audit init during startup on UNIX
  The init command used during the boot process may not be audited using per-command auditing; attempting to do so will result in a system that does not reboot properly. The init command is properly audited when run from an audited shell.
* Auditing with the --per-user shell option
  When enabling auditing of UNIX users with the --per-user shell option, some limitations apply:
  - Inability to log in via telnet or other /bin/login related methods. If this occurs, try moving the shell to a shorter path, as it may be caused by the length of the pathname to the shell.
  - Indirect links are not enabled automatically.
  - Restricted shells like ksh will always run in "restricted" mode.
* Unable to start a GUI session if the user's shell is a symlink to csh
  If a user's shell has been configured to a per-user auditing shell that points to csh (e.g. /bin/dash_bin_csh), and auditing has been disabled, the user will not be able to log in via the GUI. Available workarounds: (1) don't use per-user shell auditing, or (2) if using per-user shell auditing, and the user's shell is 'csh', and auditing has been disabled, reconfigure users' shells to refer to the real csh shell, not the symlink, or (3) use another shell.
* Unable to start a GUI session if logged in via an audited shell
  Running startx or starting a GUI session from an audited shell gives the following message:
    X: user not authorized to run the X server, aborting.
  Workaround:
  1) Run "sudo dpkg-reconfigure x11-common"
  2) When prompted for users allowed to start the X server, choose "anybody" (the default is "console users only").
  The GUI session / X server can now be started normally.
* When changing the /etc/centrifyda/centrifyda.conf parameter dad.dumpcore, you must restart dad for the new configuration to take effect (dareload will not do it).
* dad should be restarted if the Collector host name in /etc/resolv.conf is changed; it will not be picked up automatically.
* For more information on known issues with individual UNIX platforms, see the release notes included with each platform agent bundle.

General

* SQL Server 2005 full text search categorizes certain words as noise words by default and ignores them in searches. Some are common UNIX commands, for example like, which, do, while. The full list is below. Users can change the noise word list by modifying this file (for US English):
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\FTData\noiseENU.txt
  0, 1, 2, 3, 4, 5, 6, 7, 8, 9, $, about, after, all, also, an, and, another, any, are, as, at, be, because, been, before, being, between, both, but, by, came, can, come, could, did, do, does, each, else, for, from, get, got, has, had, he, have, her, here, him, himself, his, how, if, in, into, is, it, its, just, like, make, many, me, might, more, most, much, must, my, never, no, now, of, on, only, or, other, our, out, over, re, said, same, see, should, since, so, some, still, such, take, than, that, the, their, them, then, there, these, they, this, those, through, to, too, under, up, use, very, want, was, way, we, well, were, what, when, where, which, while, who, will, with, would, you, your, A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z

For the most up to date list of known issues, please refer to Knowledge Base article KB-2185 in the Centrify Support Portal for the latest known issues with DirectAudit 2.0.1.

5. Additional Information and Support

In addition to the documentation provided with this package, you can find the answers to common questions and information about any general or platform-specific known limitations, as well as tips and suggestions, in the Centrify Knowledge Base. You can also contact Centrify Support directly with your questions through the Centrify Web site, by email, or by telephone.

To contact Centrify Support or to get help with installing or using this version of Centrify DirectAudit, send email to support@centrify.com or call 1-408-542-7500, option 2.

For information about purchasing or evaluating Centrify products, send email to info@centrify.com.
