Improving Accountability: Auditing User Activity
Delinea provides its auditing and analysis features through a combination of auditing components on Windows computers and the auditing features of the Delinea Agent on the computers you manage. The auditing service includes several components to support the multitier architecture of the auditing infrastructure. These components are installed on Windows computers to enable you to collect and store detailed information about user activity.
The central console for configuring the auditing infrastructure and managing audit-related features is Audit Manager. From Audit Manager, you can perform the following common administrative tasks:
- View the status of all audited computers and the other components of the auditing infrastructure.
- Manage the scope and security for auditing-related activity.
- Set permissions for the tasks granted to specific auditors.
There is also a separate Audit Analyzer console for searching and replaying captured activity.
Why Auditing User Activity is Important
Just as it is important to protect assets and resources from unauthorized access, it is equally important to track what the users who have permission to access those resources have done. For the users who have privileged access to computers and applications with sensitive information, auditing helps ensure accountability and improve regulatory compliance. With the audit and monitoring service, you can capture detailed information about user activity and all of the events that occurred while a user was logged on to an audited computer.
If you choose to enable auditing on Linux or UNIX computers, the Delinea Agent on that computer starts recording user activity as soon as a user logs on. The agent continues recording until the user logs out or the computer is locked because of inactivity. The user activity captured includes an audit trail of the actions a user has taken and a keystroke record of the text that was entered (stdin) and the results that were displayed (stdout and stderr). The information recorded while a user is logged on—which is called a session—is collected as it happens, so you can monitor computers for suspicious activity or troubleshoot problems immediately after they occur.
Reviewing User Activity
When you audit user activity on a computer, the information is transferred to a Microsoft SQL Server database so that it is available for review and follow-up. Because sessions and audit trail events are stored in the database, you can create queries and reports to find information of interest. For example, you can search the stored user sessions to look for policy violations, command-line execution errors, or malicious activity that may have led to a service degradation or an outage.
In addition to saving the input and output recorded, sessions provide a summary of actions taken so that you can scan for potentially interesting or damaging actions without playing back a complete session. After you select a session of interest in Audit Analyzer, the console displays a list of commands in the order in which the user executed them. You can then select any command in the list to start viewing the session beginning with that action. For example, if the user ran a command that reports credit card information, you can scan the list of commands for the command that accesses credit card information and begin reviewing what happened in the session from that time on.