Using Access and Auditing Features Together

You can use access-related features and components without auditing if you aren’t interested in collecting and storing information about session activities. You can also deploy auditing-related features and components without access control and privilege management features if you are only interested in auditing user activity on Linux and UNIX computers. However, you can recognize the most value from Server Suite by using all of the services as an integrated solution for managing elevated privileges and ensuring accountability and regulatory compliance across all platforms in your organization.

Enabling Access Control without Auditing on a Managed Computer

If you only enable access control features, the agent enforces the role-based privileges that allow users to log on, access PAM-based applications, and run administrative or restricted shell commands. All role-based activity is traceable to the user’s own account credentials. However, the audit trail of user activity is recorded only in the computer’s local system log (syslog) facility. Information that exists only in each computer’s syslog is more difficult to monitor and query than information stored in a central repository such as a Microsoft SQL Server database: you must collect it from every managed computer yourself, and nothing correlates it across hosts.

Enabling Auditing without Access Control on a Managed Computer

If you only enable auditing, the agent captures detailed information about the command input and output in the login shell of the managed computer. All of the activity is stored in the Microsoft SQL Server database and available to you for queries and reports. However, there’s no role-based enforcement of what activity is allowed on the audited computer.

Enabling Access Control and Auditing on a Managed Computer

If you use the infrastructure access management and auditing services together, you can define role-based access rights, restrict when and where roles are available, identify roles that should be audited, trace activity when roles with elevated permissions are selected and used, and play back session activity based on the criteria you choose.

By combining access management and auditing on the same computer, you can have an audit trail and, optionally, a video record of all actions performed with elevated privileges. For example, when you deploy access management, users must be assigned to a role with permission to log on. If they are allowed to log on and auditing is deployed, the agent begins auditing their activity. If a user accesses a PAM-based application or executes a privileged command, the action is recorded and can be traced back to the account used to log on.

The following illustration provides a simplified view of the architecture and flow of data when you deploy components for access control, privilege management, and auditing on a Linux or UNIX computer.

[Illustration: Linux or UNIX computer with the access control, privilege management, and auditing components installed, showing the flow of audit data]

Auditing, however, requires database storage for the audited sessions and audit trail events. It also requires additional management of the network connections used to collect and transfer audit-related information from the computers being audited to the one or more databases where the sessions and audit trail events are stored. If you plan to use the infrastructure access management and auditing services together, you also need to decide which roles should require auditing and which features to enable on each computer you want to manage. In most cases, you choose whether to enable access control features, auditing features, or both feature sets when you install the agent on a computer.

Although it is not depicted in the illustration, audit trail events for successful and failed operations are recorded locally even when the auditing service is not enabled. By using the auditing service, however, you can store the audited sessions and audit trail events in a database and report on specific types of activity, such as the execution of privileged commands or access to applications and information that must be kept secure. With auditing enabled, the audit trail and the user activity are available for display, querying, and analysis from any computer where you install Audit Analyzer.

Through rights and roles you can restrict access to sensitive information and control who can run commands with elevated privileges or perform administrative tasks. Through queries and reports, you can track all of the activity taking place (by user, computer, the time the activity took place, the role that was used, the command that was executed, or other criteria) to verify that only authorized users are performing authorized tasks, and to investigate and correct any unauthorized access anywhere in your organization.
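The following added example (it is not part of this documentation or of the product) illustrates the difference between an audit trail that exists only in syslog and one held in a queryable repository. The syslog lines, role names, hostnames and field layout are constructed for the example and are an assumption, not the agent’s real log format; an in-memory SQLite table stands in for the SQL Server database. The queries use the same criteria the text lists: user, computer, time, role and command.

```python
import re
import sqlite3
from datetime import datetime

# Constructed sample audit trail lines. The field layout is an assumption made
# for this example; it is not the agent's real syslog format.
SAMPLE_SYSLOG = """\
2024-03-04T08:12:01Z host1 agent: AUDIT_TRAIL user=alice role=sysadmin/Global command=/usr/sbin/useradd status=success
2024-03-04T08:15:42Z host1 agent: AUDIT_TRAIL user=bob role=operator/Global command=/bin/systemctl status=success
2024-03-04T09:02:17Z host1 sshd[2201]: Accepted publickey for bob from 10.0.0.5 port 51022 ssh2
2024-03-04T23:40:09Z host2 agent: AUDIT_TRAIL user=alice role=sysadmin/Global command=/bin/rm status=success
2024-03-04T23:41:10Z host2 agent: AUDIT_TRAIL user=mallory role=sysadmin/Global command=/bin/bash status=failure
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) agent: AUDIT_TRAIL (?P<kv>.+)$")


def parse_events(text):
    """Turn syslog-style lines into dicts; lines that are not audit trail events (e.g. sshd) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(item.split("=", 1) for item in m.group("kv").split())
        events.append({"ts": m.group("ts"), "host": m.group("host"), **fields})
    return events


def load(events):
    """Load parsed events into an in-memory SQLite table that stands in for the central repository."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE audit_trail (ts TEXT, host TEXT, user TEXT, role TEXT, command TEXT, status TEXT)"
    )
    db.executemany(
        "INSERT INTO audit_trail VALUES (:ts, :host, :user, :role, :command, :status)", events
    )
    return db


def commands_by_role(db, role):
    """Who ran which command on which computer under a given role (successful executions only)."""
    return db.execute(
        "SELECT user, host, command FROM audit_trail WHERE role = ? AND status = 'success' ORDER BY ts",
        (role,),
    ).fetchall()


def failed_privileged_attempts(db):
    """Failed attempts to use a role: the first thing to investigate."""
    return db.execute(
        "SELECT ts, host, user, role, command FROM audit_trail WHERE status = 'failure' ORDER BY ts"
    ).fetchall()


def outside_hours(db, role, start_hour, end_hour):
    """Successful uses of a role outside the hours during which the role is meant to be available."""
    rows = db.execute(
        "SELECT ts, host, user, command FROM audit_trail WHERE role = ? AND status = 'success'",
        (role,),
    ).fetchall()
    hits = []
    for ts, host, user, command in rows:
        hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour
        if not (start_hour <= hour < end_hour):
            hits.append((ts, host, user, command))
    return hits


if __name__ == "__main__":
    db = load(parse_events(SAMPLE_SYSLOG))
    print("sysadmin commands:", commands_by_role(db, "sysadmin/Global"))
    print("failed attempts:", failed_privileged_attempts(db))
    print("after hours:", outside_hours(db, "sysadmin/Global", 8, 18))
```

With syslog alone, each of these questions means grepping every managed computer and correlating by hand; once the events sit in one table, the same questions are a single query across all hosts, which is the practical reason the text recommends the central repository for anything you need to report on.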

For complete information about setting up and managing an audit installation, see the Auditing Administrator’s Guide.