Advanced Monitoring
The Delinea Audit & Monitoring Service captures input and output for audited users and commands and then uses this information to provide a history of executed commands.
However, you may want to gather additional information about which users and what programs are accessing or modifying production systems. For example, you may want to know when any user runs a highly privileged program, even if the user runs it from a script or by modifying system configuration files. You can use advanced monitoring to capture these kinds of activities.
One of the big differences in advanced monitoring is that you can track when any user performs a particular activity, not just an audited user.
Advanced monitoring uses the Linux system auditing tools to capture the following user and program activity:
Use case | Where to review the user activity | Are audit trail events generated for this activity?
---|---|---
When any user executes a particular program, not just audited users. | Audit Analyzer; Linux agent syslog; Monitored Execution report; Monitored Execution List | yes
When any user (not just audited users) attempts to modify system configuration files in monitored directories specified by an administrator. | Audit Analyzer; Linux agent syslog; File Monitor report | yes
Which programs are executed in an audited session, regardless of how the program is invoked (by way of a script, a command alias, and so forth). | Audit Analyzer; Detailed Execution report | no (there would be too many events for the information to be useful)
Set up Advanced Monitoring
To configure advanced monitoring, make sure that your computer meets the requirements, make some configuration changes in the centrifyda.conf file, and then enable advanced monitoring either by using the dacontrol command or the “Enable Advanced Monitoring” group policy.
Advanced Monitoring Requirements
- Currently, Delinea supports only 64-bit Linux distributions from RedHat (RHEL, Fedora, CentOS). For more information about supported platforms and versions, refer to the current Audit & Monitoring Service release notes.
- Verify that you have the Linux audit package running. For example, run this command:
  rpm -qa audit
- Ensure that the Linux audit package you have is supported for use with the Delinea Audit & Monitoring Service. Version 1.2.8 or later of the Linux audit package is required; however, the Audit & Monitoring Service prefers version 2.4.5 or later, because earlier versions may have startup issues.
- Ensure that your collector and audit store database are running Server Suite 2017 or 2017.1, or Infrastructure Services 2017.2 or later.
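As an added example (not part of the Delinea documentation), this POSIX shell script compares the installed audit package version against the 1.2.8 minimum and the preferred 2.4.5 stated above; it assumes rpm's --qf query format is available on the target host.

```shell
#!/bin/sh
# Added example (not from the Delinea documentation): check the installed
# Linux audit package against the versions stated above, 1.2.8 minimum and
# 2.4.5 or later preferred. Only numeric dotted versions are compared.

MIN_AUDIT_VERSION=1.2.8
PREFERRED_AUDIT_VERSION=2.4.5

# version_ge A B: succeed when dotted version A is >= version B, comparing
# the first three numeric components (missing components count as 0).
version_ge() {
    va=$(printf '%s' "$1" | tr '.' ' '); vb=$(printf '%s' "$2" | tr '.' ' ')
    set -- $va 0 0 0; a1=$1; a2=$2; a3=$3
    set -- $vb 0 0 0; b1=$1; b2=$2; b3=$3
    if [ "$a1" -ne "$b1" ]; then [ "$a1" -gt "$b1" ] && return 0; return 1; fi
    if [ "$a2" -ne "$b2" ]; then [ "$a2" -gt "$b2" ] && return 0; return 1; fi
    if [ "$a3" -ge "$b3" ]; then return 0; fi
    return 1
}

# audit_version_status VERSION: print "ok" (2.4.5 or later), "old" (supported,
# but below the preferred release and so may have startup issues) or
# "unsupported" (below the 1.2.8 minimum).
audit_version_status() {
    if version_ge "$1" "$PREFERRED_AUDIT_VERSION"; then echo ok
    elif version_ge "$1" "$MIN_AUDIT_VERSION"; then echo old
    else echo unsupported
    fi
}

# On a real RHEL-family host, ask rpm for the installed audit package version
# (the documentation's own check is "rpm -qa audit"; --qf prints only the
# version field, which is an assumption about the host's rpm).
check_installed_audit() {
    v=$(rpm -q --qf '%{VERSION}' audit 2>/dev/null) || {
        echo "audit package is not installed"; return 1; }
    echo "audit $v: $(audit_version_status "$v")"
}

if command -v rpm >/dev/null 2>&1; then
    check_installed_audit || true
fi
```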
Configuring Advanced Monitoring
You have some options as to how you configure advanced monitoring. To use any of these parameters, you must also enable advanced monitoring (by using the dacontrol -m command or the “Enable Advanced Monitoring” group policy). These are the configuration parameters that you can edit in the centrifyda.conf file:
- event.file.monitor: use this parameter to enable advanced monitoring for configuration files.
- event.file.monitor.process.skiplist: for any areas that you have specified to monitor (using event.file.monitor), use this parameter to ignore specific processes in those areas.
- event.file.monitor.user.skiplist: use this parameter to specify a list of users to exclude from advanced monitoring for files. For these users, the auditing service does not record any write access to the directories specified in event.file.monitor.
- event.execution.monitor: use this parameter to monitor all programs that users run in an audited session.
- event.monitor.commands: use this parameter to specify a list of commands to monitor. List each command by its full path name. The auditing service generates an audit trail event when a user runs any of these monitored commands, unless the user is listed in the event.monitor.commands.user.skiplist parameter.
- event.execution.monitor.user.skiplist: use this parameter to specify a list of users to exclude from advanced monitoring for program execution. For these users, the auditing service does not record any programs that they run, even when event.execution.monitor is set to true.
After you make the configuration changes in the centrifyda.conf file, run the dareload -m command to apply the changes.
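As an added example (not the product's own tooling), the following shell script checks a centrifyda.conf fragment before you reload it, flagging any event.monitor.commands entry that is not a full path; it assumes the file uses "parameter: value" lines with comma-separated lists, and the sample fragment inside it is constructed.

```shell
#!/bin/sh
# Added example (not from the Delinea documentation): sanity-check the
# advanced-monitoring settings in centrifyda.conf before running dareload -m.
# Assumptions: lines have the form "parameter: value" and list values are
# comma-separated; the sample file below is constructed for illustration.

# conf_get FILE KEY: print the value of KEY (last occurrence wins; comment
# lines never match because they start with '#').
conf_get() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')      # make dots literal for sed
    sed -n "s/^[[:space:]]*${key}[[:space:]]*:[[:space:]]*//p" "$1" | tail -n 1
}

# bad_monitor_commands FILE: print each event.monitor.commands entry that is
# not given as a full path, one per line (empty output means all are fine).
bad_monitor_commands() {
    conf_get "$1" event.monitor.commands | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$' | grep -v '^/'
}

# validate_monitor_commands FILE: exit 0 only when every monitored command is
# listed with its full path name, as the auditing service requires.
validate_monitor_commands() {
    bad=$(bad_monitor_commands "$1" || true)
    if [ -n "$bad" ]; then
        printf 'event.monitor.commands entries without a full path:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample: one entry (visudo) is deliberately given without a path.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed centrifyda.conf fragment
event.file.monitor: /etc, /var/centrifydc, /var/centrifyda, /var/centrify
event.file.monitor.user.skiplist: root
event.execution.monitor: true
event.monitor.commands: /usr/bin/sudo, /bin/su, visudo
event.monitor.commands.user.skiplist: backupsvc
EOF

if validate_monitor_commands "$SAMPLE_CONF"; then
    echo "centrifyda.conf looks good; apply it with: dareload -m"
else
    echo "fix the entries listed above before running dareload -m"
fi
```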
Enabling Advanced Monitoring
After you’ve made your configuration changes in the centrifyda.conf file, the next step is to enable advanced monitoring.
To enable advanced monitoring:
- Run the following command:
  dacontrol -m
- Or, use the Enable Advanced Monitoring group policy.
To disable advanced monitoring:
- Run the following command:
  dacontrol -n
- Or, discontinue using the Enable Advanced Monitoring group policy.
Using the Advanced Monitoring Reports
These reports provide details on what your advanced monitoring configuration has tracked:
- Monitored Execution report: if you have configured your auditing installation for advanced monitoring, this report provides a detailed record of the sessions in which a user ran one of the commands that you have configured to monitor. It shows who ran a monitored command even if that person is not an audited user, and it includes commands that are run individually or as part of scripts.
- Detailed Execution report: if you have configured your auditing installation for advanced monitoring, this report shows all of the commands executed on the audited machines, including commands that are run as part of scripts or other commands.
- File Monitor report: this report shows the sensitive files being modified by users on the audited machines. It includes any activity by any user (except root) in the following protected areas on audited computers:
  - /etc/
  - /var/centrifydc/
  - /var/centrifyda/
  - /var/centrify/