Audit and Monitoring Service 5.9.1 Release Notes (Verify Privilege Server Suite 2022.1)

About Verify Privilege Server Suite Auditing & Monitoring Service

IBM Security Verify Privilege Server Suite is a product category that includes the following product offerings:

  • Privileged Access Service
  • Authentication Service
  • Privilege Elevation Service
  • Auditing & Monitoring Service

The DirectControl Agent provides services for the Authentication Service and Privilege Elevation Service contained in the CentrifyDC packages. The DirectAudit Agent provides services for Auditing & Monitoring Service contained in the CentrifyDA packages.

The Auditing & Monitoring Service is a key component of Verify Privilege Server Suite. It enables detailed auditing of user activity on a wide range of UNIX, Linux, and Windows computers. With this service, you can perform immediate, in-depth troubleshooting by replaying user activity that may have contributed to system failures, spot suspicious activity by monitoring current user sessions, improve regulatory compliance, and ensure accountability by capturing and storing detailed information about the applications used and the commands executed. If you enable auditing, the Verify Privilege Server Suite Agent for Windows records user activity on the Windows computer when it is installed. Auditing & Monitoring Service supports auditing of many different UNIX, Linux, and Windows operating systems.

In Unix and Linux agents, DirectControl Agent is a pre-requisite for the Auditing & Monitoring service.

This release note updates information available in the DirectAudit Administrator's Guide and describes known issues. You can obtain information about previous releases from the IBM Security Support Portal, in the Product Documentation page.

Delinea software is protected by U.S. Patents 7,591,005; 8,024,360; 8,321,523; 9,015,103; 9,112,846; 9,197,670; 9,378,391 and 9,442,962. (Ref: CS-44575)

Feature Changes in Auditing & Monitoring Service 5.9.1 (Release 2022.1)

General

Compatibility

  • With the Verify Privilege Server Suite Agent for Windows version 19.6 and later, the Audit and Monitoring Service uses a different compression library to compress the video data being sent from the agent to the collector. As a result, this agent and all future versions of agents are *not* compatible with audit collector versions 18.11 or earlier.
You will lose video data if you deploy the newer agents in an environment with 18.11 or older collectors.__ Audit trail events and indexed events lists are not affected in this situation.Because of this incompatibility and risk of data loss, you MUST upgrade all of your collectors to the 19.6 or higher version BEFORE you upgrade the agents to Release 2021.1.
As a reminder, before you upgrade the collectors you must first upgrade the database schema. So, to summarize, here’s the order in which you upgrade the audit components:
  1. Upgrade the database.
  2. Upgrade the collectors.
  3. Upgrade the agents.

The minimum DirectControl Agent for *NIX version required by this version of the service is 5.9.0 (Release 2022)

Security Fix

N/A

Audit Collector

N/A

Audit Analyzer and Session Player

N/A

Audit Manager

N/A

DirectAudit Agent for *NIX

N/A

Database

N/A

FindSessions Tool

N/A

Verify Privilege Server Suite Agent for Windows

N/A

Audit Module for PowerShell

  • A new '-Limit' parameter was added to the 'Audit Module for Powershell' command 'Get-CdaAuditEvent'. The '-Limit' parameter is used to specify the number of database entries to return in the results. The '-Limit' parameter is an optional parameter. If the parameter is not specified the command will return 65,536 entries which is the same number of entries this command returned before the change. (Ref:430373)

Audit Management Server

N/A

Supported Platforms

For the list of the supported platforms by this release, refer to the "Supported Platforms" section in the Verify Privilege Server Suite release notes.

For the platforms to be removed support in coming releases, refer to the "Notice of Termination Support" section in the Verify Privilege Server Suite release notes.

Bugs Fixed in this Release

General

Windows Install / Upgrade / Uninstall

Audit Collector

Audit Analyzer and Session Player

Audit Manager

DirectAudit Agent for *NIX

  • Fixed an issue for AIX where the user login might take minutes on a system that has many running processes. (Ref:453879)

Database

FindSessions Tool

Verify Privilege Server Suite Agent for Windows

Audit Module for PowerShell

Audit Management Server

Known Issues

The following sections describe known issues, suggestions, and limitations associated with the Audit and Monitoring Service.

General

For the most up-to-date list of known issues, refer to the knowledge base articles in the IBM Security Support Portal.

  • Starting in Release 2016, only ADMX format for group policies will be installed and ADM format will no longer be provided. (Ref: CS-6821)

  • Starting in Release 2016, Verify Privilege Server Suite will no longer be adding new features to the DirectManage Audit SDK component. It is recommended that all existing users of this component start using the Audit Module for PowerShell component, which is the intended replacement of the SDK. (Ref: CS-6713)

  • From Release 2017.1 onward, DirectAudit no longer supports Version 1 Audit Store databases. You will no longer be able to attach Version 1 databases to an existing DirectAudit installation. To view data from version 1.x databases, please install a DirectAudit Auditor Console 1.x and attach the database. (Ref: CS-41219)

Windows Install / Upgrade / Uninstall

  • If a DirectManage Audit installation has been configured with multiple Audit Management Servers and some of the servers are running on an older version, the Audit Manager may not list these older servers because the new servers list supersedes the older ones. (Ref: CS-40818)

  • When upgrading DirectAudit in Windows, you should use the autorun program to perform the upgrade. The autorun program automatically upgrades other IBM Security components such as IBM Security Licensing Report. If you upgrade DirectAudit components individually using the Microsoft Installer (msi) and then attempt to use the autorun program to uninstall all components, autorun will only be able to uninstall the IBM Security Licensing Report that were upgraded to the latest version. You can remove any remaining components manually using the Add/Remove Programs and Features Control Panel. (Ref: 46293a)

  • If you run setup.exe with all DirectAudit components selected for installation on a single computer, the operation is known as the “Easy Install.” Although this is the default for new installations, using the “Easy Install” option requires you to have local administrator privileges.

  • If you uninstall the collector component on a computer that is not joined to the domain, you will see the following messages during an uninstall operation:

    The specified domain either does not exist or could not be contacted.
    (Exception from HRESULT: 0x8007054B)

Despite the alert message, the collector is successfully uninstalled when you click OK.

Collector

  • In the Collector Configuration wizard, if the account credentials you give for the SQL Server do not match an existing account on the SQL Server, and you have the rights to create SQL Server accounts, the credentials you give will be used to automatically create a new SQL Server account.

Audit Analyzer and Session Player

  • Release 2017.3 has introduced a new version of dzdo and PAM authentication audit trail events. However, these events cannot be captured by older version of database/Collector or reported by older versions of DirectAudit Audit Analyzer console or FindSessions utility or PowerShell cmdlets. To rectify this issue, you need to upgrade the DirectAudit backend components (such as Audit Manager console, Audit Analyzer console, Collector, and Audit Store databases) to Release 2017.3 or later version. Contact IBM Security support if you are unable to upgrade the DirectAudit backend components so that DirectAudit database patching scripts can be provided to you based on your current version. (Ref: CS-44654)
  • When detaching and re-attaching an Audit Store database from an Audit Store, IBM Security recommends refreshing the query results for all open queries in Audit Analyzer console prior to replaying a session from that database. Failure to do so may result into a database error. (Ref: CS-42125)
  • If the active audit store database spans two SQL databases, the Audit Analyzer will show UNIX sessions as "Disconnected" until some data is received from those sessions. Once data has been received, the session state will change to "In Progress.”
  • If an audited Windows session is using multiple monitors in extended mode in DirectAudit 3.2.2 or earlier, it cannot be exported as WMV files. In DirectAudit 3.2.3 or later, it will be trimmed to 2048x2048 pixels before it is saved and can be exported as in WMV file in 2048x2048 resolution. (Ref: 27003a, 75163, CS-6450, CS-3265).
  • When Verify Privilege Server Suite Agent for Windows machine’s system color depth is changed during an audited session, the playback of the session may not be displayed properly. (Ref: 36818c)
  • Entering specific keywords in the “Application” Event list column will not filter based on the keywords as expected. For example, entering the search term "c" will locate the string "Windows Explorer". This is because application characteristics are stored in the database as a set of related attributes as follows: "Explorer.EXE ZZ_BAR_ZZ Microsoft® Windows® Operating System ZZ_BAR_ZZ Windows Explorer ZZ_BAR_ZZ Microsoft Corporation ZZ_BAR_ZZ 6.1.7600.16385" A match with any of the Windows Explorer attributes will yield “Windows Explorer". This issue will be addressed in an upcoming release. (Ref: 39645b)
  • In Audit Analyzer, you can specify double-quote enclosed strings in the query that searches for “Unix Commands and Outputs” attribute. However, if a double-quote character is inside the double-quote enclosed string, the query result is undefined. (Ref: CS-39348)
  • If a DirectAudit Installation is configured to not capture video data, parameters of the UNIX command are also not captured. Therefore, the query using "Parameters of Commands and Applications” as the criteria does not work under this configuration. This is a known issue and will be addressed in future release. (Ref: 55741b)
  • If you open Audit Analyzer and right click on any child node of predefined queries such as "All, Grouped by User", "All, Grouped by Machine" or "All, Grouped by Audit Store" in the left pane, the context menu is displayed and it shows a menu item named "Properties". This context menu item, when clicked, does not open any dialog box because it is not a valid action for the selected child node. This menu item will be removed in the future release. (Ref: 48681b)
  • By default, Audit Analyzer uses MSS2 codec to export audited sessions to a WMV (Windows Media Video) file. The MSS2 codec has a known issue which results in fuzzy video when an audited Windows session is exported as WMV file and opened in Windows Movie Maker 2012. From DirectAudit 3.2.0 onward, you can specify your own codec to export an audited session to a WMV file. Please refer to KB-4029 for additional information. (Ref: 56021a)

Audit Manager

  • User and group criteria should not be combined in an Audit Role or it may result into inconsistent results, the workaround is for users to use two different audit roles (one for groups, another for users) if they want to mix users and groups in audit role assignment. (Ref: CS-38968)
  • When creating an AuditRole with "ClientName" Audit Manager's Role Properties / Criteria will display an empty value rather than "ClientName = <IP address>" (Ref: CS-41803)
  • If you assign DirectAudit permissions to a Domain Local group, which is not in the current domain in the Audit Manager Installation Property Security tab, and a user belonging to that group runs Audit Analyzer and tries to connect to the DirectAudit Installation, Audit Analyzer will display the warning “You do not have permission to connect to the SQL server.” A workaround is to grant permission to a Global or Universal group instead. (Ref: 25546c)

Verify Privilege Server Suite DirectAudit Agent for *NIX

General

  • IBM Security recommends customers use the session auditing capability of DirectAudit to ensure the complete login session is audited vs. auditing individual commands. When the administrator configures Direct Audit to audit a specific command, Direct Audit moves the original command executable to a different location and replaces it by a symbolic link to the Direct Audit shell. It is possible for a user to find out the new location of the executable and runs that command directly to bypass auditing. Whereas the likelihood of this happening is very minute, IBM Security recommends session auditing be turned on to avoid the chance of this happening.

  • If a user is logged in to AIX and HP-UX via a GUI, for example Xmanager, a terminal opened in the GUI will not be audited. To workaround this issue, set the centrifyda.conf parameter 'dash.allinvoked' to true. (Ref: 66330, CS-5876)

  • Obfuscation of session data has the following limitation: If the information is sent to stdout not as a whole, but piece by piece, the information will not be obfuscated. Example: A user wants to obfuscate a pattern "1234-5678". However, "1234-" is shown first and "5678" is shown 1 second later, this pattern will not be obfuscated. Since the stdout buffer in the audit shell is 4KB, the obfuscation string is at most 4KB long. Note: this applies to stdout only. (80462a)

  • Auditing init during startup on UNIX is not possible. The init command used during the boot process should not be audited using per-command auditing. If you attempt to audit init, your operating system will not reboot properly.

  • You cannot start a GUI session if you are logged in via an interactive session. Running startx or starting a GUI session from an interactive session results in the following message:

    X: user not authorized to run the X server, aborting.

    Workaround:

    - Run "sudo dpkg-reconfigure x11-common"

    - When you are prompted for users allowed to start the X server, choose "anybody" (the default is "console users only").

    The GUI session or X server should start normally. (Ref: 25036a)

  • To audit the GUI terminal emulators, GUI login managers have to be fully reinitialized after auditing is enabled. On Linux, "init 3 && init 5" will start the reinitialization. (Stopping the X server only, or pressing ctrl+alt+backspace in Gnome, will not start the reinitialization.)

  • When a local user and an Active Directory user use the same UNIX user name, the user name will default to the name of the Active Directory user. If the local user name is intended, setting the pam.allow.override parameter in /etc/centrifydc/centrifydc.conf will help. After this setting, the user name implies the Active Directory user; and <username>@localhost will imply the local user.

    DirectAudit 3.0 or later understands the "@localhost" syntax. DirectControl Agent will respond to <username>@localhost if the user name is set in pam.allow.override.

    If you upgrade from DirectAudit 2.0, disable DirectAudit so that the new DirectAudit mechanism for hooking shells can be installed: Run 'dacontrol –d -a' to disable auditing, then restart the upgrade.

    DirectAudit maintains a cache of user information for performance reasons. This cache interferes with Unix commands that manipulate the local user database (passwd file). These commands include useradd, userdel and usermod. From DirectAudit 3.2.0 onwards, DirectAudit will not access its local cache to fully support the following commands: useradd, userdel, adduser, usermod, mkuser, rmuser, chuser

    Please contact support if your operating system platform has other programs that directly access the local passwd file. (Ref: 56259a)

  • If session auditing is enabled, all local user logins are processed by DirectAudit to determine whether the session should be audited. This may block login if domain controllers are not responsive and/or DirectControl Agent is not running. Two new parameters are introduced in /etc/centrifyda/centrifyda.conf:

    - user.ignore: specifies a list of local users that DirectAudit does not use Active Directory to determine audit level. By default, the list is /etc/centrifydc/user.ignore (the same one that DirectControl uses), which includes some important accounts like root, bin, daemon, etc.

    - user.ignore.audit.level - specifies the audit level for the local users specified in the user.ignore list. The supported values are 0 (audit if possible) and 1 (audit not requested/required). Default is 0 (audit if possible). Note that "audit required" is not a reasonable choice, as this user needs to login all the time; and "audit required" may block login if DirectAudit does not function correctly. (Ref: 55599a, 57946a, 56935a, 58251a)

  • The /usr/share/centrifydc/bin/centrifyda script should be used to start/stop DirectAudit service in all *nix platforms. However, systemd is not fully supported in /usr/share/centrifydc/bin/centrifyda. For platforms that use systemd by default (such as SUSE Linux Enterprise 12/SUSE Linux Desktop 12), users need to set the environment variable SYSTEMD_NO_WRAP to 1 before calling the /usr/share/centrifydc/bin/centrifyda. Operations such as killing a daemon, running dad (DirectAudit daemon) directly, or running dastop command, could lead to issues in daemon managers in some *nix platforms. For example, SMF of Solaris, SRC of AIX and systemd of Fedora 20, may record incorrect running status of the daemon; and may fail to start daemon. (Ref: 57653a, 71211a)

  • Disable auditing before upgrade

    If you upgrade from DirectAudit 2.0, please run "dacontrol -d -a" to disable DirectAudit before upgrade. Both the installer shell script, install-da.sh, and the native package manager will detect if auditing is enabled and abort if so.

    If you are using the native package manager to upgrade and youattempt to upgrade while auditing is enabled, you may find that,after the package manager aborts, the DirectAudit installation isshown as broken. This may be ignored. Simply disable auditing,upgrade and then re-enable auditing and the package will beshown as committed.

RedHat Linux

  • Due to a limitation of some implementations of audispd (audit dispatcher daemon provided by the operating system), DirectAudit advanced monitoring feature may not work if “dacontrol –n/-m” was run multiple times and over the limit specified in the parameter max_restarts in /etc/audisp/audispd.conf (default 10). If you enable the DirectAudit Advanced monitoring feature and it does not generate the audit trail events as expected, you can run dainfo to check on the status of advanced monitoring feature. If the program /usr/share/centrifydc/bin/dadispatcher is not running, dainfo will show “DirectAudit advanced monitoring status” as “not running”. In this case, you need to restart the system audit daemon using the command “service auditd restart”. This will re-activate the advanced monitoring feature. (Ref: CS-41267)
  • The characters (‘%’, ‘#’, ‘>’ and ‘$’) are used by DirectAudit to recognize UNIX commands. They should not be used in role names and as part of trouble-tickets; otherwise they will be recognized as part of a UNIX command. (Ref: 51687a)
  • DirectAudit advanced monitoring features may not work with early versions of RedHat 5 due to different system configurations. The earliest version that IBM Security tested is RedHat 5.6. Please contact IBM Security Support if you need support in versions earlier than RedHat 5.6. (Ref: CS-43042)
  • The advanced monitoring feature in RedHat 5 version only supports selinux mode set to 'disabled' or 'permissive', 'enforcing' is not supported due to incompatible selinux policies. Moreover, advanced monitoring feature may not work with earlier versions of RedHat 5 releases due to different system configurations. Please contact IBM Security support if you need support in versions earlier than RedHat 5.6. (Ref: CS-43024)

Debian Linux

  • To install the IBM Security DirectAudit package on a computer with the Debian operating environment, you must use the dpkg --install or dpkg -i option. You cannot use the dpkg --update or dpkg -u options to install or update the IBM Security DirectAudit package. If you need to update the IBM Security DirectAudit package, you need to first delete the old package using the dpkg --purge or dpkg -P option then install the new package with the dpkg --install or dpkg -i option.

    Do not use the dpkg --remove or dpkg -r command to remove IBM Security DirectAudit. Using the --remove option prevents the DirectAudit configuration file, /etc/centrifyda/centrifyda.conf, from being created properly when you reinstall the package.

Solaris

  • IBM Security recommends that you install the appropriate recommended patch bundles for the version of Sun Solaris you are using before installing IBM Security DirectAudit.

    The patch installation will skip any individual patches that don't apply to your system, and you can use Sun's patch management system to ensure your computers get the latest security fixes.

    To help you identify any required patches for your environment, IBM Security supplies the pca patch checker in all Solaris IBM Security Verify Privilege Server Suite packages. Install.sh will prompt you to check the patch level of your environment during installation.

    To check for Sun recommended patches with the pca patch checker you should have the wget package installed. This package may be obtained from:

    http://ftp.wayne.edu/sun_freeware/

    And source code may be obtained from:

    http://www.gnu.org/software/wget/

    For more information about downloading and installing patches, see the Sun Web site.

    The minimum patches required for IBM Security DirectAudit are provided below for reference purposes. In some cases these patches may be obsoleted or incorporated into other patches, so the patch numbers on your Solaris machines may be different. The authoritative source on patch compatibility is Sun; their Web site will allow you to follow patch histories to ensure any later patches you are using are compatible with the ones required by DirectAudit.

    For Solaris 10: 119254-65 120011-14 127127-11 138263-03

  • Please contact technical support if you are using sparse zone(s) and like to do one of the following:

    • Change session auditing status from disabled to enabled during upgrade.
    • Enable session auditing in a global zone and want to disable session auditing in sparse zone(s) when using the same global zone. (Ref: 76572, 80616b)
  • The following commands, located in /usr/bin, might be implemented as ksh programs or scripts:

    alias bg cd

    command fc fg

    getopts hash jobs

    kill read test

    type ulimit umask

    unalias wait

    To identify commands implemented as ksh scripts, run the following script:

    #!/bin/ksh -p

    cmd=basename $0

    $cmd "$@"

    The commands that are implemented internally by ksh should not be audited.

  • On a system using SMF (Service Management Facility), such as Solaris 10, the DirectAudit daemon might not start up after an upgrade from DirectAudit 1.x. This does not affect a fresh installation. To bring the daemon up, run these commands:

    • svcadm disable centrifyda
    • svcadm enable centrifyda
    • Run 'svcs' and find 'centrifyda' to confirm the daemon is online.

AIX

  • Some versions of AIX sshd do not function reliably with IBM Security products. When possible, IBM Security recommends using sshd included in IBM Security openSSH on AIX platforms. (Ref: CS-7098)

  • Local AIX users cannot be audited when they log in via built-in ssh, due to a change in AIX 7.0 ML1. Customers are advised to install IBM Security OpenSSH if auditing of ssh login by local users is required (Ref: 33299a).

  • Change in AIX root user behavior: By default, all releases starting with Release 2014 (DirectAudit 3.2.0) DO NOT modify the root stanza in AIX for new installations. One side effect is that root user login WILL NOT be audited. If your environment requires session auditing of root user login, you need to do the followings:

    a. Set up a DirectAuthorize role that has the audit level of "audit required" or "audit if possible"; and assign this role to root.

    b. Set the parameter adclient.autoedit.user.root to TRUE in /etc/centrifydc/centrifydc.conf.

    c. If DirectAudit session auditing is not enabled, enable DirectAudit session auditing using the command "dacontrol -e".

    d. Restart adclient (Ref: 56239a, 56604a)

  • For AIX customers who upgrade from prior versions of Release 2014 (DirectAudit 3.2.0), there is NO change in behavior. The parameter adclient.autoedit.user.root is set to true in /etc/centrifydc/centrifydc.conf. The root user will still be audited. (Ref: 56235)

HPUX

You can install this package by copying it to a HP-UX computer and running install.sh, the installer, or by running the following commands, where <release> is the version of the DirectAudit package you are installing:

gzip -d centrifyda-<release>-hp11.31-ia64.depot.gz

swinstall -s /path/centrifyda-<release>-hp11.31-ia64.depot \

-x allow_incompatible=true
  • You must specify the full path to the IBM Security DirectAudit depot file and set the allow_incompatible option to true to install successfully.

  • The installation script checks your environment for the minimum patch levels required. If you have more recent patches installed, however, you may see an error message. To install, re-run the installation command with the following additional command line option:

    -x enforce_scripts=false

Database

  • When adding an Audit Store database to a SQL Server Availability Group with the multi subnet failover feature, the SQL Server that hosts the management database must be SQL Server 2012 or above. In addition, when upgrading an existing DirectAudit installation to use the SQL Server Availability Group feature, IBM Security recommends upgrading Collectors, Audit Management Server service, Audit Manager consoles and Audit Analyzer consoles to the latest version to benefit from this feature. (Ref: CS-39872)

  • In previous versions of DirectAudit, it was possible to specify the location of the database file. In DirectAudit 2.0.0 and later this capability is not provided in the Audit Store Database Wizard. However, you can still specify the full text file location, database file location, or transaction log file location by choosing "View SQL Scripts" and modifying the relevant database location manually in the script.

  • If the default memory setting for SQL Server is more than the actual memory in the system a memory error may occur. For more information see:

    http://social.msdn.microsoft.com/Forums/en-US/sqldatabaseengine/thread/74a94f06-adf5-4059-bb92-57a99def37bd/

    SQL Server 2008 R2 full text search categorizes certain words as stop words by default and ignores them for searches. Some stop words are common UNIX commands such as like, which, do, and while. For more details about stop words and how to configure, please refer to http://technet.microsoft.com/en-us/library/ms142551.aspx

  • The collector monitors the active Audit Store database to check if it is running low on disk space. If an active Audit Store the database is on a disk with volume mount point, the collector may give a false alarm. In such cases, it is recommended to disable the detection by setting the following registry key with the type of DWORD to 0 on all your collector machines. (Ref: 53389a)

    HKLM\Software\Centrify\DirectAudit\Collector\AuditStoreDiskSpaceLowThreshold

  • Collector only detects AuditStore disk space low against a configurable threshold if the SQL Server version is 2008 R2 SP1 (10.50.2500.0) and above. The threshold can be configured at Collector machine Registry: HKLM\Software\Centrify\DirectAudit\Collector\AuditStoreDiskSpaceLowThreshold DWORD in MB, not configured, default to 1024 MB. If free disk space is less than the threshold, Collector state is changed to "AuditStore database disk space is low", and stops accepting audit data from Agent(s).

Audit Management Server

  • To configure the audit management server to point to an installation, the user who is running the Audit Management Server Configuration Wizard must have the "Manage SQL Logins" permission on the management database of the installation. For example, if you are configuring an audit management server in an external forest with a one-way trust, be sure that the installation supports Windows and SQL Server authentication and the account you are using is from the internal forest and has the "Manage SQL Logins" permission on the management database. (Ref: 46989a)

FindSession Tools

  • For per-command auditing of dzdo command, when a ticket is entered, the role and ticket are associated with the audited session. For such sessions, the FindSessions tool’s export of type UnixCommand, UnixInput, or UnixInputOutput based on the role and/or ticket criteria will have the exported command, STDIN, or STDIN and STDOUT marked with role and ticket. When per session auditing is enabled, the exported data will not have role and ticket information. (Ref: 53936a)

  • When per-command auditing is enabled for dzdo command, and role and trouble ticket capturing is also configured, FindSessions.exe run with /export=UnixCommand option will not show the role and trouble ticket information in the exported file for the dzdo command itself, if the dzdo command executed is “dzdo su –“ or “dzdo –i”. However, all the command executed within that dzdo session will have correct role and trouble ticket information. (Ref: 51787a)

Verify Privilege Server Suite Agent for Windows

  • When a user disconnects and then later reconnects to an existing user session from a switch user operation, a successful logon audit trail message will not be logged after the user has reconnected to the session though authentication. This does not apply when the user is performing lock and unlock operations or the logon method is different from the previous login (remote vs. console logon). (Ref: CS-41453)

  • In the DirectAudit Agent for Windows control panel, the setting “Maximum size of the offline data file” indicates the minimum amount of disk space (in percentage) that must be available/free in the spool volume in order to continue auditing users (especially when the DirectAudit Agent cannot send audit data to collector). The DirectAudit Agent makes its best attempt to pause auditing when the specified amount of disk space is no longer available and in certain cases may continue to write to spool volume for a few minutes before eventually pausing the auditing activity. (78072, CS-6718)

  • The optional video capture feature requires both the Collector and the DirectAudit Agent to use 2013.2 or later. If any of collectors or agents are running an older version, video data may still be recorded even though you have turned it off in Release 2013 Update 2 Audit Manager. (Ref: 44064a)

  • If Verify Privilege Server Suite Agent for Windows is auditing a Windows 8 or Windows 2012 system, the Indexed Event List of the corresponding audited session will not show any events for the applications that are using the Metro User Interface. The Metro UI is not supported. (Ref: 56556b)

  • Upon making changes to Group Policy “Centrify Audit Trail Setting” > “Centrify Common Setting” > “Send audit trail to log file”, it would require reboot of the client computer (agent) for this setting to be effective despite the Group Policy has already been refreshed on the client computer. (Ref: 73368b)

  • The offline data location (and subdirectories below it) is expected to be a location dedicated to spooling, for example c:\spool. If the offline data location is changed, all files in the old location (including subdirectories and their contents) are moved to the new location. This may cause problems if the old location was not exclusively for spooling use. For example, choosing c:\ as the original spool location and d:\spool as the new location would cause all files on the c:\ drive to be copied to d:\spool. (Ref: 26592a)

  • Some events related to the login script are not listed in the indexed events list. The login script cannot be audited for an initial few seconds because the DirectAudit software has not completed its setup. (Ref: 26286a)

  • Some events related to the login script are not listed in the indexed events list. The login script cannot be audited for an initial few seconds because the Verify Privilege Server Suite Agent for Windows software has not completed its setup. (Ref: 26286a)

IBM Security Audit Module for PowerShell

  • Audit Module for PowerShell may take a long time to start because of the publisher's certificate verification. To resolve the problem, disable the "Check for publisher's certificate revocation" option in System Control Panel\Internet Options\Advanced\Security. (Ref: 72499)

  • After installing Audit Module for PowerShell in a RDP session, PowerShell complains module "IBM Security.DirectAudit.PowerShell" cannot be loaded. This is because the installation package needs to modify system environment variables to let PowerShell know where to load the module. This operation needed to be done in a "Console Session" if installation is done via RDP. To resolve this problem, logout and re-login or run RDP with the "admin" option as "mstsc /admin" or "mstsc /console". (Ref: 72500a)

Additional Information and Support

In addition to the documentation provided with this package, see the IBM Security Knowledge Base for answers to common questions and other information (including any general or platform-specific known limitations), tips, or suggestions. You can also contact IBM Security Support directly with your questions through the IBM Security Web site, by email, or by telephone.

The IBM Security Resources web site provides access to a wide range of information including analyst report, best practice brief, case study, datasheet, ebook, white papers, etc., that may help you optimize your use of IBM Security products. For more information, see the IBM Security Resources web site.

You can also contact IBM Security Support directly with your questions through the IBM Security Web site, by email, or by telephone. To contact IBM Security Support or to get help with installing or using this software, send email to support@delinea.com or call 1-202-991-0540. For information about purchasing or evaluating IBM Security products, send email to info@delinea.com.