Centrify Audit & Monitoring Service Advanced Monitoring
If you have enabled Centrify Audit & Monitoring Service for advanced monitoring, you can generate data for three additional auditing reports, as follows:
- Monitored execution report: shows the monitored commands executed on the audited machines, including commands that are run individually or as part of scripts.
- Detailed execution report: shows all of the commands executed on the audited machines, including commands that are run as part of scripts or other commands.
- File monitor report: shows the monitored (sensitive) files modified by users on the audited machines.
Advanced Monitoring Audit Event Log Sample
The following is a sample audit event log entry for Centrify Audit Event ID 57300, which records an attempt to modify a monitored file. The change was made by root@al_rhel6_2.altest.acme.com on November 2, 2016 at 06:09:01: a /usr/bin/python process (pid 32393) called unlink on /etc/pki/nssdb/cert9.db-journal, and status=SUCCESS shows that the modification went through. Two details matter when reading such a line. The syslog timestamp is the host's local time, while the utc field carries the same instant as milliseconds since the Unix epoch (1478092141432 is 13:09:01 UTC) and the timestamp field carries it in seconds. auid=<no_login_user> means no login user is associated with the process, so the change cannot be attributed to an audited interactive session and must be traced through the command, cwd and parent process instead.
```
Nov 2 06:09:01 al_rhel6_2 adclient[27002]: INFO AUDIT_TRAIL|Centrify Suite|DirectAudit Advanced Monitoring|1.0|300|Monitored file modification attempted|5|user=<no_login_user> pid=32393 utc=1478092141432 CentrifyEventID=57300 DAInst=AuditingInstallation DASessID=c72252aa-e616-44ff-a5f6-d3f53f09bb67 status=SUCCESS syscall=unlink status=0 timestamp=1478092141.432000 auid=<no_login_user> uid=root@al_rhel6_2.altest.acme.com processid=32393 ppid=32392 gid=root euid=root@al_rhel6_2.altest.acme.com cwd=/ accessType=2 command=/usr/bin/python argc=-1 args=/etc/pki/nssdb/ /etc/pki/nssdb/cert9.db-journal
```
Centrify Audit & Monitoring Service Advanced Monitoring Audit Events
Event ID | Description | Parameters |
---|---|---|
57200 | Monitored program is executed | syscall: system call; exitcode: exit code; timestamp: timestamp; auid: login user; uid: user; procid: process id; ppid: parent process id; gid: group; euid: effective user; cwd: current working directory; cmd: command; argc: number of arguments; args: arguments |
57201 | Monitored program failed to execute | syscall: system call; exitcode: exit code; timestamp: timestamp; auid: login user; uid: user; procid: process id; ppid: parent process id; gid: group; euid: effective user; cwd: current working directory; cmd: command; argc: number of arguments; args: arguments |
57300 | Monitored file modification attempted | syscall: system call; exitcode: exit code; timestamp: timestamp; auid: login user; uid: user; procid: process id; ppid: parent process id; gid: group; euid: effective user; cwd: current working directory; accType: access type; cmd: command; argc: number of arguments; args: arguments |
57301 | Monitored file modification attempt failed | syscall: system call; exitcode: exit code; timestamp: timestamp; auid: login user; uid: user; procid: process id; ppid: parent process id; gid: group; euid: effective user; cwd: current working directory; accType: access type; cmd: command; argc: number of arguments; args: arguments |
57400 | Command execution is started | syscall: system call; exitcode: exit code; timestamp: timestamp; auid: login user; uid: user; pid: process id; ppid: parent process id; gid: group; euid: effective user; cwd: current working directory; command: command; argc: number of arguments; args: arguments |
57401 | Command execution fails to start | syscall: system call; exitcode: exit code; timestamp: timestamp; auid: login user; uid: user; pid: process id; ppid: parent process id; gid: group; euid: effective user; cwd: current working directory; command: command; argc: number of arguments; args: arguments |

The parameter names in this table are abbreviated. The log line the agent actually emits uses longer names in several places, as the 57300 sample above shows: processid rather than procid, accessType rather than accType, command rather than cmd, and the exit code appears as a second status= field (status=0, after syscall=unlink) rather than as exitcode=. Anything that parses or correlates these events (a SIEM rule, a forwarder, a report query) should key on the names as emitted, not on the short names listed here.
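As an added example (not Centrify's code) of working with the log sample and the event table above, the following Python parser reads AUDIT_TRAIL syslog lines: it strips the syslog prefix, splits the seven pipe-delimited header fields that follow the AUDIT_TRAIL marker, parses the key=value extension while keeping both status= values and joining space-separated values such as the two paths in args=, converts the utc= field to a datetime, and flags successful 57300 file modifications that carry no login user. The field layout is inferred from the single sample line on this page. The first sample line below is that line; the second line, its 200 class id, and the jdoe identity and paths are constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Event IDs and descriptions copied from the table in this document.
EVENT_NAMES = {
    57200: "Monitored program is executed",
    57201: "Monitored program failed to execute",
    57300: "Monitored file modification attempted",
    57301: "Monitored file modification attempt failed",
    57400: "Command execution is started",
    57401: "Command execution fails to start",
}

# syslog prefix up to the AUDIT_TRAIL marker; everything after it is the event.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<prog>\w+)\[(?P<pid>\d+)\]:\s+(?P<level>\w+)\s+AUDIT_TRAIL\|(?P<rest>.*)$"
)
KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


@dataclass
class AuditEvent:
    host: str
    vendor: str
    product: str
    version: str
    class_id: str
    name: str
    severity: int
    # Every key maps to a list because the agent emits "status" twice:
    # status=SUCCESS for the event and status=0 for the syscall exit code.
    fields: dict

    def get(self, key, default=None):
        """First value recorded for key."""
        return self.fields[key][0] if key in self.fields else default

    @property
    def event_id(self):
        return int(self.get("CentrifyEventID"))

    def utc_time(self):
        """utc= is milliseconds since the Unix epoch (the syslog prefix is local time)."""
        ms = int(self.get("utc"))
        return datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000)

    @property
    def has_login_session(self):
        # auid is the login user; <no_login_user> means the process was not
        # started from an audited login session (cron, a daemon, and so on).
        return self.get("auid") != "<no_login_user>"


def parse_extension(text):
    """Split 'k=v k=v ...' where a value may contain spaces (several paths in args=).

    A token starts a new key only if the part before '=' is an identifier, so a
    path such as /tmp/a=b is appended to the current value rather than split.
    """
    fields, key = {}, None
    for tok in text.split():
        k, sep, v = tok.partition("=")
        if sep and KEY_RE.match(k):
            key = k
            fields.setdefault(key, []).append(v)
        elif key is not None:
            fields[key][-1] += " " + tok
        else:
            raise ValueError(f"extension does not start with key=value: {tok!r}")
    return fields


def parse_line(line):
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not an AUDIT_TRAIL syslog line")
    parts = m.group("rest").split("|", 6)  # seven pipe-delimited header fields
    if len(parts) != 7:
        raise ValueError(f"expected 7 header fields, got {len(parts)}")
    vendor, product, version, class_id, name, severity, ext = parts
    return AuditEvent(host=m.group("host"), vendor=vendor, product=product, version=version,
                      class_id=class_id, name=name, severity=int(severity),
                      fields=parse_extension(ext))


def unattributed_file_changes(lines):
    """Detection: successful 57300 events with no login user. These changes to a
    monitored file cannot be tied to an audited session via auid, so they are
    reported as (syscall, effective user, command, args) for follow-up."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev.event_id == 57300 and ev.get("status") == "SUCCESS" and not ev.has_login_session:
            hits.append((ev.get("syscall"), ev.get("euid"), ev.get("command"), ev.get("args")))
    return hits


# Sample 1 is the log line from this document. Sample 2 is constructed: the
# 200 class id, the jdoe identity, the session id and the paths are made up.
SAMPLE_LINES = [
    "Nov 2 06:09:01 al_rhel6_2 adclient[27002]: INFO AUDIT_TRAIL|Centrify Suite|DirectAudit Advanced Monitoring|1.0|300|Monitored file modification attempted|5|user=<no_login_user> pid=32393 utc=1478092141432 CentrifyEventID=57300 DAInst=AuditingInstallation DASessID=c72252aa-e616-44ff-a5f6-d3f53f09bb67 status=SUCCESS syscall=unlink status=0 timestamp=1478092141.432000 auid=<no_login_user> uid=root@al_rhel6_2.altest.acme.com processid=32393 ppid=32392 gid=root euid=root@al_rhel6_2.altest.acme.com cwd=/ accessType=2 command=/usr/bin/python argc=-1 args=/etc/pki/nssdb/ /etc/pki/nssdb/cert9.db-journal",
    "Nov 2 06:12:45 al_rhel6_2 adclient[27002]: INFO AUDIT_TRAIL|Centrify Suite|DirectAudit Advanced Monitoring|1.0|200|Monitored program is executed|5|user=jdoe pid=4242 utc=1478092365000 CentrifyEventID=57200 DAInst=AuditingInstallation DASessID=0e0c1b2a-1111-4222-8333-444455556666 status=SUCCESS syscall=execve status=0 timestamp=1478092365.000000 auid=jdoe@al_rhel6_2.altest.acme.com uid=jdoe@al_rhel6_2.altest.acme.com processid=4242 ppid=4100 gid=users euid=jdoe@al_rhel6_2.altest.acme.com cwd=/home/jdoe command=/usr/bin/passwd argc=1 args=/usr/bin/passwd",
]

if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        ev = parse_line(ln)
        print(ev.event_id, EVENT_NAMES[ev.event_id], ev.utc_time().isoformat(),
              ev.get("syscall"), ev.get("args"))
    print(unattributed_file_changes(SAMPLE_LINES))
```

Keeping every extension key as a list is deliberate: a parser that stores the last value for a key would silently turn status=SUCCESS into status=0, and one that stores the first would lose the exit code. Run on the two samples, only the page's 57300 line is reported by unattributed_file_changes, because the constructed 57200 line carries a real login user in auid.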