
Centrify DirectAudit's Key Features Illustrated

DirectAudit combines unique session auditing and replay features with a scalable, next-generation architecture


Detailed, Nonintrusive Recording of User Sessions on UNIX and Linux Systems

DirectAudit's easy-to-install, low-overhead Agent silently and transparently gathers comprehensive user session activity: what commands were executed, what changes were made to key files and data, and what output appeared. DirectAudit records this data without interrupting the user's workflow.

DirectAudit Console. The DirectAudit Console gives you a central, global view of user sessions across your audited UNIX/Linux environment. Out-of-the-box views show both current and historical sessions grouped by computer, by user, and other criteria. In this example, you can see all sessions on a specific computer, sorted by start time. DirectAudit can record sessions both for Active Directory accounts and for local accounts such as root. Notice that the top two entries in this example show you sessions currently in progress.


Secure, Reliable Data Collection in a Scalable SQL Repository

The DirectAudit Agent continuously communicates user session activity in an encrypted, compressed format to a DirectAudit Collector Service. The Collector Service in turn stores the data in a central SQL Server repository, providing enterprise-scale performance and scalability. For increased reliability, the DirectAudit Agent continues to record session data even when there is no network connection and subsequently forwards it to a DirectAudit Collector Service when the network is available. Centrify also supports load balancing among multiple DirectAudit Collector Services when deployments of DirectAudit Agents number in the hundreds or thousands.


Visual Replay of User Sessions through an Easy-to-Use Console

Using the DirectAudit Console, with a simple right-click you can replay any user session on any audited system to see what commands were executed, what changes were made to key files and data, and what system output appeared. You can pause, rewind, or fast-forward - as easy as using a VCR. This unique playback feature gives you a powerful tool for monitoring activity, troubleshooting changes that may have led to a system failure, or documenting system configuration tasks.

Session Replay Window. By right-clicking on any session transcript you can replay the entire session to see what commands were entered, what changes were made to files and data, and what output appeared. In this example, a search across all session transcripts for "passwd" found this session, and replaying the session takes you right to the point where the password command was entered. You can pause, rewind or fast-forward through a session, just like using a VCR. This unique session replay feature helps you proactively spot insider threats and takes the guesswork out of troubleshooting system problems.


Comprehensive, Easy-to-Use Query, Search and Reporting Capabilities

You can use the DirectAudit Console's out-of-the-box views to see active sessions and historical sessions, or build your own views that show sessions by specific users, machines, time periods, or other criteria. You can also perform full-text searches to find, for example, all instances of a password command across all sessions. By adopting a non-proprietary SQL data format, DirectAudit enables robust reporting and querying through third-party tools as well.

Query Wizard. Using the DirectAudit Query wizard you can create your own views of user sessions and export them for reporting purposes. You can perform full-text searches of transcripts, or create structured queries with multiple filtering criteria. For example, this query has been set up to find all root logins on computers whose name starts with "rhel", and an additional filter is being added to limit the query to sessions in the past month.


Real-Time Monitoring with an At-a-Glance View of All Current User Activity

The DirectAudit Console gives you a centralized, real-time view of every user session on every audited UNIX and Linux system. For each session you can see who is logged on, and you can immediately drill down to see what they are currently doing. This is an invaluable tool for both spotting suspicious activity and quickly troubleshooting system issues.

DirectAudit Console. By clicking on the Active Sessions folder in the DirectAudit Console, you can see who is currently logged into an audited system. You can see the user name, the system they're logged into, and start time. To see what they've been doing, just right-click to replay the session.

One useful feature for IT auditors is the ability to see just a list of commands that the user entered during a session.

Session Command List. Here you can see the user was making a routine web server check and did not edit any files.
