Centrify DirectAudit: Auditing Linux User Activity

Tom Cromelin writes “Centrify Corporation, a leading provider of Microsoft Active Directory-based auditing, access control and identity management solutions for non-Microsoft platforms, today announced Centrify DirectAudit, a comprehensive software solution that addresses regulatory compliance requirements for logging, monitoring and auditing user activity within a UNIX/Linux environment. Centrify DirectAudit captures an entire user session by recording keystrokes and session output and archiving the audit trail to a searchable SQL database. Auditors and IT managers can use the DirectAudit console to not only play back and report on session activity but also view which users accessed what systems, what commands they executed, and what changes they made to key files and data. With Centrify DirectAudit, organizations can be more secure from the threat of insider attacks, achieve greater compliance with the Payment Card Industry (“PCI”) Data Security Standard and other government and industry regulations, and more easily troubleshoot problems within their UNIX/Linux environment.

“DirectAudit looks to be an important addition to our system security, and we expect it to improve our ability to show how we comply with regulations,” said Manohar Nayak, senior security architect at Yodlee, Inc., a leading provider of personal finance management solutions to large financial organizations. “Searching logs for a specific action by a specific administrator on a specific system would be difficult and time-consuming without DirectAudit’s query, reporting and playback capability.”

“Centrify’s DirectAudit fills an important role in securing systems from insider threats and demonstrating compliance to auditors,” said Jon Oltsik, Senior Analyst, Information Security, at the Enterprise Strategy Group. “By tying UNIX and Linux system auditing into the established Microsoft management environment, Centrify further centralizes the administration of security and auditing in a way that increases the robustness of both.”

“DirectAudit will not only help organizations comply with regulatory requirements, it will also be a great tool for IT administrators. The ability to immediately replay a user session will take the guesswork out of diagnosing changes that may have contributed to a system failure,” said Tom Kemp, CEO of Centrify Corporation. “With our DirectControl solution delivering robust Active Directory-based authentication and authorization and now DirectAudit delivering advanced auditing capabilities, Centrify is proud to provide the full ‘Triple A’ stack of UNIX/Linux identity management.”

Key Features and Benefits
Unlike a typical keystroke capture application, DirectAudit records a user’s entire session, including the system responses. It stores the session log in a secure but readily searchable database and allows managers to play the session back as though it was videotaped, so that all user actions and their consequences are viewable. As a result, an organization has a comprehensive audit trail of all actions performed on a system, allowing organizations to meet compliance requirements such as Section 10.2.2 of the PCI Data Security Standard: “Implement automated audit trails for all system components to reconstruct the following events: All actions taken by any individual with root or administrative privileges.”

At the same time, DirectAudit also allows organizations to minimize the threat of insider attacks, a risk highlighted in a recent survey by the Secret Service and CERT indicating that 86% of internal computer sabotage incidents were perpetrated by technical workers inside the organization. When DirectAudit is combined with DirectControl, which delivers Active Directory-based authentication and access control for over 60 flavors of UNIX, Linux and Mac systems, the two Centrify solutions help organizations centrally audit and control access to their heterogeneous computing environment.

DirectAudit also strengthens system administration in several ways. First, it can help in troubleshooting problem systems. A system administrator may inadvertently make a change that has undesirable outcomes. With DirectAudit, IT management can reconstruct what actions preceded the problem. Second, organizations can monitor expert consultants, vendors or other third parties to track what they did to a system. This can be used as a teaching aid or as documentation of fulfillment of an agreement. Third, administrators can use the session recordings to prove that maintenance or another administrative task was performed on each system.

Modern and Scalable Architecture
DirectAudit comprises four architectural components:
• the DirectAudit Agent which gathers comprehensive user session activity on UNIX/Linux systems;
• the DirectAudit Collector service which gathers data from Agents and stores it in a central SQL Server repository;
• the DirectAudit Repository which is a Microsoft SQL Server database; and
• the DirectAudit Console which delivers a centralized view of every audited UNIX and Linux system in the enterprise and delivers playback and reporting capabilities.

DirectAudit offers many enterprise-class functions not found in other auditing solutions. For example, the DirectAudit Agent will continue to collect all audit data on a remote system even if the network goes down, and will subsequently forward it to the DirectAudit Collector Service when the network is back up. To ensure audit data traffic is secure, data from the Agent is communicated in an authenticated and encrypted format. The DirectAudit Agent will also leverage the DirectControl Agent on the audited system to determine the best Collector Service to communicate with. DirectAudit supports load-balancing among multiple DirectAudit Collector Services to provide scalability for hundreds of audited systems. In addition, because DirectAudit uses a SQL Server database as its repository, it is easy to report and search on all session data using the DirectAudit Console or third-party reporting tools.

DirectAudit is also easy to use. Auditors and IT managers can use the DirectAudit Console to get real-time views of current sessions and historical views of previous sessions. Sessions can be played back as if they were on a VCR with similar fast-forward and rewind controls. Summary reporting is available, as well as full-text search capabilities to find, for example, all instances of edits to the /etc/passwd file across all sessions on all computers.

Price and Availability
DirectAudit costs $750 per system and $2500 for each console. DirectAudit is available for beta testing now and will be available in May 2007. To request a trial version, users should contact Centrify at info@centrify.com. On Wednesday, April 4, Centrify will deliver a webcast describing and demonstrating DirectAudit. To register, visit http://www.centrify.com/webcast.

About Centrify
Centrify is a leading provider of auditing, access control and identity management solutions that centrally secure an organization’s heterogeneous systems, web applications, databases and storage systems using Microsoft Active Directory. Centrify DirectControl secures an organization’s non-Microsoft platforms using the same authentication, authorization and Group Policy services deployed for its Windows environment. Centrify DirectAudit complements DirectControl by delivering auditing, logging and real-time monitoring of user activity on non-Microsoft systems. Together, they help organizations improve IT efficiency, better comply with regulatory requirements, and move toward a more secure, connected infrastructure for their heterogeneous computing environment. For more information about Centrify and its DirectControl and DirectAudit solutions, call +1 650-961-1100 or visit www.centrify.com.”