After you install the agent, you can enable auditing with the dacontrol command. The dacontrol command links all shells to the cdash shell wrapper by way of NSS. When a user opens a terminal, cdash is automatically loaded instead of the user’s shell, then cdash loads the appropriate shell for the user and begins auditing the session.
You can also choose to enable video capture editing for an installation but disable it for specific computers. You disable or enable video capture auditing for a specific computer or set of computers by using group policy settings or by modifying the agent.video.capture setting. For details, see the Group Policy Guide or the Configuration and Tuning Reference Guide.
Shell or Terminal Window Auditing
To enable auditing on a Linux or UNIX computer:
-
Log on as a user with root privileges.
-
Run dacontrol with the -e option:
dacontrol -e
-
Run dacontrol again to verify that auditing has been enabled or run dainfo.
For example, the output of the dacontrol command shows something like this:
dacontrol --query
This machine has been configured through group policy to use installation 'DefaultInstallation'
DirectAudit NSS module: Active
DirectAudit is not configured to audit individual commands.
See AlsoLinux AuditD logging Vs Legacy Var/log/*Auditing Files in LinuxHow to enable command line audit logging in linux | ConfluenceLynis - Security auditing and hardening tool for Linux/UnixWhen you enable auditing, the NSS module shows as active. You can also see if auditing is enabled or not for a system in the Audit Manager console.
After you enable auditing on a Linux or UNIX computer, you can control whether the auditing of shell activity applies for all users or for selected users by using role assignments. If auditing is enabled and the agent is not running, users with an active role assignment that requires logging are not allowed to log in.
For more information about configuring and assigning roles, see the Administrator’s Guide for Linux and UNIX.
To disable auditing on a Linux or UNIX computer:
-
Log on as a user with root privileges.
-
Run dacontrol with the -d option or the --disable option:
dacontrol -d
dacontrol --disable
-
Run dacontrol again to verify that auditing has been disabled or run dainfo.
For example:
dacontrol --query
This machine has been configured through group policy to use installation 'DefaultInstallation'
DirectAudit NSS module: Inactive
DirectAudit is not configured to audit individual commands
When you disable auditing, the NSS module shows as inactive. You can also see if auditing is enabled or not for a system in the Audit Manager console.
Linux Desktop Auditing
In addition to shell auditing, for some Linux systems you can also enable desktop auditing. When desktop auditing is enabled, the user's entire screen is continuously monitored to record all graphical interactions. More specifically, desktop auditing captures the following:
- The application name and window title when the user switches the focus to that application. For example, if a user opens a web browser or a terminal window.
- Changes to the application window title that currently has focus. For example, if a user opens a web browser and goes to a new web page, desktop auditing records the title of a web page.
The supported platforms for Linux desktop auditing are as follows:
- RHEL 6, 7, and 8 with GNOME v3
- CentOS 6, 7, and 8 with GNOME v3
Linux sessions must be running X as the primary display manager (not Wayland).
Linux desktop auditing requires shell session auditing.
To enable desktop auditing on a Linux computer:
-
Log on as a user with root privileges.
-
Run dacontrol with the -x option or the --desktop-audit option:
dacontrol -x
dacontrol --desktop-audit
To enable both shell and desktop auditing at the same time, use both the -e and -x options:
dacontrol -e -x
-
Run dainfo to verify that desktop auditing has been enabled.
For example, the relevant information from the dainfo command looks like this:
Pinging adclient: adclient is available
Daemon status: Online
Current installation: 'DirectAudit' (configured locally)
Current collector: test.acme.com:5063:HOST/test.acme.com@acme.com
DirectAudit NSS module: Active
...DirectAudit desktop auditing: Enabled
User (root) audited status: YesWhen you enable auditing, the desktop auditing module shows as Enabled. You can also see if auditing is enabled or not for a system in the Audit Manager console.
To disable desktop auditing on a Linux computer:
-
Log on as a user with root privileges.
-
Run dacontrol with the -z option or the --no-desktop-audit option:
dacontrol -z
dacontrol --no-desktop-audit
-
Run dainfo to verify that desktop auditing has been disabled.
For example, the relevant information from the dainfo command looks like this:
Pinging adclient: adclient is available
Daemon status: OnlineCurrent installation: 'DirectAudit' (configured locally)
Current collector: test.acme.com:5063:HOST/test.acme.com@acme.com
DirectAudit NSS module: Inactive
...DirectAudit desktop auditing: Disabled
User (root) audited status: NoWhen you disable auditing, the desktop auditing module shows as Disabled. You can also see if auditing is enabled or not for a system in the Audit Manager console.
