Disable directaudit

Contributor I
Posts: 30
Registered: ‎08-04-2014
#1 of 15 10,697

Disable directaudit


How do I do this?

 

disabling DirectAudit

Centrify Guru I
Posts: 2,430
Registered: ‎07-26-2012
#2 of 15 10,695

Re: Disable directaudit


John,

 

I advise that you open a ticket with support.

As much as we'd love to tell you how to do it (this could be on NIX or Windows), most likely your organization put DA in place for a reason.

 

Sincerely,

 

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Contributor I
Posts: 30
Registered: ‎08-04-2014
#3 of 15 10,690

Re: Disable directaudit

It's on Linux, and I installed it/put it in place, but we don't use it at present. Now, if I stop centrifyda I get the emergency prompt.

Centrify Guru I
Posts: 2,430
Registered: ‎07-26-2012
#4 of 15 10,649

Re: Disable directaudit


Well, in that case use install.sh or the native package manager to uninstall the CentrifyDA package.

e.g. on Deb platforms:

 

dpkg -r centrifyda    # dpkg -r takes the installed package name, not the .deb file name; confirm the name with: dpkg -l | grep -i centrify

 

This command has to be performed as root or with sudo/dzdo.

 

Keep in mind that if best practices are being followed, removal of the Centrify DirectAudit package on a sensitive system should trigger a "dispatch of the guards" towards the cube of the person that issued the command.

 

:-)

 

R.P

Centrify Advisor IV
Posts: 159
Registered: ‎07-13-2012
#5 of 15 10,632

Re: Disable directaudit

John,

 

Instead of uninstalling the DirectAudit package (which, like Robertson said, could have been installed for a good reason), you should consider just disabling auditing.

 

To do this, run the following command as root: dacontrol -d

This will remove the "centrifyda" directive from the NSS config and also stop the service.

You can see whether DirectAudit is enabled or not by running the command dainfo or dacontrol (the last one must be run as root).

Hope that helps.

Fab

-----------------------------------------------------------------------------------------------------
Don't forget to mark posts as "Solution" to help others identify the answers quickly. And don't be afraid to deliver Kudos as well when you are happy with the solution ;)
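The NSS side of what the reply above describes for dacontrol -d, as an added example that is not part of the original post and not Centrify's own code: a constructed /etc/nsswitch.conf sample, a check for whether the centrifyda module is listed, and a rewrite that drops only that token. The placement of "centrifyda" on the passwd/group lines is an assumption; the functions match it as a whole word wherever it appears. The real dacontrol -d also stops the centrifyda service, which this script does not model, so on a live host verify with dainfo as the post says rather than with this script.

```shell
#!/bin/sh
# Added example (not Centrify's code): shows the NSS side of what the thread
# says "dacontrol -d" does, i.e. dropping the "centrifyda" module from
# /etc/nsswitch.conf, and how to verify the state before and after.
# The real dacontrol -d also stops the centrifyda service; on a live host
# verify with "dainfo" as the post says rather than with this script.

# Write a constructed nsswitch.conf sample (not copied from a real host).
# The exact placement of "centrifyda" is an assumption; the functions below
# match it as a whole word wherever it appears on a lookup line.
make_sample_nsswitch() {
    cat > "$1" <<'EOF'
# /etc/nsswitch.conf (constructed sample)
passwd:   files centrifydc centrifyda
group:    files centrifydc centrifyda
shadow:   files centrifydc
hosts:    files dns
EOF
}

# Succeeds (exit 0) if any non-comment line lists the centrifyda module.
# -w keeps "centrifydc" (the DirectControl module) from matching.
da_nss_enabled() {
    grep -Ev '^[[:space:]]*#' "$1" | grep -Eqw 'centrifyda'
}

# Rewrite the file without the centrifyda token, leaving comments, blank
# lines and all other modules (centrifydc, files, dns ...) in place.
da_nss_disable() {
    _tmp=$(mktemp) || return 1
    awk '
        /^[ \t]*#/ || NF == 0 { print; next }
        {
            out = ""
            for (i = 1; i <= NF; i++)
                if ($i != "centrifyda") out = out (out == "" ? "" : " ") $i
            print out
        }' "$1" > "$_tmp" && cat "$_tmp" > "$1"   # cat keeps owner/mode of the original
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# Demo: build the sample, show the state, disable, show the state again.
demo() {
    f=$(mktemp)
    make_sample_nsswitch "$f"
    if da_nss_enabled "$f"; then echo "before: centrifyda present"; fi
    da_nss_disable "$f"
    if da_nss_enabled "$f"; then echo "after: still present"; else echo "after: centrifyda removed"; fi
    cat "$f"
    rm -f "$f"
}
demo
```

Point da_nss_enabled at the real /etc/nsswitch.conf to confirm what dainfo reports; use the rewrite only on a copy, since on a real host dacontrol -d is the supported way to change the state and the service must be stopped too.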
Advisor I
Posts: 54
Registered: ‎09-16-2014
#6 of 15 10,620

Re: Disable directaudit

I also wonder if they're receiving emergency mode because their login right is set to require auditing? Maybe change the login right to say "audit if possible" as well?
Centrify Advisor IV
Posts: 159
Registered: ‎07-13-2012
#7 of 15 10,616

Re: Disable directaudit

Hi Jeff,

 

If a user has only roles with "Audit Required" as the auditing policy and tries to log in to a server where DirectAudit is not installed or is disabled, then he won't be able to log in at all or will be forced into the emergency shell (depending on the policy you set up in the agent config file or by GPO).

If you have users with "Audit Required", you should either reconsider whether they really need this policy and drop back to "Audit if Possible", or simply ask yourself whether you really want to disable the DirectAudit agent on this particular server.

I must admit I am not quite sure of what you are trying to achieve here.

 

Cheers,
Fab

Centrify Guru I
Posts: 2,430
Registered: ‎07-26-2012
#8 of 15 10,609

Re: Disable directaudit


Jeff/Fabrice

 

This is a meta-commentary on this thread.

 

I was hesitant to actually give you any dacontrol options because it wasn't clear to me what the original poster was trying to accomplish.  DirectAudit is typically deployed in very sensitive environments, so my assessment is to simply have you go to support (who can authenticate you, rather than doing this in a public forum).

 

Unfortunately, many posters in this forum are either consultants or customers that chose NOT to get our services (bad idea - and we are not a consulting company disguised as a "software" company - but that's a different topic).  Or this could simply be a social engineering attempt by somebody who is trying to circumvent a detective control.  I've followed some of Jeff's posts and I suspect that's not the case, but the original poster is relatively new to the community.  That's why I encourage posters to tell us what their end goal is (without implementation details): this is because we can make a judgement call and recommend the proper course of action:

 

- Answer  (harmless)

- Redirect to support  (maybe this requires more expertise/log sharing etc)

- Redirect to KB (documented and resolved, but shouldn't be public for non-commercial customers)

- Redirect to the Manual (documented, well-known, planning and other aspects required)

 

Now that this is all on the permanent internet record, here's my take on anybody tampering with the DirectAudit service:

 

If I were designing a DirectAudit infrastructure, any invocation of service control or dacontrol, or even uninstallation of DirectAudit, should trigger an immediate investigation.  I'd have that tied to my SIEM tool and mark this with the highest alarms.  I'm actually a bit more paranoid: any invocation of "dzdo su -" should be an auditable event.

 

Why:

DA should only be in sensitive systems.  Anybody manipulating DA outside a change control window should really answer some questions.

 

I hope this helps.

 

R.P

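The "any tampering with DirectAudit should alarm" rule from the post above, as an added example that is not part of the original post and not Centrify's own code: a small detector run over a constructed auth-log excerpt. It assumes dzdo logs each elevated command in the sudo-style "USER=... ; COMMAND=..." form shown in the sample (adjust the patterns if your log format differs), and it goes a little beyond the post by also catching package removal via dpkg/rpm/apt/yum/zypper and the Centrify install.sh.

```shell
#!/bin/sh
# Added example (not Centrify's code): the "tamper with DirectAudit ->
# alarm" rule from the post, run over a syslog-style auth log. dzdo is
# assumed to log each command in the sudo-style "USER=... ; COMMAND=..."
# form shown in the constructed sample below; adjust the patterns if your
# log format differs.

# Constructed sample log, not captured from a real host.
make_sample_authlog() {
    cat > "$1" <<'EOF'
Mar  3 09:12:01 db01 dzdo: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/ls /var/log
Mar  3 09:14:22 db01 dzdo: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/sbin/dacontrol -d
Mar  3 09:15:40 db01 dzdo: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/systemctl stop centrifyda
Mar  3 09:16:05 db01 dzdo: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/dpkg -r centrifyda
Mar  3 09:20:11 db01 dzdo: asmith : TTY=pts/1 ; PWD=/home/asmith ; USER=root ; COMMAND=/bin/su -
Mar  3 09:21:30 db01 dzdo: asmith : TTY=pts/1 ; PWD=/home/asmith ; USER=root ; COMMAND=/bin/cat /etc/nsswitch.conf
Mar  3 09:25:02 db01 dzdo: asmith : TTY=pts/1 ; PWD=/home/asmith ; USER=root ; COMMAND=/bin/systemctl restart sshd
EOF
}

# Anything that changes DirectAudit's state: dacontrol itself, the Centrify
# install.sh, service control of centrifyda, or package removal of it.
DA_TAMPER_RE='COMMAND=([^ ]*/)?(dacontrol|install\.sh)( |$)|COMMAND=.*(service|systemctl|initctl|/etc/init\.d/).*centrifyda|COMMAND=.*(dpkg -r|dpkg --remove|dpkg -P|rpm -e|apt-get remove|apt remove|yum remove|zypper remove).*centrifyda'

# A full root shell via "dzdo su -": every later command escapes per-command logging.
ROOT_SHELL_RE='COMMAND=([^ ]*/)?su( |$)'

# Print one tagged line per suspicious event; always exits 0 so it can be piped.
da_alerts() {
    while IFS= read -r line; do
        case "$line" in *COMMAND=*) ;; *) continue ;; esac
        if printf '%s\n' "$line" | grep -Eiq "$DA_TAMPER_RE"; then
            printf 'CRITICAL da-tamper %s\n' "$line"
        elif printf '%s\n' "$line" | grep -Eq "$ROOT_SHELL_RE"; then
            printf 'HIGH root-shell %s\n' "$line"
        fi
    done < "$1"
    return 0
}

# Demo: write the sample, run the detector, clean up.
demo() { f=$(mktemp); make_sample_authlog "$f"; da_alerts "$f"; rm -f "$f"; }
demo
```

On the sample this flags the dacontrol, systemctl stop and dpkg -r lines as CRITICAL and the "su -" line as HIGH, and ignores the ls, cat and sshd restart. In a real deployment the same patterns belong in the SIEM rule that receives the host's auth log; pairing them with a file-watch rule on the dacontrol binary and the DA package files (the path, e.g. /usr/sbin/dacontrol, is an assumption to confirm on your build) catches invocations that bypass dzdo altogether.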
Contributor I
Posts: 30
Registered: ‎08-04-2014
#9 of 15 10,607

Re: Disable directaudit

OK - disabling this worked for me - however, is there a way to "globally" disable this like via GPO?

 

--------------------------

To do this run the following command as root: dacontrol -d

Centrify Guru I
Posts: 2,430
Registered: ‎07-26-2012
#10 of 15 10,592

Re: Disable directaudit

Yes John,

 

DA Admin guide:

https://www.centrify.com/downloads/products/documentation/suite2015/centrify-audit-adminguide.pdf

Or in the /docs folder of the Centrify bits.

 

Chapter 4 - Managing and Installation, Pg. 52 "Securing an Installation"

 

R.P
