DirectAudit
Collect, Log, and Audit UNIX/Linux Session Data
DirectAudit is an agent-based platform that provides forensic monitoring, logging, and analysis capabilities for UNIX/Linux sessions. The platform consists of four components: DirectAudit Agent, DirectAudit Collector Service, DirectAudit Repository, and DirectAudit Console.
The DirectAudit Agent is deployed to the individual UNIX/Linux boxes to be monitored, and is available for multiple platforms including Red Hat, SUSE, AIX, Solaris, and HP-UX. The agent transparently gathers session data, including both typed-in commands and their responses, and sends it asynchronously via authenticated and encrypted channels to the Collector Service. The agents are able to work in offline mode: if the client machine is not currently attached to the network, the agent will gather the data locally and transmit it to the collectors the next time a network connection is established. Administrators can configure the auditing capabilities to gather all data, or focus on specific users or specific commands.
The DirectAudit Collector Service resides on a Windows machine. It receives the information from the DirectAudit Agents and stores it in the repository. Multiple Collector Services can be deployed, with load balancing and failover supported.
The DirectAudit Repository is based on Microsoft SQL Server. DirectAudit includes and automatically installs/configures SQL Server Express Edition for evaluation, which supports up to 4 GB of data.
Finally, the DirectAudit Console is where an administrator and/or forensic analyst is able to review the audit information stored in the repository. Within the GUI are pre-packaged views of both current and historical sessions, and custom views can also be designed to display the sessions of specific users, machines, time periods, etc. Other features include the ability to perform full-text searches across all sessions, list all commands entered in a session, and replay a session, including pause, rewind, and fast-forward options.
DirectAudit also requires the vendor's DirectControl product to be installed. The DirectAudit agent leverages the DirectControl agent with its Active Directory integration to positively identify the individual whose session is being recorded; i.e., even though the user may be logged in as root, DirectControl is able to identify the actual Active Directory individual who is performing the actions in question.
DirectAudit is currently in beta, with general availability targeted for May of 2007. Pricing is $750 per system and $2,500 per console.
Visit the Centrify Web site for further information.
product submission by EITPlanet Staff
