There are a number of different reasons why someone would want to enable auditing on file shares. “Legal” anything is probably the biggest reason; you’ll be able to tell who did what to which file and when. However, let’s say you just want to know who deleted a file or folder. Here’s a quick explanation of how that might look.
Part 1: Enable auditing on NetApp ONTAP.
1: Create the audit volume:
CLUSTER::> vol create -vserver CIFS -volume AUDITLOG -aggregate n1_aggr_SATA1 -size 10G -state online -policy default -junction-path /CIFSAUDIT -security-style ntfs -type RW -snapshot-policy none
You might also want to create a hidden “admin only” share for the audit volume, so that you are able to access the logs.
2: Create the audit policy on the SVM.
CLUSTER::> vserver audit create -vserver CIFS -destination /AUDITLOG -events file-ops,cifs-logon-logoff -format xml -rotate-size 100MB -rotate-limit 4
The -rotate-size and -rotate-limit can require some adjusting depending on how active your CIFS shares are and how far you want to go back. Also, if you are using an external collector, you can leave rotate size at 100MB and -rotate-limit at 0.
Note: You can also use the “evtx” file format, however there currently is an unpatched bug where it doesn’t format the EVTX file correctly – https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=906536
3: Enable auditing on the SVM.
CLUSTER:>>vserver audit enable -vserver CIFS
At this point you should see auditing enabled on the SVM.
CLUSTER::> vserver audit show Vserver State Event Types Log Format Target Directory ----------- ------ ------------------ ---------- ---------------------------- CIFS true file-ops, xml /AUDITLOG cifs-logon-logoff, audit-policy- change
Part 2: The SACLs
Now we need to add the SACLs, and there are two ways to do this. The first and most common method is via the Windows GUI by going to:
Properties -> Security -> Advanced -> Auditing.
The second method is via the ONTAP CLI. There are a few advantages by doing it in this method. Most notably, it’s quicker to apply through the file structure, and you don’t have to deal with the Windows GUI.
1: Adding which SACLs you want to audit
Here are two examples of what you can audit. “-Rights full-control” will audit everything, including the advanced rights.
CLUSTER::>vserver security file-directory ntfs sacl add -vserver CIFS -ntfs-sd audit_full -access-type success -account Everyone -rights full-control -apply-to this-folder,sub-folders,files
Using “full-control” would make a very active and large audit log. However, let’s say you just want to know when a user deletes something. You can just specify “delete” under the -advanced-rights flag like this:
CLUSTER::>vserver security file-directory ntfs sacl add -vserver CIFS -ntfs-sd audit_delete -access-type success -account Everyone -advanced-rights delete -apply-to this-folder,sub-folders,files
To verify the SACL rule has been created correctly, run the show command. This rule will enable auditing for everyone in the domain, when they successfully delete a folder, subfolder or files.
CLUSTER::>vserver security file-directory ntfs sacl show Vserver: CIFS NTFS Security Descriptor Name: audit_delete Account Name Access Access Apply To Type Rights -------------- ------- ------- ----------- Everyone success delete this-folder, sub-folders, files
2: Creating the security policy
CLUSTER::>vserver security file-directory policy create -vserver CIFS -policy-name audit_delete
3: Adding the security policy to a task
CLUSTER::>vserver security file-directory policy task add -vserver CIFS -policy-name audit_delete -path /testvol -security-type ntfs -ntfs-mode propagate -ntfs-sd audit_delete
4: Applying the security policy
CLUSTER::>vserver security file-directory apply -vserver CIFS -policy-name audit_delete [Job 978] Job is queued: Fsecurity Apply. Use the "job show -id 978" command to view the status of this operation.
At this point, it might take some time to apply the SACLs to every object in the volume. You can monitor the progress using the “job show” command and the correct job ID.
For further information, or more detailed options, please reference the vserver file-directory command set in the ONTAP documentation.