NetApp CIFS Auditing: Applying SACLs via CLI

There are a number of different reasons why someone would want to enable auditing on file shares. “Legal” anything is probably the biggest reason; you’ll be able to tell who did what to which file and when. However, let’s say you just want to know who deleted a file or folder. Here’s a quick explanation of how that might look.

Part 1: Enable auditing on NetApp ONTAP.

1: Create the audit volume:

CLUSTER::> vol create -vserver CIFS -volume AUDITLOG -aggregate n1_aggr_SATA1 -size 10G -state online -policy default -junction-path /AUDITLOG -security-style ntfs -type RW -snapshot-policy none

You might also want to create a hidden “admin only” share for the audit volume,  so that you are able to access the logs.

2: Create the audit policy on the SVM.  

CLUSTER::> vserver audit create -vserver CIFS -destination /AUDITLOG -events file-ops,cifs-logon-logoff -format xml -rotate-size 100MB -rotate-limit 4

The -rotate-size and -rotate-limit can require some adjusting depending on how active your CIFS shares are and how far you want to go back.  Also, if you are using an external collector, you can leave rotate size at 100MB and -rotate-limit at 0.

Note:  You can also use the “evtx” file format,  however there currently is an unpatched bug where it doesn’t format the EVTX file correctly –

3: Enable auditing on the SVM.

CLUSTER:>>vserver audit enable -vserver CIFS

At this point you should see auditing enabled on the SVM.  

CLUSTER::> vserver audit show
Vserver     State Event Types        Log Format Target Directory
----------- ------ ------------------ ---------- ----------------------------
CIFS   true file-ops,  xml /AUDITLOG cifs-logon-logoff, audit-policy- change

Part 2:  The SACLs

Now we need to add the SACLs, and there are two ways to do this.  The first and most common method is via the Windows GUI by going to:

Properties -> Security -> Advanced -> Auditing.  

The second method is via the ONTAP CLI.  There are a few advantages by doing it in this method. Most notably, it’s quicker to apply through the file structure, and you don’t have to deal with the Windows GUI.   

1: Adding which SACLs you want to audit

Here are two examples of what you can audit. “-Rights full-control”  will audit everything, including the advanced rights.

CLUSTER::>vserver security file-directory ntfs sacl add -vserver CIFS -ntfs-sd audit_full -access-type success -account Everyone -rights full-control -apply-to this-folder,sub-folders,files

Using “full-control”  would make a very active and large audit log.  However, let’s say you just want to know when a user deletes something. You can just specify “delete” under the -advanced-rights flag like this:  

CLUSTER::>vserver security file-directory ntfs sacl add -vserver CIFS -ntfs-sd audit_delete -access-type success -account Everyone -advanced-rights delete -apply-to this-folder,sub-folders,files

To verify the SACL rule has been created correctly, run the show command.  This rule will enable auditing for everyone in the domain, when they successfully delete a folder, subfolder or files.

CLUSTER::>vserver security file-directory ntfs sacl show
Vserver: CIFS
NTFS Security Descriptor Name: audit_delete
Account Name     Access Access         Apply To     Type Rights
--------------   ------- -------           -----------
Everyone         success delete          this-folder, sub-folders, files

2: Creating the security policy  

CLUSTER::>vserver security file-directory policy create -vserver CIFS -policy-name audit_delete     

3: Adding the security policy to a task   

CLUSTER::>vserver security file-directory policy task add -vserver CIFS -policy-name audit_delete -path /testvol -security-type ntfs -ntfs-mode propagate -ntfs-sd audit_delete

4: Applying the security policy

CLUSTER::>vserver security file-directory apply -vserver CIFS -policy-name audit_delete 

[Job 978] Job is queued: Fsecurity Apply. Use the "job show -id 978" command to view the status of this operation.

At this point, it might take some time to apply the SACLs to every object in the volume.   You can monitor the progress using the “job show” command and the correct job ID.

For further information, or more detailed options, please reference the vserver file-directory command set in the ONTAP documentation.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s