NetApp CIFS Auditing: Applying SACLs via CLI

There are a number of different reasons why someone would want to enable auditing on file shares. “Legal” anything is probably the biggest reason; you’ll be able to tell who did what to which file and when. However, let’s say you just want to know who deleted a file or folder. Here’s a quick explanation of how that might look.

Part 1: Enable auditing on NetApp ONTAP.

1: Create the audit volume:

CLUSTER::> vol create -vserver CIFS -volume AUDITLOG -aggregate n1_aggr_SATA1 -size 10G -state online -policy default -junction-path /AUDITLOG -security-style ntfs -type RW -snapshot-policy none

You might also want to create a hidden “admin only” share for the audit volume,  so that you are able to access the logs.

2: Create the audit policy on the SVM.  

CLUSTER::> vserver audit create -vserver CIFS -destination /AUDITLOG -events file-ops,cifs-logon-logoff -format xml -rotate-size 100MB -rotate-limit 4

The -rotate-size and -rotate-limit can require some adjusting depending on how active your CIFS shares are and how far you want to go back.  Also, if you are using an external collector, you can leave rotate size at 100MB and -rotate-limit at 0.

Note:  You can also use the “evtx” file format,  however there currently is an unpatched bug where it doesn’t format the EVTX file correctly –

3: Enable auditing on the SVM.

CLUSTER:>>vserver audit enable -vserver CIFS

At this point you should see auditing enabled on the SVM.  

CLUSTER::> vserver audit show
Vserver     State Event Types        Log Format Target Directory
----------- ------ ------------------ ---------- ----------------------------
CIFS   true file-ops,  xml /AUDITLOG cifs-logon-logoff, audit-policy- change

Part 2:  The SACLs

Now we need to add the SACLs, and there are two ways to do this.  The first and most common method is via the Windows GUI by going to:

Properties -> Security -> Advanced -> Auditing.  

The second method is via the ONTAP CLI.  There are a few advantages by doing it in this method. Most notably, it’s quicker to apply through the file structure, and you don’t have to deal with the Windows GUI.   

1: Adding which SACLs you want to audit

Here are two examples of what you can audit. “-Rights full-control”  will audit everything, including the advanced rights.

CLUSTER::>vserver security file-directory ntfs sacl add -vserver CIFS -ntfs-sd audit_full -access-type success -account Everyone -rights full-control -apply-to this-folder,sub-folders,files

Using “full-control”  would make a very active and large audit log.  However, let’s say you just want to know when a user deletes something. You can just specify “delete” under the -advanced-rights flag like this:  

CLUSTER::>vserver security file-directory ntfs sacl add -vserver CIFS -ntfs-sd audit_delete -access-type success -account Everyone -advanced-rights delete -apply-to this-folder,sub-folders,files

To verify the SACL rule has been created correctly, run the show command.  This rule will enable auditing for everyone in the domain, when they successfully delete a folder, subfolder or files.

CLUSTER::>vserver security file-directory ntfs sacl show
Vserver: CIFS
NTFS Security Descriptor Name: audit_delete
Account Name     Access Access         Apply To     Type Rights
--------------   ------- -------           -----------
Everyone         success delete          this-folder, sub-folders, files

2: Creating the security policy  

CLUSTER::>vserver security file-directory policy create -vserver CIFS -policy-name audit_delete     

3: Adding the security policy to a task   

CLUSTER::>vserver security file-directory policy task add -vserver CIFS -policy-name audit_delete -path /testvol -security-type ntfs -ntfs-mode propagate -ntfs-sd audit_delete

4: Applying the security policy

CLUSTER::>vserver security file-directory apply -vserver CIFS -policy-name audit_delete 

[Job 978] Job is queued: Fsecurity Apply. Use the "job show -id 978" command to view the status of this operation.

At this point, it might take some time to apply the SACLs to every object in the volume.   You can monitor the progress using the “job show” command and the correct job ID.

For further information, or more detailed options, please reference the vserver file-directory command set in the ONTAP documentation.


What’s it like to write a tech cert test; contributing to the NetApp NCDA.

My wife dropped me off at O’hare for my flight to Raleigh-Durham. Upon arrival to the hotel, I met a couple of members of the NetApp United crew at the bar. (This will become the theme for the week,  as well as keeping tidy.*)

*We would later learn, that tidy is Welsh slang for a few things depending on context.      

Donny, me and Alun at the hotel bar.

It’s all about Psychometrics:  “the science of measuring mental capacities and processes.”

On the first day, we learned the details of how to write a test and what makes a good question versus a bad question.  So what actually goes in to writing a technology based certification test? Short answer; a lot. The long answer, a question is made up of the “stem” (aka the question),  the answer(s), and the distractors. All parts need to be well thought out, including the distractors. For this we were not allowed to create faux distractors either. Everything has to be a valid answer in the realm of NetApp. And adding even more difficulty, the questions need to be written geared towards a Minimally Acceptable Candidate (MAC). The MAC for the NCDA is considered someone with 6-12 months of ONTAP administrator experience that requires some supervision.  

The NCDA NS0-160 Team

The NCDA NS0-160 Team

Before we could write any new questions,  we needed to review the test blueprint. The blueprint is an outline of various parts of the certification test.  In this case, it was which parts of NetApp ONTAP did we want to include when testing the MAC. Some examples were things like general ONTAP and FAS design and functionality to basic SnapMirror functions and even some higher level functions like Metrocluster.   

Once the blueprint and the number of questions was confirmed, it was time to start writing questions. I learned that writing questions specifically, writing good questions, is actually a lot harder than I originally thought.  Oddly enough, the hardest part was coming up with the distractors, .e.g. the wrong answers. You don’t want to make it too obvious or easy,  and generally speaking even the distractors should be valid. For example, if your answers are a series of commands, each command needs to be valid inside of ONTAP, or any technology that’s referenced needs to be valid tech that existed, or once existed inside of the NetApp universe.  

Once all of the questions are written, then the real “fun” begins. It’s times like these that I think back to one of my very favorite quotes I learned back in my Rock Climbing and Alpine days.  

“It doesn’t have to be fun for you to be having fun.”

Each question needed to be tech-reviewed by all us SME’s in the room, as well as noted with valid references to NetApp documentation. After each question passed the first round of tech review, there’s a second pass of all the questions that needed to be re-reviewed and edited. The second time through went by quicker than the first for sure, due to the reduced number of questions. Once all the questions were finalized,  we reviewed and weighted the questions.


From the NetApp Cafe

Switching to the subject of food for a minute (because it is never far from my mind), I was super impressed with the NetApp RTC Cafe.   Each day there was always something delicious (and healthy) to be had at the various stations.

Each evening required some good R&R.  Good food, drink, and company were a welcome respite from the brain drain.   I am happy to report, I finally found a BBQ joint (Backyard BBQ Pit) I truly enjoyed in the Raleigh-Durham area.   More importantly, lots of locally brewed beer was ONTAP at most of the local establishments we visited.


BBQ Plate

On Friday, it was (sadly) time to head home.   What a good week of making new friends from around the world, learning, and having fun while working!  

Flying home

Flying home.