ONTAP Native NAS Auditing (SMB and NFS)

NetApp has a native NAS auditing method, but it requires some client setup for audit SACLs after enabling (alternatively use the file-directory command). Below is an example from my VSIM lab enabling NAS auditing on the SVMs “source_ntfs” for CIFS and “source_unix” for NFS. After enabling, for CIFS we use the Windows Security property sheet to set the ACEs, and for NFS, we use the nfs4_setfacl command.

There are really good third party tools that leverage Fpolicy for more advanced auditing and ransomware protection, but the goal of this lab is to show the native, free capabilities of ONTAP.

The example below switches between an ONTAP VSIM Cluster named “cmode-prod”, a Windows Server and a Linux Server.

1.1      SVM NAS Auditing (ONTAP Enable)

  • Track and log both NFS and CIFS file and folder access events.
  • 7-Mode required CIFS for auditing, but cDOT supports NFS and CIFS independently.
  • Choose log type XML or EVTX
    • XML viewer to view logs for XML format 
    • Windows Event Viewer for EVTX format
  • Access the logs over NFS or CIFS from the destination volume. Logs are not integrated with syslog.
  • A storage administrator can create an audit configuration for a Storage Virtual Machine (SVM) by using the vserver audit create command.
  • After you enable auditing, you must create SACLs (audit ACEs in the folder ACLs) from the client.
    • NTFS SACLs can be created with Windows Security (folder security properties) or the ONTAP “file-directory” command
    • NFSv4 SACLs can be created with nfs4_setfacl from the NFS client
      • An AUDIT ACE is set on the file or directory. Once the ACE is set in the NFSv4 ACL, access over both NFSv3 and NFSv4.x is audited
  • NFS file and directory access events that can be audited
    • ONTAP can audit certain NFS file and directory access events. Knowing which access events can be audited helps when interpreting the converted audit event logs. To reliably audit NFS RENAME events, set audit ACEs on directories instead of files, because file permissions are not checked for a RENAME operation if the directory permissions are sufficient. You can audit the following NFS file and directory access events (from the NetApp docs):
      • READ
      • OPEN
      • CLOSE
      • READDIR
      • WRITE
      • SETATTR
      • CREATE
      • LINK
      • OPENATTR
      • REMOVE
      • GETATTR
      • VERIFY
      • NVERIFY
      • RENAME

  • SMB file and directory access events that can be audited (from the NetApp docs)
| Event ID (EVT/EVTX) | Event | Description | Category |
|---|---|---|---|
| 4670 | Object permissions were changed | OBJECT ACCESS: Permissions changed. | File Access |
| 4907 | Object auditing settings were changed | OBJECT ACCESS: Audit settings changed. | File Access |
| 4913 | Object Central Access Policy was changed | OBJECT ACCESS: CAP changed. | File Access |
| 540/4624 | An account was successfully logged on | LOGON/LOGOFF: Network (CIFS) logon. | Logon and Logoff |
| 529/4625 | An account failed to log on | LOGON/LOGOFF: Unknown user name or bad password. | Logon and Logoff |
| 530/4625 | An account failed to log on | LOGON/LOGOFF: Account logon time restriction. | Logon and Logoff |
| 531/4625 | An account failed to log on | LOGON/LOGOFF: Account currently disabled. | Logon and Logoff |
| 532/4625 | An account failed to log on | LOGON/LOGOFF: User account has expired. | Logon and Logoff |
| 533/4625 | An account failed to log on | LOGON/LOGOFF: User cannot log on to this computer. | Logon and Logoff |
| 534/4625 | An account failed to log on | LOGON/LOGOFF: User not granted logon type here. | Logon and Logoff |
| 535/4625 | An account failed to log on | LOGON/LOGOFF: User’s password has expired. | Logon and Logoff |
| 537/4625 | An account failed to log on | LOGON/LOGOFF: Logon failed for reasons other than above. | Logon and Logoff |
| 539/4625 | An account failed to log on | LOGON/LOGOFF: Account locked out. | Logon and Logoff |
| 538/4634 | An account was logged off | LOGON/LOGOFF: Local or network user logoff. | Logon and Logoff |
| 560/4656 | Open Object/Create Object | OBJECT ACCESS: Object (file or directory) open. | File Access |
| 563/4659 | Open Object with the Intent to Delete | OBJECT ACCESS: A handle to an object (file or directory) was requested with the Intent to Delete. | File Access |
| 564/4660 | Delete Object | OBJECT ACCESS: Delete Object (file or directory). ONTAP generates this event when a Windows client attempts to delete the object (file or directory). | File Access |
| 567/4663 | Read Object/Write Object/Get Object Attributes/Set Object Attributes | OBJECT ACCESS: Object access attempt (read, write, get attribute, set attribute). Note: For this event, ONTAP audits only the first SMB read and first SMB write operation (success or failure) on an object. This prevents ONTAP from creating excessive log entries when a single client opens an object and performs many successive read or write operations to the same object. | File Access |
| NA/4664 | Hard link | OBJECT ACCESS: An attempt was made to create a hard link. | File Access |
| NA/4818 | Proposed central access policy does not grant the same access permissions as the current central access policy | OBJECT ACCESS: Central Access Policy Staging. | File Access |
| NA/NA (Data ONTAP Event ID 9999) | Rename Object | OBJECT ACCESS: Object renamed. This is an ONTAP event. It is not currently supported by Windows as a single event. | File Access |
| NA/NA (Data ONTAP Event ID 9998) | Unlink Object | OBJECT ACCESS: Object unlinked. This is an ONTAP event. It is not currently supported by Windows as a single event. | File Access |

Create the Audit for both NTFS and UNIX SVMs

vserver audit create -vserver source_ntfs -destination /audit_log -rotate-size 100MB -rotate-limit 5 -format evtx

vserver audit create -vserver source_unix -destination /audit_log -rotate-size 100MB -rotate-limit 5 -format evtx

vserver audit show

Enable the audit (reminder: you must still create the SACLs, i.e. the audit ACEs on the ACLs, from the host side as shown in the next sections)

vserver audit enable -vserver source_ntfs

vserver audit show -instance -vserver source_ntfs

vserver audit enable -vserver source_unix

vserver audit show -instance -vserver source_unix

Create NTFS Shares for log access

cifs share create -vserver source_ntfs -share-name audit_log -path /audit_log -share-properties oplocks,browsable,changenotify,showsnapshot,show-previous-versions -symlink-properties symlinks -offline-files manual -vscan-fileop-profile standard -max-connections-per-share 4294967295 -force-group-for-create ""

cifs share create -vserver source_unix -share-name audit_log -path /audit_log -share-properties oplocks,browsable,changenotify,showsnapshot,show-previous-versions -symlink-properties symlinks -offline-files manual -vscan-fileop-profile standard -max-connections-per-share 4294967295 -force-group-for-create ""

1.2      SVM SMB Auditing (Windows Enable – Security Tab)

  • This must be done in addition to enabling in ONTAP in the prior section
  • Alternatively, use “vserver security file-directory” commands to create the SACL
    • The Windows Security tab is my preferred way of setting the SACLs: it replaces several “file-directory” commands (one per success/failure permission iteration) with check boxes in the Windows property sheet
  • NTFS auditing for the “apps” volume (run per CIFS share or subdirectory)

Windows Server: apply SACLs (System Access Control Lists)

\\sourcentfs

Right click the “apps” folder share –> “Properties” –> click the “Security” Tab

Click the “Advanced” button –> click the “Auditing” Tab

Click “Add”

Click “Select a principal”

  • In the “Enter the object name to select” box, type “Domain Users” and click the “Check Names” button
  • After “Domain Users” resolves (it is shown underlined), click “OK”
  • Change “Type:” to “All” as seen below
  • Leave the “Applies to:” default, “This folder, subfolders and files”, as seen below
  • Check all “Basic permissions” as seen below
  • Click the “OK” button
  • Leave the “Replace all child object auditing entries…” check box unchecked (default); you may want to use it in your production environment if you push the audit from the top level
  • Click the “OK” button
  • Click “Continue” on the errors where the policy cannot be applied to ~snapshot directories (these are read-only ONTAP Snapshot copies)
  • Click the “OK” button

cmode-prod

View the SACL – ACE you created above

vserver security file-directory show -vserver source_ntfs -path /apps

                Vserver: source_ntfs
              File Path: /apps
      File Inode Number: 64
         Security Style: ntfs
        Effective Style: ntfs
         DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 0
         UNIX Mode Bits: 777
 UNIX Mode Bits in Text: rwxrwxrwx
                   ACLs: NTFS Security Descriptor
                         Control:0xaa14
                         Owner:BUILTIN\Administrators
                         Group:BUILTIN\Administrators
                         SACL - ACEs
                           AUDIT-LAB2\Domain Users-0xf01ff-OI|CI|SA|FA
                         DACL - ACEs
                           ALLOW-Everyone-0x1f01ff
                           ALLOW-Everyone-0x10000000-OI|CI|IO

1.3      SVM SMB View Audit Events

Windows Server (file activity to audit)

\\sourcentfs\apps 

Create file events

  • Open a file
  • Edit a file
  • Delete a file
  • Create a file

cmode-prod

Rotate the logs for visibility

vserver audit rotate-log -vserver source_ntfs

Windows Server (view the logs)

Open Windows Event Viewer in the Task Bar

  • In the Windows folder window, enter \\sourcentfs\audit_log
  • Double-click the latest “D” file created by the log rotation; in my example it is “audit_source_ntfs_D2020-06-03-T01-06-52_0000000000.evtx”
  • View the events

1.4      SVM NFS Auditing (Linux Enable – nfs4_setfacl command)

  • This must be done in addition to enabling in ONTAP in the prior section
  • NFS Auditing for the “apps” volume (run per export or subdirectory)

Linux Client

cd /root/mount

nfs4_getfacl unix_apps/
# file: unix_apps/
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy

Add an audit ACE (type U) for EVERYONE@ on unix_apps with the inheritance flags f, d and i, logging both success and failure (S, F) for all read/write/access rights:

nfs4_setfacl -a U:fdiSF:EVERYONE@:rwaDxtTnNcCy unix_apps

nfs4_getfacl unix_apps/
# file: unix_apps/
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy
U:fdiSF:EVERYONE@:rwaDxtTnNcCy

cmode-prod

View the SACL – ACE you created above

vserver security file-directory show -vserver source_unix -path /apps

                Vserver: source_unix
              File Path: /apps
      File Inode Number: 64
         Security Style: unix
        Effective Style: unix
         DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 0
         UNIX Mode Bits: 755
 UNIX Mode Bits in Text: rwxr-xr-x
                   ACLs: NFSV4 Security Descriptor
                         Control:0x8014
                         SACL - ACEs
                           AUDIT-EVERYONE@-0x1601ff-FI|DI|IO|SA|FA
                         DACL - ACEs
                           ALLOW-OWNER@-0x1601ff
                           ALLOW-GROUP@-0x1200a9-IG
                           ALLOW-EVERYONE@-0x1200a9
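The hex masks in the two file-directory show outputs above (source_ntfs and source_unix) are Windows access masks; the helper below is an added example, not code from the original post or from ONTAP, that parses each TYPE-trustee-mask-flags ACE line, expands the mask into right names and the equivalent nfs4_setfacl letters, and flags an audit ACE that lacks SA/FA or inheritance. The mask-to-letter mapping follows the nfs4_acl man page and the flag abbreviations are as ONTAP prints them (OI/CI/IO for NTFS, FI/DI/IG for NFSv4).

```python
import re
from dataclasses import dataclass

# Access-mask bits with the nfs4_setfacl letter for each, in nfs4_getfacl's
# printing order "rwadDxtTnNcCoy" (GENERIC_ALL has no letter).
MASK_BITS = [
    (0x1, "READ_DATA", "r"), (0x2, "WRITE_DATA", "w"), (0x4, "APPEND_DATA", "a"),
    (0x10000, "DELETE", "d"), (0x40, "DELETE_CHILD", "D"), (0x20, "EXECUTE", "x"),
    (0x80, "READ_ATTRIBUTES", "t"), (0x100, "WRITE_ATTRIBUTES", "T"),
    (0x8, "READ_EA", "n"), (0x10, "WRITE_EA", "N"), (0x20000, "READ_CONTROL", "c"),
    (0x40000, "WRITE_DAC", "C"), (0x80000, "WRITE_OWNER", "o"),
    (0x100000, "SYNCHRONIZE", "y"), (0x10000000, "GENERIC_ALL", None),
]
# One ACE line under "SACL - ACEs" / "DACL - ACEs": TYPE-trustee-0xMASK[-FLAG|FLAG...]
ACE_RE = re.compile(r"^(ALLOW|DENY|AUDIT)-(.+)-(0x[0-9a-fA-F]+)(?:-([A-Z|]+))?$")

@dataclass(frozen=True)
class Ace:
    kind: str         # ALLOW / DENY / AUDIT
    trustee: str      # "Everyone", "EVERYONE@", "GROUP@", ...
    mask: int
    flags: frozenset  # OI CI IO (NTFS), FI DI IG (NFSv4), SA FA (audit ACEs)

    def rights(self):
        return [name for bit, name, _ in MASK_BITS if self.mask & bit]

    def nfs4_letters(self):
        return "".join(ch for bit, _, ch in MASK_BITS if ch and self.mask & bit)

def parse_aces(show_output):
    """Return the ACEs found in 'vserver security file-directory show' output."""
    aces = []
    for line in show_output.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            kind, trustee, mask, flags = m.groups()
            flagset = frozenset(filter(None, (flags or "").split("|")))
            aces.append(Ace(kind, trustee, int(mask, 16), flagset))
    return aces

def audit_gaps(ace):
    """Reasons an audit ACE would log less than the administrator probably expects."""
    if ace.kind != "AUDIT":
        return ["not an audit ACE"]
    checks = [
        ("SA" not in ace.flags, "no SA: successful access is not audited"),
        ("FA" not in ace.flags, "no FA: failed access is not audited"),
        (not ace.flags & {"OI", "CI", "FI", "DI"}, "no inheritance: children are not audited"),
        ("IO" in ace.flags, "IO: inherit-only, the directory itself is not audited"),
    ]
    return [msg for bad, msg in checks if bad]
```

Paste the ACL section of a show output into parse_aces and run audit_gaps on each AUDIT entry; the source_unix ACE above decodes to the letters rwaDxtTnNcCy that were passed to nfs4_setfacl.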

1.5      SVM NFS View Audit Events (from Windows because we used evtx)

Linux Client

cd /root/mount/unix_apps/

Create file events

  • Open a file (cat or vi)
  • Edit a file (echo or vi)
  • Delete a file (rm)
  • Create a file (touch)

cmode-prod

Rotate the logs for visibility

vserver audit rotate-log -vserver source_unix

Windows Server (view the logs on Windows since we are using evtx format)

Open Windows Event Viewer in the Task Bar

  • In the Windows folder window, enter \\sourceunix\audit_log
  • Double-click the latest “D” file created by the log rotation; in my example it is “audit_source_unix_D2020-06-03-T02-51-25_0000000000.evtx”
  • View the events
