Set up CIFS auditing with clustered Data ONTAP

Starting from clustered Data ONTAP 8.2, native auditing is implemented and it provides a file auditing framework that supports both CIFS and NFS protocols.

The following is an example showing how to implement CIFS auditing with clustered Data ONTAP. For setting up CIFS auditing in Data ONTAP 7-Mode, see article 1011243: How to set up CIFS auditing on a Data ONTAP 7-Mode controller.

Cluster Vserver: cm3220a-cn
Data Vserver: vs_cifs
vol1 is mounted as /vol1
audit is a folder in /vol1

Perform the following steps:

  1. Create an Audit Policy:
     The first step in enabling auditing on a Vserver is to create an audit policy. The Vserver name, the destination path for saving logs, and the log rotation parameters are required inputs. The destination directory for the audit logs must exist before the policy is created.
     An Audit Policy can be based either on log size or on time. The example below uses a policy based on log size:
     cm3220a-cn::> vserver audit create -vserver vs_cifs -destination /vol1/audit -rotate-size 100M -rotate-limit 10
     • The value of -destination must be a UNIX path: the junction path (name space) followed by the directory created, for example /junction/directory.
       • It is good practice to restrict access to the logs directory to an administrators group.
       • In an NTFS environment, enabling Access Based Enumeration on the directory is an added security measure.
     • When a log file reaches the specified rotate-size of 100M, log rotation is triggered. The minimum value for rotate-size is 100M. With -rotate-limit 10, this policy keeps up to 10 audit logs. Specify -rotate-schedule-* instead to create an Audit Policy based on time.
     Note: Only one active policy can be created per Vserver. To change the current settings, run ‘vserver audit modify‘, or run ‘vserver audit delete‘ followed by ‘vserver audit create‘. A second create attempt fails as follows:
     cm3220a-cn::> vserver audit create -vserver vs_cifs -destination /vol1/audits -rotate-size 100M -rotate-limit 10
     Error: command failed: An audit configuration already exists for Vserver 'vs_cifs'. Use the 'vserver audit modify' command to modify the configuration.
  2. Enable the Audit Policy on the Vserver:
     cm3220a-cn::> vserver audit enable -vserver vs_cifs
     cm3220a-cn::> vserver audit show
     Vserver     State  Log Format Target Directory
     ----------- ------ ---------- -----------------------------------
     vs_cifs     true   evtx       /vol1/audit

     • ‘vserver audit show -instance‘ provides more details about the Audit Policy.
     • ‘vserver audit disable‘ disables the Audit Policy.
  3. Specify Auditable File Access Events (SACLs).
     There are two ways to set SACLs to audit access events on individual files and directories:

     1. Using the Windows Explorer GUI:
        1. Select the file or directory for which you want to enable access auditing.
        2. Right-click the file or directory and select Properties.
        3. Select the Security tab and click Advanced.
        4. Select the Auditing tab and add, edit, or remove the auditing options you require.
     2. Run the file-directory command. For details, see the File Access Management guide for the corresponding Data ONTAP version.

Note: Run the ‘vserver audit rotate-log‘ command to manually rotate the audit logs.

Common issues:

1. Failure to create staging volumes
   ‘vserver audit create‘ will either:
   • Create new staging volumes if a staging volume does not already exist in the data aggregate.
   • Share an existing staging volume in the data aggregate without compromising multi-tenancy. A staging volume might therefore be shared by multiple Vservers.
   By default, the staging volume consumes 2GB of space. If any aggregate is offline or has less than 2GB of free space, the ‘vserver audit create‘ command fails. For example:

   cm3220a-cn::> vserver audit create -vserver vs_cifs -destination /vol1/audit -rotate-size 100M -rotate-limit 10

   Error: command failed: Failed to create audit configuration for Vserver "vs_cifs". Reason: One or more aggregates do not have staging volumes. Make sure all aggregates are online and have at least 2GB of available space, then try again

   This has to be resolved before an Audit Policy can be created successfully.
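As an added pre-flight check (not NetApp code, and not part of the original article), the following Python models the constraints this article states for ‘vserver audit create‘ in step 1 and in the staging-volume issue above: a UNIX junction path for -destination, a rotate-size of at least 100M, one configuration per Vserver, and 2GB free on every online aggregate. The cluster state and function names are constructed for the example.

```python
import re

MIN_ROTATE_BYTES = 100 * 1024 ** 2      # rotate-size minimum (100M) stated in the article
STAGING_BYTES = 2 * 1024 ** 3           # each aggregate needs 2GB free for its staging volume
_UNITS = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}


def parse_size(text):
    """Parse ONTAP-style sizes such as '100M', '3gb' or '2GB' into bytes."""
    m = re.fullmatch(r"(\d+)\s*([kmgt])b?", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2).upper()]


def check_audit_create(vserver, destination, rotate_size, rotate_limit,
                       existing_policies, aggregates):
    """Return the problems that would make 'vserver audit create' fail or leave a
    weak configuration; an empty list means the request looks sane.
    existing_policies: set of Vservers that already have an audit configuration.
    aggregates: list of dicts {name, online, free_bytes} (constructed input)."""
    problems = []
    # -destination must be a UNIX path (/junction/directory), never a UNC or drive path
    if not re.fullmatch(r"/[^\\:/]+(/[^\\:/]+)*", destination):
        problems.append(f"destination {destination!r} is not a UNIX junction path")
    if parse_size(rotate_size) < MIN_ROTATE_BYTES:
        problems.append(f"rotate-size {rotate_size} is below the 100M minimum")
    if rotate_limit < 1:
        problems.append("rotate-limit must keep at least one log")
    # Only one audit configuration per Vserver: 'vserver audit modify' is the right tool
    if vserver in existing_policies:
        problems.append(f"Vserver {vserver!r} already has an audit configuration; "
                        "use 'vserver audit modify'")
    # Every aggregate must be online with 2GB free, or the staging volume cannot be created
    for agg in aggregates:
        if not agg["online"]:
            problems.append(f"aggregate {agg['name']} is offline")
        elif agg["free_bytes"] < STAGING_BYTES:
            problems.append(f"aggregate {agg['name']} has less than 2GB free for a staging volume")
    return problems


if __name__ == "__main__":
    # Constructed sample cluster state, not taken from a real system
    aggrs = [{"name": "aggr0_n1", "online": True, "free_bytes": 10 * 1024 ** 3},
             {"name": "aggr1_n2", "online": False, "free_bytes": 50 * 1024 ** 3},
             {"name": "aggr2_n2", "online": True, "free_bytes": 1 * 1024 ** 3}]
    for p in check_audit_create("vs_cifs", "/vol1/audit", "100M", 10, set(), aggrs):
        print("problem:", p)
```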


2. How to expand staging volumes
Staging volumes can only be expanded by running the ‘vol size‘ command in diag mode. Consult NetApp Support before resizing staging volumes. The following is an example of running the ‘vol size‘ command on a staging volume in admin mode, which fails:

cm3220a-cn::> vol size -vserver cm3220a-cn -volume MDV_aud_1690c1e4dcf34918aba47b69b649a885 -new-size 3gb

(volume size)
Error: command failed: This operation is not supported for the system volume 'MDV_aud_1690c1e4dcf34918aba47b69b649a885'.

The following is a successful example at the elevated privilege level (shown by the ::*> prompt):

cm3220a-cn::*> vol size -vserver cm3220a-cn -volume MDV_aud_1690c1e4dcf34918aba47b69b649a885 -new-size 3gb

(volume size)

Warning: You are about to modify the system volume 'MDV_aud_1690c1e4dcf34918aba47b69b649a885'.  This might cause severe performance or stability issues. Do not proceed unless directed to perform so by support.  Do you want to proceed? {y|n}: y
vol size: Volume 'cm3220a-cn:MDV_aud_1690c1e4dcf34918aba47b69b649a885' size set to 3g


