Note: This blog is the third in a 4 part series, followed by a webinar to review all the challenges with File System access auditing. Sign up now for the webinar “Challenges with Relying on Native File System Logging“. Register now.
In our last post, we walked through configuring file access auditing on a Windows File server and explored some of the common challenges with data interpretation. In this post, we will take a similar look at file access auditing on a NetApp CMode File Server.
While there is only one basic file access auditing approach offered natively by Windows, NetApp has two distinct approaches for file access auditing:
There are two basic FPolicy configurations:
While the external server configuration offers for more robust use cases, it requires working with third party solutions such as STEALTHbits File Activity Monitor, which can have several benefits including additional parsing of the data to reduce noise events, an easy to query interface to answer simple questions, and the ability to feed this data to alternate technologies such as SIEM for advanced correlation and safekeeping, or StealthDEFEND for advanced thread detection.
In order to get the full set of audit data while solely relying on native functionality, we will need to configure an audit policy leveraging native ONTAP functionality.
The first step before creating and enabling an audit policy on any NetApp Cluster or SVM is to understand the configuration options and parameters available. The table below describes these along with their limitations and default values.
Parameter | Description | Limitations | Required | Default Value |
Vserver | Name of the SVM which the auditing configuration will be created. | The SVM specified must already exist. | Yes | N/A |
Destination | Specifies the path to the directory where the audit logs will be stored. | The path must already exist on the SVM and cannot be more than 864 characters. The log destination cannot be on the root volume if the SVM is a disaster recovery resource. | Yes | N/A |
Events | Determines the types of events to be audited. This can include File Access Events, CIFS logon and logoff events, File Share Events, Audit and several more which you can refer to in this document. | Refer to NetApp documentation for specific limitations based on event category. | No | File Access Events, CIFS logon and logoff events |
Format | Determines the output format of the audit log. The available options are on an ONTAP specific XML format, or the NetApp specific EVTX format. | While the EVTX format can be viewed using Microsoft Event Viewer, The XML file format will require a third-party application. | No | EVTX |
Rotate Limit | Specifies the number of audit logs to retain. If this value is set to 0, then all the log files will be retained. | There must be enough room in the destination path for the logs to support the log rotation configuration. | No | 0 |
Rotate Size | Specifies the limit of the log file size before it gets rotated. This is the default rotation option used if no other option is specified. | There must be enough room in the destination path for the logs to support the log rotation configuration. | No | 100 MB |
Rotate Schedule | Specifies the schedule for log rotation. This can be configured by Month, Day of Week, Day, Hour, or Minute. | There must be enough room in the destination path for the logs to support the log rotation configuration. | No | N/A |
Once the appropriate configuration is determined, we can begin configuring and enabling the audit using the CLI.
1) Create policy based on desired configuration settings using the ‘vserver audit create’ command.
For our example, we will create a policy using the following configurations
To review the newly created audit, run the ‘vserver audit show’ command.
2) Enable the audit policy using the ‘vserver audit enable’ command.
To view that the audit has been enabled, rerun the ‘vserver audit show’ command.
3) Configure the SACL using Windows Explorer in a similar manner to the configuration on a Windows File Server.
Many of the same challenges we’ve discussed in the previous post exist with the events returned by the native ONTAP file access auditing functionality. For example, the same noise events will need to be handled in scenarios where users are accessing Microsoft Office documents, and the same level of correlation is required for move events. For the purpose of this blog post, we will focus on the places where NetApp differs.
While we discussed the difficulties and tedious process involved with interpreting permission change events on Windows File Servers, the quality of this data takes a steep decline when entering into the realm of Network Attached Storage (NAS) servers, including NetApp.
NetApp versions 9.2 and later provide 4670 events, but prior to that, the only way to identify a permission change would be to filter to 4663 events with the InformationSet field present and set to ‘CIFS ACL’.
While the General tab shows limited details, the details tab provides some event specific information in both a ‘Friendly View’ and ‘XML View’. In the example above, the XML view technically shows that the CIFS ACL of the Copyright.txt file was successfully updated by a domain user named Farrah, but it does not actually show us any detail on the permission itself, new or old. In this case it is almost impossible to know what the permission change is without having complete visibility into Active Directory security principals and file system permissions at all times.
Another area where native ONTAP auditing can require manual efforts to interpret the data is with the representation of file paths. The object path displayed in the audit record in the ObjectName field will only contain the name of the volume and the relative path from the root of the volume.
In the example above, the volume name is “DAT1”, and the relative path to the file is “/Marketing/Competitive Analysis/2019 Trends.xlsx”. In order to determine the full path to the file, you will need to run the ‘volume show –junction’ command against the volume listed to determine the junction path for the volume.
Once you have this information, you need to manually derive the complete path of the object by appending the relative path to the junction path. In this case, the full path to the file would be /DATA/DAT1/Marketing/Competitive Analysis/2019 Trends.xlsx.
In our final blog post of the series, we will walk through the configuration of native file access auditing on an EMC Isilon File Server, and will explore some of the unique challenges with data quality on these file systems.
Farrah Gamboa is a Director of Technical Product Management at Stealthbits – now part of Netwrix. She is responsible for building and delivering on the roadmap of Stealthbits products and solutions.
Since joining Stealthbits in 2012, Farrah has held multiple technical roles, including Scrum Master and Quality Assurance Manager. Farrah holds a Bachelor of Science degree in Industrial Engineering from Rutgers University
Learn why Active Directory security should be a priority for your organization and ways to mitigate against a data breach with this free white paper!
Read more© 2022 Stealthbits Technologies, Inc.
Leave a Reply