Subscribe

Does Netapp track deletions inside a CIFS share

Hi,

Does Netapp audit file/folder deletions inside a cifs share. We have instance when user would either accidentally move/remove a folder/file and although we can restore using snapshot, we want to know who did it.

Thanks,]

Maico

Does Netapp track deletions inside a CIFS share

Someone correct me if anything has changed, but cifs auditing (off by default) doesn't audit a file deletion.  Some of our customers who have required this have tested Varonis (3rd party product that supports NetApp via fpolicy api).

Does Netapp track deletions inside a CIFS share

I'm pretty sure you can audit file deletions, as stated in this KB you specify groups and events to be audited in the security tab. I seem to remember setting this up in a previous job as important data had been deleted by unknown users a number of times.

Re: Does Netapp track deletions inside a CIFS share

I have used cifs auditing but don’t remember it tracking delete and don’t see it in the kb. It might though… need to test it out and see but I remember something about it logging changes not deletes.

Re: Does Netapp track deletions inside a CIFS share

I don't remember exactly how as I configured the filer and a Windows admin configured the events to be logged in the security tab, but as I remember once it's configured on the filer there are a number of possible event choices in the security tab, and deletions are one of them.

If I'm wrong I'll put my hand up but I'm pretty sure I remember the Windows guy deleting a test file and it showing up in the .evt audit file

Re: Does Netapp track deletions inside a CIFS share

Per this KB you are right... but I remember seeing an issue with it not logging... I will test later in a VSIM if I get a chance.   https://kb.netapp.com/support/index?page=content&id=1010191

Re: Does Netapp track deletions inside a CIFS share

Hi,

I had setup auditing for file, add/write/deletion on cifs shares. It does log deletions of files. As deletion comes under "Object-Access", you have to enable it first on filer through,

filer> options cifs.audit.file_access_events.enable on

Then under Folder Properties --> Security tab --> Advanced --> Auditing - Add any user/group you want to audit on the folder and then select access types such as read, list, write, modify, delete etc.. for it.

I have used it and it works fine

Regards,

Yasir Irfat

Re: Does Netapp track deletions inside a CIFS share

Hi Yasir.

When I setup as you describe above and select the cifs share/volume I get tons of access denied messages from inside the ~snapshot folder. Which surprises me since folks are taking abourt successfull auditing of the ~snapshot folder in this thread.

When I choose a folder inside the share it allows me to audit that folder. This will be a show stopper for us since the customer has a lot of folders Do you have any thoughts? Am I missing something obvious here..

-Pål-Andre

Re: Does Netapp track deletions inside a CIFS share

You cannot audit anything within ~snapshot...that space is 100% read only and auditing requires bits to be flipped by Windows.  You can audit Windows files outside ~snapshot, but not within.

- Scott

Re: Does Netapp track deletions inside a CIFS share

Thank you for replying Scott!


I solved this by setting the cifs.show_snapshot option to off then from Window:

Then under Folder Properties --> Security tab --> Advanced --> Auditing - Add any user/group you want to audit on the folder and then select access types such as read, list, write, modify, delete etc.. for it.

Auditing is now "on" for the share and all subfolders. cifs.show_snapshot option is again enabeled after all the "bits flipping"

-Pål-Andre