topic STIG: Enable Auditing in ONTAP Discussions https://community.netapp.com/t5/ONTAP-Discussions/STIG-Enable-Auditing/m-p/450303#M43136 <P>Hello,<BR />I’ve been going through the NetApp DSC 9.x STIG for the 4 NFS AFF-A220’s / 2 CIFS AFF-A150’s we have. I’m quite new to ONTAP so the process is taking me a while. One of the STIG items requires auditing to be enabled, which I really don’t want to mess up as having an abundance of audit logs piling up could quickly overwhelm our systems and degrade their performance. From what I understand from the STIG, the only parameters that it specifies are:</P><P><BR />1. Auditing must be enabled, and that no ONTAP volume shows 100% capacity, verified via the “df MDV*” CLI command.<BR />2. Audit guarantee must be enabled, verified via the “vserver audit show -fields audit-guarantee" CLI command.</P><P><BR />On the four NFS AFF-A-220’s we have, nothing reports back for either of these commands. For the two CIFS AFF-A150’s we have (which were installed/configured for us via professional services), the “df MDV*” command does come back with a result showing some auditing paths, however audit guarantee doesn’t show as enabled. I have used found these two guides listed below to follow but I have some questions that I could use some guidance on.</P><P><BR /><A href="https://kb.netapp.com/onprem/ontap/da/NAS/How_to_enable_auditing_of_NFS_events_in_ONTAP_9" target="_blank" rel="noopener">https://kb.netapp.com/onprem/ontap/da/NAS/How_to_enable_auditing_of_NFS_events_in_ONTAP_9</A><BR /><A href="https://kb.netapp.com/onprem/ontap/da/NAS/How_to_set_up_CIFS_auditing_in_ONTAP_9" target="_blank" rel="noopener">https://kb.netapp.com/onprem/ontap/da/NAS/How_to_set_up_CIFS_auditing_in_ONTAP_9</A></P><P><BR />1. It looks like auditing is indeed enabled on our two CIFS NetApps, but audit guarantee is not. To configure audit guarantee, would I just need to run "vserver audit modify -vserver &lt;vserver_name&gt; -destination &lt;audit log location&gt; -audit-guarantee true" with &lt;audit log location&gt; being the locations seen from the “df MDV*” command? I guess I would have to run the command once for every location.<BR />2. For I’m having trouble understanding the “-destination” portion of the “vserver audit create” command sequence. I understand this would designate the location of where the logs are stored, but is does this command create the location itself? How should I know where to put the logs?<BR />3. I’m trying to ensure I configure the log rotation correctly when using the “vserver audit create” command. I would like to configure the logs to delete themselves after a certain amount of time so that we can just “set it and forget it” for this STIG requirement, and not have to do any manual cleaning up of logs. I could also use some advice in regards to the exact amount of time I should specify for logs to be kept for. Will two weeks of logs overload my NetApps? How much space are we talking about here? I understand that depends on what is configured to put inside of the logs themselves, but I was planning on just using the default parameters, which seem to be just SMB logon and logoff events according to this NetApp doc: <A href="https://docs.netapp.com/us-en/ontap/nas-audit/create-auditing-config-task.html" target="_blank" rel="noopener">https://docs.netapp.com/us-en/ontap/nas-audit/create-auditing-config-task.html</A></P><P>&nbsp;</P><P>Any advice and/or guidance would be greatly appreciated. Thank you!</P> Wed, 04 Jun 2025 09:42:02 GMT NetApp93 2025-06-04T09:42:02Z STIG: Enable Auditing https://community.netapp.com/t5/ONTAP-Discussions/STIG-Enable-Auditing/m-p/450303#M43136 <P>Hello,<BR />I’ve been going through the NetApp DSC 9.x STIG for the 4 NFS AFF-A220’s / 2 CIFS AFF-A150’s we have. I’m quite new to ONTAP so the process is taking me a while. One of the STIG items requires auditing to be enabled, which I really don’t want to mess up as having an abundance of audit logs piling up could quickly overwhelm our systems and degrade their performance. From what I understand from the STIG, the only parameters that it specifies are:</P><P><BR />1. Auditing must be enabled, and that no ONTAP volume shows 100% capacity, verified via the “df MDV*” CLI command.<BR />2. Audit guarantee must be enabled, verified via the “vserver audit show -fields audit-guarantee" CLI command.</P><P><BR />On the four NFS AFF-A-220’s we have, nothing reports back for either of these commands. For the two CIFS AFF-A150’s we have (which were installed/configured for us via professional services), the “df MDV*” command does come back with a result showing some auditing paths, however audit guarantee doesn’t show as enabled. I have used found these two guides listed below to follow but I have some questions that I could use some guidance on.</P><P><BR /><A href="https://kb.netapp.com/onprem/ontap/da/NAS/How_to_enable_auditing_of_NFS_events_in_ONTAP_9" target="_blank" rel="noopener">https://kb.netapp.com/onprem/ontap/da/NAS/How_to_enable_auditing_of_NFS_events_in_ONTAP_9</A><BR /><A href="https://kb.netapp.com/onprem/ontap/da/NAS/How_to_set_up_CIFS_auditing_in_ONTAP_9" target="_blank" rel="noopener">https://kb.netapp.com/onprem/ontap/da/NAS/How_to_set_up_CIFS_auditing_in_ONTAP_9</A></P><P><BR />1. It looks like auditing is indeed enabled on our two CIFS NetApps, but audit guarantee is not. To configure audit guarantee, would I just need to run "vserver audit modify -vserver &lt;vserver_name&gt; -destination &lt;audit log location&gt; -audit-guarantee true" with &lt;audit log location&gt; being the locations seen from the “df MDV*” command? I guess I would have to run the command once for every location.<BR />2. For I’m having trouble understanding the “-destination” portion of the “vserver audit create” command sequence. I understand this would designate the location of where the logs are stored, but is does this command create the location itself? How should I know where to put the logs?<BR />3. I’m trying to ensure I configure the log rotation correctly when using the “vserver audit create” command. I would like to configure the logs to delete themselves after a certain amount of time so that we can just “set it and forget it” for this STIG requirement, and not have to do any manual cleaning up of logs. I could also use some advice in regards to the exact amount of time I should specify for logs to be kept for. Will two weeks of logs overload my NetApps? How much space are we talking about here? I understand that depends on what is configured to put inside of the logs themselves, but I was planning on just using the default parameters, which seem to be just SMB logon and logoff events according to this NetApp doc: <A href="https://docs.netapp.com/us-en/ontap/nas-audit/create-auditing-config-task.html" target="_blank" rel="noopener">https://docs.netapp.com/us-en/ontap/nas-audit/create-auditing-config-task.html</A></P><P>&nbsp;</P><P>Any advice and/or guidance would be greatly appreciated. Thank you!</P> Wed, 04 Jun 2025 09:42:02 GMT https://community.netapp.com/t5/ONTAP-Discussions/STIG-Enable-Auditing/m-p/450303#M43136 NetApp93 2025-06-04T09:42:02Z