Re: CIFS audit (fpolicy vs xml/evt audit) and SACLs and performance

Al2 · ‎2024-07-04

We are currently using netapp xml auditing and enabling SACLs using Windows Explorer Client to set SACL permissions for everyone read,write, delete etc.

1) When we apply this SACL to big fillers with millions of folders and files it has to apply this recursive and take lot of time and also fails on many folders because inheritance is broken and user doesnt have permission, etc etc. Is there any way to apply this much faster at the root level of the share/volume avoiding this errors, permissions, broken inheritance, time, and other common problems? does "vserver security file-directory ntfs sacl modify" has the same problem? is faster?

2) Does fpolicy auditing also requires setting this SACLs on all folders/files or just enable fpolicy? how you set what operations to audit? I know windows file server requires this and most storages based on windows, but applying SACLS for larger file server is always a problem.

ChLokesh · ‎2024-08-10

1. It depends on how many files/folders youhave. If there are millions of files, it will take time.

2. No, fpolicy is configured on SVM level, you can create fpolicy policy, set of events that need to be monitored and for which of the monitored events notifications must be sent to the designated FPolicy server.

https://docs.netapp.com/us-en/ontap/nas-audit/steps-setup-fpolicy-config-concept.html

liu · ‎2024-11-19

This document describes the steps to set up the FPolicy configuration

Set up and enable FPolicy configuration on the SVM

What the steps for setting up an FPolicy configuration are

CIFS audit (fpolicy vs xml/evt audit) and SACLs and performance

NetApp's KB Wins Again!

Enable auditing

Audit log

CIFS share auditing

7MODE - CIFS audit Netapp - User Sessions

Forwarding CIFS Audit logs to splunk server