Solved: CIFS share auditing

FelixZhou · ‎2021-01-05

we are looking for CIFS auditing on tracing of any shared folder or file deletions.

we enabled audit on SVM and directed the log file, also set up the deletion auditing on shares. But didn't see events on event log for these deletion events.

are there any steps missing here?

Please share your experience. thanks.

scottgelb · ‎2021-01-05

The documentation is very good but there are SACL steps needed and it is hard to find the end-to-end procedure in one place, so I wrote a blog on it for both CIFS and NFS 🙂 Please see the blog and let me know if you have any questions or comments.

https://storageexorcist.wordpress.com/2020/06/03/ontap-native-nas-auditing-smb-and-nfs/

View solution in original post

JGPSHNTAP · ‎2021-01-05

That is not an enterprise solution what you are doing.

You should be looking at third policy fpolicy tools

The way you are talking is you would need to re-acl the ntfs permissions with auditing and that's not scalable.

scottgelb · ‎2021-01-05

The documentation is very good but there are SACL steps needed and it is hard to find the end-to-end procedure in one place, so I wrote a blog on it for both CIFS and NFS 🙂 Please see the blog and let me know if you have any questions or comments.

https://storageexorcist.wordpress.com/2020/06/03/ontap-native-nas-auditing-smb-and-nfs/

JGPSHNTAP · ‎2021-01-05

Scott,

Very well written blog. However, not scalable to large enterprises. This works good if you are looking for something quick.

The correct answer in my opinion would be fpolicy

scottgelb · ‎2021-01-05

Thank you... agreed you get what you pay for ;)... but lot of customers use the native, free tools. I do also recommend 3rd party for scaling, enterprise features and management, but this blog was the result of so many that needed to get the free stuff working. All of my customers are enterprise so more than I thought that would use this.

JGPSHNTAP · ‎2021-01-05

I just think it was important to set the proper expectations

paul_stejskal · ‎2021-01-06

CIFS auditing can be useful for large environments, but there is an overhead that must be accounted for. To say it is a bad solution for enterprise customers is not a fair assumption to make without all the details.

We definitely recommend any major config changes and NetApp guidance needed to consult your account team. They don't sell stuff and that's it, but they are also responsible to help consult, set up, and identify ways to help you use your NetApp resources or possibly more NetApp resources to better optimize your storage footprint.

I will note, the missing link here is that the results show up in a special file, not the event log. Then you have to download the file and open in Windows Event Viewer. It takes a bit of understanding the format to know how it works.

That blog honestly is really good. I'd like to see if that could be incorporated into official documentation possibly. Is that ok @scottgelb? Tagging a few NetApp folks: @DrewC @jtownsen @ODinulos

scottgelb · ‎2021-01-06

Thank you and YES! All good and happy sharing on any NetApp Docs or blog site.. for A-Team, we already blog to the NetApp site. A lot of customers are using native auditing and after a lot of repeated troubleshooting, I created this blog post for the end-to-end setup.

scottgelb · ‎2021-01-06

We have had discussions with customers about taking the xml/evtx then import into Splunk..with formatting and filtering to transform before loading in. A native ONTAP push of NAS auditing to syslog would be really good if feasible to add to the roadmap.

paul_stejskal · ‎2021-01-06

Scott, I'd talk to your account team if you are a customer/partner.