ONTAP Discussions

Does Netapp track deletions inside a CIFS share

mdvillanueva
21,461 Views

Hi,

Does Netapp audit file/folder deletions inside a cifs share. We have instance when user would either accidentally move/remove a folder/file and although we can restore using snapshot, we want to know who did it.

Thanks,]

Maico

14 REPLIES 14

scottgelb
21,222 Views

Someone correct me if anything has changed, but cifs auditing (off by default) doesn't audit a file deletion.  Some of our customers who have required this have tested Varonis (3rd party product that supports NetApp via fpolicy api).

andrc
21,222 Views

I'm pretty sure you can audit file deletions, as stated in this KB you specify groups and events to be audited in the security tab. I seem to remember setting this up in a previous job as important data had been deleted by unknown users a number of times.

scottgelb
21,221 Views

I have used cifs auditing but don’t remember it tracking delete and don’t see it in the kb. It might though… need to test it out and see but I remember something about it logging changes not deletes.

andrc
21,222 Views

I don't remember exactly how as I configured the filer and a Windows admin configured the events to be logged in the security tab, but as I remember once it's configured on the filer there are a number of possible event choices in the security tab, and deletions are one of them.

If I'm wrong I'll put my hand up but I'm pretty sure I remember the Windows guy deleting a test file and it showing up in the .evt audit file

scottgelb
21,222 Views

Per this KB you are right... but I remember seeing an issue with it not logging... I will test later in a VSIM if I get a chance.   https://kb.netapp.com/support/index?page=content&id=1010191

YASIR_IRFAT
21,222 Views

Hi,

I had setup auditing for file, add/write/deletion on cifs shares. It does log deletions of files. As deletion comes under "Object-Access", you have to enable it first on filer through,

filer> options cifs.audit.file_access_events.enable on

Then under Folder Properties --> Security tab --> Advanced --> Auditing - Add any user/group you want to audit on the folder and then select access types such as read, list, write, modify, delete etc.. for it.

I have used it and it works fine

Regards,

Yasir Irfat

enghaug72
21,222 Views

Hi Yasir.

When I setup as you describe above and select the cifs share/volume I get tons of access denied messages from inside the ~snapshot folder. Which surprises me since folks are taking abourt successfull auditing of the ~snapshot folder in this thread.

When I choose a folder inside the share it allows me to audit that folder. This will be a show stopper for us since the customer has a lot of folders Do you have any thoughts? Am I missing something obvious here..

-Pål-Andre

columbus_admin
21,222 Views

You cannot audit anything within ~snapshot...that space is 100% read only and auditing requires bits to be flipped by Windows.  You can audit Windows files outside ~snapshot, but not within.

- Scott

DNOINTERNATIONAL
21,222 Views

Thank you for replying Scott!


I solved this by setting the cifs.show_snapshot option to off then from Window:

Then under Folder Properties --> Security tab --> Advanced --> Auditing - Add any user/group you want to audit on the folder and then select access types such as read, list, write, modify, delete etc.. for it.

Auditing is now "on" for the share and all subfolders. cifs.show_snapshot option is again enabeled after all the "bits flipping"

-Pål-Andre

ASH2017
12,122 Views

Hi,

 

I know this is an old post, but can someone point me to steps for auditing : NFS export, without CIFS auditing enabled ?

 

Thanks,

-Ash

Harendra
13,546 Views

Hi Yasir,

 

Although I have enabled the audit options and completed all configuration parameters but still I am unable to see the audit tab enabled for me in windows.

could you please help on this.

 

Thanks in advance.

JGPSHNTAP
13,515 Views

This is pretty straightforward for NTFS auditing on Netapp.  Also, unless you are looking for a small sample, native auditing is essentially useless b/c of log rolling.... 

CHARRE
12,049 Views

Hi,

 

I'am Loic, i have a metrocluster FAS8200 and i activated audit on CIFS Share Volume.

 

We lose a directory and we found in event log:

 

System

  - Provider

   [ Name]  NetApp-Security-Auditing
   [ Guid]  {3CB2A168-FE19-4A4E-BDAD-DCF422F13473}
 
   EventID 9998
 
   EventName Unlink Object
 
   Version 101.2
 
   Source CIFS
 
   Level 0

 

Do you know what is this event: Unlink Object ? Do you know what that means ?

naveens17
12,015 Views

That is what I found in documentation .. 

 

I would suggest integrating ManageEngine + NetApp native auditing can give all the reports and details what your looking for.

 

 

NA/NA Data ONTAP Event ID 9998 Unlink Object OBJECT ACCESS: Object unlinked. This is a Data ONTAP event. It is not currently supported by Windows as a single event. File Access
Public