Re: Netapp audit how to diferentiate a rename of folder or file without extension

AlbertoGonzalez · ‎2021-03-12

I have enabled audit on netapp but when there is a rename, i cant differentiate if the rename is in a file without extension or a folder.

In other operations like created there is an attributed objecttype that can be directory or archive/file but in rename there is now

In this case how do i know if the rename from object customer1 to customer2 is a folder or a file without any extension? or there can be also folder with extenstion like folder.123

<Event>
<System>
<Provider Name="NetApp-Security-Auditing" Guid="{3CB2A168-FE19-4A4E-BDAD-DCF422F13473}"/>
<EventID>9999</EventID>
<EventName>Rename Object</EventName>
<Version>101.2</Version>
<Source>CIFS</Source>
<Level>0</Level>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<Result>Audit Success</Result>
<TimeCreated SystemTime="2021-03-11T10:33:54.380446000Z"/>
<Correlation/>
<Channel>Security</Channel>
<Computer>xxxx</Computer>
<ComputerUUID>46b4050a-6c79-11eb-8fc6-00505687f230/df5ac188-6c7b-11eb-9c0c-00a0b8e6be4e</ComputerUUID>
<Security/>
</System>
<EventData>
<Data Name="SubjectIP" IPVersion="4">10xxxx</Data>
<Data Name="SubjectUnix" Uid="65534" Gid="65534" Local="false"></Data>
<Data Name="SubjectUserSid">S-1-5-21-1843849653-2909494909-3618758610-1154</Data>
<Data Name="SubjectUserIsLocal">false</Data>
<Data Name="SubjectDomainName">xxx</Data>
<Data Name="SubjectUserName">xxx</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="OldDirHandle">00000000000405;00;0000290e;0e449a26</Data>
<Data Name="NewDirHandle">00000000000405;00;0000290e;0e449a26</Data>
<Data Name="OldPath">(vol1);/qa/customer1</Data>
<Data Name="NewPath">(vol1);/qa/customer2</Data>
<Data Name="Attributes"></Data>
</EventData>
</Event>

paul_stejskal · ‎2021-03-12

Dir handle didn't change. That should be an indication it's a file if my brain is working... I could be wrong. If not, you may have to browse out there unfortunately.

AlbertoGonzalez · ‎2021-03-18

That didnt work i renamed a folder and dirhandle also the same, I think DirHandle is the parent dir containing the file or folder. Why dont you add ObjectType to all these events so we can filter? I dont understand that an Open event include ObjectType Directory or Archive to differentiate but a de rename or delete no.

any other idea to differentiate?

<Event>
  <System>
    <Provider Name="NetApp-Security-Auditing" Guid="{3CB2A168-FE19-4A4E-BDAD-DCF422F13473}"/>
    <EventID>9999</EventID>
    <EventName>Rename Object</EventName>
    <Version>101.2</Version>
    <Source>CIFS</Source>
    <Level>0</Level>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <Result>Audit Success</Result>
    <TimeCreated SystemTime="2021-03-18T18:54:43.006820000Z"/>
    <Correlation/>
    <Channel>Security</Channel>
    <Computer>xxxxx</Computer>
    <ComputerUUID>46b4050a-6c79-11eb-8fc6-00505687f230/df5ac188-6c7b-11eb-9c0c-00a0b8e6be4e</ComputerUUID>
    <Security/>
  </System>
  <EventData>
    <Data Name="SubjectIP" IPVersion="4">xxx</Data>
    <Data Name="SubjectUnix" Uid="0" Gid="1" Local="false"/>
    <Data Name="SubjectUserSid">S-1-5-21-1843849653-2909494909-3618758610-500</Data>
    <Data Name="SubjectUserIsLocal">false</Data>
    <Data Name="SubjectDomainName">xxxx</Data>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="OldDirHandle">00000000000405;00;00005ad6;0ae6bdf9</Data>
    <Data Name="NewDirHandle">00000000000405;00;00005ad6;0ae6bdf9</Data>
    <Data Name="OldPath">(vol1);/qa/folder/customer_123</Data>
    <Data Name="NewPath">(vol1);/qa/folder/customer_1234</Data>
    <Data Name="Attributes"/>
  </EventData>
</Event>

Netapp audit how to diferentiate a rename of folder or file without extension

Sign-up for Software Release Notifications!

Join us on Discord