ONTAP Discussions

NetApp audit: how to differentiate a rename of a folder or a file without extension

AlbertoGonzalez

I have enabled audit on NetApp, but when there is a rename I can't differentiate whether the rename is of a file without an extension or of a folder.

In other operations, like created, there is an attribute ObjectType that can be directory or archive/file, but in rename there is none.

In this case, how do I know if the rename from object customer1 to customer2 is a folder or a file without any extension? Or there can also be a folder with an extension, like folder.123.


<Event>
<System>
<Provider Name="NetApp-Security-Auditing" Guid="{3CB2A168-FE19-4A4E-BDAD-DCF422F13473}"/>
<EventID>9999</EventID>
<EventName>Rename Object</EventName>
<Version>101.2</Version>
<Source>CIFS</Source>
<Level>0</Level>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<Result>Audit Success</Result>
<TimeCreated SystemTime="2021-03-11T10:33:54.380446000Z"/>
<Correlation/>
<Channel>Security</Channel>
<Computer>xxxx</Computer>
<ComputerUUID>46b4050a-6c79-11eb-8fc6-00505687f230/df5ac188-6c7b-11eb-9c0c-00a0b8e6be4e</ComputerUUID>
<Security/>
</System>
<EventData>
<Data Name="SubjectIP" IPVersion="4">10xxxx</Data>
<Data Name="SubjectUnix" Uid="65534" Gid="65534" Local="false"></Data>
<Data Name="SubjectUserSid">S-1-5-21-1843849653-2909494909-3618758610-1154</Data>
<Data Name="SubjectUserIsLocal">false</Data>
<Data Name="SubjectDomainName">xxx</Data>
<Data Name="SubjectUserName">xxx</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="OldDirHandle">00000000000405;00;0000290e;0e449a26</Data>
<Data Name="NewDirHandle">00000000000405;00;0000290e;0e449a26</Data>
<Data Name="OldPath">(vol1);/qa/customer1</Data>
<Data Name="NewPath">(vol1);/qa/customer2</Data>
<Data Name="Attributes"></Data>
</EventData>
</Event>

2 Replies

paul_stejskal

Dir handle didn't change. That should be an indication it's a file if my brain is working... I could be wrong. If not, you may have to browse out there unfortunately.

That didn't work. I renamed a folder and the DirHandle is also the same; I think DirHandle is the parent dir containing the file or folder. Why don't you add ObjectType to all these events so we can filter? I don't understand why an Open event includes ObjectType Directory or Archive to differentiate, but a rename or delete does not.

Any other idea to differentiate?


<Event>
  <System>
    <Provider Name="NetApp-Security-Auditing" Guid="{3CB2A168-FE19-4A4E-BDAD-DCF422F13473}"/>
    <EventID>9999</EventID>
    <EventName>Rename Object</EventName>
    <Version>101.2</Version>
    <Source>CIFS</Source>
    <Level>0</Level>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <Result>Audit Success</Result>
    <TimeCreated SystemTime="2021-03-18T18:54:43.006820000Z"/>
    <Correlation/>
    <Channel>Security</Channel>
    <Computer>xxxxx</Computer>
    <ComputerUUID>46b4050a-6c79-11eb-8fc6-00505687f230/df5ac188-6c7b-11eb-9c0c-00a0b8e6be4e</ComputerUUID>
    <Security/>
  </System>
  <EventData>
    <Data Name="SubjectIP" IPVersion="4">xxx</Data>
    <Data Name="SubjectUnix" Uid="0" Gid="1" Local="false"/>
    <Data Name="SubjectUserSid">S-1-5-21-1843849653-2909494909-3618758610-500</Data>
    <Data Name="SubjectUserIsLocal">false</Data>
    <Data Name="SubjectDomainName">xxxx</Data>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="OldDirHandle">00000000000405;00;00005ad6;0ae6bdf9</Data>
    <Data Name="NewDirHandle">00000000000405;00;00005ad6;0ae6bdf9</Data>
    <Data Name="OldPath">(vol1);/qa/folder/customer_123</Data>
    <Data Name="NewPath">(vol1);/qa/folder/customer_1234</Data>
    <Data Name="Attributes"/>
  </EventData>
</Event>
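One defender-side workaround for the missing ObjectType, as an added example that is not from the thread or from NetApp: since the Open/Create events do carry ObjectType, a log consumer can remember the type it last saw for each path and apply it to a later Rename Object on the same OldPath, instead of guessing from the extension. The sample log below is constructed; the ObjectName/ObjectType field names on the Open event are assumptions, only OldPath/NewPath/EventName are taken from the events posted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one Open event carrying ObjectType (field names assumed),
# then the two Rename Object events from the thread, which have no ObjectType.
SAMPLE_LOG = """<Events>
<Event><System><EventName>Open Object</EventName></System>
<EventData>
<Data Name="ObjectType">Directory</Data>
<Data Name="ObjectName">(vol1);/qa/folder/customer_123</Data>
</EventData></Event>
<Event><System><EventName>Rename Object</EventName></System>
<EventData>
<Data Name="OldPath">(vol1);/qa/folder/customer_123</Data>
<Data Name="NewPath">(vol1);/qa/folder/customer_1234</Data>
</EventData></Event>
<Event><System><EventName>Rename Object</EventName></System>
<EventData>
<Data Name="OldPath">(vol1);/qa/customer1</Data>
<Data Name="NewPath">(vol1);/qa/customer2</Data>
</EventData></Event>
</Events>"""


def event_data(ev):
    """Flatten the <Data Name=...> children of one <Event> into a dict."""
    return {d.get("Name"): (d.text or "") for d in ev.iter("Data")}


def classify_renames(xml_text):
    """Return [(old_path, new_path, object_type)] for every Rename Object event.

    The type comes from the most recent earlier event that named the same path
    together with an ObjectType; if none was seen the result is "unknown"
    (a missing extension or an extension like folder.123 proves nothing).
    """
    known = {}    # path -> "Directory" / "File", learned from typed events
    renames = []
    for ev in ET.fromstring(xml_text).iter("Event"):
        name = ev.findtext("System/EventName")
        data = event_data(ev)
        if name == "Rename Object":
            old, new = data.get("OldPath"), data.get("NewPath")
            kind = known.pop(old, "unknown")
            if kind != "unknown":
                known[new] = kind   # the object keeps its type under the new name
            renames.append((old, new, kind))
        elif data.get("ObjectType") and data.get("ObjectName"):
            known[data["ObjectName"]] = data["ObjectType"]
    return renames
```

In a real pipeline the `known` cache would persist across log files; a rename whose path was never seen with a type still needs a lookup against the filer.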
