Hello,
I’ve been going through the NetApp DSC 9.x STIG for the 4 NFS AFF-A220s / 2 CIFS AFF-A150s we have. I’m quite new to ONTAP, so the process is taking me a while. One of the STIG items requires auditing to be enabled, which I really don’t want to mess up, as having an abundance of audit logs piling up could quickly overwhelm our systems and degrade their performance. From what I understand from the STIG, the only parameters that it specifies are:
1. Auditing must be enabled, and no ONTAP volume shows 100% capacity, verified via the “df MDV*” CLI command.
2. Audit guarantee must be enabled, verified via the “vserver audit show -fields audit-guarantee” CLI command.
On the four NFS AFF-A220s we have, nothing reports back for either of these commands. For the two CIFS AFF-A150s we have (which were installed/configured for us via professional services), the “df MDV*” command does come back with a result showing some auditing paths; however, audit guarantee doesn’t show as enabled. I have found the two guides listed below to follow, but I have some questions that I could use some guidance on.
https://kb.netapp.com/onprem/ontap/da/NAS/How_to_enable_auditing_of_NFS_events_in_ONTAP_9
https://kb.netapp.com/onprem/ontap/da/NAS/How_to_set_up_CIFS_auditing_in_ONTAP_9
1. It looks like auditing is indeed enabled on our two CIFS NetApps, but audit guarantee is not. To configure audit guarantee, would I just need to run “vserver audit modify -vserver <vserver_name> -destination <audit log location> -audit-guarantee true”, with <audit log location> being the locations seen from the “df MDV*” command? I guess I would have to run the command once for every location.
2. I’m having trouble understanding the “-destination” portion of the “vserver audit create” command sequence. I understand this would designate the location where the logs are stored, but does this command create the location itself? How should I know where to put the logs?
3. I’m trying to ensure I configure the log rotation correctly when using the “vserver audit create” command. I would like to configure the logs to delete themselves after a certain amount of time so that we can just “set it and forget it” for this STIG requirement and not have to do any manual cleanup of logs. I could also use some advice regarding the exact amount of time I should specify for logs to be kept. Will two weeks of logs overload my NetApps? How much space are we talking about here? I understand that depends on what is configured to go into the logs themselves, but I was planning on just using the default parameters, which seem to be just SMB logon and logoff events according to this NetApp doc: https://docs.netapp.com/us-en/ontap/nas-audit/create-auditing-config-task.html
Any advice and/or guidance would be greatly appreciated. Thank you!