Introduction to Native Auditing in Clustered Data ONTAP

With the exponential growth of unstructured data, enterprises face the challenge of monitoring, managing and protecting organizational information in their data centers. Data centers need to protect sensitive data from unauthorized access, manage data by monitoring file access activity, and generate and manage audit logs. Some enterprises mandate the tracking of audit trails for regulatory and compliance purposes. In clustered Data ONTAP 8.2 these capabilities are provided on-box by the native auditing solution.


In clustered Data ONTAP the configuration and logging features of native auditing are supported per Storage Virtual Machine (SVM), which supports a fully multi-tenant environment. The native auditing implementation in clustered Data ONTAP is similar to the Microsoft Windows event logging framework: it logs file-access events in an EVTX-like format, EVTX being the default event logging format from Windows Vista and Windows Server 2008 onwards. Native auditing supports file access auditing over CIFS (Common Internet File System) and NFS (Network File System). CIFS client access can be monitored by setting SACLs (System Access Control Lists) on storage objects in NTFS or mixed security-style volumes. Similarly, NFS client access can be monitored by setting NFSv4.x ACLs (Access Control Lists) on UNIX or mixed security-style volumes.


SACLs can be configured to monitor file access from different versions of SMB, such as SMB 1.0, SMB 2.0, SMB 2.1 and SMB 3.0. Similarly, access from different versions of NFS can be monitored as long as NFS 4.0 or later is enabled on the SVM. In a significant improvement over the Data ONTAP 7-Mode implementation of NFS auditing, clustered Data ONTAP removes the dependency on a filter file and on a CIFS license: a cluster with either an NFS or a CIFS license is sufficient to allow auditing on the SVM. Another improvement over the earlier implementation is reliable auditing: each audit event is committed to secure buffers before the file operation is allowed to proceed, so the audit trail remains complete even across storage failovers, node failovers and node reboots.


A typical deployment of native auditing involves configuring an audit policy on the SVM and setting audit ACLs on the storage objects to be monitored. NTFS (New Technology File System) SACLs can be configured with Windows Explorer, with the Windows APIs, or on clustered Data ONTAP itself with the vserver security file-directory command set (the clustered counterpart of the 7-Mode fsecurity tool). NFSv4.x ACLs can be configured from recent RHEL Linux and Solaris clients using commands such as nfs4_setfacl and chmod. When propagating ACLs through the SVM namespace, be aware that nesting volumes with different security styles breaks ACL propagation across the volume junction points, so each volume on the path may need its own audit ACE. Refer to TR-4189 or the CIFS File Access Protocol Management Guide for more information on native auditing deployment and solution requirements.
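The procedure above, as an added example that is not part of TR-4189 or NetApp's own tooling: a dry-runnable shell script that strings together the clustered Data ONTAP 8.2 commands for the SVM audit configuration and the NTFS SACL (via vserver security file-directory), followed by the NFSv4 audit ACE set from a Linux client with nfs4_setfacl. The cluster host cluster1, SVM vs1, destination /audit_log, audited path /data, account CIFS1\sue, NFS client nfsclient1 and principal sue@example.com are hypothetical; the option names are those documented for 8.2 and should be checked against the man pages of the release actually in use. Every cluster command goes through $ONTAP_CLI and every NFS-client command through $NFS_CLIENT, so pointing both at the dry_run function prints the plan instead of executing it.

```shell
#!/bin/sh
# Added example, not from TR-4189 or NetApp: deploy native auditing on one SVM.
# Hypothetical names: cluster management host "cluster1", SVM "vs1", audit
# destination "/audit_log", audited path "/data", account "CIFS1\sue",
# NFS client "nfsclient1" and NFSv4 principal "sue@example.com".
# Set ONTAP_CLI=dry_run NFS_CLIENT=dry_run to print the plan without running it.
set -eu

# Print a command instead of running it (used when ONTAP_CLI/NFS_CLIENT=dry_run).
dry_run() { printf '%s\n' "$*"; }

: "${ONTAP_CLI:=ssh admin@cluster1}"
: "${NFS_CLIENT:=ssh root@nfsclient1}"

# Step 1: audit configuration on the SVM. The destination must be a UNIX
# directory path inside the SVM namespace; rotate at 100MB and keep 5 files.
create_audit_config() {
    svm=$1; dest=$2
    $ONTAP_CLI "vserver audit create -vserver $svm -destination $dest -rotate-size 100MB -rotate-limit 5"
    $ONTAP_CLI "vserver audit enable -vserver $svm"
    $ONTAP_CLI "vserver audit show -vserver $svm"
}

# Step 2: SACL on an NTFS path without a Windows client. Build a security
# descriptor holding one audit ACE, bind it to a policy task for the path,
# apply the policy, then read the effective security back for verification.
# access_type is "success" or "failure"; auditing failures for full-control
# on a whole tree records probing of data the account is not meant to reach.
add_ntfs_sacl() {
    svm=$1; path=$2; account=$3; access_type=$4
    $ONTAP_CLI "vserver security file-directory ntfs create -vserver $svm -ntfs-sd audit_sd"
    $ONTAP_CLI "vserver security file-directory ntfs sacl add -vserver $svm -ntfs-sd audit_sd -access-type $access_type -account $account -rights full-control -apply-to this-folder,sub-folders,files"
    $ONTAP_CLI "vserver security file-directory policy create -vserver $svm -policy-name audit_policy"
    $ONTAP_CLI "vserver security file-directory policy task add -vserver $svm -policy-name audit_policy -path $path -security-type ntfs -ntfs-mode propagate -ntfs-sd audit_sd"
    $ONTAP_CLI "vserver security file-directory apply -vserver $svm -policy-name audit_policy"
    $ONTAP_CLI "vserver security file-directory show -vserver $svm -path $path"
}

# Step 3: the NFS side, typed on a client that has the export mounted over
# NFSv4.x. nfs4_setfacl ACE syntax is type:flags:principal:perms; type U is an
# audit ACE, flag S audits successful and F failed access, f/d make the ACE
# inherit to files and directories created below the mount point.
add_nfs4_audit_ace() {
    mountpoint=$1; principal=$2
    $NFS_CLIENT "nfs4_setfacl -a U:fdSF:$principal:rwx $mountpoint"
    $NFS_CLIENT "nfs4_getfacl $mountpoint"
}

# Full plan: enable auditing first so no ACE fires before the log exists.
deploy_native_auditing() {
    svm=$1; dest=$2; path=$3; account=$4; mountpoint=$5; principal=$6
    create_audit_config "$svm" "$dest"
    add_ntfs_sacl "$svm" "$path" "$account" failure
    add_nfs4_audit_ace "$mountpoint" "$principal"
}

# Runs the plan only when invoked with all six arguments, e.g.
#   ONTAP_CLI=dry_run NFS_CLIENT=dry_run sh deploy_audit.sh vs1 /audit_log /data 'CIFS1\sue' /mnt/data sue@example.com
if [ $# -eq 6 ]; then
    deploy_native_auditing "$@"
fi
```

Review the dry-run output before running it for real: the ntfs create and policy create steps are not idempotent, so a rerun on the same SVM needs the existing audit_sd and audit_policy removed first, and the destination directory must already exist in the namespace.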


Currently, audit logs are stored as plain-text XML files in the destination path specified during audit configuration. The destination must be a UNIX directory path in the SVM namespace. The audit logs can be read through either the NFS or the CIFS data path, which means any client with read access to that directory can read them; protect them from unauthorized access and tampering with DACLs (Discretionary Access Control Lists) on the destination that grant access only to the accounts responsible for audit review, so that the logs meet regulatory requirements.