How to enable auditing of NFS events on clustered Data ONTAP
Applies to
Clustered Data ONTAP 8
Description
This article describes the procedure that should be followed to enable file and folder auditing for files and folders accessed, modified, or deleted using NFS (NFSv3 or NFSv4). In order for clustered Data ONTAP to audit NFS events, NFSv4 has to be enabled when you run the vserver nfs create
command.
Once the ACL's are applied to the files/directories, NFSv4 is no longer a requirement for the mount or SVM. Depending on the environment and which NFS versions are enabled, this KB will provide optional steps to disable v4 functionality. NFSv3 events will continue to be audited after v4 is disabled.
This will create an XML files that will grow to no larger than 100M in size. (100M is the sized specified in the cDOT NFS Best Practices TR Section 10).
There are two options for viewing the audit, xml or evtx. XML can be viewed by any client. Where as with evtx, to view it, use windows audit log viewer.
Following is what a “file delete” looks like.
<Event><System><Provider Name="Netapp-Security-Auditing"/><EventID>9998</EventID><EventName>Unlink Object</EventName><Version>101.2</Version><Source>NFSv3</Source><Level>0</Level><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><Result>Audit Success</Result><TimeCreated SystemTime="2015-12-02T01:00:36.142467000Z "/><Correlation/><Channel>Security</Channel><Computer>7f88b548-45ef-11e5-a549-005056923487/72ea833a-46d4-11e5-a549-005056923487</Computer><Security/></System><EventData><Data Name="SubjectIP" IPVersion="4">172.18.83.90</Data><Data Name ="SubjectUnix" Uid="1000" Gid="200" Local="false"></Data><Data Name="SubjectUserSid">S-1-5-21-315225131-152720833-1400237508-500</Data><Data Name="SubjectUserIsLocal">false</Data><Data Name="SubjectDomainName">Not Present</Data><Data Name="SubjectUserName">Not Present</Data><Data Name="DirHandleID">00000000000402;00;00000bc6;000d18d5</Data><Data Name="FileName">(musica);/Gustav Mahler/this_is_a_test_dir/ntp.conf </Data><Data Name="SearchFilter"></Data></EventData></Event>
The Unlink Object is a delete. This displays the time, the source IP address, the user ID and group ID number of the person that did the remove, and the file name.
Here is a permissions change:
<Event><System><Provider Name="Netapp-Security-Auditing"/><EventID>4663</EventID><EventName>Set Object Attributes</EventName><Version>101.3</Version><Source>NFSv4</Source><Level>0</Level><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><Result>Audit Success</Result><TimeCreated SystemTime="2015-12-02T00:59:06.790210000Z "/><Correlation/><Channel>Security</Channel><Computer>7f88b548-45ef-11e5-a549-005056923487/72ea833a-46d4-11e5-a549-005056923487</Computer><Security/></System><EventData><Data Name="SubjectIP" IPVersion="4">172.18.83.50</Data><Data Name=" SubjectUnix" Uid="1000" Gid="200" Local="false"></Data><Data Name="SubjectUserSid">S-1-5-21-315225131-152720833-1400237508-500</Data><Data Name="SubjectUserIsLocal">false</Data><Data Name="SubjectDomainName">Not Present</Data><Data Name="SubjectUserName">Not Present</Data><Data Name="ObjectServer">Security</Data><Data Name="ObjectType">File</Data><Data Name="HandleID">00000000000402;00;0000065e;009be8aa</Data><Data Name="ObjectName">(musica);/Gustav Mahler/Symphony No. 9 [Disc 1 of 2] - Leonard Bernstein Royal Concertgebouw Orchestra/1-01 Mahler_ Symphony #9 In D - 1A..mp3</Data><Data Name="InformationSet">NFS4 ACL; </Data></EventData></Event>
This is what a permissions change looks like from evtx.