CIFS auditing does not work as expected due to missing SACLs
Applies to
- ONTAP 9
- CIFS auditing
Issue
- No file access auditing events are generated
- Logon and logoff events may be seen
- Filename is not shown in audit events
- vserver security file-directory shows no SACL on the volume or CIFS shares:
::> vserver security file-directory show -vserver svm_netapp -path /vol_netapp -instance
Vserver: svm_netapp
File Path: /vol_netapp
File Inode Number: 64
Security Style: ntfs
Effective Style: ntfs
DOS Attributes: 10
DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
UNIX User Id: 0
UNIX Group Id: 0
UNIX Mode Bits: 777
UNIX Mode Bits in Text: rwxrwxrwx
ACLs: NTFS Security Descriptor
Control:0x9504
Owner:BUILTIN\Administrators
Group:BUILTIN\Administrators
DACL - ACEs
ALLOW-NT AUTHORITY\SYSTEM-0x1f01ff-OI|CI
ALLOW-BUILTIN\Administrators-0x1f01ff-OI|CI
ALLOW-Everyone-0x1f01ff-OI|CI
- Auditing is correctly set up:
::*> vserver audit show -vserver svm1 -fields events
vserver events
---------- --------------------------------------------------------------------------
svm1 file-ops,cifs-logon-logoff,user-account,security-group,audit-policy-change
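
The check described above, done by parsing saved `vserver security file-directory show -instance` output, as an added example (not NetApp code); `check_sacl` is a hypothetical name. Assumptions: the `Control:` word uses the Windows security descriptor control bits (SACL present = 0x0010), a SACL would be listed under a `SACL - ACEs` heading mirroring the DACL one, and the second sample is constructed.

```python
import re

# Windows SECURITY_DESCRIPTOR_CONTROL bit; assumed to apply to ONTAP's "Control:" field
SE_SACL_PRESENT = 0x0010

# Output taken from the article: /vol_netapp has a DACL but no SACL
PAGE_OUTPUT = """\
File Path: /vol_netapp
Security Style: ntfs
ACLs: NTFS Security Descriptor
Control:0x9504
Owner:BUILTIN\\Administrators
Group:BUILTIN\\Administrators
DACL - ACEs
ALLOW-NT AUTHORITY\\SYSTEM-0x1f01ff-OI|CI
ALLOW-BUILTIN\\Administrators-0x1f01ff-OI|CI
ALLOW-Everyone-0x1f01ff-OI|CI
"""

# Constructed sample (not from the article): same path with one audit ACE added
CONSTRUCTED_WITH_SACL = PAGE_OUTPUT.replace("Control:0x9504", "Control:0x9514") + """\
SACL - ACEs
ALL-Everyone-0x1f01ff-OI|CI|SA|FA
"""

def check_sacl(output):
    """Parse one path's security descriptor and report whether a SACL exists."""
    path = control = section = None
    aces = {"DACL": [], "SACL": []}
    for line in (l.strip() for l in output.splitlines()):
        if m := re.match(r"File Path:\s*(.+)", line):
            path = m.group(1)
        elif m := re.match(r"Control:\s*(0x[0-9a-fA-F]+)", line):
            control = int(m.group(1), 16)
        elif m := re.match(r"(DACL|SACL) - ACEs", line):
            section = m.group(1)          # following lines are ACEs of this list
        elif section and line:
            aces[section].append(line)
    flag = control is not None and bool(control & SE_SACL_PRESENT)
    return {"path": path, "control": control, "dacl": aces["DACL"],
            "sacl": aces["SACL"], "sacl_flag": flag,
            "has_sacl": flag and bool(aces["SACL"])}

if __name__ == "__main__":
    for name, text in (("article", PAGE_OUTPUT), ("constructed", CONSTRUCTED_WITH_SACL)):
        r = check_sacl(text)
        verdict = "SACL present" if r["has_sacl"] else "no SACL (matches the symptom above)"
        print(f"{name}: {r['path']} control={r['control']:#06x} "
              f"sacl_aces={len(r['sacl'])} -> {verdict}")
```
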