What information is contained in an audit event for NFS delete operations?

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Views:: 90

Visibility:: Public

Votes:: 0

Category:: ontap-9

Specialty:: NAS

Last Updated:

Applies to

ONTAP 9
NFS audting

Answer

The following data is recorded when an NFS file deletion is audited:
- SubjectIP, IPVersion
- SubjectUnix,Uid,Gid,Local
- SubjectUserSid
- SubjectUserIsLocal
- SubjectDomainName
- SubjectUserName
- ObjectServer
- ObjectType
- HandleID
- ObjectName
- InformationSet
Note: This schema cannot be changed.
There are two options for viewing the audit, xml or evtx. XML can be viewed by any client. Where as with evtx, to view it, use windows audit log viewer
Following is what a “file delete” looks like

<Event><System><Provider Name="Netapp-Security-Auditing"/><EventID>9998</EventID><EventName>Unlink Object</EventName><Version>101.2</Version><Source>NFSv3</Source><Level>0</Level><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><Result>Audit Success</Result><TimeCreated SystemTime="2015-12-02T01:00:36.142467000Z "/><Correlation/><Channel>Security</Channel><Computer>7f88b548-45ef-11e5-a549-005056923487/72ea833a-46d4-11e5-a549-005056923487</Computer><Security/></System><EventData><Data Name="SubjectIP" IPVersion="4">172.18.83.90</Data><Data Name ="SubjectUnix" Uid="1000" Gid="200" Local="false"></Data><Data Name="SubjectUserSid">S-1-5-21-315225131-152720833-1400237508-500</Data><Data Name="SubjectUserIsLocal">false</Data><Data Name="SubjectDomainName">Not Present</Data><Data Name="SubjectUserName">Not Present</Data><Data Name="DirHandleID">00000000000402;00;00000bc6;000d18d5</Data><Data Name="FileName">(musica);/Gustav Mahler/this_is_a_test_dir/ntp.conf </Data><Data Name="SearchFilter"></Data></EventData></Event>

The Unlink Object is a delete. This displays the time, the source IP address, the user ID and group ID number of the person that did the remove, and the file name
Here is a permissions change:

<Event><System><Provider Name="Netapp-Security-Auditing"/><EventID>4663</EventID><EventName>Set Object Attributes</EventName><Version>101.3</Version><Source>NFSv4</Source><Level>0</Level><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><Result>Audit Success</Result><TimeCreated SystemTime="2015-12-02T00:59:06.790210000Z "/><Correlation/><Channel>Security</Channel><Computer>7f88b548-45ef-11e5-a549-005056923487/72ea833a-46d4-11e5-a549-005056923487</Computer><Security/></System><EventData><Data Name="SubjectIP" IPVersion="4">172.18.83.50</Data><Data Name=" SubjectUnix" Uid="1000" Gid="200" Local="false"></Data><Data Name="SubjectUserSid">S-1-5-21-315225131-152720833-1400237508-500</Data><Data Name="SubjectUserIsLocal">false</Data><Data Name="SubjectDomainName">Not Present</Data><Data Name="SubjectUserName">Not Present</Data><Data Name="ObjectServer">Security</Data><Data Name="ObjectType">File</Data><Data Name="HandleID">00000000000402;00;0000065e;009be8aa</Data><Data Name="ObjectName">(musica);/Gustav Mahler/Symphony No. 9 [Disc 1 of 2] - Leonard Bernstein Royal Concertgebouw Orchestra/1-01 Mahler_ Symphony #9 In D - 1A..mp3</Data><Data Name="InformationSet">NFS4 ACL; </Data></EventData></Event>

This is what a permissions change looks like from evtx.

Additional Information

additionalInformation_text