Thursday, 9 May 2013

Enable file access auditing for Windows clients on NetApp FAS (cifs auditing)

What:

NetApp FAS270, FAS2020, FAS2040, FAS2240, FAS2050

Problem:

Client needs to audit access to files and directories on network shares.

Solution:

Before we enable auditing we need to make sure that:
- CIFS is licensed and enabled on the storage system
- The file or directory to be audited is in a mixed or NTFS volume or qtree

SSH onto the NetApp box and logon.

Take note of the current settings with
options cifs.audit

Set the events that you would like to audit. In this case I need to audit only file access, so I set only that one option to "on".

Audit file access events
options cifs.audit.file_access_events.enable {on | off}
Audit log-on/log-off events
options cifs.audit.logon_events.enable {on | off}
Audit account management events
options cifs.audit.account_mgmt_events.enable {on | off}
Now enable CIFS audit (it is disabled by default)
cifs audit {start | stop}
or the command which does the same thing
options cifs.audit.enable {on | off}
Compare the old settings with the new ones
options cifs.audit
That's all you need to change on the NetApp box to have auditing enabled, but the custom settings below are highly recommended.

=======================================================================

Custom settings


Change external event log location

Create a folder in your shared directory called "Auditing_logs", then list the shares with
cifs shares *
The path to the folder should look as follows:
"/vol/vol0/Share/Auditing_logs"
Store events in the new location:
options cifs.audit.saveas "/vol/vol0/Share/Auditing_logs"
To save audit events manually, issue the following command:
cifs audit save [-f]
* The -f option lets you overwrite the existing event log file. If the event log does not exist yet, you can omit the -f option.


Saving audit events

Audit event information is stored in the /etc/log/cifsaudit.alf file. I do not use Live View, so I need to periodically save the contents of this file to an external EVT file, which by default is located at /etc/log/adtlog.evt.
* You can access files in the /etc directory from a Windows PC using the UNC path \\netappbox\c$

You can specify that audit events are automatically saved to the event log based on a time interval or on the size of the internal log file, that is, on how full the cifsaudit.alf file is. The default threshold is 75%, which I will leave as it is.

Specify the maximum size of the cifsaudit.alf file
options cifs.audit.logsize 10485760
* The size is in bytes; the default value is 524,288 bytes (512K) and the maximum value is 68,719,476,736 bytes (64 GB)

Specify the maximum number of automatically saved files
options cifs.audit.autosave.file.limit 0
* The value can be set from 0 (unlimited) to 999; once the limit is reached the oldest file is overwritten

Enable auto-save
options cifs.audit.autosave.onsize.enable on

To clear the internal cifsaudit.alf file and start over, use
cifs audit clear
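As an added check, not part of the original post or of any NetApp tool: this Python script parses a constructed sample of "options cifs.audit" output, compares it with the settings from both sections above (events, enable, saveas, logsize, autosave) and prints the options commands still needed. The sample dump is made up and its column layout is an assumption.

```python
"""Check a 7-mode 'options cifs.audit' dump against the settings this post recommends."""
import re

# Baseline taken from the post: what each option should read once auditing is set up.
BASELINE = {
    "cifs.audit.enable": "on",
    "cifs.audit.file_access_events.enable": "on",
    "cifs.audit.autosave.onsize.enable": "on",
    "cifs.audit.saveas": "/vol/vol0/Share/Auditing_logs",
}
MIN_LOGSIZE = 10485760  # bytes, the value chosen in the post (the default is 512K)

# Constructed sample of 'options cifs.audit' output from a box still at defaults.
# The column spacing is an assumption; only options named in the post are listed.
SAMPLE = """\
cifs.audit.account_mgmt_events.enable off
cifs.audit.autosave.file.limit        0
cifs.audit.autosave.onsize.enable     off
cifs.audit.enable                     off
cifs.audit.file_access_events.enable  on
cifs.audit.logon_events.enable        off
cifs.audit.logsize                    524288
cifs.audit.saveas                     /etc/log/adtlog.evt
"""

def parse_options(text):
    """Turn 'name value' lines into a dict; lines that are not options are skipped."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^(cifs\.audit\.\S+)\s+(\S.*?)\s*$", line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts

def audit_drift(opts):
    """Return the 'options' commands still needed to reach the baseline (empty = compliant)."""
    fixes = []
    for name, want in BASELINE.items():
        if opts.get(name) != want:  # paths are quoted the way the post quotes saveas
            fixes.append(f'options {name} "{want}"' if "/" in want else f"options {name} {want}")
    try:
        size = int(opts.get("cifs.audit.logsize", "0"))
    except ValueError:  # e.g. a dump with a trailing note instead of a plain number
        size = 0
    if size < MIN_LOGSIZE:
        fixes.append(f"options cifs.audit.logsize {MIN_LOGSIZE}")
    return fixes

if __name__ == "__main__":
    for cmd in audit_drift(parse_options(SAMPLE)):
        print(cmd)
```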

=======================================================================

Enable auditing for selected folders

To enable auditing access on individual files and directories, complete the following steps on the Windows administration host.

  1. Create a new security group called "File access audit" and add all the users you need to collect information about.
  2. Select the file or directory for which you want to enable auditing access.
  3. Right-click on the file or directory, and select Properties.
  4. Select the Security tab.
  5. Click Advanced.
  6. Select the Auditing tab.
  7. Add, edit, or remove the auditing options you want for the "File access audit" group.

=======================================================================

Opening and analysing logs

You can use the Windows Event Viewer:
Start > Run, type in eventvwr
Going through all those logs is an almost impossible task, so I decided to use Log Parser Lizard, which is a free application. I added a separate post about it called
Analyze evt log files with Log Parser Lizard - NetApp auditing

5 comments:

  1. Thanks for this kind update, just wanted to know whether by this we won't be using any third-party tool any more. Well, a few days back I had to monitor all the files and folders within my file server and I used the Lepide File Server audit tool and it has worked very fine for me.

    Please update this information so that it would examine not using any third-party tool any more.

    Thanks.

  2. Rachit, thanks for your comment, I will definitely check LipideAuditor. As I am reading on their website, it is currently available in two versions, Freeware and Enterprise edition, so it is worth giving it a try.

    Thanks again.

  3. Wrong spelling, it is called "LepideAuditor for File Server"

  4. This was very helpful indeed. Thank you.

  5. Good information, I found good information related to file access auditing from http://www.lepide.com/file-server-audit/. This tool tracks unauthorized access and critical modifications occurring in a particular network. It helps administrators in the management of auditing and reporting of all file servers from a central location. It generates complete report information, which includes what, who, when and where modifications were made, and saves it in DOC, TXT, HTML and PDF formats. This utility works easily with an interactive GUI and more interesting salient features.
