NetApp File Activity Monitoring

NetApp File Activity Monitoring

Note: This blog is the third in a 4 part series, followed by a webinar to review all the challenges with File System access auditing. Sign up now for the webinar “Challenges with Relying on Native File System Logging“. Register now.

In our last post, we walked through configuring file access auditing on a Windows File server and explored some of the common challenges with data interpretation. In this post, we will take a similar look at file access auditing on a NetApp CMode File Server.

Before We Start

While there is only one basic file access auditing approach offered natively by Windows, NetApp has two distinct approaches for file access auditing:

  • Native ONTAP Functionality – This approach enables administrators to monitor file and folder access and modification attempts leveraging a similar (but different) methodology that is available through Windows. File access events are stored on disk on the individual SVM nodes and are periodically consolidated and converted into user readable events which are then stored in the audit event log directory for the SVM.
  • FPolicy – The ONTAP FPolicy framework manages access events and can send them to external FPolicy servers for processing. This approach provides a file access monitoring and blocking framework which allows for a richer set of use cases when working with third party software like the STEALTHbits Activity Monitor.

A Little Bit About FPolicy

There are two basic FPolicy configurations:

  • Native FPolicy Server Configuration – This type of configuration does not require an external FPolicy server and can be used for the simple use case of monitoring and blocking based on file extension.
  • External FPolicy Server Configuration – This configuration leverages external FPolicy servers which receive the access events, and can apply rules to either allow or block the file operation.

While the external server configuration offers for more robust use cases, it requires working with  third party solutions such as STEALTHbits File Activity Monitor, which can have several benefits including additional parsing of the data to reduce noise events, an easy to query interface to answer simple questions, and the ability to feed this data to alternate technologies such as SIEM for advanced correlation and safekeeping, or StealthDEFEND for advanced thread detection. 

In order to get the full set of audit data while solely relying on native functionality, we will need to configure an audit policy leveraging native ONTAP functionality.

Configuring File Access Auditing using Native OnTap Functionality

The first step before creating and enabling an audit policy on any NetApp Cluster or SVM is to understand the configuration options and parameters available. The table below describes these along with their limitations and default values.

ParameterDescriptionLimitationsRequiredDefault Value
VserverName of the SVM which the auditing configuration will be created.The SVM specified must already exist.YesN/A
DestinationSpecifies the path to the directory where the audit logs will be stored.The path must already exist on the SVM and cannot be more than 864 characters. The log destination cannot be on the root volume if the SVM is a disaster recovery resource.YesN/A
EventsDetermines the types of events to be audited. This can include File Access Events, CIFS logon and logoff events, File Share Events, Audit and several more which you can refer to in this document.Refer to this document for specific limitations based on event category. NoFile Access Events, CIFS logon and logoff events
FormatDetermines the output format of the audit log. The available options are on an ONTAP specific XML format, or the NetApp specific EVTX format.While the EVTX format can be viewed using Microsoft Event Viewer, The XML file format will require a third-party application.NoEVTX
Rotate LimitSpecifies the number of audit logs to retain. If this value is set to 0, then all the log files will be retained.There must be enough room in the destination path for the logs to support the log rotation configuration.No0
Rotate SizeSpecifies the limit of the log file size before it gets rotated. This is the default rotation option used if no other option is specified.There must be enough room in the destination path for the logs to support the log rotation configuration.No100 MB
Rotate Schedule
Specifies the schedule for log rotation. This can be configured by Month, Day of Week, Day, Hour, or Minute.There must be enough room in the destination path for the logs to support the log rotation configuration.NoN/A

Once the appropriate configuration is determined, we can begin configuring and enabling the audit using the CLI.

1) Create policy based on desired configuration settings using the ‘vserver audit create’ command.

For our example, we will create a policy using the following configurations

  • Events: file-ops, cifs-logon-logoff, file-share
    • Format: EVTX
    • Rotate Limit: 5
    • Rotate Size: 100 MB
Figure 1: Vserver Audit Create

To review the newly created audit, run the ‘vserver audit show’ command.

Figure 2: Vserver Audit Show, Audit Disabled

2) Enable the audit policy using the ‘vserver audit enable’ command.

Figure 3: Vserver enabled

To view that the audit has been enabled, rerun the ‘vserver audit show’ command.

Figure 4: Vserver audit show, Audit Enabled

3) Configure the SACL using Windows Explorer in a similar manner to the configuration on a Windows File Server.

Figure 5: SACL Configuration through Windows Explorer Advanced Security Settings

Challenges with Interpreting Critical Access Events

Many of the same challenges we’ve discussed in the previous post exist with the events returned by the native ONTAP file access auditing functionality. For example, the same noise events will need to be handled in scenarios where users are accessing Microsoft Office documents, and the same level of correlation is required for move events. For the purpose of this blog post, we will focus on the places where NetApp differs. 

Permission Changes

While we discussed the difficulties and tedious process involved with interpreting permission change events on Windows File Servers, the quality of this data takes a steep decline when entering into the realm of Network Attached Storage (NAS) servers, including NetApp.

NetApp versions 9.2 and later provide 4670 events, but prior to that, the only way to identify a permission change would be to filter to 4663 events with the InformationSet field present and set to ‘CIFS ACL’.

Figure 6: XML View of 4663 event for a Permission Change

While the General tab shows limited details, the details tab provides some event specific information in both a ‘Friendly View’ and ‘XML View’. In the example above, the XML view technically shows that the CIFS ACL of the Copyright.txt file was successfully updated by a domain user named Farrah, but it does not actually show us any detail on the permission itself, new or old. In this case it is almost impossible to know what the permission change is without having complete visibility into Active Directory security principals and file system permissions at all times.

Object Paths

Another area where native ONTAP auditing can require manual efforts to interpret the data is with the representation of file paths. The object path displayed in the audit record in the ObjectName field will only contain the name of the volume and the relative path from the root of the volume.

Figure 7: Object Path Representation

In the example above, the volume name is “DAT1”, and the relative path to the file is “/Marketing/Competitive Analysis/2019 Trends.xlsx”. In order to determine the full path to the file, you will need to run the ‘volume show –junction’ command against the volume listed to determine the junction path for the volume.

Figure 8: Volume Junction Path

Once you have this information, you need to manually derive the complete path of the object by appending the relative path to the junction path. In this case, the full path to the file would be /DATA/DAT1/Marketing/Competitive Analysis/2019 Trends.xlsx.

In our final blog post of the series, we will walk through the configuration of native file access auditing on an EMC Isilon File Server, and will explore some of the unique challenges with data quality on these file systems.

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Start a Free StealthAUDIT® Trial!

No risk. No obligation.