vserver security trace trace-result show

Description​

The vserver security trace trace-result show command displays the list of security trace event records stored on the cluster. These records are generated in response to security trace filters that are created using the vserver security trace filter create command. The command output depends on the parameter or parameters specified with the command. If you do not specify any parameters, the command displays the following information about all the security trace events generated since the filter was enabled:

• Vserver name

• Cluster node name

• Security trace filter index number

• User name

• Security style

• Path

• Reason

Parameters​

{ [-fields <fieldname>, ...]

If you specify this parameter, the command only displays the fields that you specify.

| [-instance ]}

If you specify this parameter, the command displays detailed information about all security trace events.

[-node {<nodename>|local}] - Node

If you specify this parameter, the command displays information only about security trace events on the specified node.

[-vserver <vserver name>] - Vserver

If you specify this parameter, the command displays information only about security trace events on the specified Vserver.

[-seqnum <integer>] - Sequence Number

If you specify this parameter, the command displays information only about the security trace events with this sequence number.

[-keytime <Date>] - Time

If you specify this parameter, the command displays information only about security trace events that occurred at the specified time.

[-index <integer>] - Index of the Filter

If you specify this parameter, the command displays information only about security trace events that occurred as a result of the filter corresponding to the specified filter index number.

[-client-ip <IP Address>] - Client IP Address

If you specify this parameter, the command displays information only about security trace events that occurred as a result of file access from the specified client IP address.

[-path <TextNoCase>] - Path of the File Being Accessed

If you specify this parameter, the command displays information only about the security trace events that occurred as a result of file accesses to the specified path.

[-win-user <TextNoCase>] - Windows User Name

If you specify this parameter, the command displays information only about the security trace events that occurred as a result of file access by the specified Windows user.

[-security-style <security style>] - Effective Security Style On File

If you specify this parameter, the command displays information only about the security trace events that occurred on file systems with the specified security style. The allowed values for security style are the following:

• SECURITY_NONE - Security not Set

• SECURITY_UNIX_MODEBITS - UNIX and UNIX permissions

• SECURITY_UNIX_ACL - UNIX and NFSv4 ACL

• SECURITY_UNIX_SD - UNIX and NT ACL

• SECURITY_MIXED_MODEBITS - MIXED and UNIX permissions

• SECURITY_MIXED_ACL - MIXED and NFSv4 ACL

• SECURITY_MIXED_SD - MIXED and NT ACL

• SECURITY_NTFS_MODEBITS - NTFS and UNIX permissions

• SECURITY_NTFS_ACL - NTFS and NT ACL

• SECURITY_NTFS_SD - NTFS and NT ACL

• SECURITY_UNIX - UNIX

• SECURITY_MIXED - MIXED

• SECURITY_NTFS - NTFS

• SECURITY_MODEBITS - UNIX permissions

• SECURITY_ACL - ACL

• SECURITY_SD - SD

[-result <TextNoCase>] - Result of Security Checks

If you specify this parameter, the command displays information about the security trace events that have the specified result. Access to a file or a directory can be 'allowed' or 'denied'. Output from this command displays the result as a combination of the reason for allowing or denying access, the location where access is either allowed or denied, and the access right for which the file operation is allowed or denied.

The following are the reasons why an access can be allowed:

• Access is allowed because the operation is trusted and no security is configured

• Access is allowed because the user has UNIX root privileges

• Access is allowed because the user has UNIX owner privileges

• Access is allowed because UNIX implicit permission grants requested access

• Access is allowed because the CIFS user is owner

• Access is allowed because the user has take ownership privilege

• Access is allowed because there is no CIFS ACL

• Access is allowed because CIFS implicit permission grants requested access

• Access is allowed because the security descriptor is corrupted and the user is a member of the Administrators group

• Access is allowed because the ACL is corrupted and the user is a member of the Administrators group

• Access is allowed because the user has UNIX permissions

• Access is allowed because explicit ACE grants requested access

• Access is allowed because the user has audit privileges

• Access is allowed because the user has superuser credentials

• Access is allowed because inherited ACE grants requested access

• Access is allowed because storage-level access guard (SLAG) grants requested access

• Access is allowed because no central access policies applied

• Access is allowed because no central access policies could be applied from the corrupt SACL

• Access is allowed because matching central access policy could not be located

• Access is allowed because no central access rules apply to the object

• Access is allowed because skipped one or more corrupt central access rules

• Access is allowed because all evaluated central access rules grant access

The following are the reasons why an access can be denied:

• Access is denied by UNIX permissions

• Access is denied by an explicit ACE

• Access is denied. The requested permissions are not granted by the ACE

• Access is denied. The security descriptor is corrupted

• Access is denied. The ACL is corrupted

• Access is denied. The sticky bit is set on the parent directory and the user is not the owner of file or parent directory

• Access is denied. The owner can be changed only by root

• Access is denied. The UNIX permissions/uid/gid/NFSv4 ACL can be changed only by owner or root

• Access is denied. The GID can be set by owner to a member of its legal group list only if 'Owner can chown' is not set

• Access is denied. The file or the directory has readonly bit set

• Access is denied. There is no audit privilege

• Access is denied. Enforce DOS bits blocks the access

• Access is denied. Hidden attribute is set

• Access is denied by an inherited ACE

• Access is denied as the volume is readonly or directory is a snapshot

• Access is denied. System attribute is not set in the request

• Access is denied by the storage-level access guard (SLAG)

• Access is denied, file is infected

• Access is denied. Central access policy DB not ready

• Access is denied. Central access rule is corrupt

• Access is denied. Central access rule explicitly denied access

• Access is denied. Matching central access policy not found

• Access is denied because the user does not have UNIX root privileges

• Access is denied because the UNIX user could not be mapped to a valid NT user

• Access is denied because the UNIX permissions/uid/gid/NFSv4 ACL cannot be set in an NTFS qtree

The command or the location at which access was denied or allowed are as follows:

• while traversing the directory.

• while truncating the file.

• while creating the directory.

• while creating the file.

• while checking parent's mode bits during delete.

• while deleting the child.

• while checking for child-delete access on the parent.

• while reading security descriptor.

• while accessing the link.

• while creating the directory.

• while creating or writing the file.

• while opening existing file or directory.

• while setting the attributes.

• while traversing the directory.

• while reading the file.

• while reading the directory.

• while deleting the target during rename.

• while deleting the child during rename.

• while writing data in the parent during rename.

• while adding a directory during rename.

• while adding a file during rename.

• while updating the target directory during rename.

• while setting attributes.

• while writing to the file.

• while extending the coral file.

• while creating the vdisk file.

• while checking for stale locks before open.

• while deleting a file or a directory.

• while truncating a hidden file.

• while truncating a file.

• while truncating a system file.

• while appending to a file or setting a file attribute.

• while opening a file or directory for delete.

• while checking for permission on parent directory during create.

• while appending to the file.

• while creating the device file.

• while reading the user's access rights on an object.

The access rights for which the file operation is allowed or denied are as follows:

• Append.

• Delete.

• Delete Child.

• Execute.

• Generic All.

• Generic Execute.

• Generic Read.

• Generic Write.

• Maximum Allowed.

• Read.

• Read Attributes.

• Read Control.

• Read EA.

• System Security.

• Synchronize.

• Write.

• Write Attributes.

• Write DAC.

• Write EA.

• Write Owner.

• None.

[-unix-user <TextNoCase>] - UNIX User Name

If you specify this parameter, the command displays information only about the security trace events that occurred as a result of file access by the specified UNIX user.

[-session-id <integer>] - CIFS Session ID

If you specify this parameter, the command displays information only about the security trace events that occurred as a result of file access by the specified CIFS session ID.

[-share-name <TextNoCase>] - Accessed CIFS Share Name

If you specify this parameter, the command displays information only about the security trace events that occurred as a result of file access by the specified CIFS share name.

[-protocol {cifs|nfs}] - Protocol

If you specify this parameter, the command displays information only about the security trace events that occurred for the specified protocol.

[-volume-name <TextNoCase>] - Accessed Volume Name

If you specify this parameter, the command displays information only about the security trace events that occurred as a result of file access by the specified volume name.