Skip to main content

Auditing NAS events on SVMs

Auditing for NAS events is a security measure that enables you to track and log certain CIFS and NFS events on storage virtual machines (SVMs). This helps you track potential security problems and provides evidence of any security breaches. You can also stage and audit Active Directory central access policies to see what the result of implementing them would be.

CIFS events

You can audit the following events:

  • SMB file and folder access events

    You can audit SMB file and folder access events on objects stored on FlexVol volumes belonging to the auditing-enabled SVMs.

  • CIFS logon and logoff events

    You can audit CIFS logon and logoff events for CIFS servers on SVMs.

  • Central access policy staging events

    You can audit the effective access of objects on CIFS servers using permissions applied through proposed central access policies. Auditing through the staging of central access policies enables you to see what the effects are of central access policies before they are deployed.

    Auditing of central access policy staging is set up using Active Directory GPOs; however, the SVM auditing configuration must be configured to audit central access policy staging events.

    Although you can enable central access policy staging in the auditing configuration without enabling Dynamic Access Control on the CIFS server, central access policy staging events are generated only if Dynamic Access Control is enabled. Dynamic Access Control is enabled through a CIFS server option. It is not enabled by default.

NFS events

You can audit file and directory NFSv4 access events on objects stored on SVMs.

  • How auditing works
    Before you plan and configure your auditing configuration, you should understand how auditing works.
  • Auditing requirements and considerations
    Before you configure and enable auditing on your storage virtual machine (SVM), you need to be aware of certain requirements and considerations.
  • Limitations for the size of audit records on staging files
    The size of an audit record on a staging file cannot be greater than 32 KB.
  • What the supported audit event log formats are
    Supported file formats for the converted audit event logs are EVTX and XML file formats.
  • Viewing audit event logs
    You can use audit event logs to determine whether you have adequate file security and whether there have been improper file and folder access attempts. You can view and process audit event logs saved in the EVTX or XML file formats.
  • SMB events that can be audited
    ONTAP can audit certain SMB events, including certain file and folder access events, certain logon and logoff events, and central access policy staging events. Knowing which access events can be audited is helpful when interpreting results from the event logs.
  • NFS file and directory access events that can be audited
    ONTAP can audit certain NFS file and directory access events. Knowing what access events can be audited is helpful when interpreting results from the converted audit event logs.
  • Planning the auditing configuration
    Before you configure auditing on storage virtual machines (SVMs), you must understand which configuration options are available and plan the values that you want to set for each option. This information can help you configure the auditing configuration that meets your business needs.
  • Creating a file and directory auditing configuration on SVMs
    Creating a file and directory auditing configuration on your storage virtual machine (SVM) includes understanding the available configuration options, planning the configuration, and then configuring and enabling the configuration. You can then display information about the auditing configuration to confirm that the resultant configuration is the desired configuration.
  • Configuring file and folder audit policies
    Implementing auditing on file and folder access events is a two-step process. First, you must create and enable an auditing configuration on storage virtual machines (SVMs). Second, you must configure audit policies on the files and folders that you want to monitor. You can configure audit policies to monitor both successful and failed access attempts.