7.11 Monitoring NetApp Storage

Storage solutions like NetApp hold a large amount of data and can therefore generate a large volume of audit events. Change Guardian's policy-based monitoring lets you monitor the files and folders on NetApp storage that matter most and receive alerts when they change.

Change Guardian supports both the CIFS (Common Internet File System) and NFS (Network File System) protocols for monitoring NetApp. You must use Security Agent for UNIX 7.6 or later and enable native auditing on the NetApp shares that you want to monitor.

You can monitor and receive alerts for a variety of malicious behaviors on a Network Attached Storage (NAS) device, for example an unauthorized user accessing confidential files or directories. You can also include or exclude specific files or folders from the audit scope to keep auditing faster and more efficient.

7.11.1 Implementation Checklist

Complete the following tasks to monitor NetApp shares:

  • Complete the prerequisites. See Prerequisites.

  • Assign a license key manually in an upgrade scenario. See Assigning a Module License after Upgrade.

  • Configure NetApp native auditing. See Configuring NetApp Native Auditing for CIFS and Configuring NetApp Native Auditing for NFS.

  • Mount the NetApp audit log files on the agent computer. See Mounting NetApp Volumes and Audit Logs in Security Agent for Unix.

  • Create the NetApp configuration file on the agent computer. See Creating a Configuration File.

  • Create and assign a policy for a NetApp share. See Creating and Assigning NetApp Policies.

7.11.2 Prerequisites

Complete the following prerequisites to monitor a NetApp share:

  • For supported platforms and hardware requirements, see the Technical Information website.

  • Ensure that your NetApp Filer is in cluster mode (ONTAP 9.x and later).

  • Install Security Agent for UNIX 7.6 or later on a RHEL or SLES Linux platform. This instance of Security Agent for UNIX must be dedicated to monitoring NetApp only. For more information, see the Security Agent for UNIX documentation.

7.11.3 Configuring the NetApp Native Auditing Solution

You must configure the NetApp native auditing solution to monitor file and directory events on an SVM with a FlexVol volume.

A security descriptor can contain a Discretionary Access Control List (DACL), which controls file and folder access permissions, a System Access Control List (SACL), which controls file and folder auditing, or both. Only objects with an SACL (or, over NFS, an audit ACE) produce audit events, so setting the DACL alone does not make an object visible to Change Guardian.

NOTE: If you create and modify a file in quick succession (for example, with the cat command), the file-modify event might be missing, because NetApp writes and updates its audit logs more slowly than Linux performs the operations.

NOTE: For better performance, store the audit file on a separate volume.

Configuring NetApp Native Auditing for CIFS

You must create an auditing configuration for CIFS on the storage virtual machine (SVM) before you can monitor events generated from Windows systems. You monitor these events over CIFS by setting SACLs (System Access Control Lists) on storage objects in NTFS or mixed security-style volumes.

Launch the Data ONTAP command-line interface and run the following commands:

  1. Create audit configuration for an SVM:

    vserver audit create -vserver <Name_SVM> -destination /<Name_Volume>/<Folder> -events file-ops -format xml -rotate-size <Size> -rotate-limit 10

    Example: If the SVM is SVM1, the volume is vol1 and the folder is audit, the command is:

    vserver audit create -vserver SVM1 -destination /vol1/audit -events file-ops -format xml -rotate-size 1MB -rotate-limit 10

  2. Verify audit configuration:

    vserver audit show

  3. Enable SVM auditing:

    vserver audit enable -vserver <Name_SVM>

    Example:

    vserver audit enable -vserver SVM1

Configuring NetApp Native Auditing for NFS

You must create an auditing configuration for NFS on the storage virtual machine (SVM) to monitor events generated from Linux systems. You monitor these events over NFS by setting NFSv4 ACLs (Access Control Lists) on storage objects in UNIX or mixed security-style volumes.

Launch the Data ONTAP command-line interface and run the command:

  1. Create audit configuration for an SVM:

    vserver audit create -vserver <Name_SVM> -destination /<Name_Volume>/<Folder> -events file-ops -format xml -rotate-size <Size> -rotate-limit 10

    Example: If the SVM is SVM1, the volume is vol1 and the folder is audit, the command is:

    vserver audit create -vserver SVM1 -destination /vol1/audit -events file-ops -format xml -rotate-size 1MB -rotate-limit 10

  2. Verify audit configuration:

    vserver audit show

  3. Enable SVM auditing:

    vserver audit enable -vserver <Name_SVM>

    Example:

    vserver audit enable -vserver SVM1

  4. Enable ACL for NFS:

    vserver nfs modify -vserver <name_SVM> -v4.0 enabled -v4.0-acl enabled

    Example:

    vserver nfs modify -vserver SVM1 -v4.0 enabled -v4.0-acl enabled

  5. On a Linux host that has nfs4-acl-tools installed, mount the volume over NFSv4 and set the audit ACLs:

    1. Create a mount directory:

      mkdir <mount_path>

    2. Mount the volume over NFSv4:

      mount -t nfs4 <nas_SVMIP>:/<volume_name> <mount_path>

      Example:

      If the SVM IP is x.x.x.x, the volume name is vol1 and the mount path is /mnt/folder1, run the following command:

      mount -t nfs4 x.x.x.x:/vol1 /mnt/folder1

    3. To monitor individual folders within a volume, add the audit ACE recursively to each folder in the mount directory that you need to monitor. The ACE is an audit entry (type U) that records both successful (S) and failed (F) access by EVERYONE@; the f and d flags make files and directories created later inherit it, while -R applies it to the objects that already exist.

      nfs4_setfacl -R -a U:fdSF:EVERYONE@:rwaDdTNCo <NFSShare>

      Example:

      If a folder in the volume is named NFSShare, run the following command:

      nfs4_setfacl -R -a U:fdSF:EVERYONE@:rwaDdTNCo NFSShare

    4. To monitor an entire volume, add the audit ACE recursively to the mount directory on which the volume is mounted:

      nfs4_setfacl -R -a U:fdSF:EVERYONE@:rwaDdTNCo <mount directory>

      Example:

      If the mount directory is /mnt/folder1, run the following command:

      nfs4_setfacl -R -a U:fdSF:EVERYONE@:rwaDdTNCo /mnt/folder1
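To confirm that the audit ACE from step 5 was actually applied, the following shell script is an added example; it is not part of the Change Guardian or NetApp documentation. It parses nfs4_getfacl output and succeeds only when an audit ACE (type U) for EVERYONE@ carries both the S and F flags and every permission letter set above. The sample ACL text is constructed, and the function names, the wrapper around nfs4_getfacl and the find-based sweep are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Change Guardian or NetApp documentation):
# verify that the NFSv4 audit ACE set by
#   nfs4_setfacl -R -a U:fdSF:EVERYONE@:rwaDdTNCo <path>
# is present on a path. Function names and the sample ACL text are assumptions.

# Permission letters the procedure grants in the audit ACE. nfs4_getfacl may
# print them in a different order, so each letter is checked individually.
AUDIT_PERMS="r w a D d T N C o"

# has_audit_ace ACL_TEXT
# ACL_TEXT is nfs4_getfacl output. Succeeds (exit 0) when an audit ACE
# (type U) for EVERYONE@ carries both the S (audit success) and F (audit
# failure) flags and every permission letter in AUDIT_PERMS.
has_audit_ace() {
    printf '%s\n' "$1" | awk -F: -v perms="$AUDIT_PERMS" '
        BEGIN { found = 0; n = split(perms, need, " ") }
        /^#/ { next }                     # "# file: <path>" header lines
        $1 == "U" && $3 == "EVERYONE@" && index($2, "S") && index($2, "F") {
            ok = 1
            for (i = 1; i <= n; i++) if (!index($4, need[i])) ok = 0
            if (ok) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# check_audit_ace PATH
# Runs nfs4_getfacl on PATH (needs nfs4-acl-tools and an NFSv4 mount).
# Returns 0 if the audit ACE is set, 1 if not, 2 if the ACL cannot be read.
check_audit_ace() {
    acl=$(nfs4_getfacl "$1" 2>/dev/null) || return 2
    has_audit_ace "$acl"
}

# find_missing_audit_ace DIR
# Lists existing objects under DIR that lack the audit ACE. Only existing
# objects need this sweep: the f and d inherit flags make children created
# later inherit the ACE automatically.
find_missing_audit_ace() {
    find "$1" -print | while IFS= read -r p; do
        check_audit_ace "$p" || printf 'missing audit ACE: %s\n' "$p"
    done
}

# Constructed sample nfs4_getfacl output (not captured from a real system).
SAMPLE_AUDITED='# file: /mnt/folder1/NFSShare
U:fdSF:EVERYONE@:rwaDdTNCo
A::OWNER@:rwaDxtTnNcCy
A:g:GROUP@:rxtncy
A::EVERYONE@:rxtncy'

# Same object, but the ACE audits successful access only (no F flag), so
# denied attempts on confidential data would never be logged.
SAMPLE_SUCCESS_ONLY='# file: /mnt/folder1/other
U:fdS:EVERYONE@:rwaDdTNCo
A::OWNER@:rwaDxtTnNcCy'

if [ "${1:-}" = "demo" ]; then
    has_audit_ace "$SAMPLE_AUDITED" && echo "NFSShare: audit ACE present"
    has_audit_ace "$SAMPLE_SUCCESS_ONLY" || echo "other: audit ACE missing or incomplete"
fi
```

Run `find_missing_audit_ace /mnt/folder1` after the nfs4_setfacl step to list any existing object the recursive apply did not reach; an ACE that lacks the F flag is reported as missing because failed-access attempts are exactly the events an unauthorized-access alert depends on.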

7.11.4 Mounting NetApp Volumes and Audit Logs in Security Agent for Unix

After completing the NetApp audit configuration, mount two NetApp volumes on the Security Agent for Unix computer: the volume that holds the audit logs and the volume that contains the CIFS or NFS share to monitor.

Mounting the Audit Logs in CIFS

Create a mount point on the Security Agent for Unix computer, add the NetApp mount details to /etc/fstab, and mount the audit log volume and the NetApp volume that contains the CIFS share.

  1. Create a mount directory.

    Example:

    mkdir /mnt/audit

  2. Go to /usr/netiq/vsau/etc and create a new file named cifs.

  3. Add the following lines to the cifs file:

    username=<user name>

    password=<password>

    domain=<domain name>

  4. Restrict the file permissions so that only root can read the credentials:

    chmod 600 cifs

  5. Update the /etc/fstab in the following format:

    <svm_ip>:/<volume> <mountlocation> cifs ro,nouser,noexec,nosuid,credentials=/usr/netiq/vsau/etc/cifs 0 0

    Example:

    10.0.0.1:/vol1 /mnt/audit cifs ro,nouser,noexec,nosuid,credentials=/usr/netiq/vsau/etc/cifs 0 0

  6. Mount the audit volume to the mount location:

    Example:

    mount /mnt/audit

    NOTE: The agent must have read permission on the audit file.

Mounting the Audit Logs in NFS

Create a mount point on the Security Agent for Unix computer, add the NetApp mount details to /etc/fstab, and mount the audit log volume and the NetApp volume over NFS.

  1. Create a mount directory:

    Example:

    mkdir /mnt/audit

  2. Update the /etc/fstab in the following format:

    <svm_ip>:/<volume> <mountlocation> nfs ro,nouser,noexec,nosuid 0 0

    Example:

    10.0.0.1:/vol1 /mnt/audit nfs ro,nouser,noexec,nosuid 0 0

  3. Mount the audit volume to the mount location:

    Example:

    mount /mnt/audit

NOTE: Add the /etc/fstab entry and mount the volume that contains the NetApp share in the same order as the steps above.

7.11.5 Creating a Configuration File

Complete the following steps in Security Agent for UNIX:

  1. Go to /usr/netiq/vsau/etc and create a new file named netapp-volume-tab.

  2. Add a line to the netapp-volume-tab file in the following comma-separated format (no spaces):

    SVM_IP_address,share,mount_directory,volume

    Example:

    If the SVM IP is x.x.x.x, the share name is vol1, the mount directory is /mnt/audit and the volume name is vol1, the line is:

    x.x.x.x,vol1,/mnt/audit,vol1

NOTE: To monitor an entire volume, specify the volume path instead of the share name, for example x.x.x.x,/vol1,/mnt/audit,vol1
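The following shell functions are an added example, not part of the Change Guardian documentation. They produce the agent-side files from the two procedures above (the cifs credentials file, the /etc/fstab entries and the netapp-volume-tab line) and check the result before anything is written to /etc/fstab. The paths, mount options and line formats are the document's; the function names, the VSAU_ETC override variable, the sample user name, password and domain, and the hardening check are assumptions made for this example. The credentials file is created under umask 077 so that it has mode 0600 from the moment it exists, instead of being world-readable until chmod 600 runs.

```shell
#!/bin/sh
# Added example (not part of the Change Guardian documentation): build the
# agent-side files from the mounting and configuration-file procedures and
# check them. Paths, mount options and line formats are the document's; the
# function names, VSAU_ETC and the hardening check are assumptions.

VSAU_ETC="${VSAU_ETC:-/usr/netiq/vsau/etc}"

# write_cifs_creds FILE USER PASSWORD DOMAIN
# Writes the credentials file with mode 0600 from creation (umask 077 in a
# subshell), so the password is never world-readable, not even briefly, as
# it would be if the file were created first and chmod 600 run afterwards.
write_cifs_creds() {
    (
        umask 077
        printf 'username=%s\npassword=%s\ndomain=%s\n' "$2" "$3" "$4" > "$1"
    )
}

# fstab_line PROTO SVM_IP VOLUME MOUNTPOINT [CREDFILE]
# Prints the /etc/fstab entry in the document's format: read-only, no setuid
# binaries, no execution and no user mounts, because the agent only needs to
# read the audit logs and the monitored share.
fstab_line() {
    case $1 in
        cifs) printf '%s:/%s %s cifs ro,nouser,noexec,nosuid,credentials=%s 0 0\n' "$2" "$3" "$4" "$5" ;;
        nfs)  printf '%s:/%s %s nfs ro,nouser,noexec,nosuid 0 0\n' "$2" "$3" "$4" ;;
        *)    printf 'unsupported protocol: %s\n' "$1" >&2; return 1 ;;
    esac
}

# voltab_line SVM_IP SHARE MOUNTDIR VOLUME
# Prints one netapp-volume-tab line. Pass the share name to monitor a share,
# or /VOLUME (for example /vol1) to monitor the whole volume.
voltab_line() {
    printf '%s,%s,%s,%s\n' "$1" "$2" "$3" "$4"
}

# fstab_entry_is_hardened LINE
# Succeeds only if the entry's option field (4th column) still carries ro,
# nosuid and noexec; run it before appending a line to /etc/fstab so an
# edited entry cannot silently turn the agent's mount into a writable,
# executable one.
fstab_entry_is_hardened() {
    opts=$(printf '%s\n' "$1" | awk '{ print $4 }')
    for o in ro nosuid noexec; do
        case ",$opts," in
            *,"$o",*) ;;
            *) return 1 ;;
        esac
    done
}

# Demo with the document's sample values (10.0.0.1, vol1, /mnt/audit); the
# user name, password and domain are placeholders. Prints the lines for
# review rather than appending them to /etc/fstab.
if [ "${1:-}" = "demo" ]; then
    write_cifs_creds "$VSAU_ETC/cifs" cg_reader 'changeme' EXAMPLE
    fstab_line cifs 10.0.0.1 vol1 /mnt/audit "$VSAU_ETC/cifs"
    fstab_line nfs 10.0.0.1 vol1 /mnt/audit
    voltab_line 10.0.0.1 vol1 /mnt/audit vol1
fi
```

Review the printed lines, then append the one that matches your protocol to /etc/fstab and the volume-tab line to /usr/netiq/vsau/etc/netapp-volume-tab before running mount /mnt/audit.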

7.11.6 Creating and Assigning NetApp Policies

Create policies to monitor NetApp at the following levels:

  • Storage Virtual Machine (SVM).

  • Shared volume.

  • All files in a folder or sub folder.

  • An individual file.

NOTE: Specify the /folder_name that you want to monitor in the directory field of the policy definition. To monitor at the SVM level, use / instead of a folder name.

Once created, assign policies to agent computers or groups.

For more information, see Creating Policies and Assigning Policies and Policy Sets.