5.9 Configuring NetApp Storage Monitoring

Storage solutions such as NetApp hold large amounts of data and therefore generate a large volume of audit events. You can monitor, and receive alerts for, a variety of malicious behaviors on a Network Attached Storage (NAS) device, for example an unauthorized user accessing confidential files or directories. You can also include or exclude specific files from the audit scope to keep the audit faster and more efficient.

Change Guardian monitors file systems on NetApp storage and supports both the Common Internet File System (CIFS) and Network File System (NFS) protocols.

5.9.1 Implementation Checklist

Complete the tasks described in the following sections, in order, to start monitoring NetApp events:

5.9.2 Prerequisites

Ensure that you have completed the following:

  • Install a supported version of Data ONTAP Cluster Mode

  • Install Security Agent for UNIX

    NOTE: Install Security Agent for UNIX on a dedicated system. The agent reads the audit logs and the monitored shares from its own host; a dedicated system ensures that ordinary file reads from the agent host do not generate file read events of their own.

  • Install Policy Editor

5.9.3 Configuring the NetApp Native Auditing

Configure the NetApp native auditing solution to monitor file and directory events on your Storage Virtual Machines (SVM) with a FlexVol volume.

An NTFS security descriptor can carry a Discretionary Access Control List (DACL), which grants or denies access to the file or folder, and a System Access Control List (SACL), which defines which accesses are audited; a descriptor may contain either or both. NetApp generates file and folder audit events only for objects that carry a SACL.

For better performance, store the audit file in a separate volume and mount the complete share on the agent machine.

NOTE: If you use the cat command to create and then modify a file in quick succession, the file modify event may be missing, because NetApp updates its audit log more slowly than Linux completes the operations.

Configure NetApp auditing depending on the filesystem it uses:

NOTE: Ensure that you have root user privileges to complete these tasks.

Configuring NetApp Native Auditing for CIFS

You must create an auditing configuration on the SVM before you can monitor CIFS events on NetApp storage. Events are generated for the storage objects on which you set SACLs, in NTFS or mixed security-style volumes.

To configure auditing for CIFS:

  1. Launch the Data ONTAP command-line interface.

  2. Create audit configuration for an SVM:

    vserver audit create -vserver <Name_SVM> -destination /<Name_Volume>/<Name_Folder> -events file-ops -format xml -rotate-size <Size> -rotate-limit 10

    -rotate-size is the size at which the current log file is rotated (for example, 1MB) and -rotate-limit is the number of rotated log files that are kept.

    Example: If vserver name is SVM1, volume is vol1 and folder is audit, then the command is:

    vserver audit create -vserver SVM1 -destination /vol1/audit -events file-ops -format xml -rotate-size 1MB -rotate-limit 10

  3. Verify audit configuration:

    vserver audit show -vserver <Name_SVM>

    For example, to verify audit configuration for SVM1, run the following command:

    vserver audit show -vserver SVM1

    Vserver: SVM1
    Auditing State: false
    Log Destination Path: /vol1/audit
    Categories of Events to Audit: file-ops, cifs-logon-logoff, audit-policy-change
    Log Format: xml
    Log File Size Limit: 1MB
    Log Rotation Schedule: Month: -
    Log Rotation Schedule: Day of Week: -
    Log Rotation Schedule: Day: -
    Log Rotation Schedule: Hour: -
    Log Rotation Schedule: Minute: -
    Rotation Schedules: -
    Log Files Rotation Limit: 10

    The Auditing State remains false until you enable auditing in the next step.

  4. Enable SVM auditing:

    vserver audit enable -vserver <Name_SVM>

    Example:

    vserver audit enable -vserver SVM1

Configuring NetApp Native Auditing for NFS

To configure auditing for NFS:

  1. Launch the Data ONTAP command-line interface.

  2. Create audit configuration for an SVM:

    vserver audit create -vserver <Name_SVM> -destination /<Name_Volume>/<Name_Folder> -events file-ops -format xml -rotate-size <Size> -rotate-limit 10

    -rotate-size is the size at which the current log file is rotated (for example, 1MB) and -rotate-limit is the number of rotated log files that are kept.

    Example: When vserver name is SVM1, volume is vol1 and folder is audit, then the command is:

    vserver audit create -vserver SVM1 -destination /vol1/audit -events file-ops -format xml -rotate-size 1MB -rotate-limit 10

  3. Verify audit configuration:

    vserver audit show -vserver <Name_SVM>

    For example, to verify audit configuration for SVM1, run the following command:

    vserver audit show -vserver SVM1

    Vserver: SVM1
    Auditing State: false
    Log Destination Path: /vol1/audit
    Categories of Events to Audit: file-ops, audit-policy-change
    Log Format: xml
    Log File Size Limit: 1MB
    Log Rotation Schedule: Month: -
    Log Rotation Schedule: Day of Week: -
    Log Rotation Schedule: Day: -
    Log Rotation Schedule: Hour: -
    Log Rotation Schedule: Minute: -
    Rotation Schedules: -
    Log Files Rotation Limit: 10

    The Auditing State remains false until you enable auditing in the next step.

  4. Enable SVM auditing:

    vserver audit enable -vserver <Name_SVM>

    Example:

    vserver audit enable -vserver SVM1

  5. Enable NFSv4 and NFSv4 ACLs on the SVM, so that audit ACEs can be set over NFS and Security Agent for UNIX can monitor the NetApp file system changes:

    vserver nfs modify -vserver <name_SVM> -v4.0 enabled -v4.0-acl enabled

    Example:

    vserver nfs modify -vserver SVM1 -v4.0 enabled -v4.0-acl enabled

  6. Ensure that nfs4-acl-tools (which provides nfs4_setfacl and nfs4_getfacl) is installed on the NFSv4 Linux host, then set the audit ACEs:

    1. Run the mkdir <Folder_Name> command to create a mount directory.

    2. Mount to the directory:

      mount -t nfs4 <nas_SVMIP>:/<volume_name> <mount_path>

      Example:

      If SVM IP is x.x.x.x, volume name is vol1, and mount path is /mnt/folder1, run the following command:

      mount -t nfs4 x.x.x.x:/vol1 /mnt/folder1

    3. To monitor individual folders within a volume, add an audit ACE recursively on each folder under the mount directory that you want to monitor:

      nfs4_setfacl -R -a U:fdSF:EVERYONE@:rwaDdTNCo <NFS_Share>

      The ACE U:fdSF:EVERYONE@:rwaDdTNCo is an audit entry (U) for all users (EVERYONE@) that logs both successful (S) and failed (F) access, is inherited by new files (f) and directories (d), and covers read, write, append, delete, attribute, ACL, and ownership operations.

      Example:

      If the folder in the volume is NFSShare and the volume is mounted at /mnt/folder1, run the following command from /mnt/folder1 (or pass the full path /mnt/folder1/NFSShare):

      nfs4_setfacl -R -a U:fdSF:EVERYONE@:rwaDdTNCo NFSShare

    4. To monitor an entire volume, add the audit ACE recursively on the mount directory at which the volume is mounted:

      nfs4_setfacl -R -a U:fdSF:EVERYONE@:rwaDdTNCo <mount directory>

      Example:

      If the mount directory is /mnt/folder1, run the following command:

      nfs4_setfacl -R -a U:fdSF:EVERYONE@:rwaDdTNCo /mnt/folder1
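After running nfs4_setfacl recursively it is worth confirming that every directory actually carries a complete audit ACE, since a later chmod, a restore from backup, or a directory created before the inherit flags were set can leave gaps that silently stop events. The following added example (it is not part of Change Guardian or nfs4-acl-tools) parses the ACE syntax used by nfs4_setfacl and the output of nfs4_getfacl -R, and lists the paths that lack a full audit ACE. The "# file: <path>" block header and the sample ACL dump are assumptions; check them against the output of your own nfs4_getfacl.

```python
"""Verify NFSv4 audit-ACE coverage after nfs4_setfacl -R (added example; not
part of Change Guardian or nfs4-acl-tools). ACEs use the nfs4-acl-tools syntax
type:flags:principal:permissions. For an audit ACE (type U), S and F select
logging of successful and failed access, f and d make it inherit to new files
and directories, and the permission letters say which operations are audited.
The "# file: <path>" block headers in SAMPLE are assumed to be what
nfs4_getfacl -R prints; the sample itself is constructed."""
import re
from dataclasses import dataclass

AUDIT_PERMS = "rwaDdTNCo"   # the permission set in the documented nfs4_setfacl command
ACE_RE = re.compile(r"^([ADUL]):([A-Za-z]*):([^:]+):([A-Za-z]*)$")


@dataclass(frozen=True)
class Ace:
    kind: str        # A allow, D deny, U audit, L alarm
    flags: str
    principal: str
    perms: str


def parse_ace(text):
    m = ACE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an NFSv4 ACE: {text!r}")
    return Ace(*m.groups())


def audit_gaps(ace, required=AUDIT_PERMS):
    """Reasons why `ace` is not a complete audit ACE; an empty list means it is."""
    gaps = []
    if ace.kind != "U":
        gaps.append("type is not U (audit)")
    if ace.principal != "EVERYONE@":
        gaps.append("principal is not EVERYONE@")
    if "S" not in ace.flags:
        gaps.append("S flag missing: successful access is not logged")
    if "F" not in ace.flags:
        gaps.append("F flag missing: failed access is not logged")
    if not {"f", "d"} <= set(ace.flags):
        gaps.append("f/d inheritance flags missing: new entries will not be audited")
    missing = "".join(p for p in required if p not in ace.perms)
    if missing:
        gaps.append("operations not audited: " + missing)
    return gaps


def parse_getfacl(output):
    """Turn `nfs4_getfacl -R` text into {path: [Ace, ...]}."""
    acls, current = {}, None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("# file:"):
            current = line[len("# file:"):].strip()
            acls[current] = []
        elif line and not line.startswith("#") and current is not None:
            acls[current].append(parse_ace(line))
    return acls


def unaudited_paths(output):
    """Paths whose ACL has no complete audit ACE (setfacl -R missed them or was undone)."""
    return [path for path, aces in parse_getfacl(output).items()
            if not any(audit_gaps(a) == [] for a in aces)]


# Constructed sample: the top directory is correct, finance/ only logs
# successful access, and public/ carries no audit ACE at all.
SAMPLE = """\
# file: /mnt/folder1
A::OWNER@:rwaDxtTnNcCy
A::GROUP@:rxtncy
A::EVERYONE@:rxtncy
U:fdSF:EVERYONE@:rwaDdTNCo

# file: /mnt/folder1/finance
A::OWNER@:rwaDxtTnNcCy
U:fdS:EVERYONE@:rwaDdTNCo

# file: /mnt/folder1/public
A::EVERYONE@:rxtncy
"""

if __name__ == "__main__":
    for path in unaudited_paths(SAMPLE):
        print("no complete audit ACE:", path)
```

On a real host, feed the script the output of `nfs4_getfacl -R /mnt/folder1` instead of SAMPLE; any path it reports is one where the audit ACE should be re-applied with the nfs4_setfacl command above.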

5.9.4 Configuring Change Guardian for Monitoring

After configuring NetApp auditing, mount the NetApp volumes on the Security Agent for UNIX host: one mount for the audit logs and another for the CIFS or NFS share to monitor.

Complete the following tasks to configure Change Guardian:

NOTE: Ensure that you have the required permissions to complete these tasks. Check with your network or system administrator for assistance.

Mounting the Audit Logs in CIFS

To mount the audit log:

  1. Create a mount directory.

    Example:

    mkdir /mnt/audit

  2. Go to /usr/netiq/vsau/etc and create a file named cifs.

  3. Update the cifs file as follows:

    username=<user name>

    password=<password>

    domain=<domain name>

  4. Change the permissions of this file to secure its credentials:

    chmod 600 cifs

  5. Add a line to /etc/fstab in the following format. A CIFS mount source is a UNC path to the share you created for the audit volume, not the <svm_ip>:/<volume> form used for NFS:

    //<svm_ip>/<share> <mountlocation> cifs ro,nouser,noexec,nosuid,credentials=/usr/netiq/vsau/etc/cifs 0 0

    Example:

    //10.0.0.1/vol1 /mnt/audit cifs ro,nouser,noexec,nosuid,credentials=/usr/netiq/vsau/etc/cifs 0 0

  6. Mount the audit volume to the mount location:

    mount /mnt/audit

    NOTE: The account whose credentials you entered in the cifs file must have read permission on the audit files.

Mounting the Audit Logs in NFS

Create a mount point in the Security Agent for UNIX computer, enter the NetApp configuration details in /etc/fstab, and mount the audit log and the NetApp volume over NFS.

  1. Create a mount directory: mkdir /mnt/audit

  2. Update the /etc/fstab in the following format:

    <svm_ip>:/<volume> <mountlocation> nfs ro,nouser,noexec,nosuid 0 0

    Example:

    10.0.0.1:/vol1 /mnt/audit nfs ro,nouser,noexec,nosuid 0 0

  3. Mount the audit volume to the mount location:

    mount /mnt/audit

NOTE: Repeat the same steps (an /etc/fstab entry and a mount) for the NetApp share you want to monitor, using a separate mount directory.

Creating a Configuration File

Complete the following steps in the Security Agent for UNIX machine:

  1. Go to /usr/netiq/vsau/etc and create new file named netapp-volume-tab.

  2. Update the netapp-volume-tab file in the following format:

    SVM_IP_address, share, mount_directory, volume

    Example:

    If the SVM IP is x.x.x.x, the share name is vol1, the mount directory is /mnt/audit, and the volume name is vol1, the entry is:

    x.x.x.x,/vol1,/mnt/audit,vol1

NOTE: When you monitor an entire volume, the share field is the path of the volume itself, so the entry is:

x.x.x.x,/vol1,/mnt/audit,vol1
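The mounts and the netapp-volume-tab file have to agree with each other, and a mistake in either (an NFS-style source on a cifs line, a mount directory that is not in /etc/fstab, a share mounted read-write) is easy to make and hard to notice until events stop arriving. The following added example, which is not part of Change Guardian or NetApp software, parses /etc/fstab-style lines and the netapp-volume-tab format described above and reports such problems. The mount directory /mnt/share for the monitored share, the sample fstab lines and the credentials-file check are assumptions made for the example.

```python
"""Cross-check the agent host's mounts and netapp-volume-tab (added example; not
part of Change Guardian or NetApp software). It parses /etc/fstab-style lines
and the netapp-volume-tab format (SVM_IP_address, share, mount_directory,
volume) and flags entries that would leave the audit log or the monitored
share unmounted, writable, or unmountable."""
import ipaddress
import os
import stat

REQUIRED_OPTS = {"ro", "nosuid", "noexec"}   # the audit log is read-only input for the agent


def parse_fstab(text):
    """Return {mount_point: {source, type, opts}} for the non-comment lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed fstab line: {line!r}")
        source, mount, fstype, opts = fields[:4]
        entries[mount] = {"source": source, "type": fstype, "opts": set(opts.split(","))}
    return entries


def fstab_problems(entry):
    problems = []
    missing = REQUIRED_OPTS - entry["opts"]
    if missing:
        problems.append("missing mount options " + ",".join(sorted(missing)))
    if entry["type"] == "cifs":
        if not entry["source"].startswith("//"):      # mount.cifs needs a UNC path
            problems.append("cifs source must be a UNC path //<svm_ip>/<share>")
        if not any(o.startswith("credentials=") for o in entry["opts"]):
            problems.append("cifs mount has no credentials= file")
    elif entry["type"] in ("nfs", "nfs4"):
        if ":" not in entry["source"]:
            problems.append("nfs source must be <svm_ip>:/<volume>")
    else:
        problems.append("unexpected filesystem type " + entry["type"])
    return problems


def parse_volume_tab(text):
    """netapp-volume-tab rows: SVM_IP_address, share, mount_directory, volume."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            raise ValueError(f"expected 4 comma-separated fields: {line!r}")
        ip, share, mount, volume = parts
        ipaddress.ip_address(ip)   # rejects placeholders such as x.x.x.x
        rows.append({"ip": ip, "share": share, "mount": mount, "volume": volume})
    return rows


def check_config(fstab_text, volume_tab_text):
    """Human-readable findings; an empty list means the two files agree."""
    findings = []
    fstab = parse_fstab(fstab_text)
    for mount, entry in fstab.items():
        findings += [f"{mount}: {p}" for p in fstab_problems(entry)]
    for row in parse_volume_tab(volume_tab_text):
        entry = fstab.get(row["mount"])
        if entry is None:
            findings.append(f"{row['mount']}: in netapp-volume-tab but not in fstab")
        elif row["ip"] not in entry["source"]:
            findings.append(f"{row['mount']}: fstab source {entry['source']} is not SVM {row['ip']}")
    return findings


def credentials_file_problems(path):
    """The cifs credentials file must be root-owned and mode 0600 (chmod 600)."""
    st = os.stat(path)
    problems = []
    if stat.S_IMODE(st.st_mode) != 0o600:
        problems.append(f"mode is {stat.S_IMODE(st.st_mode):04o}, expected 0600")
    if st.st_uid != 0:
        problems.append(f"owner is uid {st.st_uid}, expected root")
    return problems


# Constructed sample input: WEAK_FSTAB copies the NFS-style source onto the
# cifs line and mounts both shares without the hardening options; FIXED_FSTAB
# is the corrected version.
WEAK_FSTAB = """\
10.0.0.1:/vol1  /mnt/audit  cifs  rw,credentials=/usr/netiq/vsau/etc/cifs 0 0
10.0.0.1:/vol1  /mnt/share  nfs   ro 0 0
"""
FIXED_FSTAB = """\
//10.0.0.1/vol1 /mnt/audit cifs ro,nouser,noexec,nosuid,credentials=/usr/netiq/vsau/etc/cifs 0 0
10.0.0.1:/vol1  /mnt/share nfs  ro,nouser,noexec,nosuid 0 0
"""
VOLUME_TAB = "10.0.0.1,/vol1,/mnt/share,vol1\n"

if __name__ == "__main__":
    for finding in check_config(WEAK_FSTAB, VOLUME_TAB):
        print(finding)
```

Run it against the real files with `check_config(open("/etc/fstab").read(), open("/usr/netiq/vsau/etc/netapp-volume-tab").read())` and `credentials_file_problems("/usr/netiq/vsau/etc/cifs")` after completing the steps above; both should return empty lists.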

5.9.5 Categories of NetApp Policies

Create policies to monitor the creation, deletion, and renaming of NetApp files and directories, and changes to their permissions.

NOTE: Specify the /folder_name you want to monitor in the Directory field of the policy definition. To monitor at the SVM level, use / instead of a folder name.

For information about creating policies, see Creating Change Guardian Policies.

After creating policies, you can assign them to assets. For information about assigning policies, see Working with Policies.
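To see what a policy of this kind evaluates, it helps to look at the raw events the agent reads from the mounted audit log. The following added example (it is not Change Guardian's policy engine, and the sample log is constructed) parses ONTAP XML audit records and triages them against a small policy: access to a protected directory by anyone outside an allow list, permission changes, deletions, and failed access attempts. The sample follows the general shape of ONTAP's XML audit format (Event/System/EventID, EventName, Source, Result, EventData/Data[@Name]), but the element names, the (volume);path convention in ObjectName, the "Audit Success" result text, the event IDs 4670 and 4660, and the allow list are assumptions to verify against your own log files.

```python
"""Parse ONTAP XML audit events and triage them against a small policy (added
example; not Change Guardian's policy engine). SAMPLE_LOG is constructed and
only approximates ONTAP's XML audit format; element names, the (volume);path
ObjectName convention, the result text and the event-ID meanings are assumptions."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAMPLE_LOG = """<?xml version="1.0" encoding="UTF-8"?>
<Event><System><Provider Name="NetApp-Security-Auditing"/><EventID>4663</EventID>
<EventName>Read Object</EventName><Source>CIFS</Source><Result>Audit Success</Result>
<TimeCreated SystemTime="2024-03-01T10:15:02Z"/></System><EventData>
<Data Name="SubjectIP" IPVersion="4">10.0.0.50</Data><Data Name="SubjectDomainName">CORP</Data>
<Data Name="SubjectUserName">jdoe</Data><Data Name="ObjectType">File</Data>
<Data Name="ObjectName">(vol1);/finance/payroll.xlsx</Data></EventData></Event>
<Event><System><Provider Name="NetApp-Security-Auditing"/><EventID>4663</EventID>
<EventName>Read Object</EventName><Source>CIFS</Source><Result>Audit Success</Result>
<TimeCreated SystemTime="2024-03-01T10:16:10Z"/></System><EventData>
<Data Name="SubjectIP" IPVersion="4">10.0.0.51</Data><Data Name="SubjectDomainName">CORP</Data>
<Data Name="SubjectUserName">alice</Data><Data Name="ObjectType">File</Data>
<Data Name="ObjectName">(vol1);/finance/budget.xlsx</Data></EventData></Event>
<Event><System><Provider Name="NetApp-Security-Auditing"/><EventID>4670</EventID>
<EventName>Set Object Permissions</EventName><Source>CIFS</Source><Result>Audit Success</Result>
<TimeCreated SystemTime="2024-03-01T10:20:44Z"/></System><EventData>
<Data Name="SubjectIP" IPVersion="4">10.0.0.52</Data><Data Name="SubjectDomainName">CORP</Data>
<Data Name="SubjectUserName">bob</Data><Data Name="ObjectType">File</Data>
<Data Name="ObjectName">(vol1);/public/readme.txt</Data></EventData></Event>
<Event><System><Provider Name="NetApp-Security-Auditing"/><EventID>4656</EventID>
<EventName>Open Object</EventName><Source>NFS</Source><Result>Audit Failure</Result>
<TimeCreated SystemTime="2024-03-01T10:25:00Z"/></System><EventData>
<Data Name="SubjectIP" IPVersion="4">10.0.0.77</Data>
<Data Name="SubjectUnix" Uid="1001" Gid="100" Local="false"/><Data Name="ObjectType">File</Data>
<Data Name="ObjectName">(vol1);/finance/secret.txt</Data></EventData></Event>
"""


@dataclass
class AuditEvent:
    time: str
    event_id: int
    name: str
    source: str
    result: str
    subject: str
    volume: str
    path: str


def parse_events(text):
    """The log is a sequence of <Event> records; wrap them in one root for ElementTree."""
    if text.lstrip().startswith("<?xml"):
        text = text.split("?>", 1)[1]
    root = ET.fromstring("<Events>" + text + "</Events>")
    events = []
    for ev in root.iter("Event"):
        system = ev.find("System")
        data = {d.get("Name"): d for d in ev.find("EventData").findall("Data")}
        user = data.get("SubjectUserName")
        if user is not None and (user.text or "").strip():      # CIFS: DOMAIN\user
            domain = data.get("SubjectDomainName")
            prefix = (domain.text or "").strip() + "\\" if domain is not None else ""
            subject = prefix + user.text.strip()
        elif "SubjectUnix" in data:                               # NFS: numeric UID
            subject = "uid:" + data["SubjectUnix"].get("Uid", "?")
        else:
            subject = "unknown"
        obj = (data["ObjectName"].text or "").strip() if "ObjectName" in data else ""
        if ";" in obj:                      # assumed "(volume);/path" convention
            volume, _, path = obj.partition(";")
        else:
            volume, path = "", obj
        events.append(AuditEvent(
            time=system.find("TimeCreated").get("SystemTime", ""),
            event_id=int(system.findtext("EventID", "0")),
            name=system.findtext("EventName", "").strip(),
            source=system.findtext("Source", "").strip(),
            result=system.findtext("Result", "").strip(),
            subject=subject, volume=volume.strip("()"), path=path))
    return events


# Assumed policy: who may touch each protected directory prefix. Anyone else,
# any permission change, any delete and any failed access raises an alert.
PROTECTED = {"/finance/": {"CORP\\alice", "CORP\\finance-svc"}}
PERMISSION_CHANGE, DELETE = 4670, 4660      # assumed ONTAP event IDs


def triage(events, protected=PROTECTED):
    alerts = []
    for ev in events:
        reasons = []
        for prefix, allowed in protected.items():
            if ev.path.startswith(prefix) and ev.subject not in allowed:
                reasons.append(f"{ev.subject} touched protected path {prefix}")
        if ev.event_id == PERMISSION_CHANGE:
            reasons.append("permission change: " + ev.name)
        if ev.event_id == DELETE:
            reasons.append("delete: " + ev.name)
        if ev.result != "Audit Success":
            reasons.append("failed access attempt")
        if reasons:
            alerts.append({"time": ev.time, "subject": ev.subject,
                           "object": f"{ev.volume}:{ev.path}", "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(parse_events(SAMPLE_LOG)):
        print(alert["time"], alert["subject"], alert["object"], "; ".join(alert["reasons"]))
```

Of the four sample records, only the read by the allowed user alice passes silently; the other three produce alerts. The NFS record is the interesting one: it carries no user name, only a UID, which is why NFS-side identities must be mapped before an allow list built on Windows-style names can be applied to them.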