Skip to main content

Display information about NFSv4 audit policies on FlexVol volumes using the CLI

Contributors

You can display information about NFSv4 audit policies on FlexVol volumes using the ONTAP CLI, including what the security styles and effective security styles are, what permissions are applied, and information about system access control lists (SACLs). You can use the results to validate your security configuration or to troubleshoot auditing issues.

About this task

You must supply the name of the storage virtual machine (SVM) and the path to the files or directories whose audit information you want to display. You can display the output in summary form or as a detailed list.

  • UNIX security-style volumes and qtrees use only NFSv4 SACLs for audit policies.

  • Files and directories in a mixed security-style volume that are of UNIX security style can have NFSv4 audit policies applied to them.

    Mixed security-style volumes and qtrees can contain some files and directories that use UNIX file permissions, either mode bits or NFSv4 ACLs, and some files and directories that use NTFS file permissions.

  • The top level of a mixed security-style volume can have either UNIX or NTFS effective security and might or might not contain NFSv4 SACLs.

  • ACL output is displayed only for file and folders with NTFS or NFSv4 security.

    This field is empty for files and folders using UNIX security that have only mode bit permissions applied (no NFSv4 ACLs).

  • The owner and group output fields in the ACL output apply only in the case of NTFS security descriptors.

  • Because Storage-Level Access Guard security can be configured on a mixed security-style volume or qtree even if the effective security style of the volume root or qtree is UNIX, output for a volume or qtree path where Storage-Level Access Guard is configured might display both regular NFSv4 file and directory SACLs and Storage-Level Access Guard NTFS SACLs.

  • Because Storage-Level Access Guard security is supported on a UNIX volume or qtree if a CIFS server is configured on the SVM, the output might contain information about Storage-Level Access Guard security applied to the volume or qtree specified in the -path parameter.

Steps
  1. Display file and directory security settings with the desired level of detail:

    If you want to display information…​ Enter the following command…​

    In summary form

    vserver security file-directory show -vserver vserver_name -path path

    With expanded detail

    vserver security file-directory show -vserver vserver_name -path path -expand-mask true

Examples

The following example displays the security information about the path /lab in SVM vs1. This UNIX security-style path has an NFSv4 SACL.

cluster::> vserver security file-directory show -vserver vs1 -path /lab

                Vserver: vs1
              File Path: /lab
      File Inode Number: 288
         Security Style: unix
        Effective Style: unix
         DOS Attributes: 11
 DOS Attributes in Text: ----D--R
Expanded Dos Attributes: -
           Unix User Id: 0
          Unix Group Id: 0
         Unix Mode Bits: 0
 Unix Mode Bits in Text: ---------
                   ACLs: NFSV4 Security Descriptor
                         Control:0x8014
                         SACL - ACEs
                           SUCCESSFUL-S-1-520-0-0xf01ff-SA
                           FAILED-S-1-520-0-0xf01ff-FA
                         DACL - ACEs
                           ALLOW-S-1-520-1-0xf01ff