SMB and NFS auditing and security tracing
You can use the file access auditing features available for the SMB and NFS protocols with ONTAP, such as native auditing and file policy management using FPolicy.
You should design and implement auditing of SMB and NFS file access events under the following circumstances:
-
Basic SMB and NFS protocol file access has been configured.
-
You want to create and maintain an auditing configuration using one of the following methods:
-
Native ONTAP functionality
-
External FPolicy servers
-
Audit NAS events on SVMs
Auditing for NAS events is a security measure that enables you to track and log certain SMB and NFS events on storage virtual machines (SVMs). This helps you track potential security problems and provides evidence of any security breaches. You can also stage and audit Active Directory central access policies to see what the result of implementing them would be.
SMB events
You can audit the following events:
-
SMB file and folder access events
You can audit SMB file and folder access events on objects stored on FlexVol volumes belonging to the auditing-enabled SVMs.
-
SMB logon and logoff events
You can audit SMB logon and logoff events for SMB servers on SVMs.
-
Central access policy staging events
You can audit the effective access of objects on SMB servers using permissions applied through proposed central access policies. Auditing through the staging of central access policies enables you to see what the effects are of central access policies before they are deployed.
Auditing of central access policy staging is set up using Active Directory GPOs; however, the SVM auditing configuration must be configured to audit central access policy staging events.
Although you can enable central access policy staging in the auditing configuration without enabling Dynamic Access Control on the SMB server, central access policy staging events are generated only if Dynamic Access Control is enabled. Dynamic Access Control is enabled through a SMB server option. It is not enabled by default.
NFS events
You can audit file and directory events by utilizing NFSv4 ACL's on objects stored on SVMs.