
vserver security trace filter modify


Modify a security trace entry

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

The vserver security trace filter modify command modifies a security trace filter entry. Prior to ONTAP 9.3, this feature was only supported for CIFS. In ONTAP 9.3 and later, this feature is supported for both NFS and CIFS.

NFS security trace filters are not supported for FlexGroup volumes, and will only be applied to the FlexVol volumes within the specified Vserver.

Parameters

-vserver <vserver name> - Vserver

This parameter specifies the name of the Vserver on which the permission trace is applied.

-index <integer> - Filter Index

This parameter specifies the index number for the filter. A maximum of 10 entries can be created. The allowed values for this parameter are 1 through 10.

[-protocols {cifs|nfs}] - Protocols

This parameter specifies the protocols for which the permission trace is created.

[-client-ip <IP Address>] - Client IP Address to Match

This parameter specifies the IP Address from which the user is accessing the Vserver.

[-path <TextNoCase>] - Path

This parameter specifies the path to which permission tracing is applied. The value can be the complete path, starting from the root of the share (for a CIFS filter) or the root of the junction path (for an NFS filter) that the client is accessing, or the value can be a part of the path that the client is accessing. Use NFS style directory separators in the path value.

{ [-windows-name <TextNoCase>] - Windows User Name

This parameter specifies the Windows user name to trace. You can use any of the following formats when specifying the value for this parameter:

  • user_name

  • domain\user_name

| [-unix-name <TextNoCase>] - UNIX User Name or User ID }

This parameter specifies the UNIX user name to trace. A UNIX user ID is accepted only for NFS filters.

[-trace-allow {yes|no}] - Trace Allow Events

Security tracing can trace deny events and allow events. Deny event tracing is always ON by default. Allow events can optionally be traced. If set to yes, this option allows tracing of allow events. If set to no, allow events are not traced.

[-enabled {enabled|disabled}] - Filter Enabled

This parameter specifies whether to enable or disable the filter. Filters are enabled by default.

[-time-enabled <integer>] - Minutes Filter is Enabled

This parameter specifies a timeout, in minutes, for this filter. When the timeout expires, the filter is deleted.

Examples

The following example modifies a security trace filter.

cluster1::> vserver security trace filter modify -vserver vs0 -index 1 -time-enabled 120 -client-ip 10.72.205.207

The following examples modify filters that include the -path option. If the client is accessing a file with the path \\server\sharename\dir1\dir2\dir3\file.txt, for a filter applicable to CIFS, a complete path starting from the root of the share or a partial path can be given as shown:

cluster1::> vserver security trace filter modify -vserver vs0 -index 1 -path /dir1/dir2/dir3/file.txt
cluster1::> vserver security trace filter modify -vserver vs0 -index 1 -path dir3/file.txt

Similarly, for filters applicable to NFS, if the -path option is specified and the client is accessing a file with the path /junction_path1/junction_path2/dir1/file.txt, a complete path starting from the last junction path or a partial path can be given as shown:

cluster1::> vserver security trace filter modify -vserver vs0 -index 1 -protocols nfs -path dir1/file.txt
cluster1::> vserver security trace filter modify -vserver vs0 -index 1 -protocols nfs -path file.txt

The following example modifies a filter that is applicable to both CIFS and NFS.

cluster1::> vserver security trace filter modify -vserver vs0 -index 1 -protocols cifs,nfs -unix-name root -path file.txt
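
The parameter rules above (index 1 through 10, -windows-name or -unix-name but not both, a UNIX user ID only for NFS filters, NFS style separators in -path) can be checked before a command is pasted into the cluster shell. The following Python helper is an added example, not part of ONTAP or of this reference page; the function names share_relative_path and build_modify are hypothetical, and the handling of a numeric ID on a filter that lists cifs is an assumption noted in the code.

```python
import re

def share_relative_path(unc_path):
    r"""Map \\server\share\dir\file to /dir/file, the complete-path form for a CIFS filter."""
    m = re.match(r"^\\\\[^\\]+\\[^\\]+((?:\\[^\\]+)*)\\?$", unc_path)
    if not m:
        raise ValueError("not a UNC path: %r" % unc_path)
    # Drop \\server\share and switch to NFS style separators.
    return m.group(1).replace("\\", "/") or "/"

def build_modify(vserver, index, protocols=(), path=None, windows_name=None,
                 unix_name=None, time_enabled=None):
    """Return one 'filter modify' command line, enforcing the documented limits."""
    if not 1 <= index <= 10:
        raise ValueError("-index must be 1 through 10")
    if set(protocols) - {"cifs", "nfs"}:
        raise ValueError("-protocols accepts only cifs and nfs")
    if windows_name and unix_name:
        raise ValueError("-windows-name and -unix-name are alternatives")
    # Assumption: a filter that lists cifs does not count as an NFS filter,
    # so a numeric UNIX user ID is refused for it.
    if unix_name and str(unix_name).isdigit() and "cifs" in protocols:
        raise ValueError("a UNIX user ID is accepted only for NFS filters")
    if path and "\\" in path:
        raise ValueError("-path takes NFS style separators (/)")
    opts = [("-protocols", ",".join(protocols)), ("-path", path),
            ("-windows-name", windows_name), ("-unix-name", unix_name),
            ("-time-enabled", time_enabled)]
    words = ["vserver security trace filter modify", "-vserver", vserver,
             "-index", str(index)]
    for flag, value in opts:
        if value not in (None, ""):  # emit only the options that were supplied
            words += [flag, str(value)]
    return " ".join(words)

if __name__ == "__main__":
    seen = r"\\server\sharename\dir1\dir2\dir3\file.txt"  # constructed sample path
    print(build_modify("vs0", 1, path=share_relative_path(seen)))
```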