Manage user-account event
When a user-account event is configured for a storage virtual machine (SVM) and an audit is enabled, audit events are generated.
The user-account events with event-ids 4720, 4722, 4724, 4725, 4726, 4738, and 4781 are generated when a local SMB or NFS user is created or deleted from the system, local user account is enabled, disabled or modified, and local SMB user password is reset or changed. The user-account events are generated when a user account is modified using vserver cifs users-and-groups <local user>
and vserver services name-service <unix user>
commands.
The following example displays a user account event with the ID 4720 generated, when a local SMB user is created:
netapp-clus1::*> vserver cifs users-and-groups local-user create -user-name testuser -is-account-disabled false -vserver vserver_1 Enter the password: Confirm the password: - System - Provider [ Name] NetApp-Security-Auditing [ Guid] {3CB2A168-FE19-4A4E-BDAD-DCF422F13473} EventID 4720 EventName Local Cifs User Created ... ... TargetUserName testuser TargetDomainName NETAPP-CLUS1 TargetSid S-1-5-21-2447422786-1297661003-4197201688-1003 TargetType CIFS DisplayName testuser PasswordLastSet 1472662216 AccountExpires NO PrimaryGroupId 513 UserAccountControl %%0200 SidHistory ~ PrivilegeList ~
The following example displays a user account event with the ID 4781 generated, when the local SMB user created in the preceding example is renamed:
netapp-clus1::*> vserver cifs users-and-groups local-user rename -user-name testuser -new-user-name testuser1 - System - Provider [ Name] NetApp-Security-Auditing [ Guid] {3CB2A168-FE19-4A4E-BDAD-DCF422F13473} EventID 4781 EventName Local Cifs User Renamed ... ... OldTargetUserName testuser NewTargetUserName testuser1 TargetDomainName NETAPP-CLUS1 TargetSid S-1-5-21-2447422786-1297661003-4197201688-1000 TargetType CIFS SidHistory ~ PrivilegeList ~