6.9 Configuring NetApp Storage Monitoring

Storage solutions such as NetApp store a large amount of data and, therefore, can have a large volume of audit events. You can monitor and receive alerts for a variety of malicious behaviors that occur on a Network Attached Storage (NAS) device. For example, unauthorized user accessing confidential files and directories. You can also include or exclude certain files from the audit scope to ensure a faster and more efficient audit process.

Change Guardian monitors file systems in NetApp, and supports both Common Internet File System (CIFS) and Network File System (NFS) protocols.

6.9.1 Implementation Checklist

Complete the following tasks to start monitoring NetApp events:

6.9.2 Prerequisites

Ensure that you have completed the following:

Configuring the NetApp Native Auditing

Configure the NetApp native auditing solution to monitor file and directory events on your Storage Virtual Machines (SVM) with a FlexVol volume.

NOTE:Change Guardian documentation provides the third-party configuration steps for ease of use. For more information about the third-party products or for any issues with the configuration, see their documentation.

The security descriptor may contain Discretionary Access Control Lists (DACLs) to apply to file and folder access permissions. On the other hand, the security descriptor may contain System Access Control Lists (SACLs) for file and folder auditing, or even both SACLs and DACLs.

For better performance, store the audit file in a separate volume and mount the complete share on the agent machine.

NOTE:If you use the cat command to create and modify a file in quick succession, you might find a missing file modify event because NetApp reads and updates audit logs slower than Linux.

Configure NetApp auditing depending on the filesystem it uses:

NOTE:Ensure that you have the root user privilege to complete these tasks.

Configuring NetApp Native Auditing for CIFS

Create an auditing configuration on the given SVM for CIFS before you can monitor events on NetApp storage. You can monitor these events on CIFS by setting SACLs on storage objects in NTFS or mixed mode volumes.

To configure auditing for CIFS:

  1. Launch the Data ONTAP command-line interface.

  2. Create audit configuration for an SVM:

    vserver audit create -vserver <Name_SVM> -destination "/<Name_Volume>" -events file-ops -format xml -rotate-size XB -rotate-limit 10

    Example: If vserver name is SVM1, volume is vol1 and folder is audit, then the command is:

    vserver audit create -vserver SVM1 -destination /vol1/audit -events file-ops -format xml -rotate-size 1MB -rotate-limit 10

  3. Set NTFS audit policies using the Windows Security tab.

    For information about the steps, see Apply a basic audit policy on a file or folder in the Microsoft Documentation site.

  4. Verify audit configuration:

    vserver audit show -vserver <Name_SVM>

    For example, to verify audit configuration for SVM1, run the following command:

    vserver audit show -vserver SVM1

    Vserver: SVM1
    Auditing State: true
    Log Destination Path: /vol1
    Categories of Events to Audit: file-ops, cifs-logon-logoff,audit-policy-change
    Log Format: xml
    Log File Size Limit: 100MB
    Log Rotation Schedule: Month: -
    Log Rotation Schedule: Day of Week: -
    Log Rotation Schedule: Day: -
    Log Rotation Schedule: Hour: -
    Log Rotation Schedule: Minute: -
    Rotation Schedules: -
    Log Files Rotation Limit: 0
  5. Enable SVM auditing:

    vserver audit enable -vserver <Name_SVM>

    Example:

    vserver audit enable -vserver SVM1

Configuring NetApp Native Auditing for NFS

To configure auditing in NFS:

  1. Launch the Data ONTAP command-line interface.

  2. Create audit configuration for an SVM:

    vserver audit create -vserver <Name_SVM> -destination "/<Name_Volume>" -events file-ops -format xml -rotate-size XB -rotate-limit 10

    Example: When vserver name is SVM1, volume is vol1 and folder is audit, then the command is:

    vserver audit create -vserver SVM1 -destination /vol1/audit -events file-ops -format xml -rotate-size 1MB -rotate-limit 10

  3. Verify audit configuration:

    vserver audit show -vserver <Name_SVM>

    For example, to verify audit configuration for SVM1, run the following command:

    vserver audit show –vserver SVM1

    Vserver: SVM1
    Auditing State: true
    Log Destination Path: /vol1
    Categories of Events to Audit: file-ops, audit-policy-change
    Log Format: xml
    Log File Size Limit: 100MB
    Log Rotation Schedule: Month: -
    Log Rotation Schedule: Day of Week: -
    Log Rotation Schedule: Day: -
    Log Rotation Schedule: Hour: -
    Log Rotation Schedule: Minute: -
    Rotation Schedules: -
    Log Files Rotation Limit: 0 
  4. To configure Security Agent for UNIX to monitor the NetApp filesystem changes, enable ACL for NFS:

    vserver nfs modify -vserver <name_SVM> -v4.0 enabled -v4.0-acl enabled

    Example:

    vserver nfs modify -vserver SVM1 -v4.0 enabled -v4.0-acl enabled

  5. Verify whether nfs4-acl-tools is installed on the NFSv4 Linux host:

    1. Run the mkdir <Folder_Name> command to create a mount directory.

    2. Mount to the directory:

      mount -t nfs4 <nas_SVMIP>:/<volume_name> <mount_path>

      Example:

      If SVM IP is x.x.x.x, volume name is vol1, and mount path is /mnt/folder1, run the following command:

      mount -t nfs4 x.x.x.x:/vol1 /mnt/folder1

    3. To monitor each folder within a volume, add audit flags recursively on each folder in the mount directory you want to monitor:

      nfs4_setfacl -R -a U:fdSF:EVERYONE@:rwaDdTNCo <NFS_Share>

      Example:

      If a folder name in the volume is NFSShare, run the following command:

      nfs4_setfacl -R -a U:fdSF:EVERYONE@:rwaDdTNCo NFSShare

    4. To monitor an entire volume, add audit flags recursively on the mount directory that contains the volume mounted:

      nfs4_setfacl -R -a U:fdSF:EVERYONE@:rwaDdTNCo <mount directory>

      Example:

      If the mount directory is /mnt/folder1, run the following command:

      nfs4_setfacl -R -a U:fdSF:EVERYONE@:rwaDdTNCo /mnt/folder1

  6. Enable SVM auditing:

    vserver audit enable -vserver <Name_SVM>

    Example:

    vserver audit enable -vserver SVM1

6.9.3 Configuring Change Guardian for Monitoring

After configuring NetApp audit, mount the NetApp volumes into Security Agent for UNIX. Mount one volume for audit logs and another for CIFS or NFS shares to monitor.

Complete the following tasks to configure Change Guardian:

NOTE:Ensure that you have the required permission to complete these tasks. Check with your network or system administrator for assistance.

Mounting the Audit Logs in CIFS

To mount the audit log:

  1. Create a mount directory.

    Example:

    mkdir /mnt/audit

  2. Go to /usr/netiq/vsau/etc and create a file cifs.

  3. Update the cifs file as follows:

    username=<user name>

    password=<password>

    domain=<domain name>

  4. Change the permissions of this file to secure its credentials:

    chmod 600 cifs

  5. Update the /etc/fstab in the following format:

    //<svm_ip>/<volume> <mountlocation> cifs ro,nouser,noexec,nosuid,credentials=/usr/netiq/vsau/etc/cifs 0 0

    Example:

    //10.0.0.1/audit /mnt/audit cifs ro,nouser,noexec,nosuid,credentials=/usr/netiq/vsau/etc/cifs 0 0

  6. Mount the audit volume to the mount location:

    mount /mnt/audit

    NOTE:You must have read permissions for the audit file.

Mounting the Audit Logs in NFS

Create a mount point in the Security Agent for UNIX computer, enter the NetApp configuration details in /etc/fstab, and mount the audit log and the NetApp volume over NFS.

  1. Create a mount directory: mkdir /mnt/audit

  2. Update the /etc/fstab in the following format:

    <svm_ip>:/<volume> <mountlocation> nfs ro,nouser,noexec,nosuid 0 0

    Example:

    10.0.0.1:/vol1 /mnt/audit nfs ro,nouser,noexec,nosuid 0 0

  3. Mount the audit volume to the mount location:

    mkdir /mnt/audit

NOTE:Make changes to /etc/fstab and mount the volume with the NetApp share following the above steps.

Creating a Configuration File

Complete the following steps in the Security Agent for UNIX machine:

  1. Go to /usr/netiq/vsau/etc and create new file named netapp-volume-tab.

  2. Update the netapp-volume-tab file in the following format:

    SVM_IP_address, share, mount_directory, volume

    Example:

    If SVM IP is x.x.x.x, share name is vol1, mount directory is /mnt/audit, volume name is vol1, then specify the command as follows:

    x.x.x.x,/vol1,/mnt/audit,vol1

NOTE:When you monitor an entire volume, you must update the NetApp volume tab as follows:

x.x.x.x,/vol1,/mnt/audit,vol1

6.9.4 Categories of Change Guardian Policies for NetApp

Create policies to monitor creating, deleting, renaming, and changing permission on NetApp files and directories.

NOTE:Specify the /folder_name you want to monitor in the directory field of the policy definition. If you want to monitor at the SVM level, then just use / instead of the folder name.

For information about creating policies, see Creating Policies.

After creating policies, you can assign them to assets. For information about assigning policies, see Working with Policies.