Creating a file system audit policy

File Services Administration Guide for Hitachi NAS Platform

Version: 14.7.x, 14.6.x
Part Number: MK-92HNAS006-29
The file system audit policy specifies whether clients connecting through unauditable protocols are allowed or denied access, and specifies audit log details. The audit log policy specifies the log's name, location in the file system, size, roll over policy, and backup policy.
  1. Navigate to Home > Files Services > File System Audit Policies, and click add to display the Add File System Audit Policy page.


    Field/Item: Description
    EVS/File System: Lists the currently selected EVS and file system, to which the audit policy will apply. Click change to go to the Select a File System page, where you can select a different EVS and file system.
    Access via Unsupported Protocols: When clients attempt to access the file system through a protocol that does not support auditing (such as NFSv2), this setting determines if those clients are permitted to access the file system. You can select either:
    • Deny Access. Client access to the file system using unauditable protocols (such as NFSv2) is denied.
    • Allow Access. Allows client access to the file system using unauditable protocols (such as NFSv2), but does not create any auditing events.
    Audited Protocols: You can select either:
    • smb. Only the SMB protocol is audited. Access to SMB is always allowed, and access via other protocols is determined via the Other Protocol Support option.
    • smb, nfsv3. Both the SMB and NFSv3 protocols are audited. Access to SMB and NFSv3 is always allowed, and access via other protocols is determined via the Other Protocol Support option.
    External: Stops the audit records from being stored locally (including audit log backups) and instead makes them available only to an external audit log server. To configure an external logging server, use the audit-syslog CLI command. For third-party audit logging applications, configure an audit log consolidated cache and then read the audit logs using the Windows EVENTLOG protocol.
    Active Log File Name: Specify the file name for the file system audit log. The file name must have an .evt extension. The default file name is audit.evt.
    Logging Directory: Specify the directory within the file system in which the file system audit log files are saved. You can use the browse button to search for an existing directory, or enter the name of a directory to be created.
    Maximum Log File Size: Specify the maximum size of the active audit log file in KiB or MiB. The default size is 512 KiB. The maximum log file size is 50 MiB.
    Log roll over policy: Determines what the system does once the active audit log file is full (when it reaches the Maximum Log File Size). You can select either:
    • Wrap, which causes the system to delete the oldest existing audit entry to allow room for a new entry.
    • New, which causes the system to create a new active audit log file. The default is New.
    Backup Interval: Specify the time (in minutes) between automatic backups of the active audit log. The backup interval must be between 5 and 14400 minutes (10 days). A value of 0 disables the automatic backups. The default is 0.
    Number of files to retain: Specify the number of backup audit log files to retain. The default is 10. The maximum number of files to retain is 50.
  2. Specify the access settings for unsupported (unauditable) protocols:
    • Deny Access. Client access to the file system using unauditable protocols (such as NFS) is denied.

      Specifying Deny Access generates an error if there is an NFS export mounted on an unauditable client or the file system has an FTP user that has a directory available. To ensure this error is not generated, you can remove the NFS export for the file system, remove the FTP user, or select the Allow Access option.

    • Allow Access. Allows client access to the file system using unauditable protocols (such as NFS), but does not create any auditing events.
  3. Specify the name for the active audit log file. The file type suffix must be .evt.
  4. Click browse to specify an existing logging directory, or enter the name of a directory to create.
    For ease of access to the audit log files, the logging directory should be within a CIFS share that can be accessed by those who need to review the access log.
  5. Specify the maximum log file size.
  6. Specify the roll over (retention) policy.
  7. Specify the backup interval.
  8. Specify the number of files to retain.
  9. Click OK to save the policy as specified.
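
A pre-flight check for a proposed policy, as an added example that is not part of the Hitachi guide or product: it applies the limits and defaults from the table above and flags the two settings that leave gaps in the audit trail. The dictionary keys are hypothetical names for the GUI fields, and the "unsupported" and "audited" defaults are constructed, since the guide states none.

```python
KIB, MIB = 1024, 1024 * 1024

# Hypothetical field names; default values are the ones documented in the table above.
# "unsupported" and "audited" have no documented default; these values are constructed.
DEFAULTS = {
    "log_file_name": "audit.evt", "max_log_bytes": 512 * KIB, "rollover": "new",
    "backup_interval_min": 0, "files_to_retain": 10, "external": False,
    "unsupported": "deny", "audited": ("smb",),
    "unauditable_nfs_mounts": False, "ftp_user_with_directory": False,
}

def check_audit_policy(overrides):
    """Return (errors, warnings) for a proposed policy, using the documented limits."""
    p = {**DEFAULTS, **overrides}
    errors, warnings = [], []
    if not p["log_file_name"].endswith(".evt"):
        errors.append("active log file name must have an .evt extension")
    if p["max_log_bytes"] > 50 * MIB:
        errors.append("maximum log file size is 50 MiB")
    if p["rollover"] not in ("wrap", "new"):
        errors.append("roll over policy must be wrap or new")
    interval = p["backup_interval_min"]
    if interval != 0 and not 5 <= interval <= 14400:
        errors.append("backup interval must be 0 (disabled) or 5 to 14400 minutes")
    if p["files_to_retain"] > 50:
        errors.append("at most 50 backup files can be retained")
    if tuple(p["audited"]) not in (("smb",), ("smb", "nfsv3")):
        errors.append("audited protocols must be smb or smb, nfsv3")
    if p["unsupported"] == "deny":
        if p["unauditable_nfs_mounts"] or p["ftp_user_with_directory"]:
            errors.append("Deny Access errors while an NFS export is mounted on an "
                          "unauditable client or an FTP user has a directory available")
    elif p["unsupported"] == "allow":
        warnings.append("Allow Access: unauditable protocols create no auditing events")
    else:
        errors.append("unsupported-protocol access must be deny or allow")
    if p["rollover"] == "wrap" and interval == 0 and not p["external"]:
        warnings.append("Wrap with automatic backups disabled: the oldest entries "
                        "are deleted once the active log is full")
    return errors, warnings

if __name__ == "__main__":
    # Constructed sample: a policy someone is about to enter on the Add page.
    proposed = {"log_file_name": "fs1-audit.log", "rollover": "wrap", "unsupported": "allow"}
    for kind, msgs in zip(("ERROR", "WARN"), check_audit_policy(proposed)):
        for m in msgs:
            print(f"{kind}: {m}")
```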