Articles in this section

Configuring Global Auditing Settings

Sara Levy
  • Updated
Follow

Configuring Global Auditing Settings via VAST Web UI

  1. From the left navigation menu, select Settings and then Auditing.

  2. Complete the General Settings:

    Audit directory name

    Specify a name for the audit directory. A directory of this name will be created directly under the root directory of the default tenant in the Element Store. Audit records are written to this directory.

    The default is .vast_audit_dir.

    Read-access Users

    List users to grant them read access to all files in the audit directory.

    Specify each user by user name. Enter a comma to start entering a new user. Each user name appears with a removal button so that you can remove if needed while you are editing the field.

    Tip

    To make the audit directory accessible to clients, create a view on the directory.

    Read-access Groups

    List groups to grant them read access to all files in the audit directory.

    Specify each group by group name. Enter a comma to start entering a new group. Each group name appears with a removal button so that you can remove if needed while you are editing the field.

    Tip

    To make the audit directory accessible to clients, create a view on the directory.

    Max audit file size

    The maximum size of each file of audit records in the audit directory. Audit records are written to subdirectories of the audit directory per CNode core. Records written to each directory roll over to a new file when the file reaches this size.

    This setting limits the size of each audit file, but it does not limit the total size of all audit files.

    Specify the value with units of MB, GB, TB and so on.

    Default: 1024 MB

    Maximum audit directory size

    The maximum size of each file of audit records. Audit records are written to subdirectories of the audit directory per CNode core. Records written to each directory roll over to a new file when the file reaches this size.
    This setting limits the size of each audit file, but it does not limit the total size of all audit files.
    Specify the value with units of MB, GB, TB and so on.
    Default: 1024 MB

  3. Under Define retention period, select one of the following:

    • Keep Forever. Audit files are kept for an unlimited period of time.

    • Define Manually (default). Choose this option to manually set the retention period for keeping audit files. Enter an integer and select the unit of measurement from the dropdown. The default is one hour.

  4. Under Global Baseline Audit Settings, optionally set auditing settings to apply globally to all views. Any settings that you do not enable here can be set per view policy. Settings that you do enable here will apply to all views, even if the view policy does not have these settings.

    1. Set the Enable slider to the ON position. Default global audit settings are now enabled.

    2. From the Select protocols to assign operations dropdown, select one or more protocols to enable auditing of protocol operations. The following protocols are supported: NFSv3, NFSv4.1, SMB and S3.

    3. Under Operations to audit, choose one or more categories of operations to be audited for the protocol(s) for which auditing is enabled:

      • Create/Delete Files/Dirs/Objects. Operations that create or delete files, directories, or objects:

        NFSv3

        NFSv4.1

        SMB

        S3

        CREATE, when it creates a file

        MKDIR

        LINK

        SYMLINK

        MKNOD

        REMOVE

        RMDIR

        RENAME

        CREATE

        OPEN, when it creates a file

        LINK

        REMOVE

        RENAME

        CREATE, when it creates a new file or directory, or opens an existing file in delete-on-close mode

        SET_INFO, when it is used for delete on close or when it renames a file or directory

        Bucket-level operations:

        • CreateBucket

        • DeleteBucket

        Object-level operations:

        • PutObject

        • CopyObject

        • CreateMultipartUpload

        • AbortMultipartUpload

        • CompleteMultipartUpload

        • DeleteObject

        • DeleteObjects

      • Modify data/MD. Operations that modify data (this includes operations that change the file size) and metadata:

        NFSv3

        NFSv4.1

        SMB

        S3

        CREATE, when it truncates a file

        WRITE

        SETATTR

        SETACL

        OPEN, if it truncates an existing file

        WRITE

        SETATTR

        CREATE, if it truncates an existing file

        WRITE

        IOCTL on a file or directory, if it modifies data or metadata

        SET_INFO, when it changes metadata

        Bucket-level operations:

        • PutBucketAcl

        • PutBucketVersioning

        • PutObjectLockConfiguration

        • PutBucketLifecycleConfiguration

        • PutBucketTagging

        • DeleteBucketTagging

        Object-level operations:

        • PutObjectAcl

        • PutObjectRetention

        • PutObjectLegalHold

        • PutObjectTagging

        • DeleteObjectTagging

      • Read data. Operations that read data and metadata:

        NFSv3

        NFSv4.1

        SMB

        S3

        READ

        READDIR

        READDIRPLUS

        GETACL

        ACCESS, if the RPC failed or if the granted access is lower than the requested access

        READ

        GETATTR

        READDIR

        VERIFY

        READ

        QUERY_DIRECTORY

        Object-level operations:

        • GetObject

      • Session create/close. For sessions that use Kerberos 5 authentication (krb5, krb5i, or krb5p), the session creation and closing operations:

        NFSv3

        NFSv4.1

        SMB

        S3

        N/A

        Kerberos user token creation

        Kerberos user token deletion

        SESSION_SETUP

        LOGOFF

        N/A

    4. Optionally change the Audit record options:

      Log full path

      If enabled (default for all protocols), audit records contain the full Element Store path to the requested resource. This may affect performance. When disabled, the view path is recorded.

      Log username

      Disabled by default.

      If enabled, audit records contain the username (if a username can be retrieved from the auth provider).

  5. Click Save.

 

Configuring Global Auditing Settings via VAST CLI

  • To view the currently enabled global auditing settings, run the cluster show command with the --audit parameter.

    vcli: admin> cluster show --audit
+--------------------------+------------------+
| ID                       | 1                |
| Name                     | vast111-az       |
| Audit-dir-name           | .vast_audit_dir  |
| Read-access-users        | []               |
| Read-access-users-groups | []               |
| Max-file-size(GB)        | 1.024            |
| Max-retention-period     | 1                |
| Max-retention-timeunit   | h                |
| Protocols                | ['NFSv3', 'SMB'] |
+--------------------------+------------------+
Operations to audit
+----------------------------------+---------+
| Operation                        | Enabled |
+----------------------------------+---------+
| Create/Delete Files/Dirs/Objects | True    |
| Modify data/MD                   | True    |
| Read data                        | True    |
| Session create/close             | False   |
+----------------------------------+---------+
Audit record options
+---------------------+---------+
| Audit record option | Enabled |
+---------------------+---------+
| Log full path       | True    |
| Log username        | False   |
+---------------------+---------+

  • To configure global auditing settings, use the cluster modify command.

    For example, the following command sets the audit directory name to vast_audit_dir, grants read access for the audit files to the user janef and enables auditing of a few types of NFSv3 and SMB operations:

    vcli: admin> cluster modify --id 1 --audit-protocols NFSv3,SMB --read-access-users janef --audit-operations create_delete_files_dirs_objects,modify_data_md,read_data  --audit-dir-name .vast_audit_dir --enable-audit-settings
 
 

Related articles

Comments

0 comments

Article is closed for comments.