CloudFS Access Audit
The CloudFS File Access Audit feature tracks operations on files and folders within the CloudFS filesystem.
- CloudFS uses several sources to gather file access audit information, including SMB/CIFS, NFS, and the file system.
- Only UDP is supported for the Syslog output configured in the AS-Audit license.
- Data Services and Syslog server support: by editing the audit license in the License Manager, you can point your local audit logs to a Syslog server, either independently of Data Services or simultaneously with it.
- You can point the audit logs to the Syslog server by defining the Syslog hostname (IP address) in the Syslog host field. If the Data Services CloudFS NAS plugin is enabled on your node, it will also automatically send the audit logs to Data Services. You can disable the audit scan on the CloudFS NAS plugin via the Data Services UI.
Panzura File Access Audit Best Practices
Installing the Audit License
Audit functionality is enabled through licensing. This can be done via token or license file. Once you receive the token or license, you can refer to the License Manager section of the Admin Guide to enable the feature.
Configuring the Audit License
1. Once your license has been installed, return to the License Manager, select the check box next to the “AS-Audit” license, and click the “EDIT” button.
2. Enter or edit the following information:
a. SYSLOG HOST
Enter the hostname for your syslog host here.
b. INCLUDE FILES
Specify patterns to explicitly identify the files and folders for which audit activity is recorded. A comma-separated list of paths with glob (wildcard) matches is used to include audited files.
Default: Include all files on node, indicated by the “*” symbol.
Example: Enter “*.pdf” (without quotations) to include only files with the “pdf” suffix.
c. EXCLUDE FILES
Specify patterns to explicitly identify files and folders to be excluded from recording audit activity. A comma-separated list of paths with glob (wildcard) matches is used to exclude files from auditing.
Default: Exclude no files from audit on the node, indicated by the “-” symbol.
Example: Enter “*.exe, *.docx” (without quotations) to exclude files with the “exe” or “docx” suffix.
d. ACCESS
Enter a comma-delimited list of operations and aliases specified in the “Audit License Access Field Operations” and “Audit Aliases” sections below.
3. Click the “Done” button. File Access Audit is now enabled on your CloudFS node.
As a best practice, Panzura recommends adding a minimum of 4 MB RAM per User if Audit is enabled.
Audit Access Operations
The operations below correspond to user activity. Adding each operation to the “ACCESS” field of the AS-Audit license enables the user activity to be captured. For simplified configuration, please see the next section “Audit License Access Aliases”.
This chart pertains only to Panzura CloudFS8.
|General Filesystem Operations||access||Check access permissions||
|create||Create a file||
|getattr||Get file attributes||
|link||Create link to an object||
|mkdir||Create a directory||√||√|
|mknod||Create a special device||
|read||Read from file||√||√|
|readdir||Read from directory||
|readdirplus||Extended read from directory||√||√|
|readlink||Read from symbolic link||
|remove||Remove a file||√||√|
|rename||Rename a file or directory||
|rmdir||Remove a directory||√||√|
|setattr||Set file attributes||
|symlink||Create a symbolic link||√||√|
|write||Write to file||√||√|
|ACLs||aclcheck||Check access control list||√|
|aclget||Get access control list||√|
|aclset||Set access control list||
|Extended Attributes||delxattr||Delete extended attribute||√|
|getxattr||Get extended attribute||√|
|listxattr||List extended attribute||√|
|setxattr||Set extended attribute||√|
|SMB Operations||chflags||Change flags||√|
|chmod||Change mode of file||√|
|chown||Change owner of file||√|
|connect||Connect to a fileshare||√|
|disconnect||Disconnect from a fileshare||√|
|fsync||Flush all write data to disk||√|
|search||Search using a specified template||√|
|streaminfo||Provide information about an IO stream||√|
|trunc||Truncate file to zero length||√|
|ICAP||avscan||Run an antivirus scan||√|
|GRW||rlop||Used by Panzura Support.||√|
|rlclaim||Used by Panzura Support.||√|
|rlclaimasync||Used by Panzura Support.||√|
AS-Audit License Access Aliases
To simplify configuration of the Audit feature, aliases work as a shorthand for common groups of operations. For instance, instead of adding “remove, rmdir, rename” in the “ACCESS” field, you can enable the same functionality by adding “delete”.
|smb||open, close, read, write, create, remove, rename, mkdir, rmdir, readdir, getxattr, setxattr|
|delete||remove, rename, rmdir|
|grw||rlop, rlclaim, rlclaimsync|
|vizion||open, create, remove, rename, close, mkdir, rmdir, setxattr, rlclaim|
Events can be removed from a group as well by adding a hyphen before the single operation. For instance, “delete, -rmdir” corresponds to “remove, rename”.
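The following is an added sketch, not Panzura code. It models the INCLUDE FILES, EXCLUDE FILES and ACCESS fields described above to show which file events a given AS-Audit configuration would leave unrecorded. The alias table is copied from this page; the matching rules (exclude wins over include, Python's `fnmatchcase` standing in for the product's glob matching) and the sample events are assumptions.

```python
from fnmatch import fnmatchcase

# Alias table as printed on this page.
ALIASES = {
    "smb": ["open", "close", "read", "write", "create", "remove", "rename",
            "mkdir", "rmdir", "readdir", "getxattr", "setxattr"],
    "delete": ["remove", "rename", "rmdir"],
    "grw": ["rlop", "rlclaim", "rlclaimsync"],
    "vizion": ["open", "create", "remove", "rename", "close", "mkdir",
               "rmdir", "setxattr", "rlclaim"],
}

def _split(field):
    """Split a comma-delimited license field into trimmed tokens."""
    return [t.strip() for t in field.split(",") if t.strip()]

def expand_access(field):
    """Resolve an ACCESS string to the sorted set of audited operations."""
    included, removed = set(), set()
    for token in _split(field.lower()):
        if token.startswith("-"):
            # The page documents "-" only in front of a single operation.
            removed.add(token[1:].strip())
        else:
            included.update(ALIASES.get(token, [token]))
    return sorted(included - removed)

def path_in_scope(path, include="*", exclude="-"):
    """Assumed rule: a path is audited if it matches an include pattern
    and no exclude pattern; "-" is the documented 'exclude nothing'."""
    if exclude != "-" and any(fnmatchcase(path, p) for p in _split(exclude)):
        return False
    return any(fnmatchcase(path, p) for p in _split(include))

def unrecorded(events, access, include="*", exclude="-"):
    """Return the (operation, path) events the configuration would miss."""
    ops = set(expand_access(access))
    return [(op, path) for op, path in events
            if op not in ops or not path_in_scope(path, include, exclude)]

# Constructed sample events a monitoring team might expect to see logged.
EVENTS = [("remove", "/projects/q3/report.pdf"), ("rmdir", "/projects/q3"),
          ("write", "/tools/setup.exe"), ("aclset", "/projects/q3/report.pdf")]

if __name__ == "__main__":
    for op, path in unrecorded(EVENTS, "smb, -rmdir", exclude="*.exe, *.docx"):
        print(f"not audited: {op} {path}")
```

Running a check like this against the operations your detection rules depend on, before saving the license, makes blind spots from exclusions and hyphenated removals visible.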
Prior to the 188.8.131.52 release, NFS clients connecting as ‘root’ were not visible in Audit. This issue is fixed, and all NFS users are now visible in Audit logs.
Audit Resource Recommendations
To ensure operational performance, for each node with Audit enabled, it is recommended that a minimum overhead of 500 MiB of system RAM is available. For nodes that support more than 3,000 users, a minimum overhead of 1 GiB of system RAM should be available. In cases of extreme activity, the Audit process may consume up to 20% of system RAM.