File Access Auditing Support for SMB and NFS Clients

Freedom File Access Audit

Panzura Freedom’s File Access Audit feature tracks operations on files and folders within the Freedom filesystem.

  • Freedom uses several sources to gather file access audit information, including SMB/CIFS, NFS, and the file system.
  • Only UDP is supported for the Syslog output configured in the AS-Audit license.
  • Data Services and Syslog server support: by editing the audit license in the License Manager, you can point your local audit logs to a Syslog server, either independently of or simultaneously with Data Services.
  • To point the audit logs to the Syslog server, define the Syslog hostname (IP address) in the Syslog host field. If the Data Services Freedom NAS plugin is enabled on your filer, it will also automatically send the audit logs to Data Services. You can disable the audit scan on the Freedom NAS plugin via the Data Services UI.

Panzura File Access Audit Best Practices

Installing the Audit License

Audit functionality is enabled through licensing. This can be done via token or license file. Once you receive the token or license, you can refer to the License Manager section of the Admin Guide to enable the feature.

Configuring the Audit License

1. Once your license has been installed, return to the License Manager, select the check box next to the “AS-Audit” license, and click the “EDIT” button.

2. Enter or edit the following information:

a. SYSLOG HOST

Enter the hostname for your syslog host here.

b. INCLUDE FILES

Specify patterns that explicitly identify the files and folders for which audit activity is recorded. Enter a comma-separated list of paths; glob (wildcard) matches are used to include audited files.

Default: Include all files on filer, indicated by the “*” symbol.

Example: Enter “*.pdf” (without quotations) to include only files with the “pdf” suffix.

c. EXCLUDE FILES

Specify patterns that explicitly identify the files and folders to be excluded from audit recording. Enter a comma-separated list of paths; glob (wildcard) matches are used to exclude files from auditing.

Default: Exclude no files from audit on the filer, indicated by the “-” symbol.

Example: Enter “*.exe, *.docx” (without quotations) to exclude files with the “exe” or “docx” suffix.

d. ACCESS

Enter a comma-delimited list of operations and aliases from the “Audit Access Operations” and “AS-Audit License Access Aliases” sections below.

3. Click the “Done” button. File Access Audit is now enabled on your Freedom Filer.

As a best practice, Panzura recommends adding a minimum of 4 MB of RAM per user if Audit is enabled.

Audit Access Operations

The operations below correspond to user activity. Adding an operation to the “ACCESS” field of the AS-Audit license enables that user activity to be captured. For simplified configuration, see the next section, “AS-Audit License Access Aliases”.

This chart pertains only to Panzura CloudFS8.

Category                       Operation      Description                               Client Type (File Protocol): SMB / NFS
General Filesystem Operations  access         Check access permissions
                               create         Create a file
                               getattr        Get file attributes
                               link           Create link to an object
                               mkdir          Create a directory
                               mknod          Create a special device
                               read           Read from file
                               readir         Read from directory
                               readirplus     Extended read from directory
                               readlink       Read from symbolic link
                               remove         Remove a file
                               rename         Rename a file or directory
                               rmdir          Remove a directory
                               setattr        Set file attributes
                               symlink        Create a symbolic link
                               write          Write to file
ACLs                           aclcheck       Check access control list
                               aclget         Get access control list
                               aclset         Set access control list
Extended Attributes            delxattr       Delete extended attribute
                               getxattr       Get extended attribute
                               listxattr      List extended attribute
                               setxattr       Set extended attribute
SMB Operations                 chflags        Change flags
                               chmod          Change mode of file
                               chown          Change owner of file
                               close          Close file
                               connect        Connect to a fileshare
                               disconnect     Disconnect from a fileshare
                               fsync          Flush all write data to disk
                               lock           Lock file
                               open           Open file
                               recvfile       Receive file
                               search         Search using a specified template
                               sendfile       Send file
                               streaminfo     Provide information about an IO stream
                               trunc          Truncate file to zero length
                               unlock         Unlock file
ICAP                           avscan         Run an antivirus scan
GRW                            rlop           Used by Panzura Support.
                               rlclaim        Used by Panzura Support.
                               rlclaimasync   Used by Panzura Support.

AS-Audit License Access Aliases

To simplify configuration of the Audit feature, aliases work as a shorthand for common groups of operations. For instance, instead of adding “remove, rmdir, rename” in the “ACCESS” field, you can enable the same functionality by adding “delete”.

Alias     Operations Included
smb       open, close, read, write, create, remove, rename, mkdir, rmdir, readdir, getxattr, setxattr
delete    remove, rename, rmdir
ntacl     getxattr, setxattr
grw       rlop, rlclaim, rlclaimsync
icap      avscan
vizion    open, create, remove, rename, close, mkdir, rmdir, setxattr, rlclaim

Operations can also be removed from a group by adding a hyphen before the individual operation. For instance, “delete, -rmdir” corresponds to “remove, rename”.
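The alias expansion and hyphen removal described above, as an added example that is not Panzura's code: it expands an ACCESS string into the operations it enables and lists the operations a detection rule depends on that the string would not record. The alias table is copied from this page; the function names, the sample ACCESS strings, and the rule that removals apply after all additions are assumptions.

```python
# Alias table copied from the "AS-Audit License Access Aliases" section,
# with operation names spelled exactly as the page lists them.
ALIASES = {
    "smb": ["open", "close", "read", "write", "create", "remove", "rename",
            "mkdir", "rmdir", "readdir", "getxattr", "setxattr"],
    "delete": ["remove", "rename", "rmdir"],
    "ntacl": ["getxattr", "setxattr"],
    "grw": ["rlop", "rlclaim", "rlclaimsync"],
    "icap": ["avscan"],
    "vizion": ["open", "create", "remove", "rename", "close", "mkdir",
               "rmdir", "setxattr", "rlclaim"],
}


def expand_access(field):
    """Return the set of operations an ACCESS string enables.

    Assumption (not stated on the page): entries with a leading hyphen are
    applied after all additions, regardless of their position in the list.
    """
    added, removed = set(), set()
    for raw in field.split(","):
        token = raw.strip().lower()
        target = removed if token.startswith("-") else added
        name = token.lstrip("-").strip()
        if not name:
            continue
        # An alias contributes its member operations; any other token is
        # treated as a single operation name.
        target.update(ALIASES.get(name, [name]))
    return added - removed


def coverage_gaps(field, required):
    """Operations in `required` that the ACCESS string would not record."""
    return sorted(set(required) - expand_access(field))


if __name__ == "__main__":
    # Constructed review case: a proposed ACCESS value trimmed to reduce
    # log volume, checked against the operations a tamper/deletion
    # detection rule needs.
    proposed = "smb, ntacl, -read, -readdir"
    print(sorted(expand_access(proposed)))
    print(coverage_gaps(proposed, ["write", "rename", "remove", "setattr"]))
```

Running a check like this before saving the license shows audit blind spots, such as `setattr` not being part of the `smb` alias, before they surface as missing events on the Syslog server.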

Prior to the 8.0.0.3 release, NFS clients connecting as ‘root’ were not visible in Audit. This issue is fixed, and all NFS users are now visible in Audit logs.

Audit Resource Recommendations

To ensure operational performance, for each filer with Audit enabled, it is recommended that a minimum overhead of 500 MiB of system RAM is available. For filers that support more than 3,000 users, a minimum overhead of 1 GiB of system RAM should be available. In cases of extreme activity, the Audit process may consume up to 20% of system RAM.