Friday, 22 January 2021

NetApp ONTAP: Apply SACLs Using Vserver Security File-Directory

The following blog is an example of applying an everything SACL (CIFS audit policy) using the ‘vserver security file-directory’ command set.  Unfortunately, using ‘vserver security file-directory’, you cannot just add a SACL, you have to get the existing DACL, and then add the SACL and original DACL at the same time. In practice, setting NTFS SACLs from Windows is an easier approach (I’d recommend reading Justin Parisi's blog post here and especially the comments section.)
 
My ONTAP version here is 9.7.
 
Setting Up the Test Environment
 
My test structure is one volume with 2 folders:
vol1 > folder1 > folder2
And each folder has a text file in:
folder1file.txt and folder2file.txt
 
The permissions have been setup as so:
 
vol1:
  Everyone with ‘Read & execute’ access,
  applied to ‘folder, subfolder and files’,
  and Inheritance Disabled
 
folder1:
  ‘Domain Admins’ with ‘Full Control’,
  ‘Domain Users’ with ‘Read & execute’,
  applied to ‘folder, subfolder and files’,
  and Inheritance Disabled
 
folder2:
  ‘Domain Admins’ with ‘Full Control’,
  ‘Domain Users’ with ‘Modify’,
  applied to ‘folder, subfolder and files’,
  and Inheritance Disabled
 
Reviewing Current ACLs using ‘vserver security file-directory show’
 
The current ACLs as reviewed by ‘vserver security file-directory show’ are below:
 
Current /vol1 ACLs: 

ACLs: NTFS Security Descriptor
  Control:0x9504
  Owner:BUILTIN\Administrators
  Group:BUILTIN\Administrators
  DACL - ACEs
    ALLOW-Everyone-0x1200a9-OI|CI
 
Current /vol1/folder1 and folder1file.txt ACLs:
 
ACLs: NTFS Security Descriptor
  Control:0x9504
  Owner:BUILTIN\Administrators
  Group:DEMO\Domain Users
  DACL - ACEs
    ALLOW-DEMO\Domain Admins-0x1f01ff-OI|CI
    ALLOW-DEMO\Domain Users-0x1200a9-OI|CI
 
Current /vol1/folder1/folder2 and folder2file.txt ACLs:
 
ACLs: NTFS Security Descriptor
  Control:0x9504
  Owner:BUILTIN\Administrators
  Group:DEMO\Domain Users
  DACL - ACEs
    ALLOW-DEMO\Domain Admins-0x1f01ff-OI|CI
    ALLOW-DEMO\Domain Users-0x1301bf-OI|CI
 
Creating SACLs
 
We have 3 different permission sets, so we will need 3 NTFS Security Descriptors to rebuild the permissions above with a SACL.
 
Firstly, we create 3 NTFS Security Descriptors, each with our audit everyone and everything SACL (note, I don’t want inheritance, so not using the apply-to ‘sub-folders’.)
 
vserver security file-directory ntfs sacl add -ntfs-sd sdvol1 -access-type failure -account Everyone -vserver svm1 -rights full-control -apply-to this-folder,files
vserver security file-directory ntfs sacl add -ntfs-sd sdvol1 -access-type success -account Everyone -vserver svm1 -rights full-control -apply-to this-folder,files
 
vserver security file-directory ntfs sacl add -ntfs-sd sdfolder1 -access-type failure -account Everyone -vserver svm1 -rights full-control -apply-to this-folder,files
vserver security file-directory ntfs sacl add -ntfs-sd sdfolder1 -access-type success -account Everyone -vserver svm1 -rights full-control -apply-to this-folder,files
 
vserver security file-directory ntfs sacl add -ntfs-sd sdfolder2 -access-type failure -account Everyone -vserver svm1 -rights full-control -apply-to this-folder,files
vserver security file-directory ntfs sacl add -ntfs-sd sdfolder2 -access-type success -account Everyone -vserver svm1 -rights full-control -apply-to this-folder,files
 
And verify these are correct using the below (outputs not included):
 
vserver security file-directory ntfs sacl show -ntfs-sd sdvol1
vserver security file-directory ntfs sacl show -ntfs-sd sdfolder1
vserver security file-directory ntfs sacl show -ntfs-sd sdfolder2
 
Removing Default DACLs
 
In the above, when we created our NTFS Security Descriptors, these come with a default set of DACLs. We don’t want these default DACLs so firstly we need to remove them. The default DACLs are seen when you run ‘vserver security file-directory ntfs dacl show -ntfs-sd SDNAME’:
 
Account Name           Access Access
--------------         ------ -------
BUILTIN\Administrators allow  full-control
BUILTIN\Users          allow  full-control
CREATOR OWNER          allow  full-control
NT AUTHORITY\SYSTEM    allow  full-control
 
To remove these default DACLs we run the below:
 
vserver security file-directory ntfs dacl remove -vserver svm1 -ntfs-sd sdvol1 -account BUILTIN\Administrators -access-type allow
vserver security file-directory ntfs dacl remove -vserver svm1 -ntfs-sd sdvol1 -account BUILTIN\Users -access-type allow
vserver security file-directory ntfs dacl remove -vserver svm1 -ntfs-sd sdvol1 -account "CREATOR OWNER" -access-type allow
vserver security file-directory ntfs dacl remove -vserver svm1 -ntfs-sd sdvol1 -account "NT AUTHORITY\SYSTEM" -access-type allow
 
vserver security file-directory ntfs dacl remove -vserver svm1 -ntfs-sd sdfolder1 -account BUILTIN\Administrators -access-type allow
vserver security file-directory ntfs dacl remove -vserver svm1 -ntfs-sd sdfolder1 -account BUILTIN\Users -access-type allow
vserver security file-directory ntfs dacl remove -vserver svm1 -ntfs-sd sdfolder1 -account "CREATOR OWNER" -access-type allow
vserver security file-directory ntfs dacl remove -vserver svm1 -ntfs-sd sdfolder1 -account "NT AUTHORITY\SYSTEM" -access-type allow
 
vserver security file-directory ntfs dacl remove -vserver svm1 -ntfs-sd sdfolder2 -account BUILTIN\Administrators -access-type allow
vserver security file-directory ntfs dacl remove -vserver svm1 -ntfs-sd sdfolder2 -account BUILTIN\Users -access-type allow
vserver security file-directory ntfs dacl remove -vserver svm1 -ntfs-sd sdfolder2 -account "CREATOR OWNER" -access-type allow
vserver security file-directory ntfs dacl remove -vserver svm1 -ntfs-sd sdfolder2 -account "NT AUTHORITY\SYSTEM" -access-type allow

And to confirm the DACLs are now clean and empty, run:
 
vserver security file-directory ntfs dacl show -ntfs-sd sdvol1
vserver security file-directory ntfs dacl show -ntfs-sd sdfolder1
vserver security file-directory ntfs dacl show -ntfs-sd sdfolder2
 
Now we are ready to add our DACLs!
 
Creating DACLs
 
To create our DACLs as per ‘Setting up the test environment’:

vserver security file-directory ntfs dacl add -ntfs-sd sdvol1 -vserver svm1 -access-type allow -account Everyone -rights read-and-execute -apply-to this-folder,files
 
vserver security file-directory ntfs dacl add -ntfs-sd sdfolder1 -vserver svm1 -access-type allow -account "DEMO\Domain Admins" -rights full-control -apply-to this-folder,files
vserver security file-directory ntfs dacl add -ntfs-sd sdfolder1 -vserver svm1 -access-type allow -account "DEMO\Domain Users" -rights read-and-execute -apply-to this-folder,files
 
vserver security file-directory ntfs dacl add -ntfs-sd sdfolder2 -vserver svm1 -access-type allow -account "DEMO\Domain Admins" -rights full-control -apply-to this-folder,files
vserver security file-directory ntfs dacl add -ntfs-sd sdfolder2 -vserver svm1 -access-type allow -account "DEMO\Domain Users" -rights modify -apply-to this-folder,files
 
And to confirm the DACLs are as we want, run:
 
vserver security file-directory ntfs dacl show -ntfs-sd sdvol1
vserver security file-directory ntfs dacl show -ntfs-sd sdfolder1
vserver security file-directory ntfs dacl show -ntfs-sd sdfolder2
 
Applying the DACL and SACL
 
We need to create a new ‘vserver security file-directory policy’, add tasks to it (one per level of the volume and folder hierarchy), then finally apply the policy and see it it’s worked! Here the tasks work downwards with the the volume having task index 1, and folders tasks index 2 and 3.
 
vserver security file-directory policy create -policy-name DACL_with_SACL_1 -vserver svm1
vserver security file-directory policy task add -vserver svm1 -path /vol1 -ntfs-sd sdvol1 -policy-name DACL_with_SACL_1 -ntfs-mode replace
vserver security file-directory policy task add -vserver svm1 -path /vol1/folder1 -ntfs-sd sdfolder1 -policy-name DACL_with_SACL_1 -ntfs-mode replace
vserver security file-directory policy task add -vserver svm1 -path /vol1/folder1/folder2 -ntfs-sd sdfolder2 -policy-name DACL_with_SACL_1 -ntfs-mode replace
vserver security file-directory policy task show -vserver svm1 -policy-name DACL_with_SACL_1
vserver security file-directory apply -vserver svm1 -policy-name DACL_with_SACL_1
job show -id 234
 
NOTE: We use ‘ntfs-mode replace’ which replaces permissions. I found ‘ignore’ simply won’t do anything when you run the apply (it does indeed ignore existing ACLs, but also doesn’t apply any of your new ACLs.) Didn’t want to use ‘propragate’ in this scenario (which is the default if you don’t specify ntfs-mode).
 
Did it Work As Expected? NO
 
Unfortunately, it did not work as expected. Yes, the audit SACLs are correct (actually perfect). The problem is that the ‘vserver security file-directory policy apply’ goes and enables inheritance on folders, which is not what we wanted. Which means that my folder2file.txt gets Everyone ‘Read & execute’ access inherited from /vol1. See the picture below.
 
Image: SACLs and DACLs applied using ‘vserver security file-directory’ (click to enlarge)

 
Conclusion
 
‘vserver security file-directory’ is useful for resetting permissions, say when permissions have been lost (like I did with PowerShell in 2015 www.cosonok.com/2015/10/using-data-ontap-apis-powershell-to-set.html), otherwise it is completely the wrong tool for setting NTFS SACLs and modifying DACLs.

...

There is Another Option...

You could configure SLAG (Storage-Level Access Guard). Hopefully I'll get time to do a blog on this in the future, something like 'How to use SLAG for CIFS Auditing on ONTAP'.

“SACLs designate if an object, or sub object, should be audited for a given event, successful or failure. If you are wanting to audit the objects within a volume or qtree you will have 2 options. The easiest would be using SLAG. If the SACLs you are setting are the same across the volume you can use SLAG to apply the SACLs immediately. If you have variance across your qtree or volume when it comes to what you want to audit then you will have to apply the appropriate SACLs to each object you want to audit.”

No comments:

Post a Comment

Note: only a member of this blog may post a comment.