The following blog is an example of applying an
everything SACL (CIFS audit policy) using the ‘vserver security file-directory’
command set. Unfortunately, using ‘vserver
security file-directory’, you cannot just add a SACL, you have to get the
existing DACL, and then add the SACL and original DACL at the same time. In
practice, setting NTFS SACLs from Windows is an easier approach (I’d recommend
reading Justin
Parisi's blog post here and especially the comments section.)
My ONTAP version here is 9.7.
Setting Up the Test
Environment
My test structure is one volume with 2 folders:
vol1 > folder1 > folder2
And each folder has a text file in:
folder1file.txt and folder2file.txt
The permissions have been setup as so:
vol1:
Everyone with ‘Read & execute’
access,
applied to ‘folder, subfolder and files’,
and Inheritance Disabled
folder1:
‘Domain Admins’ with ‘Full Control’,
‘Domain Users’ with ‘Read &
execute’,
applied to ‘folder, subfolder and files’,
and Inheritance Disabled
folder2:
‘Domain Admins’ with ‘Full Control’,
‘Domain Users’ with ‘Modify’,
applied to ‘folder, subfolder and files’,
and Inheritance Disabled
Reviewing Current
ACLs using ‘vserver security file-directory show’
The current ACLs as reviewed by ‘vserver security
file-directory show’ are below:
Current /vol1 ACLs:
ACLs: NTFS Security Descriptor
Control:0x9504
Owner:BUILTIN\Administrators
Group:BUILTIN\Administrators
DACL
- ACEs
ALLOW-Everyone-0x1200a9-OI|CI
Current /vol1/folder1 and folder1file.txt ACLs:
ACLs: NTFS Security Descriptor
Control:0x9504
Owner:BUILTIN\Administrators
Group:DEMO\Domain Users
DACL - ACEs
ALLOW-DEMO\Domain Admins-0x1f01ff-OI|CI
ALLOW-DEMO\Domain Users-0x1200a9-OI|CI
Current /vol1/folder1/folder2 and folder2file.txt ACLs:
ACLs: NTFS Security Descriptor
Control:0x9504
Owner:BUILTIN\Administrators
Group:DEMO\Domain Users
DACL - ACEs
ALLOW-DEMO\Domain Admins-0x1f01ff-OI|CI
ALLOW-DEMO\Domain Users-0x1301bf-OI|CI
Creating SACLs
We have 3 different permission sets, so we will need 3 NTFS
Security Descriptors to rebuild the permissions above with a SACL.
Firstly, we create 3 NTFS Security Descriptors, each with
our audit everyone and everything SACL (note, I don’t want inheritance, so not
using the apply-to ‘sub-folders’.)
vserver security file-directory ntfs sacl
add -ntfs-sd sdvol1 -access-type failure -account Everyone -vserver svm1
-rights full-control -apply-to this-folder,files
vserver security file-directory ntfs sacl
add -ntfs-sd sdvol1 -access-type success -account Everyone -vserver svm1
-rights full-control -apply-to this-folder,files
vserver security file-directory ntfs sacl
add -ntfs-sd sdfolder1 -access-type failure -account Everyone -vserver svm1
-rights full-control -apply-to this-folder,files
vserver security file-directory ntfs sacl
add -ntfs-sd sdfolder1 -access-type success -account Everyone -vserver svm1
-rights full-control -apply-to this-folder,files
vserver security file-directory ntfs sacl
add -ntfs-sd sdfolder2 -access-type failure -account Everyone -vserver svm1
-rights full-control -apply-to this-folder,files
vserver security file-directory ntfs sacl
add -ntfs-sd sdfolder2 -access-type success -account Everyone -vserver svm1
-rights full-control -apply-to this-folder,files
And verify these are correct using the below (outputs not
included):
vserver security file-directory ntfs sacl
show -ntfs-sd sdvol1
vserver security file-directory ntfs sacl
show -ntfs-sd sdfolder1
vserver security file-directory ntfs sacl
show -ntfs-sd sdfolder2
Removing Default
DACLs
In the above, when we created our NTFS Security
Descriptors, these come with a default set of DACLs. We don’t want these default
DACLs so firstly we need to remove them. The default DACLs are seen when you
run ‘vserver security file-directory ntfs dacl show -ntfs-sd SDNAME’:
Account Name Access Access
-------------- ------
-------
BUILTIN\Administrators
allow full-control
BUILTIN\Users allow full-control
CREATOR
OWNER allow full-control
NT
AUTHORITY\SYSTEM allow full-control
To remove these default DACLs we run the below:
vserver security file-directory ntfs dacl
remove -vserver svm1 -ntfs-sd sdvol1 -account BUILTIN\Administrators
-access-type allow
vserver security file-directory ntfs dacl
remove -vserver svm1 -ntfs-sd sdvol1 -account BUILTIN\Users -access-type allow
vserver security file-directory ntfs dacl
remove -vserver svm1 -ntfs-sd sdvol1 -account "CREATOR OWNER"
-access-type allow
vserver security file-directory ntfs dacl
remove -vserver svm1 -ntfs-sd sdvol1 -account "NT AUTHORITY\SYSTEM"
-access-type allow
vserver security file-directory ntfs dacl
remove -vserver svm1 -ntfs-sd sdfolder1 -account BUILTIN\Administrators
-access-type allow
vserver security file-directory ntfs dacl
remove -vserver svm1 -ntfs-sd sdfolder1 -account BUILTIN\Users -access-type
allow
vserver security file-directory ntfs dacl
remove -vserver svm1 -ntfs-sd sdfolder1 -account "CREATOR OWNER"
-access-type allow
vserver security file-directory ntfs dacl
remove -vserver svm1 -ntfs-sd sdfolder1 -account "NT AUTHORITY\SYSTEM"
-access-type allow
vserver security file-directory ntfs dacl
remove -vserver svm1 -ntfs-sd sdfolder2 -account BUILTIN\Administrators
-access-type allow
vserver security file-directory ntfs dacl
remove -vserver svm1 -ntfs-sd sdfolder2 -account BUILTIN\Users -access-type
allow
vserver security file-directory ntfs dacl
remove -vserver svm1 -ntfs-sd sdfolder2 -account "CREATOR OWNER"
-access-type allow
vserver security file-directory ntfs dacl
remove -vserver svm1 -ntfs-sd sdfolder2 -account "NT AUTHORITY\SYSTEM"
-access-type allow
And to confirm the DACLs are now clean and empty, run:
vserver security file-directory ntfs dacl
show -ntfs-sd sdvol1
vserver security file-directory ntfs dacl
show -ntfs-sd sdfolder1
vserver security file-directory ntfs dacl
show -ntfs-sd sdfolder2
Now we are ready to add our DACLs!
Creating DACLs
To create our DACLs as per ‘Setting up the test
environment’:
vserver security file-directory ntfs dacl
add -ntfs-sd sdvol1 -vserver svm1 -access-type allow -account Everyone -rights
read-and-execute -apply-to this-folder,files
vserver security file-directory ntfs dacl
add -ntfs-sd sdfolder1 -vserver svm1 -access-type allow -account "DEMO\Domain
Admins" -rights full-control -apply-to this-folder,files
vserver security file-directory ntfs dacl
add -ntfs-sd sdfolder1 -vserver svm1 -access-type allow -account "DEMO\Domain
Users" -rights read-and-execute -apply-to this-folder,files
vserver security file-directory ntfs dacl
add -ntfs-sd sdfolder2 -vserver svm1 -access-type allow -account "DEMO\Domain
Admins" -rights full-control -apply-to this-folder,files
vserver security file-directory ntfs dacl
add -ntfs-sd sdfolder2 -vserver svm1 -access-type allow -account "DEMO\Domain
Users" -rights modify -apply-to this-folder,files
And to confirm the DACLs are as we want, run:
vserver security file-directory ntfs dacl
show -ntfs-sd sdvol1
vserver security file-directory ntfs dacl
show -ntfs-sd sdfolder1
vserver security file-directory ntfs dacl
show -ntfs-sd sdfolder2
Applying the DACL
and SACL
We need to create a new ‘vserver security file-directory
policy’, add tasks to it (one per level of the volume and folder hierarchy),
then finally apply the policy and see it it’s worked! Here the tasks work downwards
with the the volume having task index 1, and folders tasks index 2 and 3.
vserver security file-directory policy
create -policy-name DACL_with_SACL_1 -vserver svm1
vserver security file-directory policy
task add -vserver svm1 -path /vol1 -ntfs-sd sdvol1 -policy-name DACL_with_SACL_1
-ntfs-mode replace
vserver security file-directory policy
task add -vserver svm1 -path /vol1/folder1 -ntfs-sd sdfolder1 -policy-name DACL_with_SACL_1
-ntfs-mode replace
vserver security file-directory policy
task add -vserver svm1 -path /vol1/folder1/folder2 -ntfs-sd sdfolder2
-policy-name DACL_with_SACL_1 -ntfs-mode replace
vserver security file-directory policy
task show -vserver svm1 -policy-name DACL_with_SACL_1
vserver security file-directory apply
-vserver svm1 -policy-name DACL_with_SACL_1
job show -id 234
NOTE: We use ‘ntfs-mode replace’ which replaces
permissions. I found ‘ignore’ simply won’t do anything when you run the
apply (it does indeed ignore existing ACLs, but also doesn’t apply any of your
new ACLs.) Didn’t want to use ‘propragate’ in this scenario (which is
the default if you don’t specify ntfs-mode).
Did it Work As
Expected? NO
Unfortunately, it did not work as expected. Yes, the audit
SACLs are correct (actually perfect). The problem is that the ‘vserver security
file-directory policy apply’ goes and enables inheritance on folders, which is
not what we wanted. Which means that my folder2file.txt gets Everyone ‘Read
& execute’ access inherited from /vol1. See the picture below.
Image: SACLs and DACLs applied using ‘vserver security
file-directory’ (click to enlarge)
Conclusion
‘vserver security file-directory’ is useful for resetting
permissions, say when permissions have been lost (like I did with PowerShell in
2015 www.cosonok.com/2015/10/using-data-ontap-apis-powershell-to-set.html),
otherwise it is completely the wrong tool for setting NTFS SACLs and modifying DACLs.
...
There is Another Option...
You could configure SLAG (Storage-Level Access Guard). Hopefully I'll get time to do a blog on this in the future, something like 'How to use SLAG for CIFS Auditing on ONTAP'.
“SACLs designate if an object, or sub object, should be audited for a given event, successful or failure. If you are wanting to audit the objects within a volume or qtree you will have 2 options. The easiest would be using SLAG. If the SACLs you are setting are the same across the volume you can use SLAG to apply the SACLs immediately. If you have variance across your qtree or volume when it comes to what you want to audit then you will have to apply the appropriate SACLs to each object you want to audit.”
Comments
Post a Comment