
WHITE PAPER
FILE SYSTEM AUDITING WITH DELL EMC POWERSCALE AND DELL EMC COMMON EVENT ENABLER
Abstract
This white paper outlines best practices to configure a File System Audit solution in an SMB or NFS environment with Dell EMC PowerScale & Common Event Enabler (CEE).
May 2020
Revisions

Date         Description
March 2019   Initial release
Dec 2019     Update the detailed audit event
May 2020     Update OneFS 9.0.0
Sept 2020    Update OneFS 9.1.0.0
Acknowledgements
This paper was produced by the following:
Author: Vincent.Shen@dell.com
The information in this publication is provided “as is.” Dell Inc. makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.
Use, copying, and distribution of any software described in this publication requires an applicable software license.
Copyright © 2019 Dell Inc. or its subsidiaries. All Rights Reserved. Dell, EMC, Dell EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners. [9/15/2020] [WHITE PAPER] [h12428]
Table of contents
Revisions  2
Acknowledgements  2
Table of contents  4
Executive summary  5
  1.1 Overview  5
  1.2 Document purpose  5
  1.3 Audience  6
  1.4 We value your feedback  6
2 Audit configuration consideration  7
  2.1 PowerScale OneFS audit overview  7
  2.2 Audit architecture  7
  2.3 Audit requirements  8
  2.4 Audit management  8
    2.4.1 Manage audit setting with OneFS WebUI  8
    2.4.2 Manage audit setting with CLI  9
    2.4.3 Granular audit selection  9
    2.4.4 Configure Dell EMC CEE event forwarding  12
    2.4.5 Configuration of audit syslog forwarding  13
    2.4.6 Audit log viewer  14
    2.4.7 Audit log progress  15
    2.4.8 Audit log time adjustment  15
    2.4.9 Audit event delivery rate statistics  16
    2.4.10 Audit purging  16
3 Conclusion  19
A Configure Varonis DatAdvantage  20
B OneFS to Dell EMC CEE event map  22
C Technical support and resources  23
  C.1 Related resources  23
Executive summary
1.1 Overview
Information technology auditors are faced with rapidly growing unstructured data in their data centers, including sensitive information such as intellectual property, confidential customer or employee data, and proprietary company records. The need to audit unstructured data to keep company proprietary information secure, as well as the need to comply with governmental regulations, drives the need for business-critical audit capabilities.
Auditing can detect many potential sources of data loss, including fraudulent activities, inappropriate entitlements, unauthorized access attempts, and a range of other anomalies that are indicators of risk. Customers in industries such as financial services, health care, life sciences, and media and entertainment, as well as in governmental agencies, must meet stringent regulatory requirements developed to protect against these sources of data loss.
Regulatory requirements

Segment                  Key business drivers
Financial services       Compliance requirements for the Sarbanes-Oxley Act (SOX)
Health care              Compliance requirements for the Health Insurance Portability and Accountability Act (HIPAA), 21 CFR (Part 11)
Life sciences            Compliance requirements for the Genetic Information Non-Discrimination Act (GINA)
Media and entertainment  Security requirements for Motion Picture Association of America (MPAA) content movement
Federal agencies         Security requirements for Security Technical Information Guide (STIG)/Federal Information Security Management Act (FISMA)
Depending on the regulatory requirements, auditing file system operations, such as file creation or deletion, is required to demonstrate compliance with chain of custody. In other scenarios, the goal of auditing is to track configuration changes to the storage system. Lastly, auditing needs to track activities such as logon/logoff events, which may not involve file data or configuration changes. The audit enhancements included in Dell EMC® PowerScale® OneFS® 8.0 address these needs for SMB, NFS, and HDFS workflows and for PowerScale cluster configuration changes.
1.2 Document purpose
This white paper provides configuration considerations and best practices for PowerScale OneFS Audit, including:
- Audit architecture
- Audit requirements
- Audit management configuration and considerations, including:
  o Configuring audit settings through the OneFS WebUI and CLI
  o Configuring Dell EMC Common Event Enabler (CEE) event forwarding
  o Audit syslog forwarding
  o Audit log progress check
  o Audit log time adjustment
  o Audit event delivery rate statistics
1.3 Audience
This guide is intended for experienced system and storage administrators who are familiar with file services and network storage administration.
This guide assumes you have a working knowledge of the following:
- Network-attached storage (NAS) systems
- Third-party audit applications
- Dell EMC Common Event Enabler
- The PowerScale scale-out storage architecture and the PowerScale OneFS operating system
You should also be familiar with PowerScale documentation resources, including:
- EMC Community Network (ECN) info hubs
- Dell EMC OneFS release notes, which are available on the Dell EMC support network and contain important information about resolved and known issues
- Dell EMC PowerScale OneFS Best Practices
1.4 We value your feedback
Dell EMC and the authors of this document welcome your feedback on the white paper.
Authors: Vincent Shen (Vincent.shen@dell.com)
2 Audit configuration consideration
2.1 PowerScale OneFS audit overview
PowerScale OneFS can audit system configuration events and SMB, NFS, and HDFS protocol access events on the PowerScale cluster. All audit data is stored in files called audit topics, which collect log information that can be further processed by auditing tools.

System configuration auditing is either enabled or disabled; no additional configuration is required. If configuration auditing is enabled, all configuration events that are handled by the application programming interface (API) are tracked and recorded in the configuration audit topic. Configuration events are not forwarded to the Dell EMC Common Event Enabler (CEE).

SMB, NFS, and HDFS protocol events can be audited. If protocol auditing is enabled, file access events through SMB, NFS, and HDFS are recorded in the protocol audit topic. The protocol audit topic is consumable by auditing applications that support the Common Event Enabler, which provides integration with auditing applications such as Varonis® DatAdvantage®, STEALTHbits StealthAUDIT®, Symantec Data Insight®, and Dell Change Auditor for Dell EMC®.
2.2 Audit architecture
Starting with OneFS 7.1, a Likewise input/output (LWIO) filter manager was introduced. The filter manager provides a plug-in framework for processing input/output request packets (IRPs) both before and after they are serviced. An IRP encodes a protocol request handled by LWIO as well as the corresponding request handled by the file system drivers.
Audit events are processed after the kernel has serviced the IRP. If the IRP involves a configured audit event for an Access Zone where auditing is enabled, an audit payload is created.
The audit events are logged on the individual nodes where the SMB/NFS client initiated the activity. The events are then stored in a binary file under /ifs/.ifsvar/audit/logs. The logs automatically roll over to a new file once the size reaches 1 GB. The default protection for the audit log files is +3. Given various regulatory requirements, such as HIPAA, which require two years of audit logs, the audit log files are not deleted from the cluster.
Starting in OneFS 7.1.1, audit logs are automatically compressed. Audit logs are compressed on file roll over. As part of the audit log roll over, a new audit log file is actively written to, while the previous log file is compressed. The estimated space savings for the audit logs is 90%.
Once the auditing event has been logged, a CEE forwarder service handles forwarding the event to CEE. The event is forwarded via an HTTP PUT operation.
At this point, CEE forwards the audit event to a defined endpoint, such as Varonis DatAdvantage. The audit events are coalesced by the third-party audit application.
OneFS 7.1.1 added the ability to forward configuration and protocol auditing events to a syslog server. By default, syslog forwarding writes the events to /var/log/audit_protocol.log for protocol auditing events and /var/log/audit_config for configuration auditing events.
OneFS 8.0.1 adds support for concurrent delivery to multiple CEE servers. Each node initiates 20 HTTP 1.1 connections across a subset of CEE servers. Each node can choose up to 5 CEE servers for delivery. The HTTP connections are evenly balanced across the CEE servers from each node. The change results in increased audit performance.
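The per-node CEE delivery plan described above, modelled as an added example (this is not Dell's code or OneFS's actual implementation): each node opens 20 HTTP 1.1 connections spread round-robin over at most 5 of the configured CEE servers, so an operator can see how a given server list would be covered and check that the spread is even. The function and variable names, the rotating per-node server-selection rule in `choose_servers`, and the `cee*.example.internal` hostnames are assumptions made for illustration.

```python
"""Model the per-node CEE connection plan (added example, not Dell's code).

The paper states that each node opens 20 HTTP 1.1 connections, spread
evenly across up to 5 CEE servers. The functions below reproduce that
arithmetic for any server list so the resulting spread can be inspected
and verified. How OneFS picks which 5 servers a node uses is not stated
in the paper; the rotating-window rule here is an assumption.
"""
from collections import Counter
from itertools import cycle, islice

PER_NODE_CONNECTIONS = 20   # per-node connection count stated in the paper
MAX_SERVERS_PER_NODE = 5    # per-node CEE server cap stated in the paper


def choose_servers(configured, node_index=0, max_servers=MAX_SERVERS_PER_NODE):
    """Pick the subset of CEE servers a node will deliver to.

    Assumed rule: node i starts at offset i in the configured list, so a
    cluster with more servers than the cap still exercises every server.
    Duplicate entries are dropped while preserving order.
    """
    if not configured:
        raise ValueError("at least one CEE server is required")
    ordered = list(dict.fromkeys(configured))
    n = min(max_servers, len(ordered))
    start = node_index % len(ordered)
    rotated = ordered[start:] + ordered[:start]
    return rotated[:n]


def plan_connections(servers, total=PER_NODE_CONNECTIONS):
    """Distribute `total` connections round-robin over `servers`.

    Round-robin guarantees that no two servers differ by more than one
    connection, which is what "evenly balanced" means when `total` is not
    divisible by the number of servers (e.g. 20 over 3 gives 7/7/6).
    """
    if not servers:
        raise ValueError("no servers to distribute connections over")
    return dict(Counter(islice(cycle(servers), total)))


def is_even(plan):
    """True when the busiest server carries at most one more connection than the least busy."""
    counts = plan.values()
    return max(counts) - min(counts) <= 1


def cluster_plan(configured, node_count):
    """Per-node plans for a whole cluster: {node_index: {server: connections}}."""
    return {
        i: plan_connections(choose_servers(configured, node_index=i))
        for i in range(node_count)
    }


if __name__ == "__main__":
    # Constructed, placeholder CEE hostnames for illustration only.
    cee = [f"cee{i}.example.internal" for i in range(1, 8)]
    for node, plan in cluster_plan(cee, node_count=3).items():
        print(f"node {node}: {plan}  even={is_even(plan)}")
```

With seven configured servers and three nodes, each node uses a different five-server window, and every plan sums to 20 connections with per-server counts differing by at most one. Whether OneFS rotates its server choice per node in this way is not stated in the paper; only the 20-connection and 5-server figures and the even balance come from the text.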