ONTAP 9.12.1 commands

    vserver security trace trace-result show

    Display security trace results

    Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

    Description

    The vserver security trace trace-result show command displays the list of security trace event records stored on the cluster. These records are generated in response to security trace filters that are created using the vserver security trace filter create command. The command output depends on the parameter or parameters specified with the command. If you do not specify any parameters, the command displays the following information about all the security trace events generated since the filter was enabled:

    • Vserver name

    • Cluster node name

    • Security trace filter index number

    • User name

    • Security style

    • Path

    • Reason

    You can specify additional parameters to display only the information that matches those parameters. For example, to display information about events that occurred for the user "guest", run the command with the `-user-name` parameter set to `guest`.

    Parameters

    { [-fields <fieldname>,...]

    If you specify this parameter, the command only displays the fields that you specify.

    | [-instance ] }

    If you specify this parameter, the command displays detailed information about all security trace events.

    [-node {<nodename>|local}] - Node

    If you specify this parameter, the command displays information only about security trace events on the specified node.

    [-vserver <vserver name>] - Vserver

    If you specify this parameter, the command displays information only about security trace events on the specified Vserver.

    [-seqnum <integer>] - Sequence Number

    If you specify this parameter, the command displays information only about the security trace events with this sequence number.

    [-keytime <Date>] - Time

    If you specify this parameter, the command displays information only about security trace events that occurred at the specified time.

    [-index <integer>] - Index of the Filter

    If you specify this parameter, the command displays information only about security trace events that occurred as a result of the filter corresponding to the specified filter index number.

    [-client-ip <IP Address>] - Client IP Address

    If you specify this parameter, the command displays information only about security trace events that occurred as a result of file access from the specified client IP address.

    [-path <TextNoCase>] - Path of the File Being Accessed

    If you specify this parameter, the command displays information only about the security trace events that occurred as a result of file accesses to the specified path.

    [-win-user <TextNoCase>] - Windows User Name

    If you specify this parameter, the command displays information only about the security trace events that occurred as a result of file access by the specified Windows user.

    [-security-style <security style>] - Effective Security Style On File

    If you specify this parameter, the command displays information only about the security trace events that occurred on file systems with the specified security style. The allowed values for security style are the following:

    • SECURITY_NONE - Security not Set

    • SECURITY_UNIX_MODEBITS - UNIX and UNIX permissions

    • SECURITY_UNIX_ACL - UNIX and NFSv4 ACL

    • SECURITY_UNIX_SD - UNIX and NT ACL

    • SECURITY_MIXED_MODEBITS - MIXED and UNIX permissions

    • SECURITY_MIXED_ACL - MIXED and NFSv4 ACL

    • SECURITY_MIXED_SD - MIXED and NT ACL

    • SECURITY_NTFS_MODEBITS - NTFS and UNIX permissions

    • SECURITY_NTFS_ACL - NTFS and NT ACL

    • SECURITY_NTFS_SD - NTFS and NT ACL

    • SECURITY_UNIX - UNIX

    • SECURITY_MIXED - MIXED

    • SECURITY_NTFS - NTFS

    • SECURITY_MODEBITS - UNIX permissions

    • SECURITY_ACL - ACL

    • SECURITY_SD - SD

    [-result <TextNoCase>] - Result of Security Checks

    If you specify this parameter, the command displays information about the security trace events that have the specified result. Access to a file or a directory can be 'allowed' or 'denied'. Output from this command displays the result as a combination of the reason for allowing or denying access, the location where access is either allowed or denied, and the access right for which the file operation is allowed or denied.

    The following are the reasons why an access can be allowed:

    • Access is allowed because the operation is trusted and no security is configured

    • Access is allowed because the user has UNIX root privileges

    • Access is allowed because the user has UNIX owner privileges

    • Access is allowed because UNIX implicit permission grants requested access

    • Access is allowed because the CIFS user is owner

    • Access is allowed because the user has take ownership privilege

    • Access is allowed because there is no CIFS ACL

    • Access is allowed because CIFS implicit permission grants requested access

    • Access is allowed because the security descriptor is corrupted and the user is a member of the Administrators group

    • Access is allowed because the ACL is corrupted and the user is a member of the Administrators group

    • Access is allowed because the user has UNIX permissions

    • Access is allowed because explicit ACE grants requested access

    • Access is allowed because the user has audit privileges

    • Access is allowed because the user has superuser credentials

    • Access is allowed because inherited ACE grants requested access

    • Access is allowed because storage-level access guard (SLAG) grants requested access

    • Access is allowed because no central access policies applied

    • Access is allowed because no central access policies could be applied from the corrupt SACL

    • Access is allowed because matching central access policy could not be located

    • Access is allowed because no central access rules apply to the object

    • Access is allowed because skipped one or more corrupt central access rules

    • Access is allowed because all evaluated central access rules grant access

    The following are the reasons why an access can be denied:

    • Access is denied by UNIX permissions

    • Access is denied by an explicit ACE

    • Access is denied. The requested permissions are not granted by the ACE

    • Access is denied. The security descriptor is corrupted

    • Access is denied. The ACL is corrupted

    • Access is denied. The sticky bit is set on the parent directory and the user is not the owner of file or parent directory

    • Access is denied. The owner can be changed only by root

    • Access is denied. The UNIX permissions/uid/gid/NFSv4 ACL can be changed only by owner or root

    • Access is denied. The GID can be set by owner to a member of its legal group list only if 'Owner can chown' is not set

    • Access is denied. The file or the directory has readonly bit set

    • Access is denied. There is no audit privilege

    • Access is denied. Enforce DOS bits blocks the access

    • Access is denied. Hidden attribute is set

    • Access is denied by an inherited ACE

    • Access is denied as the volume is readonly or directory is a snapshot

    • Access is denied. System attribute is not set in the request

    • Access is denied by the storage-level access guard (SLAG)

    • Access is denied, file is infected

    • Access is denied. Central access policy DB not ready

    • Access is denied. Central access rule is corrupt

    • Access is denied. Central access rule explicitly denied access

    • Access is denied. Matching central access policy not found

    • Access is denied because the user does not have UNIX root privileges

    • Access is denied because the UNIX user could not be mapped to a valid NT user

    • Access is denied because the UNIX permissions/uid/gid/NFSv4 ACL cannot be set in an NTFS qtree

    The commands or locations at which access was allowed or denied are as follows:

    • while traversing the directory.

    • while truncating the file.

    • while creating the directory.

    • while creating the file.

    • while checking parent’s mode bits during delete.

    • while deleting the child.

    • while checking for child-delete access on the parent.

    • while reading security descriptor.

    • while accessing the link.

    • while creating the directory.

    • while creating or writing the file.

    • while opening existing file or directory.

    • while setting the attributes.

    • while traversing the directory.

    • while reading the file.

    • while reading the directory.

    • while deleting the target during rename.

    • while deleting the child during rename.

    • while writing data in the parent during rename.

    • while adding a directory during rename.

    • while adding a file during rename.

    • while updating the target directory during rename.

    • while setting attributes.

    • while writing to the file.

    • while extending the coral file.

    • while creating the vdisk file.

    • while checking for stale locks before open.

    • while deleting a file or a directory.

    • while truncating a hidden file.

    • while truncating a file.

    • while truncating a system file.

    • while appending to a file or setting a file attribute.

    • while opening a file or directory for delete.

    • while checking for permission on parent directory during create.

    • while appending to the file.

    • while creating the device file.

    • while reading the user’s access rights on an object.

    The access rights for which the file operation is allowed or denied are as follows:

    • Append.

    • Delete.

    • Delete Child.

    • Execute.

    • Generic All.

    • Generic Execute.

    • Generic Read.

    • Generic Write.

    • Maximum Allowed.

    • Read.

    • Read Attributes.

    • Read Control.

    • Read EA.

    • System Security.

    • Synchronize.

    • Write.

    • Write Attributes.

    • Write DAC.

    • Write EA.

    • Write Owner.

    • None.

    [-unix-user <TextNoCase>] - UNIX User Name

    If you specify this parameter, the command displays information only about the security trace events that occurred as a result of file access by the specified UNIX user.

    [-session-id <integer>] - CIFS Session ID

    If you specify this parameter, the command displays information only about the security trace events that occurred as a result of file access by the specified CIFS session ID.

    [-share-name <TextNoCase>] - Accessed CIFS Share Name

    If you specify this parameter, the command displays information only about the security trace events that occurred as a result of file access by the specified CIFS share name.

    [-protocol {cifs|nfs}] - Protocol

    If you specify this parameter, the command displays information only about the security trace events that occurred for the specified protocol.

    [-volume-name <TextNoCase>] - Accessed Volume Name

    If you specify this parameter, the command displays information only about the security trace events that occurred as a result of file access by the specified volume name.

    Examples

    The following example displays information about security trace records:

    cluster1::> vserver security trace trace-result show
    Vserver: vserver_1
    
    Node                     Index     Filter Details      Reason
    ----------------------- -------- --------------------- -------------------------
    cluster1-01             1        Security Style: MIXED Access is allowed because
                                     and NT ACL            CIFS implicit permission
                                                           grants requested access
                                                           while opening existing
                                                           file or directory.
                                                           Access is granted for:
                                                           "Read Attributes"
                                     Protocol: cifs
                                     Share: sh1
                                     Path: /stk/bit
                                     Win-User: cifs1\
                                     administrator
                                     Unix-User: root
                                     Session-ID: 58455810
    
    1 entries were displayed.

    The following example displays information about security trace records for path /stk/bit/set:

    cluster1::> vserver security trace trace-result show -path /stk/bit/set
    
    Vserver: vserver_1
    
    Node                     Index     Filter Details      Reason
    ----------------------- -------- --------------------- -------------------------
    cluster1-01             1        Security Style: MIXED Access is allowed because
                                     and UNIX permissions  the user has UNIX root
                                                           privileges while opening
                                                           existing file or
                                                           directory.
                                                           Access is granted for: "Read"
                                     Protocol: cifs
                                     Share: sh1
                                     Path: /stk/bit/set
                                     Win-User: cifs1\
                                     administrator
                                     UNIX-User: root
                                     Session-ID: 75435293758455810
    cluster1-01             1        Security Style: MIXED Access is denied. The
                                     and NT ACL            requested permissions
                                                           are not granted by the
                                                           ACE while checking for
                                                           child-delete access on
                                                           the parent. Access is not
                                                           granted for: "Delete Child"
                                     Protocol: cifs
                                     Share: sh1
                                     Path: /stk/bit/set
                                     Win-User: cifs1\
                                     administrator
                                     UNIX-User: root
                                     Session-ID: 75435293758455324
    cluster1-01             1        Security Style: MIXED Access is allowed because
                                     and NT ACL            the CIFS user is owner.
                                                           Access is denied by an
                                                           explicit ACE while
                                                           setting the attributes.
                                                           Access is not granted for:
                                                           "Read Attributes"
                                     Protocol: cifs
                                     Share: sh1
                                     Path: /stk/bit/set
                                     Win-User: cifs1\
                                     administrator
                                     UNIX-User: root
                                     Session-ID: 75435293758455324
    3 entries were displayed.

    The following example displays information about security trace records for the protocol nfs:

    cluster1::> vserver security trace trace-result show -protocol nfs
    Vserver: vserver_1
    
    Node            Index Filter Details             Reason
    --------------- ----- -------------------------- ------------------------------
    cluster1-01     2     Security Style: UNIX       Access is allowed because the
                          permissions                user has UNIX root privileges
                                                     while setting attributes.
                          Protocol: nfs
                          Volume: testvol_flex
                          Share: -
                          Path: /f1
                          Win-User: -
                          UNIX-User: root
                          Session-ID: -
    cluster1-01     2     Security Style: UNIX       Access is allowed because the
                          permissions                user has UNIX root privileges
                                                     while writing to the file.
                                                     Access is granted for: "Write"
                          Protocol: nfs
                          Volume: testvol_flex
                          Share: -
                          Path: /f1
                          Win-User: -
                          UNIX-User: root
                          Session-ID: -
    cluster1-01     3     Security Style: UNIX       Access is denied by UNIX
                          permissions                permissions while creating
                                                     the file. Access is not
                                                     granted for: "Synchronize",
                                                     "Read Control", "Read
                                                     Attributes", "Execute",
                                                     "Write"
                          Protocol: nfs
                          Volume: testvol_flex
                          Share: -
                          Path: /d1/file
                          Win-User: -
                          UNIX-User: 1029
                          Session-ID: -
    3 entries were displayed.
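    The record layout shown in these examples, parsed into fields for triage. This is an added example, not NetApp's code; the sample output is constructed after the page's examples, column offsets are taken from the dashed ruler under the header, and the Reason text is split into outcome, location and access rights as the -result parameter describes.

```python
import re
# Constructed sample modelled on the page's examples; not captured output.
SAMPLE = """\
Vserver: vserver_1
Node                     Index     Filter Details      Reason
----------------------- -------- --------------------- -------------------------
cluster1-01             1        Security Style: MIXED Access is allowed because CIFS implicit
                                 and NT ACL            permission grants requested access while
                                                       opening existing file or directory.
                                                       Access is granted for: "Read Attributes"
                                 Protocol: cifs
                                 Path: /stk/bit
                                 Win-User: cifs1\\
                                 administrator
cluster1-01             1        Security Style: MIXED Access is denied. The requested permissions
                                 and NT ACL            are not granted by the ACE while checking for
                                                       child-delete access on the parent.
                                                       Access is not granted for: "Delete Child"
                                 Protocol: cifs
                                 Path: /stk/bit/set
                                 Win-User: cifs1\\user1
2 entries were displayed.
"""

def parse_trace_results(text):
    """One dict per record; Reason is split into outcome, location and rights."""
    lines = text.splitlines()
    ruler = next(i for i, l in enumerate(lines) if l.startswith("----"))
    starts = [m.start() for m in re.finditer(r"-+", lines[ruler])]  # column offsets
    stops = starts[1:] + [None]
    records = []
    for line in lines[ruler + 1:]:
        if not line.strip() or "entries were displayed" in line:
            continue
        node, index, detail, reason = (line[a:b].strip() for a, b in zip(starts, stops))
        if node:  # a filled Node column starts a new record
            records.append({"node": node, "index": int(index), "reason": ""})
        rec = records[-1]
        if detail:
            key, sep, value = detail.partition(": ")
            if sep:
                rec[key.lower()] = value
            else:  # wrapped continuation of the previous detail value
                last = list(rec)[-1]
                rec[last] += ("" if rec[last].endswith("\\") else " ") + detail
        if reason:
            rec["reason"] += (" " if rec["reason"] else "") + reason
    for rec in records:  # the final sentence decides: a record may allow, then deny
        r = rec["reason"]
        rec["outcome"] = "denied" if "not granted for" in r or (
            "granted for" not in r and r.startswith("Access is denied")) else "allowed"
        loc = re.search(r"\bwhile (.+?)\.", r)
        rec["location"] = loc.group(1) if loc else None
        rec["rights"] = re.findall(r'"([^"]+)"', r)
    return records
```

    Filtering the returned records on outcome == "denied" gives the path, user and rights for every refused operation without reading the wrapped Reason column by hand.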