ONTAP 9.13.1 commands
vserver security trace trace-result show
Display security trace results
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
The vserver security trace trace-result show command displays the list of security trace event records stored on the cluster. These records are generated in response to security trace filters that are created using the vserver security trace filter create command. The command output depends on the parameter or parameters specified with the command. If you do not specify any parameters, the command displays the following information about all the security trace events generated since the filter was enabled:
- Vserver name
- Cluster node name
- Security trace filter index number
- User name
- Security style
- Path
- Reason
You can specify additional parameters to display only information that matches those parameters. For example, to display information about events that occurred for the user "guest", run the command with the `-user-name` parameter set to `guest`.
Parameters
{ [-fields <fieldname>,…]
If you specify this parameter, the command only displays the fields that you specify.
| [-instance ] }
If you specify this parameter, the command displays detailed information about all security trace events.
[-node {<nodename>|local}] - Node
If you specify this parameter, the command displays information only about security trace events on the specified node.
[-vserver <vserver name>] - Vserver
If you specify this parameter, the command displays information only about security trace events on the specified Vserver.
[-seqnum <integer>] - Sequence Number
If you specify this parameter, the command displays information only about the security trace events with this sequence number.
[-keytime <Date>] - Time
If you specify this parameter, the command displays information only about security trace events that occurred at the specified time.
[-index <integer>] - Index of the Filter
If you specify this parameter, the command displays information only about security trace events that occurred as a result of the filter corresponding to the specified filter index number.
[-client-ip <IP Address>] - Client IP Address
If you specify this parameter, the command displays information only about security trace events that occurred as a result of file access from the specified client IP address.
[-path <TextNoCase>] - Path of the File Being Accessed
If you specify this parameter, the command displays information only about the security trace events that occurred as a result of file accesses to the specified path.
[-win-user <TextNoCase>] - Windows User Name
If you specify this parameter, the command displays information only about the security trace events that occurred as a result of file access by the specified Windows user.
[-security-style <security style>] - Effective Security Style On File
If you specify this parameter, the command displays information only about the security trace events that occurred on file systems with the specified security style. The allowed values for security style are the following:
- SECURITY_NONE - Security not Set
- SECURITY_UNIX_MODEBITS - UNIX and UNIX permissions
- SECURITY_UNIX_ACL - UNIX and NFSv4 ACL
- SECURITY_UNIX_SD - UNIX and NTFS ACL
- SECURITY_MIXED_MODEBITS - MIXED and UNIX permissions
- SECURITY_MIXED_ACL - MIXED and NFSv4 ACL
- SECURITY_MIXED_SD - MIXED and NTFS ACL
- SECURITY_NTFS_MODEBITS - NTFS and UNIX permissions
- SECURITY_NTFS_ACL - NTFS and NTFS ACL
- SECURITY_NTFS_SD - NTFS and NTFS ACL
- SECURITY_UNIX - UNIX
- SECURITY_MIXED - MIXED
- SECURITY_NTFS - NTFS
- SECURITY_MODEBITS - UNIX permissions
- SECURITY_ACL - ACL
- SECURITY_SD - SD
[-result <TextNoCase>] - Result of Security Checks
If you specify this parameter, the command displays information about the security trace events that have the specified result. Access to a file or a directory can be 'allowed' or 'denied'. Output from this command displays the result as a combination of the reason for allowing or denying access, the location where access is either allowed or denied, and the access right for which the file operation is allowed or denied.
The following are the reasons why an access can be allowed:
- Access is allowed because the operation is trusted and no security is configured
- Access is allowed because the user has UNIX root privileges
- Access is allowed because the user has UNIX owner privileges
- Access is allowed because UNIX implicit permission grants requested access
- Access is allowed because the CIFS user is owner
- Access is allowed because the user has take ownership privilege
- Access is allowed because there is no CIFS ACL
- Access is allowed because CIFS implicit permission grants requested access
- Access is allowed because the security descriptor is corrupted and the user is a member of the Administrators group
- Access is allowed because the ACL is corrupted and the user is a member of the Administrators group
- Access is allowed because the user has UNIX permissions
- Access is allowed because explicit ACE grants requested access
- Access is allowed because the user has audit privileges
- Access is allowed because the user has superuser credentials
- Access is allowed because inherited ACE grants requested access
- Access is allowed because storage-level access guard (SLAG) grants requested access
- Access is allowed because no central access policies applied
- Access is allowed because no central access policies could be applied from the corrupt SACL
- Access is allowed because matching central access policy could not be located
- Access is allowed because no central access rules apply to the object
- Access is allowed because skipped one or more corrupt central access rules
- Access is allowed because all evaluated central access rules grant access
The following are the reasons why an access can be denied:
- Access is denied by UNIX permissions
- Access is denied by an explicit ACE
- Access is denied. The requested permissions are not granted by the ACE
- Access is denied. The security descriptor is corrupted
- Access is denied. The ACL is corrupted
- Access is denied. The sticky bit is set on the parent directory and the user is not the owner of file or parent directory
- Access is denied. The owner can be changed only by root
- Access is denied. The UNIX permissions/uid/gid/NFSv4 ACL can be changed only by owner or root
- Access is denied. The GID can be set by owner to a member of its legal group list only if 'Owner can chown' is not set
- Access is denied. The file or the directory has readonly bit set
- Access is denied. There is no audit privilege
- Access is denied. Enforce DOS bits blocks the access
- Access is denied. Hidden attribute is set
- Access is denied by an inherited ACE
- Access is denied as the volume is readonly or directory is a snapshot
- Access is denied. System attribute is not set in the request
- Access is denied by the storage-level access guard (SLAG)
- Access is denied, file is infected
- Access is denied. Central access policy DB not ready
- Access is denied. Central access rule is corrupt
- Access is denied. Central access rule explicitly denied access
- Access is denied. Matching central access policy not found
- Access is denied because the user does not have UNIX root privileges
- Access is denied because the UNIX user could not be mapped to a valid NT user
- Access is denied because the UNIX permissions/uid/gid/NFSv4 ACL cannot be set in an NTFS qtree
The commands or locations at which access was denied or allowed are as follows:
- while traversing the directory.
- while truncating the file.
- while creating the directory.
- while creating the file.
- while checking parent's mode bits during delete.
- while deleting the child.
- while checking for child-delete access on the parent.
- while reading security descriptor.
- while accessing the link.
- while creating the directory.
- while creating or writing the file.
- while opening existing file or directory.
- while setting the attributes.
- while traversing the directory.
- while reading the file.
- while reading the directory.
- while deleting the target during rename.
- while deleting the child during rename.
- while writing data in the parent during rename.
- while adding a directory during rename.
- while adding a file during rename.
- while updating the target directory during rename.
- while setting attributes.
- while writing to the file.
- while extending the coral file.
- while creating the vdisk file.
- while checking for stale locks before open.
- while deleting a file or a directory.
- while truncating a hidden file.
- while truncating a file.
- while truncating a system file.
- while appending to a file or setting a file attribute.
- while opening a file or directory for delete.
- while checking for permission on parent directory during create.
- while appending to the file.
- while creating the device file.
- while reading the user's access rights on an object.
The access rights for which the file operation is allowed or denied are as follows:
- Append.
- Delete.
- Delete Child.
- Execute.
- Generic All.
- Generic Execute.
- Generic Read.
- Generic Write.
- Maximum Allowed.
- Read.
- Read Attributes.
- Read Control.
- Read EA.
- System Security.
- Synchronize.
- Write.
- Write Attributes.
- Write DAC.
- Write EA.
- Write Owner.
- None.
[-unix-user <TextNoCase>] - UNIX User Name
If you specify this parameter, the command displays information only about the security trace events that occurred as a result of file access by the specified UNIX user.
[-session-id <integer>] - CIFS Session ID
If you specify this parameter, the command displays information only about the security trace events that occurred as a result of file access by the specified CIFS session ID.
[-share-name <TextNoCase>] - Accessed CIFS Share Name
If you specify this parameter, the command displays information only about the security trace events that occurred as a result of file access by the specified CIFS share name.
[-protocol {cifs|nfs}] - Protocol
If you specify this parameter, the command displays information only about the security trace events that occurred for the specified protocol.
[-volume-name <TextNoCase>] - Accessed Volume Name
If you specify this parameter, the command displays information only about the security trace events that occurred as a result of file access by the specified volume name.
Examples
The following example displays information about security trace records:
cluster1::> vserver security trace trace-result show

Vserver: vserver_1

Node        Index Filter Details           Reason
----------- ----- ------------------------ --------------------------------------
cluster1-01     1 Security Style: MIXED    Access is allowed because CIFS implicit
                  and NTFS ACL             permission grants requested access while
                                           opening existing file or directory.
                                           Access is granted for: "Read Attributes"
                  Protocol: cifs
                  Share: sh1
                  Path: /stk/bit
                  Win-User: cifs1\administrator
                  Unix-User: root
                  Session-ID: 58455810
1 entries were displayed.
The following example displays information about security trace records for path /stk/bit/set:
cluster1::> vserver security trace trace-result show -path /stk/bit/set

Vserver: vserver_1

Node        Index Filter Details           Reason
----------- ----- ------------------------ --------------------------------------
cluster1-01     1 Security Style: MIXED    Access is allowed because the user has
                  and UNIX permissions     UNIX root privileges while opening
                                           existing file or directory. Access is
                                           granted for: "Read"
                  Protocol: cifs
                  Share: sh1
                  Path: /stk/bit/set
                  Win-User: cifs1\administrator
                  UNIX-User: root
                  Session-ID: 75435293758455810
cluster1-01     1 Security Style: MIXED    Access is denied. The requested
                  and NTFS ACL             permissions are not granted by the ACE
                                           while checking for child-delete access
                                           on the parent. Access is not granted
                                           for: "Delete Child"
                  Protocol: cifs
                  Share: sh1
                  Path: /stk/bit/set
                  Win-User: cifs1\administrator
                  UNIX-User: root
                  Session-ID: 75435293758455324
cluster1-01     1 Security Style: MIXED    Access is allowed because the CIFS user
                  and NTFS ACL             is owner. Access is denied by an
                                           explicit ACE while setting the
                                           attributes. Access is not granted for:
                                           "Read Attributes"
                  Protocol: cifs
                  Share: sh1
                  Path: /stk/bit/set
                  Win-User: cifs1\administrator
                  UNIX-User: root
                  Session-ID: 75435293758455324
3 entries were displayed.
The following example displays information about security trace records for the protocol nfs:
cluster1::> vserver security trace trace-result show -protocol nfs

Vserver: vserver_1

Node        Index Filter Details           Reason
----------- ----- ------------------------ --------------------------------------
cluster1-01     2 Security Style: UNIX     Access is allowed because the user has
                  permissions              UNIX root privileges while setting
                                           attributes.
                  Protocol: nfs
                  Volume: testvol_flex
                  Share: -
                  Path: /f1
                  Win-User: -
                  UNIX-User: root
                  Session-ID: -
cluster1-01     2 Security Style: UNIX     Access is allowed because the user has
                  permissions              UNIX root privileges while writing to
                                           the file. Access is granted for: "Write"
                  Protocol: nfs
                  Volume: testvol_flex
                  Share: -
                  Path: /f1
                  Win-User: -
                  UNIX-User: root
                  Session-ID: -
cluster1-01     3 Security Style: UNIX     Access is denied by UNIX permissions
                  permissions              while creating the file. Access is not
                                           granted for: "Synchronize", "Read
                                           Control", "Read Attributes", "Execute",
                                           "Write"
                  Protocol: nfs
                  Volume: testvol_flex
                  Share: -
                  Path: /d1/file
                  Win-User: -
                  UNIX-User: 1029
                  Session-ID: -
3 entries were displayed.
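As an added example that is not part of the ONTAP documentation, the following Python splits the Reason text of a trace-result record into the three components the -result parameter describes: the allow/deny reason, the "while ..." location, and the access rights quoted after "Access is granted for:" or "Access is not granted for:". The sample strings are constructed to match the shape of the output shown above, not captured from a real system.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample Reason strings in the shape ONTAP prints them in the
# trace-result output above (not captured from a real system).
SAMPLE_REASONS = [
    'Access is allowed because CIFS implicit permission grants requested access '
    'while opening existing file or directory. Access is granted for: "Read Attributes"',
    'Access is denied. The requested permissions are not granted by the ACE '
    'while checking for child-delete access on the parent. '
    'Access is not granted for: "Delete Child"',
    'Access is denied by UNIX permissions while creating the file. Access is not '
    'granted for: "Synchronize", "Read Control", "Read Attributes", "Execute", "Write"',
    'Access is allowed because the user has UNIX root privileges while setting attributes.',
]

@dataclass
class TraceResult:
    allowed: bool                 # verdict from the leading "Access is allowed/denied"
    reason: str                   # why access was allowed or denied
    location: Optional[str]       # the "while ..." checkpoint, if one is printed
    access_rights: List[str] = field(default_factory=list)  # rights quoted after "granted for:"

# A Reason is: reason text, optional "while <location>.", optional "Access is [not] granted for: ...".
_RESULT_RE = re.compile(
    r'^(?P<reason>Access is (?P<verdict>allowed|denied)\b.*?)'
    r'(?:\s+while\s+(?P<location>[^.]*)\.)?'
    r'(?:\s*Access is (?:not )?granted for:\s*(?P<rights>.*))?$',
    re.DOTALL,
)

def parse_result(text: str) -> TraceResult:
    """Split one Reason string into verdict, reason, location and access rights."""
    m = _RESULT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised trace result: {text!r}")
    rights = re.findall(r'"([^"]+)"', m.group("rights") or "")
    return TraceResult(allowed=m.group("verdict") == "allowed",
                       reason=m.group("reason").strip().rstrip("."),
                       location=m.group("location"), access_rights=rights)

def denied_rights_summary(reasons) -> dict:
    """Count how often each access right was denied across a set of trace results."""
    counts = Counter()
    for result in map(parse_result, reasons):
        if not result.allowed:
            counts.update(result.access_rights)
    return dict(counts)
```

parse_result(SAMPLE_REASONS[1]) returns allowed=False, location "checking for child-delete access on the parent" and access_rights ["Delete Child"]; denied_rights_summary over all four samples counts each denied right once.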