ONTAP 9.13.1 commands

vserver security trace trace-result show

Display security trace results

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

The vserver security trace trace-result show command displays the list of security trace event records stored on the cluster. These records are generated in response to security trace filters that are created using the vserver security trace filter create command. The command output depends on the parameter or parameters specified with the command. If you do not specify any parameters, the command displays the following information about all the security trace events generated since the filter was enabled:

  • Vserver name

  • Cluster node name

  • Security trace filter index number

  • User name

  • Security style

  • Path

  • Reason

You can specify additional parameters to display only the information that matches those parameters. For example, to display information about events that occurred for the user "guest", run the command with the `-user-name` parameter set to `guest`.

Parameters

{ [-fields <fieldname>,...]

If you specify this parameter, the command only displays the fields that you specify.

| [-instance ] }

If you specify this parameter, the command displays detailed information about all security trace events.

[-node {<nodename>|local}] - Node

If you specify this parameter, the command displays information only about security trace events on the specified node.

[-vserver <vserver name>] - Vserver

If you specify this parameter, the command displays information only about security trace events on the specified Vserver.

[-seqnum <integer>] - Sequence Number

If you specify this parameter, the command displays information only about the security trace events with this sequence number.

[-keytime <Date>] - Time

If you specify this parameter, the command displays information only about security trace events that occurred at the specified time.

[-index <integer>] - Index of the Filter

If you specify this parameter, the command displays information only about security trace events that occurred as a result of the filter corresponding to the specified filter index number.

[-client-ip <IP Address>] - Client IP Address

If you specify this parameter, the command displays information only about security trace events that occurred as a result of file access from the specified client IP address.

[-path <TextNoCase>] - Path of the File Being Accessed

If you specify this parameter, the command displays information only about the security trace events that occurred as a result of file accesses to the specified path.

[-win-user <TextNoCase>] - Windows User Name

If you specify this parameter, the command displays information only about the security trace events that occurred as a result of file access by the specified Windows user.

[-security-style <security style>] - Effective Security Style On File

If you specify this parameter, the command displays information only about the security trace events that occurred on file systems with the specified security style. The allowed values for security style are the following:

  • SECURITY_NONE - Security not Set

  • SECURITY_UNIX_MODEBITS - UNIX and UNIX permissions

  • SECURITY_UNIX_ACL - UNIX and NFSv4 ACL

  • SECURITY_UNIX_SD - UNIX and NTFS ACL

  • SECURITY_MIXED_MODEBITS - MIXED and UNIX permissions

  • SECURITY_MIXED_ACL - MIXED and NFSv4 ACL

  • SECURITY_MIXED_SD - MIXED and NTFS ACL

  • SECURITY_NTFS_MODEBITS - NTFS and UNIX permissions

  • SECURITY_NTFS_ACL - NTFS and NTFS ACL

  • SECURITY_NTFS_SD - NTFS and NTFS ACL

  • SECURITY_UNIX - UNIX

  • SECURITY_MIXED - MIXED

  • SECURITY_NTFS - NTFS

  • SECURITY_MODEBITS - UNIX permissions

  • SECURITY_ACL - ACL

  • SECURITY_SD - SD

[-result <TextNoCase>] - Result of Security Checks

If you specify this parameter, the command displays information about the security trace events that have the specified result. Access to a file or a directory can be 'allowed' or 'denied'. Output from this command displays the result as a combination of the reason for allowing or denying access, the location where access is either allowed or denied, and the access right for which the file operation is allowed or denied.

The following are the reasons why an access can be allowed:

  • Access is allowed because the operation is trusted and no security is configured

  • Access is allowed because the user has UNIX root privileges

  • Access is allowed because the user has UNIX owner privileges

  • Access is allowed because UNIX implicit permission grants requested access

  • Access is allowed because the CIFS user is owner

  • Access is allowed because the user has take ownership privilege

  • Access is allowed because there is no CIFS ACL

  • Access is allowed because CIFS implicit permission grants requested access

  • Access is allowed because the security descriptor is corrupted and the user is a member of the Administrators group

  • Access is allowed because the ACL is corrupted and the user is a member of the Administrators group

  • Access is allowed because the user has UNIX permissions

  • Access is allowed because explicit ACE grants requested access

  • Access is allowed because the user has audit privileges

  • Access is allowed because the user has superuser credentials

  • Access is allowed because inherited ACE grants requested access

  • Access is allowed because storage-level access guard (SLAG) grants requested access

  • Access is allowed because no central access policies applied

  • Access is allowed because no central access policies could be applied from the corrupt SACL

  • Access is allowed because matching central access policy could not be located

  • Access is allowed because no central access rules apply to the object

  • Access is allowed because skipped one or more corrupt central access rules

  • Access is allowed because all evaluated central access rules grant access

The following are the reasons why an access can be denied:

  • Access is denied by UNIX permissions

  • Access is denied by an explicit ACE

  • Access is denied. The requested permissions are not granted by the ACE

  • Access is denied. The security descriptor is corrupted

  • Access is denied. The ACL is corrupted

  • Access is denied. The sticky bit is set on the parent directory and the user is not the owner of file or parent directory

  • Access is denied. The owner can be changed only by root

  • Access is denied. The UNIX permissions/uid/gid/NFSv4 ACL can be changed only by owner or root

  • Access is denied. The GID can be set by owner to a member of its legal group list only if 'Owner can chown' is not set

  • Access is denied. The file or the directory has readonly bit set

  • Access is denied. There is no audit privilege

  • Access is denied. Enforce DOS bits blocks the access

  • Access is denied. Hidden attribute is set

  • Access is denied by an inherited ACE

  • Access is denied as the volume is readonly or directory is a snapshot

  • Access is denied. System attribute is not set in the request

  • Access is denied by the storage-level access guard (SLAG)

  • Access is denied, file is infected

  • Access is denied. Central access policy DB not ready

  • Access is denied. Central access rule is corrupt

  • Access is denied. Central access rule explicitly denied access

  • Access is denied. Matching central access policy not found

  • Access is denied because the user does not have UNIX root privileges

  • Access is denied because the UNIX user could not be mapped to a valid NT user

  • Access is denied because the UNIX permissions/uid/gid/NFSv4 ACL cannot be set in an NTFS qtree

The operations or locations at which access can be allowed or denied are as follows:

  • while traversing the directory.

  • while truncating the file.

  • while creating the directory.

  • while creating the file.

  • while checking parent’s mode bits during delete.

  • while deleting the child.

  • while checking for child-delete access on the parent.

  • while reading security descriptor.

  • while accessing the link.

  • while creating the directory.

  • while creating or writing the file.

  • while opening existing file or directory.

  • while setting the attributes.

  • while traversing the directory.

  • while reading the file.

  • while reading the directory.

  • while deleting the target during rename.

  • while deleting the child during rename.

  • while writing data in the parent during rename.

  • while adding a directory during rename.

  • while adding a file during rename.

  • while updating the target directory during rename.

  • while setting attributes.

  • while writing to the file.

  • while extending the coral file.

  • while creating the vdisk file.

  • while checking for stale locks before open.

  • while deleting a file or a directory.

  • while truncating a hidden file.

  • while truncating a file.

  • while truncating a system file.

  • while appending to a file or setting a file attribute.

  • while opening a file or directory for delete.

  • while checking for permission on parent directory during create.

  • while appending to the file.

  • while creating the device file.

  • while reading the user’s access rights on an object.

The access rights for which the file operation is allowed or denied are as follows:

  • Append.

  • Delete.

  • Delete Child.

  • Execute.

  • Generic All.

  • Generic Execute.

  • Generic Read.

  • Generic Write.

  • Maximum Allowed.

  • Read.

  • Read Attributes.

  • Read Control.

  • Read EA.

  • System Security.

  • Synchronize.

  • Write.

  • Write Attributes.

  • Write DAC.

  • Write EA.

  • Write Owner.

  • None.

[-unix-user <TextNoCase>] - UNIX User Name

If you specify this parameter, the command displays information only about the security trace events that occurred as a result of file access by the specified UNIX user.

[-session-id <integer>] - CIFS Session ID

If you specify this parameter, the command displays information only about the security trace events that occurred as a result of file access by the specified CIFS session ID.

[-share-name <TextNoCase>] - Accessed CIFS Share Name

If you specify this parameter, the command displays information only about the security trace events that occurred as a result of file access by the specified CIFS share name.

[-protocol {cifs|nfs}] - Protocol

If you specify this parameter, the command displays information only about the security trace events that occurred for the specified protocol.

[-volume-name <TextNoCase>] - Accessed Volume Name

If you specify this parameter, the command displays information only about the security trace events that occurred as a result of file access by the specified volume name.

Examples

The following example displays information about security trace records:

cluster1::> vserver security trace trace-result show
Vserver: vserver_1

Node                     Index     Filter Details      Reason
----------------------- -------- --------------------- -------------------------
cluster1-01             1        Security Style: MIXED Access is allowed because
                                 and NTFS ACL          CIFS implicit permission
                                                       grants requested access
                                                       while opening existing
                                                       file or directory.
                                                       Access is granted for:
                                                       "Read Attributes"
                                 Protocol: cifs
                                 Share: sh1
                                 Path: /stk/bit
                                 Win-User: cifs1\
                                 administrator
                                 Unix-User: root
                                 Session-ID: 58455810

1 entries were displayed.

The following example displays information about security trace records for path /stk/bit/set:

cluster1::> vserver security trace trace-result show -path /stk/bit/set

Vserver: vserver_1

Node                     Index     Filter Details      Reason
----------------------- -------- --------------------- -------------------------
cluster1-01             1        Security Style: MIXED Access is allowed because
                                 and UNIX permissions  the user has UNIX root
                                                       privileges while opening
                                                       existing file or
                                                       directory.
                                                       Access is granted for: "Read"
                                 Protocol: cifs
                                 Share: sh1
                                 Path: /stk/bit/set
                                 Win-User: cifs1\
                                 administrator
                                 UNIX-User: root
                                 Session-ID: 75435293758455810
cluster1-01             1        Security Style: MIXED Access is denied. The
                                 and NTFS ACL          requested permissions
                                                       are not granted by the
                                                       ACE while checking for
                                                       child-delete access on
                                                       the parent. Access is not
                                                       granted for: "Delete Child"
                                 Protocol: cifs
                                 Share: sh1
                                 Path: /stk/bit/set
                                 Win-User: cifs1\
                                 administrator
                                 UNIX-User: root
                                 Session-ID: 75435293758455324
cluster1-01             1        Security Style: MIXED Access is allowed because
                                 and NTFS ACL          the CIFS user is owner.
                                                       Access is denied by an
                                                       explicit ACE while
                                                       setting the attributes.
                                                       Access is not granted for:
                                                       "Read Attributes"
                                 Protocol: cifs
                                 Share: sh1
                                 Path: /stk/bit/set
                                 Win-User: cifs1\
                                 administrator
                                 UNIX-User: root
                                 Session-ID: 75435293758455324
3 entries were displayed.

The following example displays information about security trace records for the protocol nfs:

cluster1::> vserver security trace trace-result show -protocol nfs
Vserver: vserver_1

Node            Index Filter Details             Reason
--------------- ----- -------------------------- ------------------------------
cluster1-01     2     Security Style: UNIX       Access is allowed because the
                      permissions                user has UNIX root privileges
                                                 while setting attributes.
                      Protocol: nfs
                      Volume: testvol_flex
                      Share: -
                      Path: /f1
                      Win-User: -
                      UNIX-User: root
                      Session-ID: -
cluster1-01     2     Security Style: UNIX       Access is allowed because the
                      permissions                user has UNIX root privileges
                                                 while writing to the file.
                                                 Access is granted for: "Write"
                      Protocol: nfs
                      Volume: testvol_flex
                      Share: -
                      Path: /f1
                      Win-User: -
                      UNIX-User: root
                      Session-ID: -
cluster1-01     3     Security Style: UNIX       Access is denied by UNIX
                      permissions                permissions while creating
                                                 the file. Access is not
                                                 granted for: "Synchronize",
                                                 "Read Control", "Read
                                                 Attributes", "Execute",
                                                 "Write"
                      Protocol: nfs
                      Volume: testvol_flex
                      Share: -
                      Path: /d1/file
                      Win-User: -
                      UNIX-User: 1029
                      Session-ID: -
3 entries were displayed.