Displaying information about NFSv4 audit policies on FlexVol volumes

You can display information about NFSv4 audit policies on FlexVol volumes, including what the security styles and effective security styles are, what permissions are applied, and information about system access control lists. You can use the results to validate your security configuration or to troubleshoot auditing issues.

About this task

You must supply the name of the Vserver that contains the path to the files or directories whose audit information you want to display. If you want to customize the output, you can use the following optional parameters to display information only about the audit policies that match the specified parameters:

Optional parameter Description
-fields fieldsname, ... You can use this parameter to display information on the fields you specify. You can use this parameter either alone or in combination with other optional parameters.
-instance Displays detailed information about all entries.
-volume-name volume_name Displays information where the specified path is relative to the specified volume. If this parameter is not specified, the Vserver root volume is taken as default.
-share-name share_name Displays information where the specified path is relative to the root of the specified share. If this parameter is not specified, the Vserver root volume is taken as default.
-lookup-names {true|false} Displays information where the information about owner and group is set to one of the following:
  • true displays information where the lookup name is stored as a name.
  • false displays information where the lookup name is stored as a SID.
-expand-mask {true|false} Displays information where the hexadecimal bit mask entry is set to one of the following:
  • true displays information where the bit mask entries are stored in expanded form.
  • false displays information where the bit mask entries are stored in collapsed form.
-security-style {unix|ntfs|mixed|unified} Displays information for files and directories with paths in volumes of the specified security style. This command is not supported for Vservers with Infinite Volumes; therefore, the unified value is not valid for this release.

This is the associated security type of the volume or qtree.

-effective-style {unix|ntfs|mixed|unified} Displays information for files and directories with the specified effective security style on the path. This command is not supported for Vservers with Infinite Volumes; therefore, the unified value is not valid for this release.

This is the security scheme in effect for a given file or directory. A file or directory can have one of two security styles, either NTFS or UNIX. The effective security style is important with mixed security-style volumes and qtrees since a file or directory can have either NTFS or UNIX effective security (but not both). You can apply NFSv4 system access control lists to files and directories with UNIX-effective security style.

-dos-attributes hex_integer Displays information only for files and directories with the specified DOS attributes.
-text-dos-attr text Displays information only for files and directories with the specified text DOS attributes.
-expanded-dos-attr text Displays information only for files and directories with the specified extended DOS attributes.
-user-id unix_user_ID Displays information only for files and directories with the specified UNIX user ID.
-group-id unix_group_ID Displays information only for files and directories with the specified UNIX group ID.
-mode-bits octal_permissions Displays information only for files and directories with the specified UNIX mode bits in octal form.
-text-mode-bits text Displays information only for files and directories with the specified UNIX mode bits in text form.
-acls system_acls Displays information only for files and directories with the specified ACLs. You can enter the following information:
  • Type of ACL, which can be NTFS or NFSv4

    For UNIX security-style volumes and qtrees, the ACL type must be NFSv4.

  • Control bits in the security descriptors
  • Owner, which applies only in the case of NTFS security descriptors

    This does not apply for UNIX security-style volumes and qtrees.

  • Group, which applies only in the case of NTFS security descriptors

    This does not apply for UNIX security-style volumes and qtrees.

  • Access Control Entries (ACEs), which includes both discretionary access control list (DACL) and system access control list (SACL) access control entries (ACEs) in the ACL
Note: This field is empty for files and directories that are using UNIX security with only mode bit permissions applied (no NFSv4 ACLs).
Note: Mixed security-style volumes and qtrees can contain some files and directories that use UNIX file permissions, either mode bits or NFSv4 ACLs, as well as some files and directories that use NTFS file permissions. Each file or directory can be one of the two security styles, but not both. You can apply NFSv4 audit policies to files and directories with UNIX security style.

Step

  1. Display file and directory security settings:
    vserver security file-directory show -vserver vserver_name -path path optional_parameters

Examples

The following example displays the security information about the path /lab in Vserver vs1. This UNIX security-style path has an NFSv4 ACL with a system access control list:

cluster::> vserver security file-directory show -vserver vs1 -path /lab

                Vserver: vs1
              File Path: /lab
         Security Style: unix
        Effective Style: unix
         DOS Attributes: 11
 DOS Attributes in Text: ----D--R
Expanded Dos Attributes: -
           Unix User Id: 0
          Unix Group Id: 0
         Unix Mode Bits: 0
 Unix Mode Bits in Text: ---------
                   ACLs: NFSV4 Security Descriptor
                         Control:0x8014
                         SACL - ACEs
                           SUCCESSFUL-S-1-520-0-0xf01ff-SA
                           FAILED-S-1-520-0-0xf01ff-FA
                         DACL - ACEs
                           ALLOW-S-1-520-1-0xf01ff
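
The following added example is not part of the original documentation. It parses the command output shown above and reports gaps in the NFSv4 audit policy on a path. The ACE layout TYPE-SID-MASK[-FLAGS] is inferred from the sample output, requiring both SUCCESSFUL and FAILED entries in the SACL is an assumed policy, and the function names are hypothetical.

```python
import re

# Abridged from the /lab example output on this page.
SAMPLE = """\
              File Path: /lab
         Security Style: unix
        Effective Style: unix
                   ACLs: NFSV4 Security Descriptor
                         Control:0x8014
                         SACL - ACEs
                           SUCCESSFUL-S-1-520-0-0xf01ff-SA
                           FAILED-S-1-520-0-0xf01ff-FA
                         DACL - ACEs
                           ALLOW-S-1-520-1-0xf01ff
"""

# ACE layout inferred from the sample output: TYPE-SID-MASK[-FLAGS]
ACE_RE = re.compile(r"^([A-Z]+)-(S-\d+(?:-\d+)+)-(0x[0-9a-fA-F]+)(?:-(\S+))?$")

def parse_show_output(text):
    """Return (fields, acls): 'Key: value' fields and ACEs grouped by SACL/DACL."""
    fields, acls, section = {}, {"SACL": [], "DACL": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("SACL - ACEs", "DACL - ACEs"):
            section = line.split()[0]          # "SACL" or "DACL"
        elif (m := ACE_RE.match(line)) and section:
            acls[section].append({"type": m[1], "sid": m[2],
                                  "mask": int(m[3], 16), "flags": m[4] or ""})
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields, acls

def audit_findings(text):
    """List the reasons a path lacks a complete NFSv4 audit policy (assumed policy)."""
    fields, acls = parse_show_output(text)
    findings = []
    # NFSv4 SACLs apply only to files and directories with UNIX effective style.
    if fields.get("Effective Style") != "unix":
        findings.append("effective style is not unix")
    # The ACLs field is empty when only mode bits are applied.
    if not fields.get("ACLs", "").upper().startswith("NFSV4"):
        findings.append("no NFSv4 security descriptor on path")
    present = {ace["type"] for ace in acls["SACL"]}
    for wanted in ("SUCCESSFUL", "FAILED"):
        if wanted not in present:
            findings.append(f"SACL has no {wanted} audit ACE")
    return findings
```

An empty list from audit_findings means the path passed every check; the DACL entries are parsed but not evaluated here.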