Consider the following scenario…
1. EMC audit template is configured to audit security events for a particular share/path located on VNX CIFS
2. Within the monitored path a file or folder has its security descriptor modified
3. The security descriptor change takes 10 seconds to complete
This behavior may also be experienced during Microsoft Office file-save operations within a monitored path as these applications execute SETACL operations during file-save. Therefore, saving a Microsoft Office file may take 10 seconds to complete.
Change Auditor attempts to query the ‘Before’ value of the security descriptor, but it cannot access the object because EMC has it locked. Because Change Auditor cannot query the security descriptor, it cannot respond to EMC CEE so that processing can continue (a deadlock situation). The EMC lock timeout is reached after 10 seconds and processing continues.
New ‘no from-value’ events have been added to Change Auditor for EMC which allow auditing of security events asynchronously from VNX devices. The previous security events that returned a from-value required synchronous event exchange and could therefore have a negative impact on performance. These improvements have been incorporated in Change Auditor 7.0.0.4400 and higher.
To take advantage of these new events…
IMPORTANT: Ensure these ‘no from-value’ security events have been enabled in all EMC Isilon auditing templates immediately before or after upgrading assigned agents to 7.0.0.4400 or higher. Otherwise, file/folder security events will not be audited from those CIFS servers using the previous ‘from-value’ security events. If the events are enabled after the agent is upgraded, manually refresh the agent(s) configuration for the changes to take effect, or wait for the next automatic refresh (occurs automatically every 15 minutes).
NOTE 1: The EMC CEPA API does not provide the event property of security information changes. Due to this limitation, Change Auditor now reports both events (EMC access rights changed (no from-value) + EMC ownership changed (no from-value)) for each SETACL operation.
NOTE 2: The following Change Auditor for EMC event log events have been added:
NOTE 3: Only templates created prior to upgrade will contain the ‘from-value’ security event options. New templates will only offer ‘no from-value’ security events.
NOTE 4: EMC Isilon supports only Post events for auditing. Therefore, Change Auditor has always offered only ‘no from-value’ event equivalents when auditing Isilon CIFS shares. The addition of ‘no from-value’ events helps bring parity between VNX and Isilon security events.