Skip to main content
Start a Conversation

Unsolved

alx123

2 Intern

 • 

64 Posts

97

February 5th, 2025 18:00

Change permissiones audit event

I am auditing isilon events using isi_audit command  and i can see audit events on files read,create, etc like this but i cant see an event when permissions or owner is changed. Anyone can tell me how to log these events and why are not being audited?

[50: Wed Feb  5 18:13:37 2025] {"id":"89ff1f43-e3e4-11ef-8ec9-00505698cfdb","timestamp":1738775617902169,"payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"protocol":"SMB2","zoneID":5,"zoneName":"qa","eventType":"close","detailType":"close-file-unmodified","isDirectory":false,"clientIPAddr":"10.0.0.20","fileName":"\\ifs\\qa\\xxx\\xxxx.txt","userSID":"S-1-5-21-1426247521-2838669014-2602748498-1110","userID":1000010,"bytesRead":0,"bytesWritten":0,"numberOfReads":0,"numberOfWrites":0,"ntStatus":0,"fsId":1,"partialPath":"frandoc.txt","rootInode":4294968371,"inode":4296664588}}

DELL-Sam L

Moderator

 • 

7.9K Posts

February 6th, 2025 10:52

Hello alx123,

Which Isilon system do you have and what is your current onefs version? Isilon Change Permissions Audit Event

To track changes in permissions on an Isilon system, you can utilize the audit events generated by the Isilon protocol auditing system. When a user modifies permissions on a file or directory, an audit event is triggered to capture this action. The relevant audit event type for changing permissions is set-security. This event signifies that security information or permissions on a file or directory have been modified.

In addition to the event type, the audit payload will contain essential details such as:

·         eventType: Indicates the type of action performed, in this case, changing permissions.

·         createDispo: Represents the disposition of the create/open operation, providing insight into how the file or directory should be handled.

·         createResult: Specifies the result of the create/open operation, indicating whether the file was replaced, opened, or created.

·         desiredAccess: Reflects the desired access rights set during the operation, detailing the specific permissions requested.

By monitoring these audit events with the appropriate event type and payload values, you can effectively track and audit changes to permissions on your Isilon system.

Here is a link to a kb with some additional information as well. https://dell.to/4hNSP9B

alx123

2 Intern

 • 

64 Posts

February 12th, 2025 19:21

@DELL-Sam L​ we are getting set-security events but it doesnt specify what permissions were changed. We dont get audit event for change owner.

DELL-Josh Cr

Moderator

 • 

9.5K Posts

February 12th, 2025 19:36

https://dell.to/4aW3uN4 I don't see anything that is a way to audit which permissions changed. 

Was this post helpful?

View All

Top