
Configure CIFS Auditing

This article applies to: Shared File Services


CIFS auditing is only required for shares which store Confidential data. Only properly configured shares on SFS are allowed to store Confidential data. These shares include a separate volume for the CIFS audit log.

  • You configure CIFS auditing for the share you requested, \\files.cornell.edu\CIT\Employee-Data.
  • The resulting CIFS audit log files are automatically stored on the Audit Log Share, \\files.cornell.edu\CIT\Employee-Data-auditlog.

Do not configure CIFS auditing for the Audit Log Share itself, \\files.cornell.edu\CIT\Employee-Data-auditlog.

  • If not already done, Map a Network Drive using your "doc" account.
  • Right-click on the top-level folder of your share, select Properties, Security, Advanced, Auditing.
    At this point existing Auditing configurations are displayed; you can edit, or add new configurations, as required.
  1. For each CornellAD group allowed access to your confidential data, create Auditing ACLs as shown, for both the Folder Structure and Files.
    The ITSO required minimum configuration is as follows:

    [Figure: ITSO Required Minimum]
  2. For each CornellAD group which needs access to your confidential data, select “Add” to create 2 entries as shown above, 2 entries per CornellAD group.
  3. Configure the entry for “This folder and subfolders” as shown.
    • Enable Auditing for Successful and Failed:
      1. Create files / write data
      2. Create folders / append data
      3. Write attributes
      4. Write extended attributes
      5. Delete subfolders and files
      6. Delete
      7. Change permissions
      8. Take ownership

    [Figure: Folder and subfolder. Only audited items are shown.]

  4. Configure the entry for “Files Only” as shown.
    • Enable Auditing for Successful and Failed:
      1. List folder / read data
      2. Create files / write data
      3. Create folders / append data
      4. Write attributes
      5. Write extended attributes
      6. Delete subfolders and files
      7. Delete
      8. Change permissions
      9. Take ownership

    [Figure: Files only. Only audited items are shown.]

Do not select “Full control” for either configuration.

The configuration as shown meets ITSO/Policy requirements. Additional configuration may impact the performance of your share and will add entries to your audit log, which may increase the complexity of auditing as well as disk-space consumption.
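
The same two auditing entries per group can also be created from PowerShell instead of the Security dialog. This is an added example, not part of the original article and not an ITSO-provided script; it assumes the account running it is allowed to read and change auditing entries on the share, and `DOMAIN\example-group` is a placeholder for your CornellAD group names.

```powershell
# Added example: apply the ITSO minimum auditing entries described above.
$SharePath = '\\files.cornell.edu\CIT\Employee-Data'   # share named on this page
$Groups    = @('DOMAIN\example-group')                 # placeholder: your CornellAD groups

# The Audit Log Share itself must not be audited.
if ($SharePath -like '*-auditlog*') { throw 'Do not configure auditing on the Audit Log Share.' }

# Rights for "This folder and subfolders" (the eight items in step 3).
[System.Security.AccessControl.FileSystemRights]$FolderRights =
    'CreateFiles, CreateDirectories, WriteAttributes, WriteExtendedAttributes, ' +
    'DeleteSubdirectoriesAndFiles, Delete, ChangePermissions, TakeOwnership'

# "Files only" (step 4) audits the same rights plus "List folder / read data".
[System.Security.AccessControl.FileSystemRights]$FileRights =
    $FolderRights -bor [System.Security.AccessControl.FileSystemRights]::ReadData

# Audit both successful and failed attempts.
[System.Security.AccessControl.AuditFlags]$AuditOn = 'Success, Failure'

# -Audit is required so the existing auditing entries are loaded and preserved.
$acl = Get-Acl -Path $SharePath -Audit

foreach ($group in $Groups) {
    # Entry 1: "This folder and subfolders" = inherit to containers only.
    $folderRule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        $group, $FolderRights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        $AuditOn)

    # Entry 2: "Files only" = inherit to files, not applied to the folder itself.
    $fileRule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        $group, $FileRights,
        [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
        [System.Security.AccessControl.PropagationFlags]::InheritOnly,
        $AuditOn)

    $acl.AddAuditRule($folderRule)
    $acl.AddAuditRule($fileRule)
}

Set-Acl -Path $SharePath -AclObject $acl

# Review the result: two explicit entries per group, none with FullControl.
(Get-Acl -Path $SharePath -Audit).Audit |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, AuditFlags -AutoSize
```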

About this Article

Last updated: Thursday, December 19, 2019 - 9:10am
