
Native FPolicy file blocking

Category: ontap-9 / Specialty: nas

Applies to

ONTAP 9

Answer

Overview:

Some administrators want a policy that prevents certain kinds of files from being stored on the file server, which is essentially a file-filtering requirement. The files in question are typically music, video, or similar types. Screening for such files can be done in one of two ways:

By file extension (natively supported by Data ONTAP), for example blocking every file that matches *.mp3. This method is less reliable, since a file only has to be renamed to escape it, but it needs no data access to the file. Extension-based blocking is supported natively and does not require a connection to any external FPolicy server.

By magic signature (requires an external FPolicy server), for example blocking every file whose magic bytes match the mp3 format. Signature matching is more accurate, and works much the way an antivirus scanner detects viruses.

For details, see the following link:

FPolicy file blocking for ONTAP 9

The administrator enables the event for CREATE, OPEN, CLOSE and RENAME requests. When the FPolicy server is notified of one of these triggers, it runs its check using either mechanism (file extension or file signature) and denies the request when it finds a match. With the native engine there is no server involved: ONTAP applies the extension check itself, inline, before the operation is allowed to complete.
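The two screening approaches from the overview, written out as an added illustration (this is not NetApp code and not ONTAP's implementation): `screen()` judges one CREATE/OPEN/CLOSE/RENAME request either by the name alone, as the native engine does, or by the file's leading bytes, as an external FPolicy server could. The function name, the `mode` parameter and the sample headers are assumptions made for this example.

```python
"""Extension-based vs. signature-based screening of a file request.
Added illustration, not NetApp code; screen() and its inputs are assumptions."""
import os

# Extensions blocked by the example policy configured later on this page.
BLOCKED_EXTENSIONS = {"mp3", "mp4", "flv", "wmv"}

# Header probes for the same four formats, taken from their public container specs.
# Only the leading bytes of a file are needed.
ASF_HEADER_GUID = bytes.fromhex("3026B2758E66CF11A6D900AA0062CE6C")


def _is_mp3(head: bytes) -> bool:
    # An ID3v2 tag, or an MPEG audio frame sync (11 set bits, 0xFFE) at offset 0.
    return head.startswith(b"ID3") or (
        len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0
    )


def _is_mp4(head: bytes) -> bool:
    # ISO base media file: 4-byte box size followed by the 'ftyp' box type.
    return len(head) >= 8 and head[4:8] == b"ftyp"


def _is_flv(head: bytes) -> bool:
    return head.startswith(b"FLV\x01")


def _is_wmv(head: bytes) -> bool:
    # WMV (and WMA) files are ASF containers and start with the ASF header-object GUID.
    return head.startswith(ASF_HEADER_GUID)


SIGNATURES = {"mp3": _is_mp3, "mp4": _is_mp4, "flv": _is_flv, "wmv": _is_wmv}
MONITORED_OPS = {"create", "open", "close", "rename"}


def extension_match(filename: str):
    """Blocked extension of filename, or None. Case-insensitive; only the last
    extension counts, which is why 'movie.mp4.bak' slips past this check."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return ext if ext in BLOCKED_EXTENSIONS else None


def signature_match(head: bytes):
    """Format whose magic signature matches the file header, or None."""
    for fmt, probe in SIGNATURES.items():
        if probe(head):
            return fmt
    return None


def screen(operation: str, filename: str, head: bytes = b"", mode: str = "extension"):
    """Decide one request. Returns ('deny', reason) or ('allow', reason).
    mode='extension' looks only at the (new) name, as the native engine does;
    mode='signature' looks only at the content, so a just-created, still-empty
    file cannot be judged until CLOSE, which is why CLOSE is monitored too."""
    if operation not in MONITORED_OPS:
        return ("allow", "operation not monitored")
    if mode == "extension":
        ext = extension_match(filename)
        return ("deny", f"extension {ext}") if ext else ("allow", "no extension match")
    if mode == "signature":
        if not head:
            return ("allow", "no data to inspect yet")
        fmt = signature_match(head)
        return ("deny", f"signature {fmt}") if fmt else ("allow", "no signature match")
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample headers (first bytes only), not taken from real files.
SAMPLE_MP3 = b"ID3\x04\x00\x00\x00\x00\x00\x00"
SAMPLE_MP4 = b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00"
SAMPLE_WMV = ASF_HEADER_GUID + b"\x00" * 8
SAMPLE_TEXT = b"just some notes\n"

if __name__ == "__main__":
    cases = [
        ("create", "song.mp3", SAMPLE_MP3),       # both checks deny
        ("rename", "song.txt", SAMPLE_MP3),       # renamed mp3: the name check misses it
        ("create", "notes.mp3", SAMPLE_TEXT),     # text named .mp3: name check blocks a harmless file
        ("open", "clip.WMV", SAMPLE_WMV),         # upper-case extension still matches
        ("create", "movie.mp4.bak", SAMPLE_MP4),  # double extension evades the name check
    ]
    for op, name, head in cases:
        print(f"{op:6} {name:14} extension={screen(op, name, head, 'extension')[0]:5} "
              f"signature={screen(op, name, head, 'signature')[0]}")
```

Running it shows the trade-off the text describes: `song.mp3` renamed to `song.txt` passes the extension check but not the signature check, while a plain text file named `notes.mp3` is blocked by the extension check only. The MPEG frame-sync probe is a heuristic that can match non-audio data; a real scanner validates the full frame header or relies on the ID3 tag.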

Example configuration:

Perform the following steps to configure native FPolicy.

  1. Configure the policy event. The event is created with -protocol cifs, so only SMB access is screened; NFS clients writing to the same volumes are not affected unless a separate NFS event and an export-policy scope are configured as well:

Cluster::> vserver fpolicy policy event create -vserver SvmName -event-name Event -protocol cifs -file-operations create,open,rename

Cluster::> vserver fpolicy policy event show -vserver SvmName -event-name Event -instance
                      Vserver: SvmName
                        Event: Event
                     Protocol: cifs
              File Operations: create, open, rename
                      Filters: -
 Is Volume Operation Required: false

  2. Configure the policy:

Cluster::> vserver fpolicy policy create -vserver SvmName -policy-name blockext -events Event -engine native -is-mandatory true -allow-privileged-access no -is-passthrough-read-enabled false

Cluster::> vserver fpolicy policy show -vserver SvmName -instance
                          Vserver: SvmName
                           Policy: blockext
                Events to Monitor: Event
                   FPolicy Engine: native
  Is Mandatory Screening Required: true
           Allow Privileged Access: no
   User Name for Privileged Access: -
       Is Passthrough Read Enabled: false

  3. Configure the policy scope:

Cluster::> vserver fpolicy policy scope create -vserver SvmName -policy-name blockext -file-extensions-to-include mp3,mp4,flv,wmv -shares-to-include "*" -is-file-extension-check-on-directories-enabled true

Cluster::> vserver fpolicy policy scope show -vserver SvmName -instance
                                         Vserver: SvmName
                                          Policy: blockext
                               Shares to Include: *
                               Shares to Exclude: -
                              Volumes to Include: -
                              Volumes to Exclude: -
                      Export Policies to Include: -
                      Export Policies to Exclude: -
                      File Extensions to Include: mp3, mp4, flv, wmv
                      File Extensions to Exclude: -
  Is File Extension Check on Directories Enabled: true

  4. Enable the policy. Two policies in the same SVM cannot share a sequence number, but a sequence number already used in one SVM can be reused by a policy in a different SVM:

Cluster::> vserver fpolicy enable -vserver SvmName -policy-name blockext -sequence-number 1

Cluster::> vserver fpolicy show -vserver SvmName
                      Sequence
Vserver  Policy Name  Number    Status  Engine
-------  -----------  --------  ------  ------
SvmName  blockext     1         on      native

Cluster::> event log show -time > 2m
Time                Node         Severity      Event
------------------- ------------ ------------- --------------------------
3/27/2017 10:35:34  cm2520n2-ams INFORMATIONAL mgmt.fpolicy.policy.enabled: FPolicy policy blockext is enabled on Vserver SvmName.

  5. Test the result from a Windows client with the policy above in place:

Attempt to rename a file to an mp3, mp4, flv, or wmv extension is Denied
Attempt to open a file with an mp3, mp4, flv, or wmv extension is Denied
Attempt to delete a file with an mp3, mp4, flv, or wmv extension is Denied (SMB clients delete by opening the file with DELETE access and then setting the delete disposition, so the OPEN trigger screens it even though delete is not in the event's operation list)
Attempt to copy a file with an mp3, mp4, flv, or wmv extension to the share is Denied
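To verify step 5 without exercising each case by hand in Explorer, the following script (an added example, not NetApp's tooling) runs the same create/open/rename/copy/delete attempts against a share path given on the command line and classifies each outcome as allowed or denied. It assumes the share path is reachable from the client (for example `\\svm\share\test` on Windows), that the account used is not a privileged-access user of the policy, and that `.tmp` is not in the policy scope; run with no argument it dry-runs against a local temporary directory, where everything is expected to be allowed.

```python
"""Client-side verification of the blockext policy: try each operation from the
test results against a share and report allowed vs. denied per extension.
Added example, not NetApp tooling. Assumptions: the share path is reachable from
the client, the test account is not a privileged-access user, and '.tmp' is not
in the policy scope."""
import os
import shutil
import sys
import tempfile

BLOCKED = ("mp3", "mp4", "flv", "wmv")  # extensions in the scope configured above
CONTROL = "txt"                          # not in the scope; must remain allowed


def _attempt(action):
    """Run one filesystem operation and classify the outcome.
    An FPolicy denial reaches the client as STATUS_ACCESS_DENIED, which Python
    raises as PermissionError on Windows and on Linux CIFS mounts alike."""
    try:
        action()
        return "allowed"
    except PermissionError:
        return "denied"
    except FileNotFoundError:
        return "skipped"  # nothing to act on because an earlier step was denied
    except OSError as exc:
        return f"error:{type(exc).__name__}"


def _try_remove(path):
    try:
        os.remove(path)
    except OSError:
        pass


def check_extension(root, ext):
    """Try create, open, rename-to, copy-in and delete for one extension under root.
    Returns {operation: outcome}."""
    target = os.path.join(root, f"fpolicy_test.{ext}")
    neutral = os.path.join(root, "fpolicy_test.tmp")
    results = {}

    # CREATE: a new file with the extension.
    results["create"] = _attempt(lambda: open(target, "wb").close())
    # OPEN: read the file back (skipped if CREATE was denied and it never existed).
    results["open"] = _attempt(lambda: open(target, "rb").close())
    # RENAME: a neutral file renamed to the extension.
    open(neutral, "wb").close()
    results["rename"] = _attempt(lambda: os.replace(neutral, target))
    _try_remove(neutral)
    # COPY: copy a local file with the extension onto the share (a CREATE server-side).
    with tempfile.TemporaryDirectory() as local:
        src = os.path.join(local, f"src.{ext}")
        with open(src, "wb") as fh:
            fh.write(b"constructed test payload\n")  # constructed content
        results["copy"] = _attempt(lambda: shutil.copyfile(src, target))
    # DELETE: SMB deletes begin with an open for DELETE access, so the OPEN
    # trigger is what denies this even though 'delete' is not a monitored operation.
    results["delete"] = _attempt(lambda: os.remove(target))
    _try_remove(target)
    return results


def run(root):
    """Exercise every blocked extension plus the control extension."""
    return {ext: check_extension(root, ext) for ext in BLOCKED + (CONTROL,)}


def policy_effective(report):
    """True when every blocked extension was denied on each operation that could be
    attempted and the control extension was allowed on all of them."""
    for ext, ops in report.items():
        want = "denied" if ext in BLOCKED else "allowed"
        for outcome in ops.values():
            if want == "denied" and outcome == "skipped":
                continue
            if outcome != want:
                return False
    return True


def run_in_scratch_dir():
    """Dry run against a local temporary directory with no policy: every operation
    should come back 'allowed', which checks the harness itself."""
    with tempfile.TemporaryDirectory() as scratch:
        return run(scratch)


if __name__ == "__main__":
    share = sys.argv[1] if len(sys.argv) > 1 else None
    report = run(share) if share else run_in_scratch_dir()
    for ext, ops in report.items():
        print(f".{ext:4} " + "  ".join(f"{op}={outcome}" for op, outcome in ops.items()))
    print("policy effective:", policy_effective(report))
```

Against the share, a correctly working policy prints `denied` for every operation on the four blocked extensions (`skipped` for open and delete when the file could never be created) and `allowed` for `.txt`, and `policy effective: True`; any `allowed` on a blocked extension points at a scope or event that does not cover that path, protocol or operation.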

 
For more information, see the CIFS and NFS Auditing Guide for your version of ONTAP.

 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.