During the configuration of the managed host:
- Select the required shares (managed paths) to scan.
- (Optional) Select to Collect activity for real-time security updates.
- (Optional) Select to Collect and aggregate resource activity.
When you add an agent, the managed host properties impact whether FPolicy is deployed, and what properties are set within the FPolicy itself:
- If both Collect activity for real-time security updates and Collect and aggregate activity are disabled on the managed host, FPolicy will not be created when the agent is deployed.
- If Collect activity for real-time security updates or Collect and aggregate activity is enabled, FPolicy will be created; however, there will be no registered settings until the agent starts up and receives the updated settings from the Data Governance servers.
- The agent must start its security scan before it registers with FPolicy. This means that managed paths must be set and the agent must hit its configured scanning schedule. (To force this scan, select the Immediately scan on agent restart or when managed paths change option and restart the agent.)
Monitored events
The following events are tracked on files and folders, as well as the identities associated with those events, when real-time security updates and/or resource activity collection is enabled:
- File create
- File rename
- File delete
- File write
- File open
- Setattr (Security changes including DACL, and Owner changes)
- Directory rename
- Directory delete
- Directory create
Enabling FPolicy on NetApp filers may impact system performance. Data Governance Edition uses 'async' mode and does not inspect any file data to try and minimize the performance impact. However, every event does require a round trip network request between the NetApp filer and the Data Governance agent.
Are rescans of all directory structures required to detect change?
To have Data Governance Edition watch for security changes, real-time security updates must be enabled. That is, select the Collect activity for real-time security updates option at the bottom of the Security Scanning page on the Managed Hosts Settings dialog for the target managed host. This will cause the FPolicy to be deployed and the security index to be updated when changes to the structure and security of the file system on the target managed host occur.
If you are using Quest Change Auditor for NetApp to monitor a filer that is also being scanned by Data Governance Edition, you have two options available.
Option 1: Collect activity directly from the Change Auditor database
When Change Auditor is installed, you can configure Data Governance Edition to collect resource activity directly from Change Auditor. When enabled, Change Auditor collects the selected activity events every 15 minutes on all managed hosts. The events received from Change Auditor are harvested by the Data Governance server, aggregated and placed directly into the Data Governance Resource Activity database.
When using Change Auditor to collect resource activity, NetApp managed hosts will not place an FPolicy for Data Governance Edition on the NetApp filer.
In addition, when using Change Auditor to collect resource activity, it is recommended to clear the Collect activity for real-time security updates option for NetApp managed hosts. The agents managing these host types should be configured to scan on a schedule and not run once. The performance gain in using Change Auditor's event collection will be lost if the Data Governance agent is also collecting activity from these storage devices for security updates.
For more information on configuring Data Governance Edition to collect resource activity directly from Change Auditor, see Configuring Change Auditor to collect resource activity
Option 2: Collect activity using Data Governance Edition
You can use Data Governance Edition to collect resource activity; however, for NetApp 7-Mode managed hosts, you must disable real-time security monitoring. You can disable security monitoring from the Resource Activity tab of the Managed Host Settings dialog.
To disable security monitoring
Note: This approach has the effect of setting the NetApp FPolicy option cifs_setattr to off.
You can verify this by running the following command on the NetApp filer: >fpolicy options <Agent instance>
Where <Agent instance> is in the following format: DGE_<DeploymentName>_<FQDN of managed host>
You will still see setattr as a monitored operation in FPolicy.
- In the Navigation view, select Data Governance | Managed hosts.
- In the Managed hosts view, select the required managed host.
- Select Edit host settings in the Tasks view or right-click menu.
- Open the Resource Activity page of the Managed Hosts Setting dialog and click the check box to clear the Security change event.
- After making the required change, click OK to save your selections and close the dialog.
Note: This will need to be completed for every NetApp agent. If it is necessary to disable “Security change” due to compatibility settings with Change Auditor for NetApp, ensure the Resource Activity setting is modified prior to the start of the agent scan.
EMC storage devices are added to the Data Governance Edition deployment as managed hosts with remote agents. Due to the EMC architecture, you must complete the following procedures when you add an EMC storage device as a managed host.
