Unable to setup WORM

[Birthdaycakemuffin]

Hello All,
I was able to download, install and setup TrueNAS-12.0-U8.1 on my NAS unit. I have the share accessible and everything looks good. However, I am trying to set this device as a WORM (Write once read many) and even though I set the permissions in the share to be worm I can still edit the files after +5 minutes.

Do I need to set the device to worm in a second location than just the share?

 

[ChrisRJ]

Are some legal requirements behind this scenario? Can you elaborate a bit more on the use-case?

What protocol do you use for sharing?

 

[Birthdaycakemuffin]

Are some legal requirements behind this scenario? Can you elaborate a bit more on the use-case?

What protocol do you use for sharing?

Yes, these will be contracts we need to store to prove to the courts we didn't alter any of the data.
As for the protocol I was thinking about a simple SMB.

 

[HoneyBadger]

Yes, these will be contracts we need to store to prove to the courts we didn't alter any of the data.

Unfortunately the vfs_worm module is likely not sufficient for legal purposes such as SEC 17a-4 compliance:

Using the worm VFS Module - SambaWiki

wiki.samba.org

The module does not provide complete WORM functions, like some archiving products do! It is not audit-proof, because the WORM function is only available on the client side, when accessing a share through SMB! If the same folder is shared by other services like NFS, the access only depents on the underlaying filesystem ACLs. Equally if you access the content directly on the server.

Emphasis added by myself.

I would look at producing hashes of the files, communicating these hashes back to customer/client, and then sending the files and hashes to something like an S3 bucket marked as immutable storage.

 

[Birthdaycakemuffin]

Unfortunately the vfs_worm module is likely not sufficient for legal purposes such as SEC 17a-4 compliance:

Using the worm VFS Module - SambaWiki

wiki.samba.org

I would look at producing hashes of the files, communicating these hashes back to customer/client, and then sending the files and hashes to something like an S3 bucket marked as immutable storage.

Ugh, are you 100% sure about it not being compliant? I ask because I'm worried your right. Setting up WORM on the SMB was already a major red flag for me.

This is really upsetting because I literally asked the vendor if it was compliant and they said yes.

 

[ChrisRJ]

There are basically two approaches to the requirement of document integrity/auditing. You can either go for a lower level solution like WORM, or you look into the direction of a DMS (Document Management System). I spent some time in this area in a former life and without additional information I daresay the DMS path is much easier.

Also, depending on your legal system, it might not be sufficient to have a system that is in principle able on a technical level to audit changes. There are also quite a few cases when in addition your specific implementation and also all the surrounding technical and organizational processes need to be formally certified.

Overall this is at least as much an organizational and legal issue as it is a technical one.

 

[Birthdaycakemuffin]

There are basically two approaches to the requirement of document integrity/auditing. You can either go for a lower level solution like WORM, or you look into the direction of a DMS (Document Management System). I spent some time in this area in a former life and without additional information I daresay the DMS path is much easier.

Also, depending on your legal system, it might not be sufficient to have a system that is in principle able on a technical level to audit changes. There are also quite a few cases when in addition your specific implementation and also all the surrounding technical and organizational processes need to be formally certified.

Overall this is at least as much an organizational and legal issue as it is a technical one.

Ya, I was hoping the TrueNas Mini would be my worm system! I even reached out to the vendor and they said it would work!

What DMS or physical worm systems do you recommend? I was looking at Stonefly or possibly laserfiche.

 

[ChrisRJ]

Nobody can answer your questions with a sufficient level of confidence at this time. We don't even know in what country you live. You need to get the legal requirements down as a first step. Those define what technical solutions would be a fit. The requirement "WORM" is by no means sufficient.

Just as a tiny example: Assuming you still find a vendor for physical WORMs (those were already exotic back in 2003), what if you had the legal requirement to delete documents after e.g. 10 years. You cannot do that selectively on a physical WORM disc. Instead you would need to define an organizational process that copies the to-be-kept documents to a new WORM disk and safely destroy the old one.

That is one small case, but I hope it illustrates the argument I am trying to make.

 

[HoneyBadger]

Ugh, are you 100% sure about it not being compliant? I ask because I'm worried your right. Setting up WORM on the SMB was already a major red flag for me.

Well, that is the samba.org (developer) site saying it, so they're probably more sure than me. @anodos do you have any additional input on this from either a business or technical perspective?

This is really upsetting because I literally asked the vendor if it was compliant and they said yes.

As @ChrisRJ mentions there are different levels of "compliance" that may be more or less stringent depending on your country, industry, and regulatory body. For an internal company audit the built-in SMB module could potentially be sufficient - for things like HIPAA or FINRA/SEC, probably less so as the module is relying on an "honest" SMB client to respect the immutability.

When you say "vendor" do you mean the hardware vendor that sold you the TrueNAS Mini, or the vendor of the software that you plan to use to write to this storage?

 

[anodos]

Ya, I was hoping the TrueNas Mini would be my worm system! I even reached out to the vendor and they said it would work!

Which vendor was this? If it was not directly from iX, you can send me via PM.

Well, that is the samba.org (developer) site saying it, so they're probably more sure than me. @anodos do you have any additional input on this from either a business or technical perspective?

I am not a lawyer and am not familiar with worm-related requirements for specific regulations. The help-text in the webui should explicitly state that this is for access over the SMB protocol only. Since it is implemented in smbd itself (not relying on filesystem flags / attributes), it is always possible that a bug in smbd can allow altering of files that should be readonly. I believe our docs should also link the Samba manpage (but these things sometimes change).

The feature was exposed due to end-user request, and it can be useful in some situations (where you want a drop-box over SMB where files become readonly - to prevent for instance an inattentive executive-assistant from deleting older files).

At various points in the past, I've considered altering the VFS module so we're setting SF_IMMUTABLE bit on files on close, but this would obviously probably present some interesting edge-cases, and would still probably not buy people much in terms of regulatory compliance.

I think most people's regular (non-compliance-related) needs are best met by keeping a reasonable snapshot schedule and setting permissions based on principle of least privilege. Filesystem ACLs (POSIX1E or NFSv4) are enforced by the Kernel regardless of access method, and ZFS snapshot contents are immutable (do note that the snapshot itself may be destroyed by administrative action).