LinuxCommandLibrary

ntfs-3g.secaudit

Audit NTFS filesystem security settings

SYNOPSIS

ntfs-3g.secaudit [options]

PARAMETERS

-v
    Displays verbose output, providing more detailed information about the audit process and any discrepancies found.

-d
    Shows the raw security descriptors found on the NTFS volume in hexadecimal format, useful for low-level analysis.

-a
    Displays the parsed Access Control Lists (ACLs) for each file or directory, presenting the individual Access Control Entries (ACEs).


    The path to the NTFS volume or partition to be audited (e.g., /dev/sda1). This is a mandatory argument.

DESCRIPTION

ntfs-3g.secaudit is a utility from the ntfs-3g suite designed to audit and verify the consistency of security permissions on an NTFS volume. It plays a crucial role in ensuring that the security descriptors (Windows ACLs) stored on the NTFS filesystem are correctly reflected in the Linux permission model and extended attributes after being mounted by ntfs-3g.

The command primarily checks for discrepancies between the actual NTFS Access Control Lists (ACLs) and how they are represented by the Linux file permissions (mode bits) and the security.ntfs_acl extended attribute, if used. This audit is vital for maintaining security integrity, especially in environments where files might be accessed from both Windows and Linux systems, or when specific Windows-compatible security settings are expected to persist. It helps identify situations where the Linux-side representation of permissions might not accurately mirror the underlying NTFS ACLs, potentially leading to unintended access or security vulnerabilities.

It provides verbose output options to detail any findings and can display raw security descriptors or parsed ACLs for deeper investigation, but it does not modify the filesystem; it only reports.

CAVEATS

The ntfs-3g.secaudit command is an auditing tool only; it does not fix or modify any permissions or security descriptors on the NTFS volume. Any discrepancies found must be addressed manually or by remounting with appropriate ntfs-3g options.

While it performs a read-only audit, it's generally recommended to ensure the volume is not actively being written to during the audit to avoid potential inconsistencies if data changes mid-scan. The accuracy of the audit regarding Linux permissions relies on the ntfs-3g mount having stored the Windows ACLs in extended attributes (e.g., using acl or xattr mount options). Without these, the Linux-side representation might not fully reflect the NTFS ACLs, leading to potentially incomplete or misleading audit results.

EXIT STATUS

The command provides a clear exit status to indicate the audit result:

  • 0: No discrepancies were found, indicating that the security permissions are consistent.
  • 1: Discrepancies were detected, meaning there are inconsistencies between the NTFS ACLs and their Linux representation.
  • 2: An error occurred during the audit process, preventing a complete report.

INTEGRATION WITH EXTENDED ATTRIBUTES

ntfs-3g.secaudit heavily relies on and checks the security.ntfs_acl extended attribute. When ntfs-3g is mounted with acl or xattr options, it attempts to store a binary representation of the Windows security descriptor as an extended attribute on files and directories. This utility compares the content of this security.ntfs_acl xattr (if present) with the actual security descriptor parsed directly from the NTFS volume, along with verifying the standard Linux mode bits against the effective permissions derived from the NTFS ACL. This feature is fundamental for preserving and auditing rich Windows permissions on a Linux system.
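To read the raw descriptors that -d prints and the ACEs that -a lists, it helps to decode one by hand. The following is an added example, not code from ntfs-3g or from this page: it parses the DACL of a self-relative Windows security descriptor, the binary layout NTFS stores, and checks whether Everyone is granted write access. The function names and the sample bytes are constructed for illustration.

```python
import struct

ACE_TYPES = {0: "ALLOW", 1: "DENY"}  # basic ACE types; other types lay out their body differently
WRITE_BITS = 0x2 | 0x4 | 0x40000000 | 0x10000000  # write data, append, GENERIC_WRITE, GENERIC_ALL
SAMPLE_SD = bytes.fromhex(  # constructed sample, not read from a real volume
    "0100048048000000580000000000000014000000"  # header: self-relative, DACL at offset 20
    "0200340002000000"                          # ACL header: 52 bytes, 2 ACEs
    "00001800ff011f0001020000000000052000000020020000"  # ALLOW full control, S-1-5-32-544
    "00001400a9001200010100000000000100000000"          # ALLOW read/execute, S-1-1-0
    "01020000000000052000000020020000" "010100000000000512000000")  # owner SID, group SID

def parse_sid(buf, off):
    """Decode the binary SID at buf[off:] into its S-1-... string form."""
    if off + 8 > len(buf) or off + 8 + 4 * buf[off + 1] > len(buf):
        raise ValueError("truncated SID")
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

def parse_dacl(sd):
    """Return [(type, flags, mask, sid)], or None when the descriptor has no DACL."""
    if len(sd) < 20:
        raise ValueError("shorter than the 20-byte header")
    rev, _, control, _own, _grp, _sacl, dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x8000:        # SE_SELF_RELATIVE
        raise ValueError("not a self-relative revision-1 descriptor")
    if not control & 0x0004 or dacl == 0:       # SE_DACL_PRESENT
        return None                             # no DACL: Windows grants everyone access
    if dacl + 8 > len(sd):
        raise ValueError("DACL offset outside descriptor")
    _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl)
    end, pos, aces = dacl + acl_size, dacl + 8, []
    if end > len(sd):
        raise ValueError("ACL size exceeds descriptor")
    for _ in range(ace_count):
        if pos + 8 > end:
            raise ValueError("ACE header outside ACL")
        ace_type, flags, size, mask = struct.unpack_from("<BBHI", sd, pos)
        if size < 8 or pos + size > end:
            raise ValueError("bad ACE size")
        sid = parse_sid(sd[:pos + size], pos + 8) if ace_type in ACE_TYPES else None
        aces.append((ACE_TYPES.get(ace_type, ace_type), flags, mask, sid))
        pos += size
    return aces

def everyone_can_write(aces):
    """True if there is no DACL or an ALLOW ACE gives Everyone write bits (DENY ACEs ignored)."""
    return aces is None or any(
        t == "ALLOW" and sid == "S-1-1-0" and mask & WRITE_BITS for t, _, mask, sid in aces)
```

Because DENY ACEs are ignored, everyone_can_write is a conservative flag for review rather than a full Windows access check.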

HISTORY

The ntfs-3g.secaudit utility is an integral part of the ntfs-3g project, which began development in 2006 to provide robust read-write access to NTFS filesystems from Linux and other Unix-like operating systems. As ntfs-3g evolved to support more advanced NTFS features, including Windows security descriptors and Access Control Lists (ACLs), tools like ntfs-3g.secaudit became necessary to verify the correctness and consistency of these complex permission mappings. It addresses the critical need for administrators to audit whether the Linux-exposed permissions and extended attributes accurately reflect the underlying NTFS security model, bridging the gap between Windows and Linux security paradigms. Its development paralleled the improvements in ntfs-3g's xattr and acl support, which are crucial for preserving Windows ACLs.

SEE ALSO

ntfs-3g(8), attr(1), setfattr(1), getfattr(1), mount(8), ls(1)
