Isilon OneFS: Elenco dei valori del payload di audit Isilon

Di seguito è riportato un elenco dei possibili valori Isilon che possono essere visualizzati negli output raw di isi_audit Risultati.

Questo elenco non è specifico della versione. Alcuni di questi codici esistono solo in alcune versioni di OneFS. Le versioni successive di OneFS dispongono di opzioni estese; Questo articolo elenca tutti i payload di audit in tutte le versioni. Questo elenco ha lo scopo di fungere da riferimento per la revisione di singoli eventi di audit in generale.

L'audit può monitorare e tenere traccia delle azioni degli account connessi al file system OneFS su protocolli come SMB e NFS.

Le azioni registrate nella loro forma raw appaiono come segue (si verificano alcune variazioni tra le versioni e le ere di OneFS):

{"id":"8f0ae523-1741-12ea-8d1f-010e1ea7b298","timestamp":1575538065995502,"payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"protocol":"NFS","zoneID":5,"zoneName":"AuditedZone","eventType":"delete","isDirectory":false,"clientIPAddr":"10.51.221.92","fileName":"\\ifs\\home\\user00001\\staging\\datareview\\infa\\client\\Temp\\datapoint_file.txt","userSID":"S-1-22-2000","userID":2000,"ntStatus":0,"fsId":1,"partialPath":"datapoint_file.txt","rootInode":4512436961,"inode":5128815920}}     

{"id":"87b8bbh5-181c-71ea-8d1f-000g1ia7j295","timestamp":1575522001272734,"payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload ":"protocol":"NFS","zoneID":5,"zoneName":"AuditedZone","eventType":"create","createResult":"OPENED","isDirectory":true,"desiredAccess":0,"clientIPAddr":"10.14.73.184","createDispo":1,"userSID":"S-1-22-1-2000","userID":2000,"fileName":"\\ifs\\data\\project00004\\dev\\logs\\ABC\\that-one-project-data","ntStatus":0,"fsId":1,"inode":4725492968}}

All'interno di ciò, i termini sono definiti come:

• clientIPAddr: String of the IP of the user performing the action
• clientIp: The IP address of the client which initiated the request (causing the event)
• createDispo: Creation disposition specified by user at create/open time
• desiredAccess: Desired access specified by user at create/open time
• encodedNewName: The encoded new name, if there is a rename
• encodedPath: The encoded UNC Path of the file
• encodedRelativePath: The encoded relative path
• encodingType: The encoding used for values, if the value contains characters that cannot be included with XML
• event: The event that caused the check
• fileName: String of the absolute path of the file or "UNKNOWN" if audit cannot get the path. The path uses UNC style of path separators ("\\")
• fileSize: Size of the file at the time of manipulation
• flag: One of the CEPP_FLAG_XXX defined above
• fsId: File system Id of parent directory. This integer is the ID value of the file system in question (default value of 1)
• id: A value based on the cluster GUID and the audited Zone ID, and is unique for the audited event; this is a UUID for that event
• inode: Integer of the inode of the file or directory
• isDirectory: Boolean for whether the event is for a file or a directory
• newFSId: new file system id (if different from fsId) of target parent directory (rename)
• newName: The new name (on a rename operation)
• newParentInode: The inode of the target parent directory (rename)
• ntStatus: The NTSTATUS code of the action. (0 is STATUS_SUCCESS)
• ownerId: The id of the owner of the file
• ownerSid: Sid of the file owner
• parentInode: The inode of the containing directory
• partialPath: String of the relative path of the file or directory. The path uses UNC style of path separators ("\\")
• partialPathParentInode: parent inode of the partial path above
• path: UNC name of the file (or dir) - absolute path
• payload: The complete delivered audit event, encapsulating most of these values
• payloadType: String of "4b66b1eb-6e1a-416d-b80c-5a642a603a0b: For Protocol Activity Events
• payloadType: String of "7afb8d54-0aa7-4ed4-9691-341313ee37e3: For Audit Driver Loaded Audit Events
• payloadType: String of "bbce6a72-a92d-4330-a1f3-e9fd5aed8152: For Audit Driver Unload Audit Events
• payloadType: String of "c411a642-c139-4c7a-be58-93680bc20b41: For Protocol Data Events
• protocol: String of the protocol the action occurred under. Usually one of the following in OneFS 7.2 and later: "CIFS" (for SMB1); "SMB2"; "NFS" (for NFSv3); "NFS4"; "HDFS"
• relativePath: UNC name of the file (or dir) as accessed by the client
• rootInode: Integer of the inode of the directory where the partialPath is
• serverIp: The IP address of the server at which the event was recorded
• server: The Server name where the event occurred. Server IP for NFS
• share: The Share on the server; the Export name for NFS
• timeStamp: The time at which the file operation occurred (cluster local time). It is a 64-bit value, where the high 32 bits represent the time and the lower 32 bits represent the microseconds (Format: 0x1234abcd1234abcd)
• type: File, Directory, etc.
• userID: Integer of the UID of the user performing the action (OneFS 7.2 and later)
• userSID: String of the SID of the user performing the action ("userSID" is not available in "logon" failure events.)
• zoneID: Integer of the OneFS access zone ID the action is being performed on/through
• zoneName: String of the OneFS access zone name at the time of the event that the action is being performed on/through

Esistono alcuni altri valori e campi che possono avere alcune possibili variabili. 

Per il "eventType", alcuni tipi di evento dispongono di campi di payload aggiuntivi elencati sotto i tipi riportati di seguito:

• eventType = create: For creating or opening a file or directory
• eventType = close: For closing a file or directory

• • bytesRead: Integer of the total number of bytes read since the open or create
  • bytesWritten: Integer of the total number of bytes written since the opening
  • numberOfReads: Integer of the total number of reads made to the file since opening
  • numberOfWrites: Integer of the total number of writes made to the file
• eventType = read: The first read to a file since opening it

• • bytesRead: Integer of the number of bytes read in the first read.
• eventType = write: The first write to a file since opening it

• • bytesWritten: Integer of the number of bytes written in the first write
• eventType = rename: Rename of a file or directory.

• • newFileName: String of the absolute path of the new file name or "UNKNOWN"; the path uses UNC style of path separators ("\\").
  • newPartialPath: String of the relative path of the new file name. The path uses UNC style of path separators ("\\").
  • newRootInode: Integer of the new parent directory's inode that contains "newPartialPath"
• eventType = get-security: Get security information or permissions from the file or directory.

• eventType = set-security: Set security information or permissions on the file or directory.

• eventType = delete: Delete a file or directory.

• eventType = logon: Logging on.

• eventType = logoff: Logging off.

• eventType = tree-connect: Performing an SMB tree connect.
• • (nessun campo aggiuntivo)

Per gli eventi di controllo con payloadType = "7afb8d54-0aa7-4ed4-9691-341313ee37e3" (Eventi di controllo caricati dal driver di audit). 

• Si tratta di eventi di controllo che segnalano quando è stato caricato il driver del filtro di controllo.
• Questi eventi di controllo contengono un "payload" che contiene una stringa JSON che specifica quale driver di controllo è stato caricato.
• • Audit Driver: flt_audit Loaded: SMB audit driver loaded.
  • Audit Driver: flt_audit_nfs Loaded: NFS audit driver loaded.
  • Audit Driver: flt_audit_hdfs Loaded: HDFS audit driver loaded.

Per gli eventi di controllo con payloadType = "bbce6a72-a92d-4330-a1f3-e9fd5aed8152" (Eventi di controllo per scaricare driver). 

• Si tratta di eventi di controllo che segnalano quando è stato scaricato il driver del filtro di controllo.
• Questi eventi di controllo contengono un "payload" che contiene una stringa JSON che specifica quale driver di controllo è stato arrestato.
• • Shutting down audit driver: flt_audit: SMB audit driver stopped.
  • Shutting down audit driver: flt_audit_nfs: NFS audit driver loaded.
  • Shutting down audit driver: flt_audit_hdfs: HDFS audit driver loaded.
• eventType: String of the audit event type of action. One of:
  • create: Create or open a file or directory.
  • close: Close a file or directory.
  • read: First read on a file since opening it.
  • write: First write on a file since opening it.
  • rename: Rename a file or directory.
  • delete: Delete a file or directory.
  • set-security: Set security information or permissions on a file or directory.
  • get-security: Get security information or permissions on a file or directory.
• createDispo: Integer of the create/open disposition; this is the request of how the file or directory should be opened or created:
  • 0 - FILE_SUPERSEDE - Replace an existing file or create it.
  • 1 - FILE_OPEN - Open an existing file or fail.
  • 2 - FILE_CREATE - Create a nonexisting file or fail.
  • 3 - FILE_OPEN_IF - Open an existing file or create it.
  • 4 - FILE_OVERWRITE - Open and overwrite an existing file or fail.
  • 5 - FILE_OVERWRITE_IF - Open and overwrite an existing file or create it.
• createResult: String of the create/open result. One of:
  • SUPERSEDED: The file existed and was replaced.
  • OPENED: The file existed and was opened.
  • CREATED: The file did not exist and was created.
  • EXISTS: The file exists and was not created.
  • DOES_NOT_EXIST: The file did not exist and was not opened.
  • UNKNOWN: Unknown
• desiredAccess: Integer of the bitwise combined wanted access of the following:
  • 2.2.1.4.1 File_Pipe_Printer_Access_Mask (Link esterno)
  • 2.2.1.4.2 Directory_Access_Mask (Link esterno)