Isilon OneFS: List of Isilon Audit Payload Values

Summary: A list of the possible Isilon values that can be seen in the raw output of isi_audit results.

This article is not tied to any specific product. Not all product versions are identified in this article.

Instructions

The following is a list of the possible Isilon values that can be seen in the raw output of isi_audit results.

This list is not version-specific. Some of these codes exist only in certain versions of OneFS, and newer versions of OneFS have expanded options. This document lists all audit payloads from all versions. The list is intended as a general reference when reviewing individual audit events.

Auditing can monitor and track the actions of accounts connected to the OneFS file system over protocols such as SMB and NFS.

An action logged in raw format appears as follows (with slight differences depending on the version and era of OneFS):

{"id":"8f0ae523-1741-12ea-8d1f-010e1ea7b298","timestamp":1575538065995502,"payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"protocol":"NFS","zoneID":5,"zoneName":"AuditedZone","eventType":"delete","isDirectory":false,"clientIPAddr":"10.51.221.92","fileName":"\\ifs\\home\\user00001\\staging\\datareview\\infa\\client\\Temp\\datapoint_file.txt","userSID":"S-1-22-2000","userID":2000,"ntStatus":0,"fsId":1,"partialPath":"datapoint_file.txt","rootInode":4512436961,"inode":5128815920}}     

{"id":"87b8bbh5-181c-71ea-8d1f-000g1ia7j295","timestamp":1575522001272734,"payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"protocol":"NFS","zoneID":5,"zoneName":"AuditedZone","eventType":"create","createResult":"OPENED","isDirectory":true,"desiredAccess":0,"clientIPAddr":"10.14.73.184","createDispo":1,"userSID":"S-1-22-1-2000","userID":2000,"fileName":"\\ifs\\data\\project00004\\dev\\logs\\ABC\\that-one-project-data","ntStatus":0,"fsId":1,"inode":4725492968}}

Within that record, the terms are defined as follows:

  • clientIPAddr: String of the IP of the user performing the action
  • clientIp: The IP address of the client which initiated the request (causing the event)
  • createDispo: Creation disposition specified by user at create/open time
  • desiredAccess: Desired access specified by user at create/open time
  • encodedNewName: The encoded new name, if there is a rename
  • encodedPath: The encoded UNC Path of the file
  • encodedRelativePath: The encoded relative path
  • encodingType: The encoding used for values, if the value contains characters that cannot be included with XML
  • event: The event that caused the check
  • fileName: String of the absolute path of the file or "UNKNOWN" if audit cannot get the path. The path uses UNC style of path separators ("\\")
  • fileSize: Size of the file at the time of manipulation
  • flag: One of the CEPP_FLAG_XXX defined above
  • fsId: File system Id of parent directory. This integer is the ID value of the file system in question (default value of 1)
  • id: A value based on the cluster GUID and the audited Zone ID, and is unique for the audited event; this is a UUID for that event
  • inode: Integer of the inode of the file or directory
  • isDirectory: Boolean for whether the event is for a file or a directory
  • newFSId: new file system id (if different from fsId) of target parent directory (rename)
  • newName: The new name (on a rename operation)
  • newParentInode: The inode of the target parent directory (rename)
  • ntStatus: The NTSTATUS code of the action. (0 is STATUS_SUCCESS)
  • ownerId: The id of the owner of the file
  • ownerSid: Sid of the file owner
  • parentInode: The inode of the containing directory
  • partialPath: String of the relative path of the file or directory. The path uses UNC style of path separators ("\\")
  • partialPathParentInode: parent inode of the partial path above
  • path: UNC name of the file (or dir) - absolute path
  • payload: The complete delivered audit event, encapsulating most of these values
  • payloadType: String of "4b66b1eb-6e1a-416d-b80c-5a642a603a0b": For Protocol Activity Events
  • payloadType: String of "7afb8d54-0aa7-4ed4-9691-341313ee37e3": For Audit Driver Loaded Audit Events
  • payloadType: String of "bbce6a72-a92d-4330-a1f3-e9fd5aed8152": For Audit Driver Unload Audit Events
  • payloadType: String of "c411a642-c139-4c7a-be58-93680bc20b41": For Protocol Data Events
  • protocol: String of the protocol the action occurred under. Usually one of the following in OneFS 7.2 and later: "CIFS" (for SMB1); "SMB2"; "NFS" (for NFSv3); "NFS4"; "HDFS"
  • relativePath: UNC name of the file (or dir) as accessed by the client
  • rootInode: Integer of the inode of the directory where the partialPath is
  • serverIp: The IP address of the server at which the event was recorded
  • server: The Server name where the event occurred. Server IP for NFS
  • share: The Share on the server; the Export name for NFS
  • timeStamp: The time at which the file operation occurred (cluster local time). It is a 64-bit value, where the high 32 bits represent the time and the lower 32 bits represent the microseconds (Format: 0x1234abcd1234abcd)
  • type: File, Directory, etc.
  • userID: Integer of the UID of the user performing the action (OneFS 7.2 and later)
  • userSID: String of the SID of the user performing the action ("userSID" is not available in "logon" failure events.)
  • zoneID: Integer of the OneFS access zone ID the action is being performed on/through
  • zoneName: String of the OneFS access zone name at the time of the event that the action is being performed on/through

There are several other values and fields that can take a few possible variations.

For the "eventType" object, some event types carry additional payload fields, which are listed below under each type.

  • eventType = create: For creating or opening a file or directory
  • eventType = close: For closing a file or directory
    Additional payload fields ("isDirectory" is false for files):
    • bytesRead: Integer of the total number of bytes read since the open or create
    • bytesWritten: Integer of the total number of bytes written since the opening
    • numberOfReads: Integer of the total number of reads made to the file since opening
    • numberOfWrites: Integer of the total number of writes made to the file
  • eventType = read: The first read to a file since opening it
    Additional payload fields:
    • bytesRead: Integer of the number of bytes read in the first read
  • eventType = write: The first write to a file since opening it
    Additional payload fields:
    • bytesWritten: Integer of the number of bytes written in the first write
  • eventType = rename: Rename of a file or directory
    Additional payload fields:
    • newFileName: String of the absolute path of the new file name or "UNKNOWN"; the path uses UNC style of path separators ("\\")
    • newPartialPath: String of the relative path of the new file name. The path uses UNC style of path separators ("\\")
    • newRootInode: Integer of the new parent directory's inode that contains "newPartialPath"
  • eventType = get-security: Get security information or permissions from the file or directory
    • (no additional fields)
  • eventType = set-security: Set security information or permissions on the file or directory
    • (no additional fields)
  • eventType = delete: Delete a file or directory
    • (no additional fields)
  • eventType = logon: Logging on
    • (no additional fields)
  • eventType = logoff: Logging off
    • (no additional fields)
  • eventType = tree-connect: Performing an SMB tree connect
    • (no additional fields)

For audit events that contain payloadType = "7afb8d54-0aa7-4ed4-9691-341313ee37e3" (Audit Driver Loaded audit events):

  • An audit event that reports when an audit filter driver was loaded.
  • These audit events contain a "payload" holding a JSON string that specifies the audit driver that was loaded:
    • Audit Driver: flt_audit Loaded: SMB audit driver loaded.
    • Audit Driver: flt_audit_nfs Loaded: NFS audit driver loaded.
    • Audit Driver: flt_audit_hdfs Loaded: HDFS audit driver loaded.

For audit events that contain payloadType = "bbce6a72-a92d-4330-a1f3-e9fd5aed8152" (Audit Driver Unload audit events):

  • An audit event that reports when an audit filter driver was unloaded.
  • These audit events contain a "payload" holding a JSON string that specifies the audit driver that was stopped:
    • Shutting down audit driver: flt_audit: SMB audit driver stopped.
    • Shutting down audit driver: flt_audit_nfs: NFS audit driver stopped.
    • Shutting down audit driver: flt_audit_hdfs: HDFS audit driver stopped.
  • eventType: String of the audit event type of action. One of:
    • create: Create or open a file or directory.
    • close: Close a file or directory.
    • read: First read on a file since opening it.
    • write: First write on a file since opening it.
    • rename: Rename a file or directory.
    • delete: Delete a file or directory.
    • set-security: Set security information or permissions on a file or directory.
    • get-security: Get security information or permissions on a file or directory.
  • createDispo: Integer of the create/open disposition; this is the request of how the file or directory should be opened or created:
    • 0 - FILE_SUPERSEDE - Replace an existing file or create it.
    • 1 - FILE_OPEN - Open an existing file or fail.
    • 2 - FILE_CREATE - Create a nonexisting file or fail.
    • 3 - FILE_OPEN_IF - Open an existing file or create it.
    • 4 - FILE_OVERWRITE - Open and overwrite an existing file or fail.
    • 5 - FILE_OVERWRITE_IF - Open and overwrite an existing file or create it.
  • createResult: String of the create/open result. One of:
    • SUPERSEDED: The file existed and was replaced.
    • OPENED: The file existed and was opened.
    • CREATED: The file did not exist and was created.
    • EXISTS: The file exists and was not created.
    • DOES_NOT_EXIST: The file did not exist and was not opened.
    • UNKNOWN: Unknown
  • desiredAccess: Integer of the bitwise combined wanted access of the following:

Affected Products

Isilon

Article Properties
Article Number: 000019850
Article Type: How To
Last Modified: 25 Mar 2026
Version:  5