Isilon OneFS : Liste des valeurs de charge utile d’audit Isilon

Vous trouverez ci-dessous une liste des valeurs Isilon possibles qui peuvent être vues dans les sorties brutes de isi_audit Résultats.

Cette liste n’est pas spécifique à une version. Certains de ces codes existent uniquement sur certaines versions de OneFS. Les versions ultérieures de OneFS disposent d’options étendues. Cet article répertorie toutes les charges utiles d’audit sur toutes les versions. Cette liste est destinée à servir de référence pour l’examen des événements d’audit individuels en général.

L’audit peut surveiller et suivre les actions des comptes connectés au système de fichiers OneFS sur des protocoles tels que SMB et NFS.

Les actions enregistrées sous leur forme brute apparaissent comme suit (certaines variations se produisent entre les versions et les époques de OneFS) :

{"id":"8f0ae523-1741-12ea-8d1f-010e1ea7b298","timestamp":1575538065995502,"payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"protocol":"NFS","zoneID":5,"zoneName":"AuditedZone","eventType":"delete","isDirectory":false,"clientIPAddr":"10.51.221.92","fileName":"\\ifs\\home\\user00001\\staging\\datareview\\infa\\client\\Temp\\datapoint_file.txt","userSID":"S-1-22-2000","userID":2000,"ntStatus":0,"fsId":1,"partialPath":"datapoint_file.txt","rootInode":4512436961,"inode":5128815920}}     

{"id":"87b8bbh5-181c-71ea-8d1f-000g1ia7j295","timestamp":1575522001272734,"payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload ":"protocol":"NFS","zoneID":5,"zoneName":"AuditedZone","eventType":"create","createResult":"OPENED","isDirectory":true,"desiredAccess":0,"clientIPAddr":"10.14.73.184","createDispo":1,"userSID":"S-1-22-1-2000","userID":2000,"fileName":"\\ifs\\data\\project00004\\dev\\logs\\ABC\\that-one-project-data","ntStatus":0,"fsId":1,"inode":4725492968}}

Dans ce cadre, les termes sont définis comme suit :

• clientIPAddr: String of the IP of the user performing the action
• clientIp: The IP address of the client which initiated the request (causing the event)
• createDispo: Creation disposition specified by user at create/open time
• desiredAccess: Desired access specified by user at create/open time
• encodedNewName: The encoded new name, if there is a rename
• encodedPath: The encoded UNC Path of the file
• encodedRelativePath: The encoded relative path
• encodingType: The encoding used for values, if the value contains characters that cannot be included with XML
• event: The event that caused the check
• fileName: String of the absolute path of the file or "UNKNOWN" if audit cannot get the path. The path uses UNC style of path separators ("\\")
• fileSize: Size of the file at the time of manipulation
• flag: One of the CEPP_FLAG_XXX defined above
• fsId: File system Id of parent directory. This integer is the ID value of the file system in question (default value of 1)
• id: A value based on the cluster GUID and the audited Zone ID, and is unique for the audited event; this is a UUID for that event
• inode: Integer of the inode of the file or directory
• isDirectory: Boolean for whether the event is for a file or a directory
• newFSId: new file system id (if different from fsId) of target parent directory (rename)
• newName: The new name (on a rename operation)
• newParentInode: The inode of the target parent directory (rename)
• ntStatus: The NTSTATUS code of the action. (0 is STATUS_SUCCESS)
• ownerId: The id of the owner of the file
• ownerSid: Sid of the file owner
• parentInode: The inode of the containing directory
• partialPath: String of the relative path of the file or directory. The path uses UNC style of path separators ("\\")
• partialPathParentInode: parent inode of the partial path above
• path: UNC name of the file (or dir) - absolute path
• payload: The complete delivered audit event, encapsulating most of these values
• payloadType: String of "4b66b1eb-6e1a-416d-b80c-5a642a603a0b: For Protocol Activity Events
• payloadType: String of "7afb8d54-0aa7-4ed4-9691-341313ee37e3: For Audit Driver Loaded Audit Events
• payloadType: String of "bbce6a72-a92d-4330-a1f3-e9fd5aed8152: For Audit Driver Unload Audit Events
• payloadType: String of "c411a642-c139-4c7a-be58-93680bc20b41: For Protocol Data Events
• protocol: String of the protocol the action occurred under. Usually one of the following in OneFS 7.2 and later: "CIFS" (for SMB1); "SMB2"; "NFS" (for NFSv3); "NFS4"; "HDFS"
• relativePath: UNC name of the file (or dir) as accessed by the client
• rootInode: Integer of the inode of the directory where the partialPath is
• serverIp: The IP address of the server at which the event was recorded
• server: The Server name where the event occurred. Server IP for NFS
• share: The Share on the server; the Export name for NFS
• timeStamp: The time at which the file operation occurred (cluster local time). It is a 64-bit value, where the high 32 bits represent the time and the lower 32 bits represent the microseconds (Format: 0x1234abcd1234abcd)
• type: File, Directory, etc.
• userID: Integer of the UID of the user performing the action (OneFS 7.2 and later)
• userSID: String of the SID of the user performing the action ("userSID" is not available in "logon" failure events.)
• zoneID: Integer of the OneFS access zone ID the action is being performed on/through
• zoneName: String of the OneFS access zone name at the time of the event that the action is being performed on/through

Il existe d’autres valeurs et champs qui peuvent avoir quelques variables possibles. 

Pour l’option «eventType" , certains types d’événements ont des champs de charge utile supplémentaires répertoriés sous les types ci-dessous :

• eventType = create: For creating or opening a file or directory
• eventType = close: For closing a file or directory

• • bytesRead: Integer of the total number of bytes read since the open or create
  • bytesWritten: Integer of the total number of bytes written since the opening
  • numberOfReads: Integer of the total number of reads made to the file since opening
  • numberOfWrites: Integer of the total number of writes made to the file
• eventType = read: The first read to a file since opening it

• • bytesRead: Integer of the number of bytes read in the first read.
• eventType = write: The first write to a file since opening it

• • bytesWritten: Integer of the number of bytes written in the first write
• eventType = rename: Rename of a file or directory.

• • newFileName: String of the absolute path of the new file name or "UNKNOWN"; the path uses UNC style of path separators ("\\").
  • newPartialPath: String of the relative path of the new file name. The path uses UNC style of path separators ("\\").
  • newRootInode: Integer of the new parent directory's inode that contains "newPartialPath"
• eventType = get-security: Get security information or permissions from the file or directory.

• eventType = set-security: Set security information or permissions on the file or directory.

• eventType = delete: Delete a file or directory.

• eventType = logon: Logging on.

• eventType = logoff: Logging off.

• eventType = tree-connect: Performing an SMB tree connect.
• • (pas de champs supplémentaires)

Pour les événements d’audit avec payloadType = "7afb8d54-0aa7-4ed4-9691-341313ee37e3" (Événements d’audit chargés par le pilote d’audit). 

• Il s’agit d’événements d’audit signalant le chargement du pilote de filtre d’audit.
• Ces événements d’audit contiennent une « charge utile » qui contient une chaîne JSON spécifiant le pilote d’audit chargé.
• • Audit Driver: flt_audit Loaded: SMB audit driver loaded.
  • Audit Driver: flt_audit_nfs Loaded: NFS audit driver loaded.
  • Audit Driver: flt_audit_hdfs Loaded: HDFS audit driver loaded.

Pour les événements d’audit avec payloadType = "bbce6a72-a92d-4330-a1f3-e9fd5aed8152" (Événements d’audit de déchargement du pilote d’audit). 

• Il s’agit d’événements d’audit signalant le moment où le pilote du filtre d’audit a été déchargé.
• Ces événements d’audit contiennent une « charge utile » qui contient une chaîne JSON spécifiant le pilote d’audit arrêté.
• • Shutting down audit driver: flt_audit: SMB audit driver stopped.
  • Shutting down audit driver: flt_audit_nfs: NFS audit driver loaded.
  • Shutting down audit driver: flt_audit_hdfs: HDFS audit driver loaded.
• eventType: String of the audit event type of action. One of:
  • create: Create or open a file or directory.
  • close: Close a file or directory.
  • read: First read on a file since opening it.
  • write: First write on a file since opening it.
  • rename: Rename a file or directory.
  • delete: Delete a file or directory.
  • set-security: Set security information or permissions on a file or directory.
  • get-security: Get security information or permissions on a file or directory.
• createDispo: Integer of the create/open disposition; this is the request of how the file or directory should be opened or created:
  • 0 - FILE_SUPERSEDE - Replace an existing file or create it.
  • 1 - FILE_OPEN - Open an existing file or fail.
  • 2 - FILE_CREATE - Create a nonexisting file or fail.
  • 3 - FILE_OPEN_IF - Open an existing file or create it.
  • 4 - FILE_OVERWRITE - Open and overwrite an existing file or fail.
  • 5 - FILE_OVERWRITE_IF - Open and overwrite an existing file or create it.
• createResult: String of the create/open result. One of:
  • SUPERSEDED: The file existed and was replaced.
  • OPENED: The file existed and was opened.
  • CREATED: The file did not exist and was created.
  • EXISTS: The file exists and was not created.
  • DOES_NOT_EXIST: The file did not exist and was not opened.
  • UNKNOWN: Unknown
• desiredAccess: Integer of the bitwise combined wanted access of the following:
  • 2.2.1.4.1 File_Pipe_Printer_Access_Mask (Lien externe)
  • 2.2.1.4.2 Directory_Access_Mask (lien externe)