Isilon OneFS. Список значений полезной нагрузки аудита Isilon

Ниже приведен список возможных значений Isilon, которые можно увидеть в необработанных выходных данных isi_audit Результаты.

Этот список не привязан к конкретной версии. Некоторые из этих кодов существуют только в определенных версиях OneFS. В более поздних версиях OneFS расширены параметры; В этой статье перечислены все полезные данные аудита во всех версиях. Данный список предназначен в качестве справочного материала при рассмотрении отдельных событий аудита в целом.

Функция аудита позволяет осуществлять мониторинг и отслеживание действий учетных записей, подключенных к файловой системе OneFS по таким протоколам, как SMB и NFS.

Действия, записанные в исходном виде, выглядят следующим образом (существуют некоторые различия между версиями и эпохами OneFS):

{"id":"8f0ae523-1741-12ea-8d1f-010e1ea7b298","timestamp":1575538065995502,"payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"protocol":"NFS","zoneID":5,"zoneName":"AuditedZone","eventType":"delete","isDirectory":false,"clientIPAddr":"10.51.221.92","fileName":"\\ifs\\home\\user00001\\staging\\datareview\\infa\\client\\Temp\\datapoint_file.txt","userSID":"S-1-22-2000","userID":2000,"ntStatus":0,"fsId":1,"partialPath":"datapoint_file.txt","rootInode":4512436961,"inode":5128815920}}     

{"id":"87b8bbh5-181c-71ea-8d1f-000g1ia7j295","timestamp":1575522001272734,"payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload ":"protocol":"NFS","zoneID":5,"zoneName":"AuditedZone","eventType":"create","createResult":"OPENED","isDirectory":true,"desiredAccess":0,"clientIPAddr":"10.14.73.184","createDispo":1,"userSID":"S-1-22-1-2000","userID":2000,"fileName":"\\ifs\\data\\project00004\\dev\\logs\\ABC\\that-one-project-data","ntStatus":0,"fsId":1,"inode":4725492968}}

В рамках этого термина определяются как:

• clientIPAddr: String of the IP of the user performing the action
• clientIp: The IP address of the client which initiated the request (causing the event)
• createDispo: Creation disposition specified by user at create/open time
• desiredAccess: Desired access specified by user at create/open time
• encodedNewName: The encoded new name, if there is a rename
• encodedPath: The encoded UNC Path of the file
• encodedRelativePath: The encoded relative path
• encodingType: The encoding used for values, if the value contains characters that cannot be included with XML
• event: The event that caused the check
• fileName: String of the absolute path of the file or "UNKNOWN" if audit cannot get the path. The path uses UNC style of path separators ("\\")
• fileSize: Size of the file at the time of manipulation
• flag: One of the CEPP_FLAG_XXX defined above
• fsId: File system Id of parent directory. This integer is the ID value of the file system in question (default value of 1)
• id: A value based on the cluster GUID and the audited Zone ID, and is unique for the audited event; this is a UUID for that event
• inode: Integer of the inode of the file or directory
• isDirectory: Boolean for whether the event is for a file or a directory
• newFSId: new file system id (if different from fsId) of target parent directory (rename)
• newName: The new name (on a rename operation)
• newParentInode: The inode of the target parent directory (rename)
• ntStatus: The NTSTATUS code of the action. (0 is STATUS_SUCCESS)
• ownerId: The id of the owner of the file
• ownerSid: Sid of the file owner
• parentInode: The inode of the containing directory
• partialPath: String of the relative path of the file or directory. The path uses UNC style of path separators ("\\")
• partialPathParentInode: parent inode of the partial path above
• path: UNC name of the file (or dir) - absolute path
• payload: The complete delivered audit event, encapsulating most of these values
• payloadType: String of "4b66b1eb-6e1a-416d-b80c-5a642a603a0b: For Protocol Activity Events
• payloadType: String of "7afb8d54-0aa7-4ed4-9691-341313ee37e3: For Audit Driver Loaded Audit Events
• payloadType: String of "bbce6a72-a92d-4330-a1f3-e9fd5aed8152: For Audit Driver Unload Audit Events
• payloadType: String of "c411a642-c139-4c7a-be58-93680bc20b41: For Protocol Data Events
• protocol: String of the protocol the action occurred under. Usually one of the following in OneFS 7.2 and later: "CIFS" (for SMB1); "SMB2"; "NFS" (for NFSv3); "NFS4"; "HDFS"
• relativePath: UNC name of the file (or dir) as accessed by the client
• rootInode: Integer of the inode of the directory where the partialPath is
• serverIp: The IP address of the server at which the event was recorded
• server: The Server name where the event occurred. Server IP for NFS
• share: The Share on the server; the Export name for NFS
• timeStamp: The time at which the file operation occurred (cluster local time). It is a 64-bit value, where the high 32 bits represent the time and the lower 32 bits represent the microseconds (Format: 0x1234abcd1234abcd)
• type: File, Directory, etc.
• userID: Integer of the UID of the user performing the action (OneFS 7.2 and later)
• userSID: String of the SID of the user performing the action ("userSID" is not available in "logon" failure events.)
• zoneID: Integer of the OneFS access zone ID the action is being performed on/through
• zoneName: String of the OneFS access zone name at the time of the event that the action is being performed on/through

Существует несколько других значений и полей, которые могут иметь несколько возможных переменных. 

Для «eventType" некоторые типы событий имеют дополнительные поля полезных данных, перечисленные в следующих типах:

• eventType = create: For creating or opening a file or directory
• eventType = close: For closing a file or directory

• • bytesRead: Integer of the total number of bytes read since the open or create
  • bytesWritten: Integer of the total number of bytes written since the opening
  • numberOfReads: Integer of the total number of reads made to the file since opening
  • numberOfWrites: Integer of the total number of writes made to the file
• eventType = read: The first read to a file since opening it

• • bytesRead: Integer of the number of bytes read in the first read.
• eventType = write: The first write to a file since opening it

• • bytesWritten: Integer of the number of bytes written in the first write
• eventType = rename: Rename of a file or directory.

• • newFileName: String of the absolute path of the new file name or "UNKNOWN"; the path uses UNC style of path separators ("\\").
  • newPartialPath: String of the relative path of the new file name. The path uses UNC style of path separators ("\\").
  • newRootInode: Integer of the new parent directory's inode that contains "newPartialPath"
• eventType = get-security: Get security information or permissions from the file or directory.

• eventType = set-security: Set security information or permissions on the file or directory.

• eventType = delete: Delete a file or directory.

• eventType = logon: Logging on.

• eventType = logoff: Logging off.

• eventType = tree-connect: Performing an SMB tree connect.
• • (без лишних полей)

Для событий аудита с payloadType = "7afb8d54-0aa7-4ed4-9691-341313ee37e3" (Аудит событий аудита, загруженных драйвером). 

• Это события аудита, сигнализирующие о том, что драйвер фильтра аудита был загружен.
• Эти события аудита содержат полезные данные, которые содержат строку JSON, указывающую загруженный драйвер аудита.
• • Audit Driver: flt_audit Loaded: SMB audit driver loaded.
  • Audit Driver: flt_audit_nfs Loaded: NFS audit driver loaded.
  • Audit Driver: flt_audit_hdfs Loaded: HDFS audit driver loaded.

Для событий аудита с payloadType = "bbce6a72-a92d-4330-a1f3-e9fd5aed8152" (Драйвер аудита, выгрузка, события аудита). 

• Это события аудита, сигнализирующие о том, что драйвер фильтра аудита был выгружен.
• Эти события аудита содержат полезные данные, которые содержат строку JSON, указывающую, какой драйвер аудита остановлен.
• • Shutting down audit driver: flt_audit: SMB audit driver stopped.
  • Shutting down audit driver: flt_audit_nfs: NFS audit driver loaded.
  • Shutting down audit driver: flt_audit_hdfs: HDFS audit driver loaded.
• eventType: String of the audit event type of action. One of:
  • create: Create or open a file or directory.
  • close: Close a file or directory.
  • read: First read on a file since opening it.
  • write: First write on a file since opening it.
  • rename: Rename a file or directory.
  • delete: Delete a file or directory.
  • set-security: Set security information or permissions on a file or directory.
  • get-security: Get security information or permissions on a file or directory.
• createDispo: Integer of the create/open disposition; this is the request of how the file or directory should be opened or created:
  • 0 - FILE_SUPERSEDE - Replace an existing file or create it.
  • 1 - FILE_OPEN - Open an existing file or fail.
  • 2 - FILE_CREATE - Create a nonexisting file or fail.
  • 3 - FILE_OPEN_IF - Open an existing file or create it.
  • 4 - FILE_OVERWRITE - Open and overwrite an existing file or fail.
  • 5 - FILE_OVERWRITE_IF - Open and overwrite an existing file or create it.
• createResult: String of the create/open result. One of:
  • SUPERSEDED: The file existed and was replaced.
  • OPENED: The file existed and was opened.
  • CREATED: The file did not exist and was created.
  • EXISTS: The file exists and was not created.
  • DOES_NOT_EXIST: The file did not exist and was not opened.
  • UNKNOWN: Unknown
• desiredAccess: Integer of the bitwise combined wanted access of the following:
  • 2.2.1.4.1 File_Pipe_Printer_Access_Mask (Внешняя ссылка)
  • 2.2.1.4.2 Directory_Access_Mask (Внешняя ссылка)