Isilon OneFS: Lista de valores de carga útil de auditoría de Isilon

La siguiente es una lista de posibles valores de Isilon que se pueden ver en las salidas sin procesar de isi_audit resultados.

Este listado no es específico de la versión. Algunos de estos códigos solo existen en ciertas versiones de OneFS. Las versiones posteriores de OneFS tienen opciones ampliadas; En este artículo, se enumeran todas las cargas útiles de auditoría en todas las versiones. Esta lista está diseñada para ser una referencia en la revisión de eventos de auditoría individuales en general.

La auditoría puede monitorear y rastrear las acciones de las cuentas conectadas al sistema de archivos de OneFS en protocolos como SMB y NFS.

Las acciones registradas en su formato crudo tienen el siguiente aspecto (se producen algunas variaciones entre las versiones y las épocas de OneFS):

{"id":"8f0ae523-1741-12ea-8d1f-010e1ea7b298","timestamp":1575538065995502,"payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload":{"protocol":"NFS","zoneID":5,"zoneName":"AuditedZone","eventType":"delete","isDirectory":false,"clientIPAddr":"10.51.221.92","fileName":"\\ifs\\home\\user00001\\staging\\datareview\\infa\\client\\Temp\\datapoint_file.txt","userSID":"S-1-22-2000","userID":2000,"ntStatus":0,"fsId":1,"partialPath":"datapoint_file.txt","rootInode":4512436961,"inode":5128815920}}     

{"id":"87b8bbh5-181c-71ea-8d1f-000g1ia7j295","timestamp":1575522001272734,"payloadType":"c411a642-c139-4c7a-be58-93680bc20b41","payload ":"protocol":"NFS","zoneID":5,"zoneName":"AuditedZone","eventType":"create","createResult":"OPENED","isDirectory":true,"desiredAccess":0,"clientIPAddr":"10.14.73.184","createDispo":1,"userSID":"S-1-22-1-2000","userID":2000,"fileName":"\\ifs\\data\\project00004\\dev\\logs\\ABC\\that-one-project-data","ntStatus":0,"fsId":1,"inode":4725492968}}

Dentro de eso, los términos se definen como:

• clientIPAddr: String of the IP of the user performing the action
• clientIp: The IP address of the client which initiated the request (causing the event)
• createDispo: Creation disposition specified by user at create/open time
• desiredAccess: Desired access specified by user at create/open time
• encodedNewName: The encoded new name, if there is a rename
• encodedPath: The encoded UNC Path of the file
• encodedRelativePath: The encoded relative path
• encodingType: The encoding used for values, if the value contains characters that cannot be included with XML
• event: The event that caused the check
• fileName: String of the absolute path of the file or "UNKNOWN" if audit cannot get the path. The path uses UNC style of path separators ("\\")
• fileSize: Size of the file at the time of manipulation
• flag: One of the CEPP_FLAG_XXX defined above
• fsId: File system Id of parent directory. This integer is the ID value of the file system in question (default value of 1)
• id: A value based on the cluster GUID and the audited Zone ID, and is unique for the audited event; this is a UUID for that event
• inode: Integer of the inode of the file or directory
• isDirectory: Boolean for whether the event is for a file or a directory
• newFSId: new file system id (if different from fsId) of target parent directory (rename)
• newName: The new name (on a rename operation)
• newParentInode: The inode of the target parent directory (rename)
• ntStatus: The NTSTATUS code of the action. (0 is STATUS_SUCCESS)
• ownerId: The id of the owner of the file
• ownerSid: Sid of the file owner
• parentInode: The inode of the containing directory
• partialPath: String of the relative path of the file or directory. The path uses UNC style of path separators ("\\")
• partialPathParentInode: parent inode of the partial path above
• path: UNC name of the file (or dir) - absolute path
• payload: The complete delivered audit event, encapsulating most of these values
• payloadType: String of "4b66b1eb-6e1a-416d-b80c-5a642a603a0b: For Protocol Activity Events
• payloadType: String of "7afb8d54-0aa7-4ed4-9691-341313ee37e3: For Audit Driver Loaded Audit Events
• payloadType: String of "bbce6a72-a92d-4330-a1f3-e9fd5aed8152: For Audit Driver Unload Audit Events
• payloadType: String of "c411a642-c139-4c7a-be58-93680bc20b41: For Protocol Data Events
• protocol: String of the protocol the action occurred under. Usually one of the following in OneFS 7.2 and later: "CIFS" (for SMB1); "SMB2"; "NFS" (for NFSv3); "NFS4"; "HDFS"
• relativePath: UNC name of the file (or dir) as accessed by the client
• rootInode: Integer of the inode of the directory where the partialPath is
• serverIp: The IP address of the server at which the event was recorded
• server: The Server name where the event occurred. Server IP for NFS
• share: The Share on the server; the Export name for NFS
• timeStamp: The time at which the file operation occurred (cluster local time). It is a 64-bit value, where the high 32 bits represent the time and the lower 32 bits represent the microseconds (Format: 0x1234abcd1234abcd)
• type: File, Directory, etc.
• userID: Integer of the UID of the user performing the action (OneFS 7.2 and later)
• userSID: String of the SID of the user performing the action ("userSID" is not available in "logon" failure events.)
• zoneID: Integer of the OneFS access zone ID the action is being performed on/through
• zoneName: String of the OneFS access zone name at the time of the event that the action is being performed on/through

Hay algunos otros valores y campos que pueden tener algunas variables posibles. 

Para el "eventType" , algunos tipos de eventos tienen campos de carga útil adicionales que se enumeran en los siguientes tipos:

• eventType = create: For creating or opening a file or directory
• eventType = close: For closing a file or directory

• • bytesRead: Integer of the total number of bytes read since the open or create
  • bytesWritten: Integer of the total number of bytes written since the opening
  • numberOfReads: Integer of the total number of reads made to the file since opening
  • numberOfWrites: Integer of the total number of writes made to the file
• eventType = read: The first read to a file since opening it

• • bytesRead: Integer of the number of bytes read in the first read.
• eventType = write: The first write to a file since opening it

• • bytesWritten: Integer of the number of bytes written in the first write
• eventType = rename: Rename of a file or directory.

• • newFileName: String of the absolute path of the new file name or "UNKNOWN"; the path uses UNC style of path separators ("\\").
  • newPartialPath: String of the relative path of the new file name. The path uses UNC style of path separators ("\\").
  • newRootInode: Integer of the new parent directory's inode that contains "newPartialPath"
• eventType = get-security: Get security information or permissions from the file or directory.

• eventType = set-security: Set security information or permissions on the file or directory.

• eventType = delete: Delete a file or directory.

• eventType = logon: Logging on.

• eventType = logoff: Logging off.

• eventType = tree-connect: Performing an SMB tree connect.
• • (sin campos adicionales)

Para eventos de auditoría con payloadType = "7afb8d54-0aa7-4ed4-9691-341313ee37e3" (Eventos de auditoría cargados por controlador de auditoría). 

• Estos son eventos de auditoría que indican cuándo se cargó el controlador del filtro de auditoría.
• Estos eventos de auditoría contienen una "carga útil" que contiene una cadena JSON que especifica qué controlador de auditoría se carga.
• • Audit Driver: flt_audit Loaded: SMB audit driver loaded.
  • Audit Driver: flt_audit_nfs Loaded: NFS audit driver loaded.
  • Audit Driver: flt_audit_hdfs Loaded: HDFS audit driver loaded.

Para eventos de auditoría con payloadType = "bbce6a72-a92d-4330-a1f3-e9fd5aed8152" (El controlador de auditoría descarga los eventos de auditoría). 

• Estos son eventos de auditoría que indican cuando se descargó el controlador del filtro de auditoría.
• Estos eventos de auditoría contienen una "carga útil" que contiene una cadena JSON que especifica qué controlador de auditoría se detuvo.
• • Shutting down audit driver: flt_audit: SMB audit driver stopped.
  • Shutting down audit driver: flt_audit_nfs: NFS audit driver loaded.
  • Shutting down audit driver: flt_audit_hdfs: HDFS audit driver loaded.
• eventType: String of the audit event type of action. One of:
  • create: Create or open a file or directory.
  • close: Close a file or directory.
  • read: First read on a file since opening it.
  • write: First write on a file since opening it.
  • rename: Rename a file or directory.
  • delete: Delete a file or directory.
  • set-security: Set security information or permissions on a file or directory.
  • get-security: Get security information or permissions on a file or directory.
• createDispo: Integer of the create/open disposition; this is the request of how the file or directory should be opened or created:
  • 0 - FILE_SUPERSEDE - Replace an existing file or create it.
  • 1 - FILE_OPEN - Open an existing file or fail.
  • 2 - FILE_CREATE - Create a nonexisting file or fail.
  • 3 - FILE_OPEN_IF - Open an existing file or create it.
  • 4 - FILE_OVERWRITE - Open and overwrite an existing file or fail.
  • 5 - FILE_OVERWRITE_IF - Open and overwrite an existing file or create it.
• createResult: String of the create/open result. One of:
  • SUPERSEDED: The file existed and was replaced.
  • OPENED: The file existed and was opened.
  • CREATED: The file did not exist and was created.
  • EXISTS: The file exists and was not created.
  • DOES_NOT_EXIST: The file did not exist and was not opened.
  • UNKNOWN: Unknown
• desiredAccess: Integer of the bitwise combined wanted access of the following:
  • 2.2.1.4.1 File_Pipe_Printer_Access_Mask (Enlace externo)
  • 2.2.1.4.2 Directory_Access_Mask (Enlace externo)