Google 存储审核日志 - 查找谁在尝试访问
Google Storage AuditLogs - finding who is trying to access
我有一个启用了审核日志的 google 存储桶。每 one\two 天我都会收到有关 PERMISSION DENIED 的日志。日志指定请求者要求的访问类型。但是,没有给我足够的信息来回答这个问题 - 谁在请求?
这是日志消息:
{
"insertId": "rr6wsd...",
"logName": "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access",
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {},
"authorizationInfo": [
{
"permission": "storage.buckets.get",
"resource": "projects//buckets/BUCKET_NAME",
"resourceAttributes": {}
}
],
"methodName": "storage.buckets.get",
"requestMetadata": {
"callerSuppliedUserAgent": "Blob/1 (cr/340918833)",
"destinationAttributes": {},
"requestAttributes": {
"auth": {},
"reason": "8uSywAZKWkhOZWVkZWQg...",
"time": "2021-01-20T03:43:38.405230045Z"
}
},
"resourceLocation": {
"currentLocations": [
"us-central1"
]
},
"resourceName": "projects//buckets/BUCKET_NAME",
"serviceName": "storage.googleapis.com",
"status": {
"code": 7,
"message": "PERMISSION_DENIED"
}
},
"receiveTimestamp": "2021-01-20T03:43:38.488787956Z",
"resource": {
"labels": {
"bucket_name": "BUCKET_NAME",
"location": "us-central1",
"project_id": "PROJECT_ID"
},
"type": "gcs_bucket"
},
"severity": "ERROR",
"timestamp": "2021-01-20T03:43:38.399417759Z"
}
如您所见,唯一谈论“谁正在尝试访问”的信息是
"callerSuppliedUserAgent": "Blob/1 (cr/340918833)",
但这意味着什么?对我来说毫无意义。
我如何了解谁在尝试访问此权限?
callerSuppliedUserAgent 可以是客户端应用程序在其请求 header 中放入的任何内容 - 忽略它,因为此 header 可能是伪造的。只有合法的应用程序才会在 header.
中放置任何有意义的内容
这是一个未经身份验证的请求。没有身份可以记录。很可能是巨魔扫描互联网寻找打开的桶。
注意 auth 键是空的。请求中未提供授权。
"requestAttributes": {
"auth": {},
"reason": "8uSywAZKWkhOZWVkZWQg...",
"time": "2021-01-20T03:43:38.405230045Z"
}
我有一个启用了审核日志的 google 存储桶。每 one\two 天我都会收到有关 PERMISSION DENIED 的日志。日志指定请求者要求的访问类型。但是,没有给我足够的信息来回答这个问题 - 谁在请求?
这是日志消息:
{
"insertId": "rr6wsd...",
"logName": "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access",
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {},
"authorizationInfo": [
{
"permission": "storage.buckets.get",
"resource": "projects//buckets/BUCKET_NAME",
"resourceAttributes": {}
}
],
"methodName": "storage.buckets.get",
"requestMetadata": {
"callerSuppliedUserAgent": "Blob/1 (cr/340918833)",
"destinationAttributes": {},
"requestAttributes": {
"auth": {},
"reason": "8uSywAZKWkhOZWVkZWQg...",
"time": "2021-01-20T03:43:38.405230045Z"
}
},
"resourceLocation": {
"currentLocations": [
"us-central1"
]
},
"resourceName": "projects//buckets/BUCKET_NAME",
"serviceName": "storage.googleapis.com",
"status": {
"code": 7,
"message": "PERMISSION_DENIED"
}
},
"receiveTimestamp": "2021-01-20T03:43:38.488787956Z",
"resource": {
"labels": {
"bucket_name": "BUCKET_NAME",
"location": "us-central1",
"project_id": "PROJECT_ID"
},
"type": "gcs_bucket"
},
"severity": "ERROR",
"timestamp": "2021-01-20T03:43:38.399417759Z"
}
如您所见,唯一谈论“谁正在尝试访问”的信息是
"callerSuppliedUserAgent": "Blob/1 (cr/340918833)",
但这意味着什么?对我来说毫无意义。
我如何了解谁在尝试访问此权限?
callerSuppliedUserAgent 可以是客户端应用程序在其请求 header 中放入的任何内容 - 忽略它,因为此 header 可能是伪造的。只有合法的应用程序才会在 header.
这是一个未经身份验证的请求。没有身份可以记录。很可能是巨魔扫描互联网寻找打开的桶。
注意 auth 键是空的。请求中未提供授权。
"requestAttributes": {
"auth": {},
"reason": "8uSywAZKWkhOZWVkZWQg...",
"time": "2021-01-20T03:43:38.405230045Z"
}