Auditing Data Access Operations

Describes file system, HPE Ezmeral Data Fabric Database, and HPE Ezmeral Data Fabric Streams operations that are audited by default, and operations that can be selectively enabled or disabled for auditing.

This type of auditing is for operations that are managed by the file system, HPE Ezmeral Data Fabric Database, and HPE Ezmeral Data Fabric Streams. These operations take place within volumes and have effects at the level of the data-fabric filesystem.

NOTE Auditing of data access operations is not supported for HPE Ezmeral Data Fabric Object Store.

Auditing of Operations on Directories and Files

The following table shows whether (Y) or not (N) the following operations on files and directories are audited. In the table, the operations with Y in the Selective Auditing Support column can be included and/or excluded from auditing. Operations with N in the Selective Auditing Support column are audited by default and cannot be excluded from auditing. Use the name specified in the Operation Name to use for Selective Auditing column when you run the maprcli command to enable or disable auditing for that operation.

Operation Name in Audit Logs Operation Name to use for Selective Auditing Directories Files Selective Auditing Support
Change group owner CHGRP chgrp Y Y Y
Change owner CHOWN chown Y Y Y
Change permissions CHPERM chperm Y Y Y
Create CREATE create N/A Y Y
Create device (not used) CREATEDEV createdev N/A Y Y
Create symbolic link CREATESYM createsym Y Y Y
Delete file DELETE delete N/A Y Y
Disable auditing DISABLEAUDIT N/A Y Y N
Enable auditing ENABLEAUDIT N/A Y Y N
Offload file to tiered storage FILE_OFFLOAD fileoffload or filetieroffloadevent N/A Y Y
Recall file from tiered storage FILE_RECALL filerecall or filetierrecallevent N/A Y Y
Scan offset ranges owned by given FID. Used in tiered operations to get owned offsets during offload and recall operations. FILE_SCAN filescan N/A Y Y
Abort ongoing offload or recall of file FILE_TIER_JOBABORT filetierjobabort N/A Y Y
Retrieve status for an existing file level tier job (offload/recall) FILE_TIER_JOBSTATUS filetierjobstatus N/A Y Y
Audit event generated on file server while purging data during offload operation FILE_TIER_OFFLOAD_EVENT filetieroffloadevent N/A N Y
Audit event generated on file server while recalling data during recall operation FILE_TIER_RECALL_EVENT filetierrecallevent N/A N Y
Get attributes GETATTR geattr N N Y
Obtains the file path given the File ID GETPATHFORFID getpathforfid Y Y Y
Get extended attributes GETXATTR getxattr Y Y Y
Get the mode bits for files/directories accessed over NFS GETPERM getperm Y Y Y
Create hardlink HARDLINK hardlink Y Y Y
List extended attributes LISTXATTR listxattr Y Y Y
Lookup LOOKUP lookup Y Y Y
Create directory MKDIR mkdir Y N/A Y
Read a file READ read N/A Y Y
Read a directory READDIR readdir Y N/A Y
Remove extended attributes REMOVEXATTR removexattr Y Y Y
Rename RENAME rename Y Y Y
Delete a directory RMDIR rmdir Y N/A Y
Set attributes SETATTR setattr1 Y Y Y
Set extended attributes SETXATTR setxattr Y Y Y
Truncate a file TRUNCATE truncate N/A Y Y
Write to a file WRITE write N/A Y Y
1Enabling setattr automatically enables the following operations:
  • chown
  • chgrp
  • chperm

If you disable setattr, these operations are automatically disabled. If you do nothing with setattr (neither enable nor disable), you can enable or disable chown, chgrp, and chperm in any combination.

Auditing of Operations on HPE Ezmeral Data Fabric Database Binary Tables and JSON Tables

The following operations on both types of HPE Ezmeral Data Fabric Database tables are audited by default. Operations with Y in the Selective Auditing Support column can be included or excluded from auditing. Operations with N in the Selective Auditing Support column are audited by default and cannot be excluded from auditing. Use the name specified in the Operation Name to use for Selective Auditing column when you run the maprcli command to enable or disable auditing for that operation.

Operation Name in Audit Logs Operation Name to use for Selective Auditing Selective Auditing Support
Create a column family DB_CFCREATE tablecfcreate Y
Modify a column family DB_CFMODIFY tablecfmodify Y
Delete a column family DB_CFREMOVE tablecfdelete Y
Scan a column DB_CFSCAN tablecfscan Y
Get data DB_GET tableget Y
Perform incremental bulk load DB_IMPORTBUCKET N/A N
Perform full bulk load DB_IMPORTSEGMENT N/A N
Put data DB_PUT tableput Y
Compact a table region DB_REGIONCOMPACT N/A N
Look up a region on the current node DB_REGIONLOOKUP N/A N
Merge two consecutive regions DB_REGIONMERGE N/A N
Split a region into two DB_REGIONSPLIT N/A N
Configure a replica for a table DB_REPLICAADD N/A N
Edit the replica for a table DB_REPLICAEDIT N/A N
List the replicas for a table DB_REPLICALIST N/A N
Remove a replica for a table DB_REPLICAREMOVE N/A N
Scan a table DB_SCAN tablescan Y
Create a table DB_TABLECREATE tablecreate Y
View information about a table DB_TABLEINFO tableinfo Y
Modify a table DB_TABLEMODIFY tablemodify Y
Add an upstream source to a replica DB_UPSTREAMADD N/A N
List all upstream sources for a replica DB_UPSTREAMLIST N/A N
Remove an upstream source for a replica DB_UPSTREAMREMOVE N/A N

Auditing of Operations on HPE Ezmeral Data Fabric Streams

The following operations on HPE Ezmeral Data Fabric Streams are audited by default. Operations with Y in the Selective Auditing Support column can be included or excluded from auditing. Operations with N in the Selective Auditing Support column are audited by default and cannot be excluded from auditing. Use the name specified in the Operation Name to use for Selective Auditing column when you run the maprcli command to enable or disable auditing for that operation.

Operation Name in Audit Logs Operation Name to use for Selective Auditing Selective Auditing Support
Modify attributes or permissions of a stream DB_CFMODIFY tablecfmodify Y
Produce messages to topics of a stream DB_PUT tableput Y
Add a replica DB_REPLICAADD N/A N
Edit a replica DB_REPLICAEDIT N/A N
List the replicas for a stream DB_REPLICALIST N/A N
Remove a replica DB_REPLICAREMOVE N/A N
Consume messages from topics of a stream DB_SCAN tablescan Y
Add an upstream source to a replica DB_UPSTREAMADD N/A N
List all upstream sources for a replica DB_UPSTREAMLIST N/A N
Remove an upstream source from a replica DB_UPSTREAMREMOVE N/A N