mc admin audit

Describes how S3 auditing works in HPE Ezmeral Data Fabric Object Store. Provides the command for bucket and account operations auditing. Also provides the command to view the audit status of bucket and account operations.

Starting in HPE Ezmeral Data Fabric 7.3.0, Object Store supports auditing of S3 operations at the global, account, and bucket levels. You can run the mc admin audit set alias command to set auditing flags at each level. Flags are disabled by default.

The following table lists the flag levels with descriptions:
Flag Level: Global
Description: Controls all levels of auditing. When enabled, this flag audits operations on the MOSS server, accounts, and buckets. When disabled, no operations are audited.
Operations Audited:
  • Create account
  • Delete account
  • Changes to account properties
Supported Flags: auditenable

Flag Level: Account
Description: Controls auditing of operations at the account level. When enabled, operations on accounts are audited.

Use forceauditenable to override the global audit setting for accounts.

When the forceauditenable flag is enabled at the account level, all operations at the account and bucket levels are audited regardless of the bucket level audit setting. For example, if the auditenable flag is disabled at the bucket level, all account-level and bucket-level operations are audited.
Operations Audited:
  • IAM operations:
    • Create users/groups/policies
    • Delete users/groups/policies
    • Edit users/groups/policies
Supported Flags: auditenable, forceauditenable

Flag Level: Bucket
Description: Controls auditing at the bucket level. When enabled, operations on buckets are audited.
Operations Audited:
  • Create object
  • Delete object
  • Changes to object properties
Supported Flags: auditenable

You can also run the mc admin audit info alias command to get the audit status of buckets and accounts.

Audit Logs

The CLDB creates a volume for audit records when the first MOSS server registers with the cluster. When the MOSS server starts, it creates a folder in the audit volume that stores audit logs for each node:
/var/mapr/local/mapr.s3.audit/
For example:
# hadoop fs -ls /var/mapr/local/mapr.s3.audit/
drw-r--r--   - mapr mapr          1 2023-04-11 07:25 /var/mapr/local/mapr.s3.audit/<FQDN-1>
drw-r--r--   - mapr mapr          0 2023-04-11 07:22 /var/mapr/local/mapr.s3.audit/<FQDN-2>
drw-r--r--   - mapr mapr          0 2023-04-11 07:22 /var/mapr/local/mapr.s3.audit/<FQDN-3>
drw-r--r--   - mapr mapr          0 2023-04-11 07:22 /var/mapr/local/mapr.s3.audit/<FQDN-4>

Audit Commands

The following topics provide the commands to enable auditing of account and bucket operations in HPE Ezmeral Data Fabric Object Store: