mc admin audit

Describes how S3 auditing works in HPE Ezmeral Data Fabric Object Store. Provides the command for bucket and account operations auditing. Also provides the command to view the audit status of bucket and account operations.

Starting in HPE Ezmeral Data Fabric 7.3.0, Object Store supports auditing of S3 operations at the global, account, and bucket levels. You can run the mc admin audit set alias command to set auditing flags at each level. Flags are disabled by default.

The following table lists the flag levels with descriptions:

Flag Level Description Operations Audited Supported Flags

Global

Controls all levels of auditing. When enabled, this flag audits operations on the MOSS server, accounts, and buckets. When disabled, no operations are audited.

Flag Level	Description	Operations Audited	Supported Flags
Global	Controls all levels of auditing. When enabled, this flag audits operations on the MOSS server, accounts, and buckets. When disabled, no operations are audited.	Create account Delete account Changes to account properties	`auditenable`
Account	Controls auditing of operations at the account level. When enabled, operations on accounts are audited. Use `forceauditenable` to override the global audit setting for accounts. When the `forceauditenable` flag is enabled at the account level, all operations at the account and bucket levels are audited regardless of the bucket level audit setting. For example, if the `auditenable` flag is disabled at the bucket level, all account-level and bucket-level operations are audited.	IAM operations: Create users/groups/policies Delete users/groups/policies Edit users/groups/policies	`auditenable`, `forceauditenable`
Bucket	Controls auditing at the bucket level. When enabled, operations on buckets are audited.	Create object Delete object Changes to object properties	`auditenable`

Create account
Delete account
Changes to account properties

auditenable

Account

Controls auditing of operations at the account level. When enabled, operations on accounts are audited.

Use forceauditenable to override the global audit setting for accounts.

When the forceauditenable flag is enabled at the account level, all operations at the account and bucket levels are audited regardless of the bucket level audit setting. For example, if the auditenable flag is disabled at the bucket level, all account-level and bucket-level operations are audited.

IAM operations:
- Create users/groups/policies
- Delete users/groups/policies
- Edit users/groups/policies

auditenable, forceauditenable

Bucket

Controls auditing at the bucket level. When enabled, operations on buckets are audited.

Create object
Delete object
Changes to object properties

auditenable

You can also run the mc admin audit info alias command to get the audit status of buckets and accounts.

Audit Logs

The CLDB creates a volume for audit records when the first MOSS server registers with the cluster. When the MOSS server starts, it creates a folder in the audit volume that stores audit logs for each node:

/var/mapr/local/mapr.s3.audit/

For example:

# hadoop fs -ls /var/mapr/local/mapr.s3.audit/
drw-r--r--   - mapr mapr          1 2023-04-11 07:25 /var/mapr/local/mapr.s3.audit/<FQDN-1>
drw-r--r--   - mapr mapr          0 2023-04-11 07:22 /var/mapr/local/mapr.s3.audit/<FQDN-2>
drw-r--r--   - mapr mapr          0 2023-04-11 07:22 /var/mapr/local/mapr.s3.audit/<FQDN-3>
drw-r--r--   - mapr mapr          0 2023-04-11 07:22 /var/mapr/local/mapr.s3.audit/<FQDN-4>

Audit Commands

The following topics provide the commands to enable auditing of account and bucket operations in HPE Ezmeral Data Fabric Object Store:

HPE Ezmeral Data Fabric – Customer-Managed 7.9.0 Documentation
Abstract	This site contains documentation for the customer-managed platform of the HPE Ezmeral Data Fabric version 7.9.0 including installation, configuration, administration, and reference content, as well as content for the associated bundled ecosystem components and drivers.
Published	November 2024
Edition	7.9.0