Auditing Data Access Operations
Describes file system, HPE Ezmeral Data Fabric Database, and HPE Ezmeral Data Fabric Streams operations that are audited by default, and operations that can be selectively enabled or disabled for auditing.
This type of auditing is for operations that are managed by the file system, HPE Ezmeral Data Fabric Database, and HPE Ezmeral Data Fabric Streams. These operations take place within volumes and have effects at the level of the Data Fabric file system.
Auditing of Operations on Directories and Files
The following table shows whether (Y) or
not (N) the following operations on files and directories are
audited. In the table, the operations with Y in the Selective
Auditing Support column can be included and/or excluded from auditing.
Operations with N in the Selective Auditing Support column
are audited by default and cannot be excluded from auditing. Use the name specified
in the Operation Name to use for Selective Auditing column when you run the
maprcli command to enable or
disable auditing for that operation.
| Operation | Name in Audit Logs | Operation Name to use for Selective Auditing | Directories | Files | Selective Auditing Support |
|---|---|---|---|---|---|
| Change group owner | CHGRP | chgrp | Y | Y | Y |
| Change owner | CHOWN | chown | Y | Y | Y |
| Change permissions | CHPERM | chperm | Y | Y | Y |
| Create | CREATE | create | N/A | Y | Y |
| Create device (not used) | CREATEDEV | createdev | N/A | Y | Y |
| Create symbolic link | CREATESYM | createsym | Y | Y | Y |
| Delete file | DELETE | delete | N/A | Y | Y |
| Disable auditing | DISABLEAUDIT | N/A | Y | Y | N |
| Enable auditing | ENABLEAUDIT | N/A | Y | Y | N |
| Offload file to tiered storage | FILE_OFFLOAD | fileoffload or filetieroffloadevent | N/A | Y | Y |
| Recall file from tiered storage | FILE_RECALL | filerecall or filetierrecallevent | N/A | Y | Y |
| Scan offset ranges owned by given FID. Used in tiered operations to get owned offsets during offload and recall operations. | FILE_SCAN | filescan | N/A | Y | Y |
| Abort ongoing offload or recall of file | FILE_TIER_JOBABORT | filetierjobabort | N/A | Y | Y |
| Retrieve status for an existing file level tier job (offload/recall) | FILE_TIER_JOBSTATUS | filetierjobstatus | N/A | Y | Y |
| Audit event generated on file server while purging data during offload operation | FILE_TIER_OFFLOAD_EVENT | filetieroffloadevent | N/A | N | Y |
| Audit event generated on file server while recalling data during recall operation | FILE_TIER_RECALL_EVENT | filetierrecallevent | N/A | N | Y |
| Get attributes | GETATTR | geattr | N | N | Y |
| Get extended attributes | GETXATTR | getxattr | Y | Y | Y |
| Get the mode bits for files/directories accessed over NFS | GETPERM | getperm | Y | Y | Y |
| Create hardlink | HARDLINK | hardlink | Y | Y | Y |
| List extended attributes | LISTXATTR | listxattr | Y | Y | Y |
| Lookup | LOOKUP | lookup | Y | Y | Y |
| Create directory | MKDIR | mkdir | Y | N/A | Y |
| Read a file | READ | read | N/A | Y | Y |
| Read a directory | READDIR | readdir | Y | N/A | Y |
| Remove extended attributes | REMOVEXATTR | removexattr | Y | Y | Y |
| Rename | RENAME | rename | Y | Y | Y |
| Delete a directory | RMDIR | rmdir | Y | N/A | Y |
| Set attributes | SETATTR | setattr1 | Y | Y | Y |
| Set extended attributes | SETXATTR | setxattr | Y | Y | Y |
| Truncate a file | TRUNCATE | truncate | N/A | Y | Y |
| Write to a file | WRITE | write | N/A | Y | Y |
setattr automatically enables the
following operations:chownchgrpchperm
If you disable setattr, these operations are automatically
disabled. If you do nothing with setattr (neither enable nor
disable), you can enable or disable chown, chgrp, and
chperm in any combination.
Auditing of Operations on HPE Ezmeral Data Fabric Database Binary Tables and JSON Tables
The following operations on both types of HPE Ezmeral Data Fabric Database
tables are audited by default. Operations with Y in the
Selective Auditing Support column can be included or excluded from
auditing. Operations with N in the Selective Auditing
Support column are audited by default and cannot be excluded from auditing.
Use the name specified in the Operation Name to use for Selective Auditing
column when you run the maprcli
command to enable or disable auditing for that operation.
| Operation | Name in Audit Logs | Operation Name to use for Selective Auditing | Selective Auditing Support |
|---|---|---|---|
| Create a column family | DB_CFCREATE | tablecfcreate | Y |
| Modify a column family | DB_CFMODIFY | tablecfmodify | Y |
| Delete a column family | DB_CFREMOVE | tablecfdelete | Y |
| Scan a column | DB_CFSCAN | tablecfscan | Y |
| Get data | DB_GET | tableget | Y |
| Perform incremental bulk load | DB_IMPORTBUCKET | N/A | N |
| Perform full bulk load | DB_IMPORTSEGMENT | N/A | N |
| Put data | DB_PUT | tableput | Y |
| Compact a table region | DB_REGIONCOMPACT | N/A | N |
| Look up a region on the current node | DB_REGIONLOOKUP | N/A | N |
| Merge two consecutive regions | DB_REGIONMERGE | N/A | N |
| Split a region into two | DB_REGIONSPLIT | N/A | N |
| Configure a replica for a table | DB_REPLICAADD | N/A | N |
| Edit the replica for a table | DB_REPLICAEDIT | N/A | N |
| List the replicas for a table | DB_REPLICALIST | N/A | N |
| Remove a replica for a table | DB_REPLICAREMOVE | N/A | N |
| Scan a table | DB_SCAN | tablescan | Y |
| Create a table | DB_TABLECREATE | tablecreate | Y |
| View information about a table | DB_TABLEINFO | tableinfo | Y |
| Modify a table | DB_TABLEMODIFY | tablemodify | Y |
| Add an upstream source to a replica | DB_UPSTREAMADD | N/A | N |
| List all upstream sources for a replica | DB_UPSTREAMLIST | N/A | N |
| Remove an upstream source for a replica | DB_UPSTREAMREMOVE | N/A | N |
Auditing of Operations on HPE Ezmeral Data Fabric Streams
The following operations on HPE Ezmeral Data Fabric Streams are audited
by default. Operations with Y in the Selective Auditing
Support column can be included or excluded from auditing. Operations with
N in the Selective Auditing Support column are audited
by default and cannot be excluded from auditing. Use the name specified in the
Operation Name to use for Selective Auditing column when you run the
maprcli command to enable or disable auditing for that operation.
| Operation | Name in Audit Logs | Operation Name to use for Selective Auditing | Selective Auditing Support |
|---|---|---|---|
| Modify attributes or permissions of a stream | DB_CFMODIFY | tablecfmodify | Y |
| Produce messages to topics of a stream | DB_PUT | tableput | Y |
| Add a replica | DB_REPLICAADD | N/A | N |
| Edit a replica | DB_REPLICAEDIT | N/A | N |
| List the replicas for a stream | DB_REPLICALIST | N/A | N |
| Remove a replica | DB_REPLICAREMOVE | N/A | N |
| Consume messages from topics of a stream | DB_SCAN | tablescan | Y |
| Add an upstream source to a replica | DB_UPSTREAMADD | N/A | N |
| List all upstream sources for a replica | DB_UPSTREAMLIST | N/A | N |
| Remove an upstream source from a replica | DB_UPSTREAMREMOVE | N/A | N |