File audit logging events
Use this information to learn more about which I/O operations result in the ten events for file audit logging.
Event name | Description | Examples |
---|---|---|
ACCESS_DENIED | A user was denied access to operate on a file. | open() with O_WRONLY where user has no write
permission. |
ACLCHANGE* | A file's or directory's ACL permissions were modified. | mmputacl, chown, chgrp, chmod |
CLOSE | A file was closed. | close(), cp, touch, echo,
policy MIGRATE rule. |
CREATE* | A file or directory was created. | open(create flag) , vi , ln ,
dd , mkdir |
GPFSATTRCHANGE* | A file's or directory's IBM Storage Scale attributes were changed. | mmchattr -i -e --indefinite-retention |
OPEN | A file or directory was opened for reading, writing, or creation. | open() , mmlsattr , cat ,
cksum , ls (only for directories), policy LIST rule |
RENAME* | A file or directory was renamed. | rename() , mv |
RMDIR* | A directory was removed. | rmdir() , rm , rmdir |
UNLINK* | A file or directory was unlinked from its parent directory. When the linkcount = 0, the file is deleted. | unlink() , rm
hardlink/softlink |
XATTRCHANGE* | A file's or directory's extended attributes were changed. | mmchattr --set-attr --delete-attr |
Note: The * shows that these events are not applicable to a file system
mounted as read-only.
For more information, see JSON reporting issues in file audit logging.