File audit logging events
Use this information to learn more about which I/O operations result in the ten events for file audit logging.
| Event name | Description | Examples |
|---|---|---|
| ACCESS_DENIED | A user was denied access to operate on a file. | open() with O_WRONLY where user has no write
permission. |
| ACLCHANGE* | A file's or directory's ACL permissions were modified. | mmputacl, chown, chgrp, chmod |
| CLOSE | A file was closed. | close(), cp, touch, echo,
policy MIGRATE rule. |
| CREATE* | A file or directory was created. | open(create flag), vi, ln,
dd, mkdir |
| GPFSATTRCHANGE* | A file's or directory's IBM Storage Scale attributes were changed. | mmchattr -i -e --indefinite-retention |
| OPEN | A file or directory was opened for reading, writing, or creation. | open(), mmlsattr, cat,
cksum, ls (only for directories), policy LIST rule |
| RENAME* | A file or directory was renamed. | rename(), mv |
| RMDIR* | A directory was removed. | rmdir(), rm, rmdir |
| UNLINK* | A file or directory was unlinked from its parent directory. When the linkcount = 0, the file is deleted. | unlink(), rm
hardlink/softlink |
| XATTRCHANGE* | A file's or directory's extended attributes were changed. | mmchattr --set-attr --delete-attr |
Note: The * shows that these events are not applicable to a file system
mounted as read-only.
For more information, see JSON reporting issues in file audit logging.