The file audit logging fileset
The audited events are logged in an independent file audit logging fileset.
The user can also supply a previously created fileset if it is already in IAM mode noncompliant (or IAM mode compliant if the --compliant flag is given). Using IAM mode noncompliant or compliant is a requirement so that audit logs are not altered accidentally. This requirement also allows a retention period to be set on the files within the audit fileset. By default, the file audit logging fileset is IAM mode noncompliant, so the root user can change the expiration date on files and then delete them if needed to free up space. If file audit logging is enabled with the optional --compliant flag, then not even the root user can change the expiration date on files within the audit fileset. In that case, no files can be deleted before the expiration date. This previously created fileset must also be linked directly from the root mount point: <FS_Mount_Point>/<Fileset_Name>. The user specifies this fileset during enablement by using the --log-fileset option on the mmaudit command.
File audit logging records for a file system are arranged in the following manner:
<FS_Mount_Point>/<Fileset_Name>/Topic/Year/Month/Day
- FS_Mount_Point: The default mount point of the device being audited is designated to hold the file audit logging destination fileset.
- Fileset_Name: The fileset name indicates the file audit logging destination fileset. If no other fileset name is given, then the default is .audit_log.
- Topic: The topic that is associated with the file system that is being audited. It consists of the following structure:
<Device_Minor Number>_<Cluster_ID>_<Generation_Number>_audit
- Year/Month/Day: Details when the individual file that is being written was first created.
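The layout above is what a log collector has to decode before it can route audit records by file system and day. The following parser is an added example, not IBM code: it splits a path into mount point, fileset, topic fields and date, and rejects anything outside the fileset. It assumes the three topic fields are decimal integers; the sample path and file name are constructed.

```python
import os
import re
from dataclasses import dataclass

# Topic layout from the page: <Device_Minor Number>_<Cluster_ID>_<Generation_Number>_audit.
# Treating each field as a decimal integer is an assumption of this example.
TOPIC_RE = re.compile(r"^(?P<minor>\d+)_(?P<cluster>\d+)_(?P<gen>\d+)_audit$")


@dataclass(frozen=True)
class AuditLogPath:
    fileset: str
    device_minor: int
    cluster_id: int
    generation: int
    year: int
    month: int
    day: int
    filename: str


def parse_audit_path(path, mount_point, fileset=".audit_log"):
    """Decompose <mount>/<fileset>/Topic/Year/Month/Day/<file> into fields.

    Raises ValueError for anything outside that layout so a collector does
    not ingest stray files (or a traversal path) as audit records.
    """
    base = os.path.normpath(os.path.join(mount_point, fileset))
    norm = os.path.normpath(path)  # collapses "..", so traversal is caught below
    if os.path.commonpath([norm, base]) != base:
        raise ValueError(f"{path!r} is not inside the audit fileset {base!r}")
    parts = os.path.relpath(norm, base).split(os.sep)
    if len(parts) != 5:
        raise ValueError(f"expected Topic/Year/Month/Day/file below {base!r}, got {parts!r}")
    topic, year, month, day, filename = parts
    m = TOPIC_RE.match(topic)
    if not m:
        raise ValueError(f"topic {topic!r} is not <minor>_<cluster>_<generation>_audit")
    y, mo, d = int(year), int(month), int(day)
    if not (1 <= mo <= 12 and 1 <= d <= 31):
        raise ValueError(f"bad date directory {year}/{month}/{day}")
    return AuditLogPath(fileset, int(m["minor"]), int(m["cluster"]), int(m["gen"]),
                        y, mo, d, filename)


def is_audit_path(path, mount_point, fileset=".audit_log"):
    """Boolean form of parse_audit_path, handy when filtering a directory walk."""
    try:
        parse_audit_path(path, mount_point, fileset)
        return True
    except ValueError:
        return False
```

Pass the fileset name given to --log-fileset as the third argument when the default .audit_log was not used.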