Requirements, limitations, and support for file audit logging
Use this information to understand requirements, limitations, and support for installing file audit logging.
- OS requirements
  - File audit logging is supported on all Linux® OS versions supported by IBM Storage Scale. For more information, refer to the IBM Storage Scale FAQ in IBM® Documentation.
- Security requirements and limitations
  - Root authority is required to run mmaudit.
- Restrictions imposed by mixed environments and protocols
  - Events generated on non-Linux nodes are not audited.
  - IBM Storage Scale file audit logging has full support for the following protocols (support for all other protocols must be considered limited):
    - NFS Ganesha
    - SMB
    - Native UNIX file access
  - Events are not generated at or below the cesSharedRoot path.
- File audit logging attributes availability and limitations
  - For more information about the availability and limitations of the file audit logging attributes, see the JSON attributes in file audit logging topic.
  - File audit logging in AFM supports only the following scenarios:
    - File audit logging is enabled on the home and cache clusters, but each cluster uses a file audit logging fileset that is local to the cluster and is not an AFM fileset. That is, the file audit logging fileset of the home cluster is a local fileset on the home cluster, and the file audit logging fileset of the cache cluster is a local fileset on the cache cluster. In this scenario, the AFM fileset events on the home or cache cluster appear in both the home file audit logging fileset and the cache file audit logging fileset. Also, when the mmdiag --eventproducer command is issued, the AFM fileset events appear on both clusters.
    - The audit logging fileset of the home cluster is AFM enabled and exported to the cache cluster in read-only mode. In this scenario, file audit events on the home cluster within the same AFM-enabled file audit logging fileset appear on both the home and the cache cluster. When the mmdiag --eventproducer command is issued, the file audit events appear only on the home cluster.
  - Specifying an AFM fileset as a file audit logging fileset for the cache cluster is not supported.
- GPFS file system requirements and limitations
  - File audit logging can be enabled only for file systems that are created with, or upgraded to, IBM Storage Scale 5.0.0 or later.
  - Space provisioning must be considered to store the generated events in the .audit_log fileset.
  - The .audit_log fileset is protected from tampering and cannot be easily deleted to free up space in the file system. This is achieved by creating the fileset in IAM noncompliant mode (the default) or compliant mode, which allows expiration dates to be set on the files containing the audit records within the fileset. If the fileset is created in IAM noncompliant mode, the root user can change the expiration date to the current date so that audit files can be removed to free up disk space. If the fileset is created in IAM compliant mode (by using the --compliant option), not even the root user can change the expiration dates of the audit logging files, and they cannot be removed until the expiration date is reached.
  - Events are not generated for file system activity within the file audit logging fileset itself.
  - There is a limit of 20 filesets for a file system prior to 5.1.3 (file system version 27.0).
- GPFS and spectrumscale functional limitations
  - Conversion of a file audit logging fileset to AFM DR is not supported.
  - When file audit logging or clustered watch folder is enabled on a file system, changing the file system name or deleting the file system is not allowed. To change the file system name or delete the file system, file audit logging and clustered watch folder must first be disabled.
- Miscellaneous requirements, limitations, recommendations, and support statements
  - File audit logging is available in IBM Storage Scale Advanced Edition, IBM Storage Scale Data Management Edition, IBM Storage Scale Developer Edition, and IBM Storage Scale Erasure Code Edition.
  - File audit logging is supported in SELinux enforcing, permissive, and disabled modes. When file audit logging is run in enforcing mode, an extra attribute-related event is generated because of the SELinux labeling of files.
  - File audit logging uses buffered IO. When a file system operation generates an event, the event is appended to an in-memory buffer rather than written directly to disk. Therefore, a file system operation returning successfully does not guarantee that the operation is recorded in the audit log. For example, if the node goes down after an operation completes but before the buffered IO is written to disk, that operation is never written to the audit log. Another example is when the in-memory buffers that hold events before they are written to disk become full. Rather than throttle the file system while waiting for buffer space to free up, file audit logging tries for a short period to find available buffer space and then drops the event.
  - The Kafka message queue is not supported for file audit logging in IBM Storage Scale 5.1.1 or later.
  - The mmrestorefs command does not restore files that are located in the .audit_log fileset or the configuration fileset. The current configuration is not overwritten, and audit records are neither removed nor restored.
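The buffered-IO behaviour described above, as an added illustrative model that is not IBM Storage Scale code: a bounded buffer that waits briefly for space and then drops the event rather than throttling the caller, with the drop count and the not-yet-flushed count that a defender would want to monitor. Class and function names, the capacity, and the event records are all constructed for the example.

```python
"""Constructed model of the buffered audit-event path described above.
This is illustrative code, not IBM Storage Scale's implementation."""
import queue
import threading


class AuditEventBuffer:
    """Bounded in-memory buffer between the file system and the audit log."""

    def __init__(self, capacity: int, max_wait_s: float):
        self._q = queue.Queue(maxsize=capacity)
        self._lock = threading.Lock()
        self.max_wait_s = max_wait_s
        self.dropped = 0          # events discarded because the buffer stayed full
        self.persisted = []       # events that reached the simulated disk

    def append(self, event: dict) -> bool:
        """Called after the file operation has already returned success.
        Waits briefly for space, then drops rather than throttling the caller."""
        try:
            self._q.put(event, timeout=self.max_wait_s)
            return True
        except queue.Full:
            with self._lock:
                self.dropped += 1
            return False

    def at_risk(self) -> int:
        """Events buffered but not yet written; lost if the node goes down now."""
        return self._q.qsize()

    def flush(self) -> int:
        """Simulated write of all buffered events to the audit log."""
        n = 0
        while True:
            try:
                self.persisted.append(self._q.get_nowait())
            except queue.Empty:
                return n
            n += 1


def simulate(capacity: int = 4, operations: int = 10) -> dict:
    """Run a burst of successful file operations with no flush in between."""
    buf = AuditEventBuffer(capacity=capacity, max_wait_s=0.01)
    buffered = sum(buf.append({"event": "OPEN", "seq": i}) for i in range(operations))
    unflushed = buf.at_risk()
    written = buf.flush()
    return {"operations": operations, "buffered": buffered, "dropped": buf.dropped,
            "at_risk_before_flush": unflushed, "persisted": written}
```

Every one of the ten operations succeeded from the caller's point of view, yet only the first four can ever appear in the log, which is the gap the buffered-IO caveat warns about.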