mmaudit command

Manages setting and viewing the file audit logging configuration in IBM Storage Scale.

Synopsis

mmaudit Device enable [--log-fileset FilesetName ] 
                      [--retention Days] [--events {Event[,Event...] | ALL}] 
                      [--compliant]
                      [--filesets {Fileset[,Fileset...]|ListFilePath}| 
                      --skip-filesets {Fileset[,Fileset...]|ListFilePath}] [-q]

or

mmaudit Device disable [-q]

or

mmaudit Device update 
           {--events {Event[,Event...]|ALL}|
            --enable-filesets {Fileset[,Fileset...]|ListFilePath}| 
            --disable-filesets {Fileset[,Fileset...]|ListFilePath}} [-q]

or

mmaudit Device list [--events] [-Y]

or

mmaudit all list [--events] [-Y]

or

mmaudit all producerRestart -N { NodeName[,NodeName...] | NodeFile | NodeClass } [-q]

Availability

Available with IBM Storage Scale Advanced Edition, IBM Storage Scale Data Management Edition, IBM Storage Scale Developer Edition, or IBM Storage Scale Erasure Code Edition. Available on Linux® x86 and Linux PPC LE.

Description

Enables, disables, and lists configuration data for file audit logging in a specified file system. Lists all file audit logging enabled file systems in the cluster. Command messages are written to the /var/adm/ras/mmaudit.log file. The audit records are stored in the audit log fileset in a /Device/.audit_log/audit_topic/Year/Month/Day directory structure. The audit log files are named auditLogFile_hostname_date_time. The audit log files are rotated and compressed, and a retention date is set on them.
Note: When file audit logging is enabled on a file system, a fileset is created in the file system that is being audited. This fileset contains the audit logging files that contain the audit events. By default, this fileset is created as IAM mode noncompliant, but it can be created as IAM mode compliant if file audit logging is enabled with the --compliant option. In either IAM mode, expiration dates are set for all files within the audit fileset. If the fileset is created in IAM mode noncompliant (the default), then the root user can change the expiration date to the current date so that audit files can be removed to free up disk space. If the fileset is created in IAM mode compliant (because of the use of the --compliant option), not even the root user can change the expiration dates of the audit logging files and they cannot be removed until the expiration date.

Parameters

Device
Specifies the device name of the file system upon which the audit log configuration change or listing is to occur.
all
Specifies that the command is executed against all devices configured for file audit logging. Currently, the only supported sub-command is list.
enable
Enables file audit logging for the given device. Enablement entails setting up configuration and putting the audit policies in place.
--log-fileset
Specifies the fileset name where the audit log records for the file system will be held. The default is .audit_log.
--retention Days
Specifies the number of days to set the expiration date on all audit log record files when they are created. The default is 365 days.
--events
Specifies the list of events that will be audited. For more information about the events that are supported, see File audit logging events. The default is ALL.
--compliant
Specifies that the file audit logging fileset that is created to hold the file audit logging files will be IAM mode compliant. The default is noncompliant. In compliant mode, not even the root user can change the expiration dates of the file audit logging files to the past to free up space.
--filesets {Fileset[,Fileset...] | ListFilePath}
Specifies one or more filesets within the file system to audit. The fileset list can be specified on the command line or by the pathname to a file containing a list of filesets where each fileset name is listed on a single line followed by newline. File system activity is only audited within these filesets and no other areas of the file system.
--skip-filesets {Fileset[,Fileset...] | ListFilePath}
Specifies one or more filesets within the file system not to audit. The fileset list can be specified on the command line or by the pathname to a file containing a list of filesets not to audit, where each fileset name is listed on a single line followed by a newline. Audit events are generated for all file system activity except activity within this list of filesets.
Note:

There is a limit of 20 filesets for file systems prior to 5.1.3 (file system version 27.0).

ListFilePath can be an absolute or relative path to a file (for example, /root/ListOfFilesets.txt, ./ListOfFilesets.txt or ../ListofFilesets.txt).

ListFilePath must be a plain text file containing one or more fileset names, one per line.

disable
Disables file audit logging for the given device. Disablement removes audit policies and audit configurations that are specific to the device. Existing file audit records are changed to immutable and the retention period remains.
update

The --events { Event[,Event...] | ALL } option updates the list of events. The new event list will replace the existing set of events. The --events option cannot be specified with the --enable-filesets or --disable-filesets option.

The --enable-filesets {Fileset[,Fileset...] | ListFilePath} option will update the list of filesets that will be audited within the file system. The list is added to the list specified during enable. The fileset list can be specified on the command line or by the pathname to a file containing a list of filesets where each fileset name is listed on a single line followed by newline. The --enable-filesets option cannot be specified with the --events or --disable-filesets option.

The --disable-filesets {Fileset[,Fileset...] | ListFilePath} option will update the list of filesets that will not be under audit. The new list is added to the list of skipped filesets defined during the initial enable. The fileset list can be specified on the command line or by the pathname to a file containing a list of filesets where each fileset name is listed on a single line followed by newline. The --disable-filesets option cannot be specified with the --events or --enable-filesets option.

list [--events] [-Y]
Displays the file audit logging configuration information for the given device. The all option displays the file audit logging configuration information for all devices enabled for file audit logging. The --events option displays the device minor number, audit generation number, and a list of events that are being audited. The -Y option provides output in machine-readable (colon-delimited) format.
producerRestart -N { NodeName[,NodeName...] | NodeFile | NodeClass }
Restarts the producers for all file systems under audit on the nodes specified by the -N option. The -N option supports a comma-separated list of nodes, a full path name to a file containing node names, or a predefined node class.
Note: Issuing this command causes the event producers for clustered watch folder to be restarted as well.
-q
Suppresses all [I] informational messages.

Exit status

0
Successful completion.
nonzero
A failure has occurred. Errors are written to /var/adm/ras/mmaudit.log and /var/log/messages.

Security

You must have root authority to run the mmaudit command.

The node on which the command is issued must be able to execute remote shell commands on any other node in the cluster without the use of a password and without producing any extraneous messages.

Examples

  1. To enable a file system with the default settings, issue the following command:
    
    # mmaudit watch1 enable
    [I] Successfully verified File Audit Logging type set to: FSYS
    [I] Successfully updated File Audit Logging configuration for device: watch1
    [I] Successfully checked or created File Audit Logging global catchall and config fileset skip partitions for device: watch1
    [I] Successfully created/linked File Audit Logging audit fileset .audit_log with link point /watch1/.audit_log
    [I] Successfully created File Audit Logging policy partition(s) to audit device: watch1
    [I] Successfully enabled File Audit Logging for device: watch1
  2. To enable a file system for a specific set of events, issue the following command:
    
    # mmaudit watch1 enable --events OPEN,CLOSE
    [I] Successfully verified File Audit Logging type set to: FSYS
    [I] Successfully updated File Audit Logging configuration for device: watch1
    [I] Successfully checked or created File Audit Logging global catchall and config fileset skip partitions for device: watch1
    [I] Successfully created/linked File Audit Logging audit fileset .audit_log with link point /watch1/.audit_log
    [I] Successfully created File Audit Logging policy partition(s) to audit device: watch1
    [I] Successfully enabled File Audit Logging for device: watch1
  3. To enable a file system with a different retention period, issue the following command:
    
    # mmaudit watch1 enable --retention 90
    [I] Successfully verified File Audit Logging type set to: FSYS
    [I] Successfully updated File Audit Logging configuration for device: watch1
    [I] Successfully checked or created File Audit Logging global catchall and config fileset skip partitions for device: watch1
    [I] Successfully created/linked File Audit Logging audit fileset .audit_log with link point /watch1/.audit_log
    [I] Successfully created File Audit Logging policy partition(s) to audit device: watch1
    [I] Successfully enabled File Audit Logging for device: watch1
  4. To specify one or more filesets to audit, issue the following command:
    # mmaudit watch1 enable --log-fileset auditFset --retention 25 --filesets dep1,dep2,ind1,ind2
    [I] Successfully verified filesets for File Audit Logging type: FILESET
    [I] Successfully updated File Audit Logging configuration for device: watch1
    [I] Successfully checked or created File Audit Logging global catchall and config fileset skip partitions for device: watch1
    [I] Successfully created/linked File Audit Logging audit fileset auditFset with link point /watch1/auditFset
    [I] Successfully created File Audit Logging policy partition(s) to audit device: watch1
    [I] Successfully enabled File Audit Logging for device: watch1
  5. To disable a file system that was previously enabled, issue the following command:
    
    # mmaudit watch1 disable
    [I] Successfully deleted File Audit Logging policy partition(s) for device: watch1
    [I] Successfully updated File Audit Logging configuration for device: watch1
    [I] Successfully checked or removed File Audit Logging global catchall and config fileset skip partitions for device: watch1
    [I] Successfully disabled File Audit Logging for device: watch1
  6. To update the list of events that are being audited for a specific file system to available events, issue the following command:
    # mmaudit fs3 update --events ALL
    [I] Successfully updated the File Audit Logging policies for device fs3
  7. To see which compliance type the file audit logging fileset is configured with, issue the following command:
    # mmaudit all list -Y
    mmaudit::HEADER:version:RESERVED:RESERVED:complianceType:auditDeviceName:clusterID:auditFilesetDeviceName:auditFilesetName:auditRetention:topicGenNum:eventTypes:partitionMultiplier:auditType:filesets:
    mmaudit:::3:::compliant:fs1:6666561368407265810:fs1:compliant:365:54:ACLCHANGE,CLOSE,CREATE,GPFSATTRCHANGE,OPEN,RENAME,RMDIR,UNLINK,XATTRCHANGE:2:FSYS::
  8. To see which file systems are currently configured for file audit logging, issue the following command:
    # mmaudit all list
    Audit              Cluster              Audit Fileset      Retention  Audit Type          
    Device             ID                   Name               (Days)     (Possible Filesets)
    ------------------------------------------------------------------------------------------
    fs0                11430652110915196903 john1              25         FILESET            
                                                                          dep1,dep2,ind1,ind2
    fs1                11430652110915196903 john2              75         SKIPFILESET        
                                                                          dep1,dep2,ind1,ind2
    fs2                11430652110915196903 john3              25         FSYS   
  9. To see which events are currently enabled for a file system, issue the following command:
    # mmaudit fs3 list --events
    
    Audit       Device    Audit     Event    
    Device      Minor     Gen       Types    
    -----------------------------------------------------------------------------------------
    fs3         152       7         CLOSE,OPEN
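
The colon-delimited -Y output from example 7 can be checked against a local audit baseline. The script below is an added example, not part of the IBM documentation: the function names, the retention threshold, the required-event list, and the fs0 record (including its noncompliant value) are assumptions constructed for illustration. It finds columns by the names in the HEADER line instead of by fixed position.

```shell
#!/bin/sh
# Added example: audit-posture check over `mmaudit all list -Y` output.
# Thresholds are local-policy assumptions, not values mandated by the product.
MIN_RETENTION=${MIN_RETENTION:-365}
REQUIRED_EVENTS=${REQUIRED_EVENTS:-OPEN,CLOSE,UNLINK,ACLCHANGE}

# Reads -Y output on stdin; prints one "device:finding" line per gap.
fal_findings() {
    awk -F: -v min="$MIN_RETENTION" -v req="$REQUIRED_EVENTS" '
    $3 == "HEADER" {                      # learn column positions by name
        for (i = 1; i <= NF; i++) col[$i] = i
        next
    }
    $1 == "mmaudit" && ("auditDeviceName" in col) {
        dev = $(col["auditDeviceName"])
        # Noncompliant IAM mode lets root move expiration dates and delete logs.
        if ($(col["complianceType"]) != "compliant")
            print dev ":fileset-not-compliant"
        ret = $(col["auditRetention"])
        if (ret + 0 < min + 0)
            print dev ":retention-" ret "-below-" min
        # FILESET and SKIPFILESET mean part of the file system is unaudited.
        if ($(col["auditType"]) != "FSYS")
            print dev ":partial-coverage-" $(col["auditType"])
        split("", seen)                   # portable array reset
        split($(col["eventTypes"]), have, ",")
        for (k in have) seen[have[k]] = 1
        n = split(req, want, ",")
        for (j = 1; j <= n; j++)
            if (!(want[j] in seen)) print dev ":missing-event-" want[j]
    }'
}

# Constructed sample: header and fs1 record follow example 7; fs0 is invented.
sample_mmaudit_y() {
    cat <<'EOF'
mmaudit::HEADER:version:RESERVED:RESERVED:complianceType:auditDeviceName:clusterID:auditFilesetDeviceName:auditFilesetName:auditRetention:topicGenNum:eventTypes:partitionMultiplier:auditType:filesets:
mmaudit:::3:::compliant:fs1:6666561368407265810:fs1:compliant:365:54:ACLCHANGE,CLOSE,CREATE,GPFSATTRCHANGE,OPEN,RENAME,RMDIR,UNLINK,XATTRCHANGE:2:FSYS::
mmaudit:::3:::noncompliant:fs0:6666561368407265810:fs0:auditFset:25:7:CLOSE,OPEN:2:FILESET:dep1,dep2:
EOF
}

# On a cluster node: mmaudit all list -Y | fal_findings
sample_mmaudit_y | fal_findings
```

An empty result means every audited file system meets the baseline; any output line is a gap to review.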

Location

/usr/lpp/mmfs/bin