File audit logging events
Use this information to learn more about which I/O operations result in the 11 events for file audit logging.
| Event name | Description | Examples |
|---|---|---|
| ACCESS_DENIED | A user was denied access to operate on a file. | open() with O_WRONLY where user has no write
permission. |
| ACLCHANGE* | A file's or directory's ACL permissions were modified. | mmputacl, chown, chgrp, chmod |
| CLOSEWRITE* | A file was opened for writing and then closed. | cp, echo, write(), close() |
| CLOSE | A file was closed. | close(), touch,
policy MIGRATE rule. |
| CREATE* | A file or directory was created. | open(create flag), vi, ln,
dd, mkdir |
| GPFSATTRCHANGE* | A file's or directory's IBM Storage Scale attributes were changed. | mmchattr -i -e --indefinite-retention |
| OPEN | A file or directory was opened for reading, writing, or creation. | open(), mmlsattr, cat,
cksum, ls (only for directories), policy LIST rule |
| RENAME* | A file or directory was renamed. | rename(), mv |
| RMDIR* | A directory was removed. | rmdir(), rm, rmdir |
| UNLINK* | A file or directory was unlinked from its parent directory. When the linkcount = 0, the file is deleted. | unlink(), rm
hardlink/softlink |
| XATTRCHANGE* | A file's or directory's extended attributes were changed. | mmchattr --set-attr --delete-attr |
| * These events are not applicable to a file system mounted as read-only. | ||
Note: If a file is opened for write and only the
CLOSE event is enabled, only a
CLOSE event is reported. If both CLOSEWRITE and
CLOSE are enabled, both events are recorded as appropriate.For more information, see JSON reporting issues in file audit logging.