Requirements and limitations for file audit logging
Use this information to understand the requirements and limitations for installing file audit logging.
- RPM and package requirements
- Every node that is capable of hosting any combination of brokers, zookeepers, producers, and
consumers must have the following packages installed:
- GPFS™ Java™ (gpfs.java rpm/package)
- openssl and libssl-dev Linux libraries
- librdkafka (gpfs.librdkafka rpm/package)
- Kafka (gpfs.kafka rpm/package)
- OS and hardware requirements
- RHEL 7.x on x86, RHEL 7.x on Power8 Little Endian, or Ubuntu 16.04/16.04.01 on x86.
- Linux Kernel on all platforms must be greater than or equal to 31000123.
- Minimum of three Linux quorum nodes running on approved OS and hardware (zookeepers).
- Minimum of three nodes to act as message queue servers (brokers) running on approved OS and
hardware.Note: The nodes acting as zookeepers and brokers can be the same nodes (for example, a node acting as a zookeeper can also take on the broker role and vice versa).
- Message queue and broker nodes require 5 GB of local disk space (for the /opt/kafka directory) for every file system that is monitored by file audit logging. If this amount of space is not available, file audit logging enablement will fail. 10 GB of local disk space (for the /opt/kafka directory) is recommended and values lower than that will result in a warning when you enable a file system for file audit logging.
- Security requirements and limitations
- SELinux in enforcing mode is not supported. For more
information about support for SELinux in IBM Spectrum Scale™, see
the IBM Spectrum
Scale FAQ in IBM® Knowledge Center and the IBM Spectrum
Scale Wiki.
- Root authority is required to run mmmsgqueue and mmaudit.
- The following TCP ports must be open on all nodes in the cluster:
- 2181, 9092, and 9093 along with the range 2888:3888
- Sudo wrappers are not supported.
- Restrictions imposed by mixed environments and protocols
- Events generated on non-Linux nodes will not be audited.
- Events generated on SLES Linux nodes will not be audited.
- IBM Spectrum
Scale file audit logging has full support for
the following protocols (support for all other protocols should be considered limited):
- NFS ganesha
- SMB
- Native UNIX file access
- Multi-cluster environments are not supported. Remote mounts work, but access is not fully audited. Some error messages might be seen depending on which cluster file audit logging is enabled on.
- Events are not generated at or below the cesSharedRoot path.
- GPFS file system requirements and limitations
- File audit logging can be enabled only for file systems that have been created or upgraded to IBM Spectrum Scale 5.0.0 or later.
- Space provisioning must be considered to store the generated events in the .audit_log fileset.
- The .audit_log fileset is protected from tampering. It cannot be easily deleted to free up space in the file system. This is done by creating the fileset in the IAM noncompliant mode, which allows expiration dates to be set on the files containing the audit records within the fileset.
- Events are not generated for file system activity within the file audit logging fileset itself.
- GPFS and spectrumscale functional limitations
- The mmrestorefs command is not supported when restoring to a file system that contains a file audit Logging fileset.
- Conversion of a file audit logging fileset to AFM DR is not supported.
- Miscellaneous requirements
- File audit logging is available in the IBM Spectrum Scale Advanced Edition or IBM Spectrum Scale Data Management Edition only.