Requirements, limitations, and support for file audit logging

Use this information to understand requirements, limitations, and support for installing file audit logging.

RPM and package requirements
Every node that can host any combination of brokers, ZooKeepers, producers, and consumers requires the following packages to be installed:
  • GPFS Java™ (gpfs.java rpm/package)
  • For RHEL, the librdkafka package requires the openssl-devel and cyrus-sasl-devel packages.
  • For Ubuntu, the librdkafka package requires the libssl-dev and libsasl2-dev packages.
  • librdkafka (gpfs.librdkafka rpm/package)
  • Kafka (gpfs.kafka rpm/package)
OS and hardware requirements
Note: Not all of these requirements apply to the support of remotely mounted file systems.
  • RHEL 7.x on x86, Power8 Little Endian, and Linux® on IBM® Z; Ubuntu 16.04 or 18.04 on x86 and Linux on IBM Z.
  • The Linux kernel on all platforms must be at least the RHEL 7.0 level, 3.10.0-123.
  • Minimum of three Linux quorum nodes running on approved OS and hardware (ZooKeepers).
  • Minimum of three nodes to act as message queue servers (brokers) running on approved OS and hardware.
    Note: The nodes acting as ZooKeepers and brokers can be the same nodes (for example, a node acting as a ZooKeeper can also take on the broker role and vice versa).
  • As part of the performance improvements that came with file audit logging in the 5.0.2 release, new local disk space requirements have been introduced. There is now a 20 GB local disk space requirement (40 GB of local disk space is recommended) for all file systems enabled for file audit logging. Requiring more local disk space on the message queue (broker) nodes allows more parallelism and better performance for file audit logging.
    • When you enable file audit logging with the mmaudit command, it might suggest enabling file audit logging in degraded mode if at least 10 GB, but not the required 20 GB, of local disk space is available on all message queue (broker) nodes. Enabling file audit logging on a file system with the --degraded flag gives up some of the parallelism that was added to improve performance. If local disk space on the message queue (broker) nodes is at a premium and the file system enabled for file audit logging will not have a high amount of activity, this is a potential option. You can always switch back to the increased amount of parallelism once local disk space is freed up on the message queue (broker) nodes, by disabling file audit logging and then re-enabling it for the file system that was previously enabled with the degraded option. For more information about the --degraded option, see mmaudit command.
Security requirements and limitations
  • Root authority is required to run mmmsgqueue and mmaudit.
  • The following TCP ports must be open on all nodes in the cluster:
    • 2181, 9092, and 9093 along with the range 2888:3888
  • If the message queue is disabled and then enabled again, a new set of passwords is generated for use between the message queue servers, producers, and consumers. While the producer is fetching the new password during the first I/O on the given node, some file system activity might not be audited for a small window of time.
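A preflight script covering the package, kernel, local disk space and TCP port requirements from the three sections above, added here as an example and not part of IBM's tooling. It assumes RHEL package names, that the broker's local data lives under /var, and that firewalld manages the ports; the df, uname, rpm and firewall-cmd calls are only used by fal_preflight.

```shell
# Added preflight helper, not IBM tooling: checks one candidate message queue (broker)
# node against this page's requirements. Thresholds, ports and package names come from
# the page; the df/uname/rpm/firewall-cmd calls in fal_preflight are assumptions.
FAL_PACKAGES="gpfs.java gpfs.librdkafka gpfs.kafka openssl-devel cyrus-sasl-devel"  # RHEL names
FAL_MIN_KERNEL="3.10.0-123"
FAL_PORTS="2181 9092 9093 2888 3888"   # 2888 and 3888 bound the range the page lists

# Classify free local disk space (GB) against the 40/20/10 GB thresholds:
# recommended, ok, degraded (enable with mmaudit --degraded) or insufficient.
fal_space_mode() {
    if [ "$1" -ge 40 ]; then echo recommended; elif [ "$1" -ge 20 ]; then echo ok
    elif [ "$1" -ge 10 ]; then echo degraded; else echo insufficient; fi
}

# Succeed if kernel release $1 (e.g. 3.10.0-957.el7.x86_64) is at least 3.10.0-123.
fal_kernel_ok() {
    base=${1%%.el*}   # drop the distro/arch suffix; compare version-release only
    [ "$(printf '%s\n%s\n' "$FAL_MIN_KERNEL" "$base" | sort -V | head -n 1)" = "$FAL_MIN_KERNEL" ]
}

# Print the required packages absent from the installed list $1 (one name per line).
fal_missing_packages() {
    for pkg in $FAL_PACKAGES; do
        printf '%s\n' "$1" | grep -qx "$pkg" || echo "$pkg"
    done
}

# Print required TCP ports not covered by the firewall port list $1, whose entries look
# like "2181/tcp" or "2888-3888/tcp" (the format printed by firewall-cmd --list-ports).
fal_missing_ports() {
    for port in $FAL_PORTS; do
        covered=1
        for entry in $1; do
            case $entry in
                "$port/tcp") covered=0 ;;
                *-*/tcp) lo=${entry%%-*}; hi=${entry#*-}; hi=${hi%/tcp}
                         if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then covered=0; fi ;;
            esac
        done
        [ "$covered" -eq 0 ] || echo "$port"
    done
}

# Run every check on this node (assumes the broker's local data lives under /var).
fal_preflight() {
    echo "disk: $(fal_space_mode "$(df -BG --output=avail /var | tail -n 1 | tr -dc 0-9)")"
    fal_kernel_ok "$(uname -r)" && echo "kernel: ok" || echo "kernel: too old ($(uname -r))"
    echo "packages missing: $(fal_missing_packages "$(rpm -qa --queryformat '%{NAME}\n')" | tr '\n' ' ')"
    echo "ports missing: $(fal_missing_ports "$(firewall-cmd --list-ports)" | tr '\n' ' ')"
}
```

Run `fal_preflight` as root on each candidate broker node; a "degraded" disk result means mmaudit will only offer the --degraded mode until space is freed.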
Restrictions imposed by mixed environments and protocols
  • Events generated on non-Linux nodes will not be audited.
  • Events generated on SLES Linux nodes will not be audited.
  • IBM Spectrum Scale file audit logging has full support for the following protocols (support for all other protocols should be considered limited):
    • NFS Ganesha
    • SMB
    • Native UNIX file access
  • Events are not generated at or below the cesSharedRoot path.
File audit logging attributes availability and limitations
GPFS file system requirements and limitations
  • File audit logging can be enabled only for file systems that have been created or upgraded to IBM Spectrum Scale 5.0.0 or later.
  • Space provisioning must be considered to store the generated events in the .audit_log fileset.
  • The .audit_log fileset is protected from tampering. It cannot be easily deleted to free up space in the file system. This is done by creating the fileset in the IAM noncompliant mode, which allows expiration dates to be set on the files containing the audit records within the fileset.
  • Events are not generated for file system activity within the file audit logging fileset itself.
  • There is a limit of 20 filesets that can be specified for the --filesets option and the --skip-filesets option.
GPFS and spectrumscale functional limitations
  • The mmrestorefs command is not supported when restoring to a file system that contains a file audit logging fileset.
  • Conversion of a file audit logging fileset to AFM DR is not supported.
Miscellaneous requirements, limitations, recommendations, and support statements
  • File audit logging is available in IBM Spectrum Scale Advanced Edition, IBM Spectrum Scale Data Management Edition, IBM Spectrum Scale Developer Edition, or IBM Spectrum Scale Erasure Code Edition.
  • File audit logging is supported in SELinux enforcing, permissive, and disabled modes. When file audit logging is run in enforcing mode, an extra attribute-related event is generated because of the SELinux labeling of files.
  • File audit logging is not supported in a stretch cluster environment.