Audit messages for cluster configuration changes

As an aid to troubleshooting and to improve cluster security, IBM Spectrum Scale™ can send an audit message to syslog and the GPFS™ log whenever a GPFS command changes the configuration of the cluster.

You can use the features of syslog to mine, process, or redirect the audit messages.

Restriction: Audit messages are not available on Windows operating systems.

Configuring syslog

On Linux operating systems, syslog typically is enabled by default. On AIX®, syslog must be set up and configured. Check your operating system and its documentation for details.

Configuring audit messages

By default, audit messages are enabled and messages are sent to syslog but not to the GPFS log. You can control audit messages with the commandAudit attribute of the mmchconfig command. For more information, see mmchconfig command.

Audit messages are not affected by the systemLogLevel attribute of the mmchconfig command.

If audit logs are enabled, the GUI receives the updates on configuration changes that you made through CLI and updates its configuration cache to reflect the changes in the GUI. You can also disable audit logging with the mmchconfig command. If the audit logs are disabled, the GUI does not show the configuration changes immediately and might be as much as an hour late in reflecting configuration changes that are made through the CLI .

Message format

For security, the text of sensitive information such as a password is replaced with asterisks (*) in the audit message.

Audit messages are sent to syslog with an identity of mmfs, a facility code of user, and a severity level of informational.

The format of the message depends on the source of the GPFS command:

Messages about GPFS commands that are entered at the command line have the following format:
```
CLI user_name user_name [AUDIT_TYPE1,AUDIT_TYPE2] 'command' RC=return_code
```
where:
CLI

The source of the command. Indicates that the command was entered from the command line.

user_name user_name

The name of the user who entered the command, such as root. The same name appears twice.

AUDIT_TYPE1

The point in the command when the message was sent to syslog. Always EXIT.

AUDIT_TYPE2

The action taken by the command. Always CHANGE.

command

The text of the command.

return_code

The return code of the GPFS command.
Messages about GPFS commands that are issued by GUI commands have a similar format:
```
GUI-CLI user_name GUI_user_name [AUDIT_TYPE1,AUDIT_TYPE2] 'command' RC=return_code
```
where:
GUI-CLI

The source of the command. Indicates that the command was called by a GUI command.

user_name

The name of the user, such as root.

GUI_user_name

The name of the user who logged on to the GUI.

The remaining fields are the same as in the CLI message.

The following lines are examples from a syslog:

Apr 24 13:56:26 c12c3apv12 mmfs[63655]: CLI root root [EXIT, CHANGE] 'mmchconfig autoload=yes' RC=0
Apr 24 13:58:42 c12c3apv12 mmfs[65315]: CLI root root [EXIT, CHANGE] 'mmchconfig deadlockBreakupDelay=300' RC=0
Apr 24 14:04:47 c12c3apv12 mmfs[67384]: CLI root root [EXIT, CHANGE] 'mmchconfig FIPS1402mode=no' RC=0

The following lines are examples from a syslog where GUI is the originator:

Apr 24 13:56:26 c12c3apv12 mmfs[63655]: GUI-CLI root admin [EXIT, CHANGE] 'mmchconfig autoload=yes' RC=0

Commands

The product sends audit messages to syslog for the following commands and options:

mmaddcallback
mmadddisk
mmaddnode
mmafmconfig add
mmafmconfig delete
mmafmconfig disable
mmafmconfig enable
mmafmconfig update
mmafmctl
mmapplypolicy
mmauth add
mmauth delete
mmauth deny
mmauth gencert
mmauth genkey
mmauth grant
mmauth update
mmbackup
mmbackupconfig
mmces address add
mmces address change
mmces address move
mmces address remove
mmces log
mmces node resume
mmces node suspent
mmces service disable
mmces service enable
mmces service start
mmces service stop
mmcesdr
mmcesmonitor
mmchcluster
mmchconfig
mmchdisk
mmchfileset
mmchfs
mmchlicense
mmchmgr
mmchnode
mmchnodeclass
mmchnsd
mmchpolicy
mmchpool
mmchqos
mmcloudgateway account create
mmcloudgateway account delete
mmcloudgateway account update
mmcloudgateway config set
mmcloudgateway config unset
mmcloudgateway files delete
mmcloudgateway files migrate
mmcloudgateway files recall
mmcloudgateway files reconcile
mmcloudgateway files restore
mmcloudgateway filesystem create
mmcloudgateway filesystem delete
mmcloudgateway service start
mmcloudgateway service stop
mmcrcluster
mmcrfileset
mmcrfs
mmcrnodeclass
mmcrnsd
mmcrsnapshot
mmdefedquota
mmdefquotaoff
mmdefquotaon
mmdefragfs
mmdelcallback
mmdeldisk
mmdelfileset
mmdelfs
mmdelnode
mmdelnodeclass
mmdelnsd
mmdelsnapshot
mmedquota
mmexpelnode
mmexportfs
mmfsctl
mmimgbackup
mmimgrestore
mmimportfs
mmkeyserv
mmlinkfileset
mmmigratefs
mmnfs configuration change
mmnfs export add
mmnfs export change
mmnfs export load
mmnfs export remove
mmnsddiscover
mmobj config change
mmobj file access
mmobj multiregion enable
mmobj multiregion export
mmobj multiregion import
mmobj multiregion remove
mmobj policy change
mmobj policy create
mmobj policy deprecate
mmobj swift base
mmperfmon config add
mmperfmon config delete
mmperfmon config generate
mmperfmon config update
mmpsnap create
mmpsnap delete
mmquotaoff
mmquotaon
mmremotecluster add
mmremotecluster delete
mmremotecluster update
mmremotefs add
mmremotefs delete
mmremotefs update
mmrestoreconfig
mmrestorefs
mmrestripefile
mmrestripefs
mmrpldisk
mmsdrrestore
mmsetquota
mmshutdown
mmsmb config change
mmsmb export add
mmsmb export change
mmsmb export remove
mmsmb exportacl add
mmsmb exportacl change
mmsmb exportacl delete
mmsmb exportacl remove
mmsmb exportacl replace
mmsnapdir
mmstartup
mmumount
mmumount
mmunlinkfileset
mmuserauth service create
mmuserauth service remove
mmwinservctl