Auditing Data Access Operations

Describes MapR-FS, MapR-DB, and MapR-ES operations that are audited by default and operations that can be selectively enabled or disabled for auditing.

This type of auditing is for operations that are managed by the MapR-FS, MapR-DB, and MapR-ES. These operations take place within volumes and have effects at the level of the MapR file system.

Auditing of Operations on Directories and Files

The following table shows whether (Y) or not (N) the following operations on files and directories are audited. In the table, the operations with Y in the Selective Auditing Support column can be included and/or excluded from auditing and operations with N in the Selective Auditing Support column are audited by default and cannot be excluded from auditing. Use the name specified in the Operation Name to use for Selective Auditing column when you run the maprcli command to enable or disable auditing for that operation.

Operation Name in Audit Logs Operation Name to use for Selective Auditing Directories Files Selective Auditing Support
Change group owner CHGRP chgrp Y Y Y
Change owner CHOWN chown Y Y Y
Change permissions CHPERM chperm Y Y Y
Create CREATE create N/A Y Y
Create symbolic link CREATESYM createsym Y Y Y
Delete DELETE delete N/A Y Y
Disable auditing DISABLEAUDIT N/A Y Y N
Enable auditing ENABLEAUDIT N/A Y Y N
Get attributes GETATTR geattr N N Y
Get extended attributes GETXATTR getxattr Y Y Y
Get the mode bits for files/directories accessed over NFS GETPERM getperm Y Y Y
List extended attributes LISTXATTR listxattr Y Y Y
Lookup LOOKUP lookup Y Y Y
Create directory MKDIR mkdir Y N/A Y
Read a file READ read N/A Y Y
Read a directory READDIR readdir Y N/A Y
Remove extended attributes REMOVEXATTR removexattr Y Y Y
Rename RENAME rename Y Y Y
Delete a directory RMDIR rmdir Y N/A Y
Set attributes SETATTR setattr Y Y Y
Set extended attributes SETXATTR setxattr Y Y Y
Truncate a file TRUNCATE truncate N/A Y Y
Write to a file WRITE write N/A Y Y

Auditing of Operations on MapR-DB Binary Tables and JSON Tables

The following operations on both types of MapR-DB tables are audited by default. Operations with Y in the Selective Auditing Support column can be included and/or excluded from auditing. Operations with N in the Selective Auditing Support column are audited by default and cannot be excluded from auditing. Use the name specified in the Operation Name to use for Selective Auditing column when you run the maprcli command to enable or disable auditing for that operation.

Operation Name in Audit Logs Operation Name to use for Selective Auditing Selective Auditing Support
Create a column family DB_CFCREATE tablecfcreate Y
Modify a column family DB_CFMODIFY tablecfmodify Y
Delete a column family DB_CFREMOVE tablecfdelete Y
Scan a column DB_CFSCAN tablecfscan Y
Get data DB_GET tableget Y
Perform incremental bulk load DB_IMPORTBUCKET N/A N
Perform full bulk load DB_IMPORTSEGMENT N/A N
Put data DB_PUT tableput Y
Compact a table region DB_REGIONCOMPACT N/A N
Look up a region on the current node DB_REGIONLOOKUP N/A N
Merge two consecutive regions DB_REGIONMERGE N/A N
Split a region into two DB_REGIONSPLIT N/A N
Configure a replica for a table DB_REPLICAADD N/A N
Edit the replica for a table DB_REPLICAEDIT N/A N
List the replicas for a table DB_REPLICALIST N/A N
Remove a replica for a table DB_REPLICAREMOVE N/A N
Scan a table DB_SCAN tablescan Y
Create a table DB_TABLECREATE tablecreate Y
View information about a table DB_TABLEINFO tableinfo Y
Modify a table DB_TABLEMODIFY tablemodify Y
Add an upstream source to a replica DB_UPSTREAMADD N/A N
List all upstream sources for a replica DB_UPSTREAMLIST N/A N
Remove an upstream source for a replica DB_UPSTREAMREMOVE N/A N

Auditing of Operations on MapR-ES

The following operations on MapR-ES are audited by default. Operations with Y in the Selective Auditing Support column can be included and/or excluded from auditing. Operations with N in the Selective Auditing Support column are audited by default and cannot be excluded from auditing. Use the name specified in the Operation Name to use for Selective Auditing column when you run the maprcli command to enable or disable auditing for that operation.

Operation Name in Audit Logs Operation Name to use for Selective Auditing Selective Auditing Support
Modify attributes or permissions of a stream DB_CFMODIFY tablecfmodify Y
Produce messages to topics of a stream DB_PUT tableput Y
Add a replica DB_REPLICAADD N/A N
Edit a replica DB_REPLICAEDIT N/A N
List the replicas for a stream DB_REPLICALIST N/A N
Remove a replica DB_REPLICAREMOVE N/A N
Consume messages from topics of a stream DB_SCAN tablescan Y
Add an upstream source to a replica DB_UPSTREAMADD N/A N
List all upstream sources for a replica DB_UPSTREAMLIST N/A N
Remove an upstream source from a replica DB_UPSTREAMREMOVE N/A N