Administration Guide


[Return to Library] [Contents] [Previous Topic] [Bottom of Topic] [Next Topic] [Index]


Appendix D. AIX Audit Events

This Appendix provides a complete listing of the AFS events that can be audited on AIX file server machines. See Chapter Monitoring and Auditing AFS Performance for instructions on auditing AFS events on AIX file server machines.


Introduction

Below is a list of the AFS events contained in the file /afs/usr/local/audit/events.sample. Each entry contains information on the event class, the name of the event, the parameters associated with the event, and a description of the event.

Most events have an associated error code that shows the outcome of the event (since each event is recorded after it occurs), an AFSName (the authentication identify of the requesting process), and a host ID (from which the request originated). Many events follow the RPC server entry calls defined in the AFS Programmer's Reference Manual.

Events are classed by functionality (this is AIX specific). Some events possibly fall into one of more of the following classes which are defined by the file /usr/afs/local/config.sample:


Audit-Specific Events


Event Class Parameters Description
AFS_Audit_WR None <string> The file "/usr/afs/Audit" has been written to (AIX specific event).
AFS_Aud_On S ECode Auditing is on for this server process (recorded on startup of a server).
AFS_Aud_Off S ECode Auditing is off for this server process (recorded on startup of a server).
AFS_Aud_Unauth S ECode Event Event triggered by an unauthorized user.
Note:The following audit-specific events indicate an error has occurred while recording the event. Most events have an AFSName associated with them and a host ID. If this information cannot be gathered out of the Rx structure, one of these events is raised.

Event Class Parameters Description
AFS_Aud_NoCall S ECode Event No rx call structure with this event. Cannot get security, AFS ID, or origin of call.
AFS_Aud_NoConn S ECode Event No connection info associated with rx call. Cannot get security, AFS ID, or origin of call.
AFS_Aud_UnknSec S ECode Event Security of call is unknown (must be authorized or unauthorized caller).
AFS_Aud_NoAFSId S ECode Event No AFS ID/name associated with a secure event.
AFS_Aud_NoHost S ECode Event No information about origin (machine) of caller.
AFS_Aud_EINVAL None Event Error in audit event parameter (can't record the event parameter).

Volume Server Events


Event Class Parameters Description
AFS_VS_Start P C ECode The volume server has started.
AFS_VS_Finish C ECode The volume server has finished. Finish events are rare since the server process is normally aborted.
AFS_VS_Exit C ECode The volume server has exited. Exit events are rare since the server process is normally aborted.
AFS_VS_TransCr None ECode AFSName HostID Trans VolID AFSVolTransCreate - Create transaction for a [volume, partition]
AFS_VS_EndTrn None ECode AFSName HostID Trans AFSVolEndTrans - End a transaction.
AFS_VS_CrVol P O ECode AFSName HostID Trans VolID VolName Type ParentID AFSVolCreateVolume - Create a volume (volumeId volumeName)
AFS_VS_DelVol P O ECode AFSName HostID Trans AFSVolDeleteVolume - Delete a volume.
AFS_VS_NukVol P O ECode AFSName HostID VolID AFSVolNukeVolume - Obliterate a volume completely (volume ID).
AFS_VS_Dump None ECode AFSName HostID Trans AFSVolDump - Dump the contents of a volume.
AFS_VS_SigRst P M ECode AFSName HostID VolName AFSVolSignalRestore - Show intention to call AFSVolRestore.
AFS_VS_Restore P O ECode AFSName HostID Trans AFSVolRestore - Recreate a volume from a dump.
AFS_VS_Forward P O ECode AFSName HostID FromTrans Host DestTrans AFSVolForward - Dump a volume, then restore to a given server and volume.
AFS_VS_Clone P O ECode AFSName HostID Trans Purge NewName NewType NewVolID AFSVolClone - Clone (and optionally purge) a volume.
AFS_VS_ReClone P O ECode AFSName HostID Trans CloneVolID AFSVolReClone - Reclone a volume.
AFS_VS_SetForw P M ECode AFSName HostID Trans NewHost AFSVolSetForwarding - Set forwarding information for a moved volume.
AFS_VS_GetFlgs None ECode AFSName HostID Trans AFSVolGetFlags - Get volume flags for a transaction.
AFS_VS_SetFlgs P M ECode AFSName HostID Trans Flags AFSVolSetFlags - Set volume flags for a transaction.
AFS_VS_GetName None ECode AFSName HostID Trans AFSVolGetName - Get the volume name associated with a transaction.
AFS_VS_GetStat None ECode AFSName HostID Trans AFSVolGetStatus - Get status of a transaction/volume.
AFS_VS_SetIdTy P M ECode AFSName HostID Trans VolName Type ParentId CloneID BackupID AFSVolSetIdsTypes - Set header information for a volume.
AFS_VS_SetDate P M ECode AFSName HostID Trans Date AFSVolSetDate - Set creation date in a volume.
AFS_VS_ListPar None ECode AFSName HostID AFSVolListPartitions - Return a list of AFS partitions on a server.
AFS_VS_ParInf None ECode AFSName HostID PartName AFSVolPartitionInfo - Get partition information.
AFS_VS_ListVol None ECode AFSName HostID AFSVolListVolumes - Return a list of volumes on a server.
AFS_VS_XLstVol None ECode AFSName HostID AFSVolXListVolumes - Return a (detailed) list of volumes on a server.
AFS_VS_Lst1Vol None ECode AFSName HostID VolID AFSVolListOneVolume - Return header information for a single volume.
AFS_VS_XLst1Vl None ECode AFSName HostID VolID AFSVolXListOneVolume - Return (detailed) header information for a single volume.
AFS_VS_GetNVol None ECode AFSName HostID VolID AFSVolGetNthVolume - Get volume header given its index.
AFS_VS_Monitor None ECode AFSName HostID AFSVolMonitor - Collect server transaction state.
AFS_VS_SetInfo P O M ECode AFSName HostID Trans AFSVolSetInfo - Set volume status.

Backup Server Events


Event Class Parameters Description
AFS_BUDB_Start P ECode The backup server has started.
AFS_BUDB_Finish None ECode The backup server has finished. Finish events are rare since the server process is normally aborted.
AFS_BUDB_Exit None ECode The backup server has exited. Exit events are rare since the server process is normally aborted.
AFS_BUDB_CrDmp P O ECode AFSName HostID dumpId BUDB_CreateDump - Create a new dump.
AFS_BUDB_AppDmp P ECode AFSName HostID dumpId BUDB_makeDumpAppended - Make the dump an appended dump.
AFS_BUDB_DelDmp P O ECode AFSName HostID dumpId BUDB_DeleteDump - Delete a dump.
AFS_BUDB_FinDmp P ECode AFSName HostID dumpId BUDB_FinishDump- Notify buserver that dump is finished.
AFS_BUDB_UseTpe P M ECode AFSName HostID dumpId BUDB_UseTape - Create/add a tape entry to a dump.
AFS_BUDB_DelTpe P M ECode AFSName HostID dumpId BUDB_DeleteTape - Remove a tape from the database.
AFS_BUDB_FinTpe P ECode AFSName HostID dumpId BUDB_FinishTape - Writing to a tape is completed.
AFS_BUDB_AddVol P M ECode AFSName HostID volId BUDB_AddVolume - Add a volume to a particular dump and tape.
AFS_BUDB_GetTxV None ECode AFSName HostID Type BUDB_GetTextVersion - Get the version number for hosts/volume-sets/dump-hierarchy.
AFS_BUDB_GetTxt P ECode AFSName HostID Type BUDB_GetText - Get the information about hosts/volume-sets/dump-hierarchy.
AFS_BUDB_SavTxt M ECode AFSName HostID Type BUDB_SaveText - Overwrite the information about hosts/volume-sets/dump-hierarchy.
AFS_BUDB_GetLck None ECode AFSName HostID BUDB_GetLock - Take a lock for reading/writing text information.
AFS_BUDB_FrALck None ECode AFSName HostID BUDB_FreeLock - Free a lock.
AFS_BUDB_FreLck None ECode AFSName HostID BUDB_FreeAllLocks - Free all locks.
AFS_BUDB_GetIId None ECode AFSName HostID BUDB_GetInstanceId - Get lock instance id.
AFS_BUDB_DmpDB None ECode AFSName HostID BUDB_DumpDB - Start dumping the database.
AFS_BUDB_RstDBH None ECode AFSName HostID BUDB_RestoreDbHeader - Restore the database header.
AFS_BUDB_DBVfy None ECode AFSName HostID BUDB_DbVerify - Verify the database.
AFS_BUDB_FndDmp P ECode AFSName HostID volName BUDB_FindDump - Find the dump a volume belongs to.
AFS_BUDB_GetDmp P ECode AFSName HostID BUDB_GetDumps - Get a list of dumps in the database.
AFS_BUDB_FnLTpe P ECode AFSName HostID dumpId BUDB_FindLastTape - Find last tape, and last volume on tape of a dump.
AFS_BUDB_GetTpe P ECode AFSName HostID BUDB_GetTapes - Find a list of tapes based on name or dump ID.
AFS_BUDB_GetVol P ECode AFSName HostID BUDB_GetVolumes - Find a list of volumes based on dump or tape name.
AFS_BUDB_DelVDP P M ECode AFSName HostID dumpSetName BUDB_DeleteVDP - Delete dumps with given name and dump path.
AFS_BUDB_FndCln P M ECode AFSName HostID volName BUDB_FindClone - Find clone time of volume.
AFS_BUDB_FndLaD P ECode AFSName HostID volName BUDB_FindLatestDump - Find the latest dump a volume belongs to.
AFS_BUDB_TGetVr None ECode AFSName HostID BUDB_T_GetVersion - Test Get version.
AFS_BUDB_TDmpHa P ECode AFSName HostID file BUDB_T_DumpHashTable - Test dump of hash table.
AFS_BUDB_TDmpDB P ECode AFSName HostID file BUDB_T_DumpDatabase - Test dump of database.

Protection Server Events


Event Class Parameters Description
AFS_PTS_Start P ECode The protection server has started.
AFS_PTS_Finish C ECode The protection server has finished. Finish events are rare since the server process is normally aborted.
AFS_PTS_Exit C ECode The protection server has exited. Exit events are rare since the server process is normally aborted.
AFS_PTS_NmToId None ECode AFSName HostID PR_NameToID - Perform one or more name-to-ID translations.
AFS_PTS_IdToNm None ECode AFSName HostID GroupId PR_IDToName - Perform one or more ID-to-name translations.
AFS_PTS_NewEnt None ECode AFSName HostID GroupId Name OwnerId PR_NewEntry - Create a PDB (Protection DataBase) entry for the given name.
AFS_PTS_INewEnt None ECode AFSName HostID GroupId Name OwnerId PR_INewEntry - Create a PDB entry for the given name and ID.
AFS_PTS_LstEnt None ECode AFSName HostID GroupId PR_ListEntry - Get the contents of a PDB entry based on its ID.
AFS_PTS_DmpEnt None ECode AFSName HostID Position PR_DumpEntry - Get the contents of a PDB entry based on its offset.
AFS_PTS_ChgEnt None ECode AFSName HostID GroupId NewName NewOwnerId NewId PR_ChangeEntry - Change an existing PDB entry's ID, name, owner, or a combination.
AFS_PTS_SetFEnt None ECode AFSName HostID GroupId PR_SetFieldsEntry - Change miscellaneous fields in an existing PDB entry.
AFS_PTS_Del None ECode AFSName HostID GroupId PR_Delete - Delete an existing PDB entry.
FS_PTS_WheIsIt None ECode AFSName HostID GroupId Position PR_WhereIsIt - Get the PDB byte offset of the entry for a given ID.
AFS_PTS_AdToGrp None ECode AFSName HostID GroupId UserId PR_AddToGroup - Add a user to a group.
AFS_PTS_RmFmGrp None ECode AFSName HostID GroupId UserId PR_RemoveFromGroup - Remove a user from a chosen group.
AFS_PTS_LstMax None ECode AFSName HostID PR_ListMax - Get the largest allocated user and group ID.
AFS_PTS_SetMax None ECode AFSName HostID GroupId flag PR_SetMax - Set the largest allocated user and group ID.
AFS_PTS_LstEle None ECode AFSName HostID GroupId PR_ListElements - List all IDs associated with a user or group.
AFS_PTS_GetCPS None ECode AFSName HostID GroupId PR_GetCPS - Get the CPS (Current Protection Subdomain) for the given ID.
AFS_PTS_GetCPS2 None ECode AFSName HostID GroupId Host PR_GetCPS2 - Get the CPS for the given id and host.
AFS_PTS_GetHCPS None ECode AFSName HostID Host PR_GetHostCPS - Get the CPS for the given host.
AFS_PTS_LstOwn None ECode AFSName HostID GroupId PR_ListOwned - Get all IDs owned by the given ID.
AFS_PTS_IsMemOf None ECode AFSName HostID UserId GroupId PR_IsAMemberOf - Is a given user ID a member of a specified group?

Authentication Events


Event Class Parameters Description
AFS_KAA_ChPswd S ECode AFSName HostID name instance KAA_ChangePassword - Change password.
AFS_KAA_Auth A S ECode AFSName HostID name instance KAA_Authenticate - Authenticate to the cell.
AFS_KAA_AuthO S ECode AFSName HostID name instance KAA_Authenticate_old - Old style authentication.
AFS_KAT_GetTkt A S ECode AFSName HostID name instance KAT_GetTicket - An attempt was made to get an AFS ticket for some principal listed in the Authentication Database.
AFS_KAT_GetTktO S ECode AFSName HostID name instance KAT_GetTicket_old - An attempt was made to get an AFS ticket for some principal listed in the Authentication Database.
AFS_KAM_CrUser S P ECode AFSName HostID name instance KAM_CreateUser - Create a user.
AFS_KAM_DelUser S P ECode AFSName HostID name instance KAM_DeleteUser - Delete a user.
AFS_KAM_SetPswd S ECode AFSName HostID name instance KAM_SetPassword - Set the password for a user.
AFS_KAM_GetPswd S ECode AFSName HostID name KAM_GetPassword - Get the password of a user.
AFS_KAM_GetEnt S ECode AFSName HostID name instance KAM_GetEntry - The RPC made by the kas examine command to get one entry from the Authentication Database (by index entry).
AFS_KAM_LstEnt S ECode AFSName HostID index KAM_ListEntry - The RPC made to list one or more entries in the Authentication Database.
AFS_KAM_Dbg S ECode AFSName HostID KAM_Debug - The RPC that produces a debugging trace for the Authentication Server.
AFS_KAM_SetFld S P ECode AFSName HostID name instance flags date lifetime maxAssoc KAM_SetFields - The RPC used by the kas setfields command to manipulate the Authentication Database.
AFS_KAM_GetStat S ECode AFSName HostID KAM_GetStatus - An RPC used to get statistics on the Authentication Server.
AFS_KAM_GRnKey S ECode AFSName HostID KAM_GetRandomKey - An RPC used to generate a random encryption key.
AFS_UnlockUser S ECode AFSName HostID name instance KAM_Unlock - The RPC used to initiate the kas unlock command.
AFS_LockStatus None ECode AFSName HostID name instance KAM_LockStatus - The RPC used to determine whether a user's Authentication Database entry is locked.
AFS_UseOfPriv P ECode AFSName HostID name instance cell An authorized command was issued and allowed because the user had privilege.
AFS_UnAth S ECode AFSName HostID name instance cell An authorized command was issued and allowed because the system was running in noauth mode.
AFS_UDPAuth A S ECode name instance An authentication attempt was made with a Kerberos client.
AFS_UDPGetTckt A S ECode name instance cell name instance An attempt was made to get a Kerberos ticket.
AFS_RunNoAuth S ECode Check was made and some random server is running noauth.
AFS_NoAuthDsbl S P ECode Server is set to run in authenticated mode.
AFS_NoAuthEnbl S P ECode Server is set to run in unauthenticated mode.

File Server and Cache Manager Interface Events


Event Class Parameters Description
AFS_SRX_FchACL None ECode AFSName HostID (FID) RXAFS_FetchACL - Fetch the ACL associated with the given AFS file identifier.
AFS_SRX_FchStat None ECode AFSName HostID (FID) RXAFS_FetchStatus - Fetch the status information for a file system object.
AFS_SRX_StACL M ECode AFSName HostID (FID) RXAFS_StoreACL - Associate an ACL with the names directory.
AFS_SRX_StStat M ECode AFSName HostID (FID) RXAFS_StoreStatus - Store status information for the specified file.
AFS_SRX_RmFile O ECode AFSName HostID (FID) name RXAFS_RemoveFile - Delete the given file.
AFS_SRX_CrFile O ECode AFSName HostID (FID) name RXAFS_CreateFile - Create the given file.
AFS_SRX_RNmFile O M ECode AFSName HostID (oldFID) oldName (newFID) newName RXAFS_Rename - Rename the specified file in the given directory.
AFS_SRX_SymLink O ECode AFSName HostID (FID) name RXAFS_Symlink - Create a symbolic link.
AFS_SRX_Link O ECode AFSName HostID (FID) name (FID) RXAFS_Link - Create a hard link.
AFS_SRX_MakeDir O ECode AFSName HostID (FID) name RXAFS_MakeDir - Create a directory.
AFS_SRX_RmDir O ECode AFSName HostID (FID) name RXAFS_RemoveDir - Remove a directory.
AFS_SRX_SetLock None ECode AFSName HostID (FID) type RXAFS_SetLock - Set an advisory lock on the given file identifier.
AFS_SRX_ExtLock None ECode AFSName HostID (FID) RXAFS_ExtendLock - Extend an advisory lock on a file.
AFS_SRX_RelLock None ECode AFSName HostID (FID) RXAFS_ReleaseLock - Release the advisory lock on a file.
AFS_SRX_FchData None ECode AFSName HostID (FID) StartRXAFS_FetchData - Begin a request to fetch file data.
AFS_SRX_StData O ECode AFSName HostID (FID) StartRXAFS_StoreData - Begin a request to store file data.
AFS_SRX_BFchSta None ECode AFSName HostID (FID) RXAFS_BulkStatus - Fetch status information regarding a set of file system objects.
AFS_SRX_SetVolS M ECode AFSName HostID volId volName RXAFS_SetVolumeStatus - Set the basic status information for the named volume.
AFS_Priv P ECode viceId callRoutine Checking Permission Rights of user - user has permissions.
AFS_PrivSet P ECode viceId callRoutine Set the privileges of a user.

BOS Server Events


Event Class Parameters Description
AFS_BOS_CreBnod P C ECode AFSName HostID BOZO_CreateBnode - Create a process instance.
AFS_BOS_DelBnod P C ECode AFSName HostID instance BOZO_DeleteBnode - Delete a process instance.
AFS_BOS_SetReSt P M C ECode AFSName HostID BOZO_Restart - Restart a given process instance.
AFS_BOS_GetLog P ECode AFSName HostID StartBOZO_GetLog - Pass the IN params when fetching a BOS Server log file.
AFS_BOS_SetStat P M C ECode AFSName HostID instance BOZO_SetStatus - Set process instance status and goal.
AFS_BOS_SetTSta P M C ECode AFSName HostID instance BOZO_SetTStatus - Temporarily set process instance status and goal.
AFS_BOS_StartAl P C ECode AFSName HostID BOZO_StartupAll - Start all existing process instances.
AFS_BOS_ShtdAll P C ECode AFSName HostID BOZO_ShutdownAll - Shut down all process instances.
AFS_BOS_ReStAll P C ECode AFSName HostID BOZO_RestartAll - Shut down, then restart all process instances.
AFS_BOS_ReBos P C ECode AFSName HostID BOZO_ReBozo - Shut down, then restart all process instances and the BOS Server itself.
AFS_BOS_ReBosIn P C ECode BOZO_ReBozo - Same as AFS_BOS_ReBos but done internally (server restarts).
AFS_BOS_ReStart P C ECode AFSName HostID instance BOZO_Restart - Restart a given process instance.
AFS_BOS_WaitAll P C ECode AFSName HostID BOZO_WaitAll - Wait until all process instances have reached their goals.
AFS_BOS_AddSUsr S P ECode AFSName HostID BOZO_AddSUser - Add a user to the UserList.
AFS_BOS_DelSUsr S P ECode AFSName HostID BOZO_DeleteSUser - Delete a user from the UserList.
AFS_BOS_LstSUsr None ECode AFSName HostID BOZO_ListSUsers - Get the name of the user in the given position in the UserList file.
AFS_BOS_LstKey P ECode AFSName HostID BOZO_ListKeys - List information about the key at a given index in the key file.
AFS_BOS_LstKeyU P ECode AFSName HostID BOZO_ListKeys - Same as AFS_BOS_LstKey, but unauthorized.
AFS_BOS_AddKey S P ECode AFSName HostID BOZO_AddKey - Add a key to the key file.
AFS_BOS_DelKey S P ECode AFSName HostID BOZO_DeleteKey - Delete the entry for an AFS key.
AFS_BOS_SetNoAu S P ECode AFSName HostID flag BOZO_SetNoAuthFlag - Enable or disable authenticated call requirements.
AFS_BOS_SetCell S P ECode AFSName HostID name BOZO_SetCellName - Set the name of the cell to which the BOS Server belongs.
AFS_BOS_AddHst S P ECode AFSName HostID name BOZO_AddCellHost - Add an entry to the list of database server hosts.
AFS_BOS_DelHst S P ECode AFSName HostID name BOZO_DeleteCellHost - Delete an entry from the list of database server hosts.
AFS_BOS_Inst P O M ECode AFSName HostID name

StartBOZO_Install - Pass the IN parameters when installing a server binary.

EndBOZO_Install - Get the OUT parameters when installing a server binary.

AFS_BOS_UnInst P O M ECode AFSName HostID name BOZO_UnInstall - Roll back from a server binary installation.
AFS_BOS_PrnLog P O ECode AFSName HostID BOZO_Prune - Throw away old versions of server binaries and core file.
AFS_BOS_Exec P C ECode AFSName HostID cmd BOZO_Exec - Execute a shell command at the server.
AFS_BOS_DoExec P C ECode exec The bosserver process was restarted.
AFS_BOS_StpProc P C ECode cmd An RPC to stop any process controlled by the BOS Server.

Volume Location Server Events


Event Class Parameters Description
AFS_VL_CreEnt P M ECode AFSName HostID name VL_CreateEntry - Create a VLDB entry.
AFS_VL_DelEnt P M ECode AFSName HostID volID VL_DeleteEntry - Delete a VLDB entry.
AFS_VL_GetNVlID None ECode AFSName HostID VL_GetNewVolumeId - Generate a new volume ID.
AFS_VL_RepEnt P M ECode AFSName HostID volID VL_ReplaceEntry - Replace entire contents of VLDB entry.
AFS_VL_UpdEnt P M ECode AFSName HostID volID VL_UpdateEntry - Update contents of VLDB entry.
AFS_VL_SetLck P ECode AFSName HostID volID VL_SetLock - Lock VLDB entry.
AFS_VL_RelLck P ECode AFSName HostID volID VL_ReleaseLock - Unlock VLDB entry.


[Return to Library] [Contents] [Previous Topic] [Top of Topic] [Next Topic] [Index]



© IBM Corporation 2000. All Rights Reserved