AIX Audit EventsThis Appendix provides a complete listing of the AFS events that can be audited on AIX file server machines. See Chapter
Monitoring and Auditing AFS Performance for instructions on auditing AFS events on AIX file server
machines.IntroductionBelow is a list of the AFS events contained in the file /afs/usr/local/audit/events.sample. Each entry contains information on the event class, the name of the
event, the parameters associated with the event, and a description of the event.Most events have an associated error code that shows the outcome of the event (since each event is recorded after it
occurs), an AFSName (the authentication identify of the requesting process), and a host ID (from which the request originated).
Many events follow the RPC server entry calls defined in the AFS Programmer's Reference Manual.Events are classed by functionality (this is AIX specific). Some events possibly fall into one of more of the following
classes which are defined by the file /usr/afs/local/config.sample: A (afsauthent): Authentication and Identification EventsS (afssecurity): Security EventsP (afsprivilege): Privilege Required EventsO (afsobjects): Object Creation and Deletion EventsM (afsattributes): Attribute modificationC (afsprocess): Process Control EventsAudit-Specific EventsEventClassParametersDescriptionAFS_Audit_WRNone<string>The file "/usr/afs/Audit" has been written to (AIX specific event).AFS_Aud_OnSECodeAuditing is on for this server process (recorded on startup of a server).AFS_Aud_OffSECodeAuditing is off for this server process (recorded on startup of a server).AFS_Aud_UnauthSECode EventEvent triggered by an unauthorized user.The following audit-specific events indicate an error has occurred while recording the event. Most events have an
AFSName associated with them and a host ID. If this information cannot be gathered out of the Rx structure, one of these
events is raised.EventClassParametersDescriptionAFS_Aud_NoCallSECode EventNo rx call structure with this event. Cannot get security, AFS ID, or origin of call.AFS_Aud_NoConnSECode EventNo connection info associated with rx call. Cannot get security, AFS ID, or origin of call.AFS_Aud_UnknSecSECode EventSecurity of call is unknown (must be authorized or unauthorized caller).AFS_Aud_NoAFSIdSECode EventNo AFS ID/name associated with a secure event.AFS_Aud_NoHostSECode EventNo information about origin (machine) of caller.AFS_Aud_EINVALNoneEventError in audit event parameter (can't record the event parameter).Volume Server EventsEventClassParametersDescriptionAFS_VS_StartP CECodeThe volume server has started.AFS_VS_FinishCECodeThe volume server has finished. Finish events are rare since the server process is normally aborted.AFS_VS_ExitCECodeThe volume server has exited. Exit events are rare since the server process is normally aborted.AFS_VS_TransCrNoneECode AFSName HostID Trans VolIDAFSVolTransCreate - Create transaction for a [volume, partition]AFS_VS_EndTrnNoneECode AFSName HostID TransAFSVolEndTrans - End a transaction.AFS_VS_CrVolP OECode AFSName HostID Trans VolID VolName Type ParentIDAFSVolCreateVolume - Create a volume (volumeId volumeName)AFS_VS_DelVolP OECode AFSName HostID TransAFSVolDeleteVolume - Delete a volume.AFS_VS_NukVolP OECode AFSName HostID VolIDAFSVolNukeVolume - Obliterate a volume completely (volume ID).AFS_VS_DumpNoneECode AFSName HostID TransAFSVolDump - Dump the contents of a volume.AFS_VS_SigRstP MECode AFSName HostID VolNameAFSVolSignalRestore - Show intention to call AFSVolRestore.AFS_VS_RestoreP OECode AFSName HostID TransAFSVolRestore - Recreate a volume from a dump.AFS_VS_ForwardP OECode AFSName HostID FromTrans Host DestTransAFSVolForward - Dump a volume, then restore to a given server and volume.AFS_VS_CloneP OECode AFSName HostID Trans Purge NewName NewType NewVolIDAFSVolClone - Clone (and optionally purge) a volume.AFS_VS_ReCloneP OECode AFSName HostID Trans CloneVolIDAFSVolReClone - Reclone a volume.AFS_VS_SetForwP MECode AFSName HostID Trans NewHostAFSVolSetForwarding - Set forwarding information for a moved volume.AFS_VS_GetFlgsNoneECode AFSName HostID TransAFSVolGetFlags - Get volume flags for a transaction.AFS_VS_SetFlgsP MECode AFSName HostID Trans FlagsAFSVolSetFlags - Set volume flags for a transaction.AFS_VS_GetNameNoneECode AFSName HostID TransAFSVolGetName - Get the volume name associated with a transaction.AFS_VS_GetStatNoneECode AFSName HostID TransAFSVolGetStatus - Get status of a transaction/volume.AFS_VS_SetIdTyP MECode AFSName HostID Trans VolName Type ParentId CloneID BackupIDAFSVolSetIdsTypes - Set header information for a volume.AFS_VS_SetDateP MECode AFSName HostID Trans DateAFSVolSetDate - Set creation date in a volume.AFS_VS_ListParNoneECode AFSName HostIDAFSVolListPartitions - Return a list of AFS partitions on a server.AFS_VS_ParInfNoneECode AFSName HostID PartNameAFSVolPartitionInfo - Get partition information.AFS_VS_ListVolNoneECode AFSName HostIDAFSVolListVolumes - Return a list of volumes on a server.AFS_VS_XLstVolNoneECode AFSName HostIDAFSVolXListVolumes - Return a (detailed) list of volumes on a server.AFS_VS_Lst1VolNoneECode AFSName HostID VolIDAFSVolListOneVolume - Return header information for a single volume.AFS_VS_XLst1VlNoneECode AFSName HostID VolIDAFSVolXListOneVolume - Return (detailed) header information for a single volume.AFS_VS_GetNVolNoneECode AFSName HostID VolIDAFSVolGetNthVolume - Get volume header given its index.AFS_VS_MonitorNoneECode AFSName HostIDAFSVolMonitor - Collect server transaction state.AFS_VS_SetInfoP O MECode AFSName HostID TransAFSVolSetInfo - Set volume status.Backup Server EventsEventClassParametersDescriptionAFS_BUDB_StartPECodeThe backup server has started.AFS_BUDB_FinishNoneECodeThe backup server has finished. Finish events are rare since the server process is normally aborted.AFS_BUDB_ExitNoneECodeThe backup server has exited. Exit events are rare since the server process is normally aborted.AFS_BUDB_CrDmpP OECode AFSName HostID dumpIdBUDB_CreateDump - Create a new dump.AFS_BUDB_AppDmpPECode AFSName HostID dumpIdBUDB_makeDumpAppended - Make the dump an appended dump.AFS_BUDB_DelDmpP OECode AFSName HostID dumpIdBUDB_DeleteDump - Delete a dump.AFS_BUDB_FinDmpPECode AFSName HostID dumpIdBUDB_FinishDump- Notify buserver that dump is finished.AFS_BUDB_UseTpeP MECode AFSName HostID dumpIdBUDB_UseTape - Create/add a tape entry to a dump.AFS_BUDB_DelTpeP MECode AFSName HostID dumpIdBUDB_DeleteTape - Remove a tape from the database.AFS_BUDB_FinTpePECode AFSName HostID dumpIdBUDB_FinishTape - Writing to a tape is completed.AFS_BUDB_AddVolP MECode AFSName HostID volIdBUDB_AddVolume - Add a volume to a particular dump and tape.AFS_BUDB_GetTxVNoneECode AFSName HostID TypeBUDB_GetTextVersion - Get the version number for hosts/volume-sets/dump-hierarchy.AFS_BUDB_GetTxtPECode AFSName HostID TypeBUDB_GetText - Get the information about hosts/volume-sets/dump-hierarchy.AFS_BUDB_SavTxtMECode AFSName HostID TypeBUDB_SaveText - Overwrite the information about hosts/volume-sets/dump-hierarchy.AFS_BUDB_GetLckNoneECode AFSName HostIDBUDB_GetLock - Take a lock for reading/writing text information.AFS_BUDB_FrALckNoneECode AFSName HostIDBUDB_FreeLock - Free a lock.AFS_BUDB_FreLckNoneECode AFSName HostIDBUDB_FreeAllLocks - Free all locks.AFS_BUDB_GetIIdNoneECode AFSName HostIDBUDB_GetInstanceId - Get lock instance id.AFS_BUDB_DmpDBNoneECode AFSName HostIDBUDB_DumpDB - Start dumping the database.AFS_BUDB_RstDBHNoneECode AFSName HostIDBUDB_RestoreDbHeader - Restore the database header.AFS_BUDB_DBVfyNoneECode AFSName HostIDBUDB_DbVerify - Verify the database.AFS_BUDB_FndDmpPECode AFSName HostID volNameBUDB_FindDump - Find the dump a volume belongs to.AFS_BUDB_GetDmpPECode AFSName HostIDBUDB_GetDumps - Get a list of dumps in the database.AFS_BUDB_FnLTpePECode AFSName HostID dumpIdBUDB_FindLastTape - Find last tape, and last volume on tape of a dump.AFS_BUDB_GetTpePECode AFSName HostIDBUDB_GetTapes - Find a list of tapes based on name or dump ID.AFS_BUDB_GetVolPECode AFSName HostIDBUDB_GetVolumes - Find a list of volumes based on dump or tape name.AFS_BUDB_DelVDPP MECode AFSName HostID dumpSetNameBUDB_DeleteVDP - Delete dumps with given name and dump path.AFS_BUDB_FndClnP MECode AFSName HostID volNameBUDB_FindClone - Find clone time of volume.AFS_BUDB_FndLaDPECode AFSName HostID volNameBUDB_FindLatestDump - Find the latest dump a volume belongs to.AFS_BUDB_TGetVrNoneECode AFSName HostIDBUDB_T_GetVersion - Test Get version.AFS_BUDB_TDmpHaPECode AFSName HostID fileBUDB_T_DumpHashTable - Test dump of hash table.AFS_BUDB_TDmpDBPECode AFSName HostID fileBUDB_T_DumpDatabase - Test dump of database.Protection Server EventsEventClassParametersDescriptionAFS_PTS_StartPECodeThe protection server has started.AFS_PTS_FinishCECodeThe protection server has finished. Finish events are rare since the server process is normally aborted.AFS_PTS_ExitCECodeThe protection server has exited. Exit events are rare since the server process is normally aborted.AFS_PTS_NmToIdNoneECode AFSName HostIDPR_NameToID - Perform one or more name-to-ID translations.AFS_PTS_IdToNmNoneECode AFSName HostID GroupIdPR_IDToName - Perform one or more ID-to-name translations.AFS_PTS_NewEntNoneECode AFSName HostID GroupId Name OwnerIdPR_NewEntry - Create a PDB (Protection DataBase) entry for the given name.AFS_PTS_INewEntNoneECode AFSName HostID GroupId Name OwnerIdPR_INewEntry - Create a PDB entry for the given name and ID.AFS_PTS_LstEntNoneECode AFSName HostID GroupIdPR_ListEntry - Get the contents of a PDB entry based on its ID.AFS_PTS_DmpEntNoneECode AFSName HostID PositionPR_DumpEntry - Get the contents of a PDB entry based on its offset.AFS_PTS_ChgEntNoneECode AFSName HostID GroupId NewName NewOwnerId NewIdPR_ChangeEntry - Change an existing PDB entry's ID, name, owner, or a combination.AFS_PTS_SetFEntNoneECode AFSName HostID GroupIdPR_SetFieldsEntry - Change miscellaneous fields in an existing PDB entry.AFS_PTS_DelNoneECode AFSName HostID GroupIdPR_Delete - Delete an existing PDB entry.FS_PTS_WheIsItNoneECode AFSName HostID GroupId PositionPR_WhereIsIt - Get the PDB byte offset of the entry for a given ID.AFS_PTS_AdToGrpNoneECode AFSName HostID GroupId UserIdPR_AddToGroup - Add a user to a group.AFS_PTS_RmFmGrpNoneECode AFSName HostID GroupId UserIdPR_RemoveFromGroup - Remove a user from a chosen group.AFS_PTS_LstMaxNoneECode AFSName HostIDPR_ListMax - Get the largest allocated user and group ID.AFS_PTS_SetMaxNoneECode AFSName HostID GroupId flagPR_SetMax - Set the largest allocated user and group ID.AFS_PTS_LstEleNoneECode AFSName HostID GroupIdPR_ListElements - List all IDs associated with a user or group.AFS_PTS_GetCPSNoneECode AFSName HostID GroupIdPR_GetCPS - Get the CPS (Current Protection Subdomain) for the given ID.AFS_PTS_GetCPS2NoneECode AFSName HostID GroupId HostPR_GetCPS2 - Get the CPS for the given id and host.AFS_PTS_GetHCPSNoneECode AFSName HostID HostPR_GetHostCPS - Get the CPS for the given host.AFS_PTS_LstOwnNoneECode AFSName HostID GroupIdPR_ListOwned - Get all IDs owned by the given ID.AFS_PTS_IsMemOfNoneECode AFSName HostID UserId GroupIdPR_IsAMemberOf - Is a given user ID a member of a specified group?Authentication EventsEventClassParametersDescriptionAFS_KAA_ChPswdSECode AFSName HostID name instanceKAA_ChangePassword - Change password.AFS_KAA_AuthA SECode AFSName HostID name instanceKAA_Authenticate - Authenticate to the cell.AFS_KAA_AuthOSECode AFSName HostID name instanceKAA_Authenticate_old - Old style authentication.AFS_KAT_GetTktA SECode AFSName HostID name instanceKAT_GetTicket - An attempt was made to get an AFS ticket for some principal listed in the Authentication
Database.AFS_KAT_GetTktOSECode AFSName HostID name instanceKAT_GetTicket_old - An attempt was made to get an AFS ticket for some principal listed in the Authentication
Database.AFS_KAM_CrUserS PECode AFSName HostID name instanceKAM_CreateUser - Create a user.AFS_KAM_DelUserS PECode AFSName HostID name instanceKAM_DeleteUser - Delete a user.AFS_KAM_SetPswdSECode AFSName HostID name instanceKAM_SetPassword - Set the password for a user.AFS_KAM_GetPswdSECode AFSName HostID nameKAM_GetPassword - Get the password of a user.AFS_KAM_GetEntSECode AFSName HostID name instanceKAM_GetEntry - The RPC made by the kas examine command to get one entry from the
Authentication Database (by index entry).AFS_KAM_LstEntSECode AFSName HostID indexKAM_ListEntry - The RPC made to list one or more entries in the Authentication Database.AFS_KAM_DbgSECode AFSName HostIDKAM_Debug - The RPC that produces a debugging trace for the Authentication Server.AFS_KAM_SetFldS PECode AFSName HostID name instance flags date lifetime maxAssocKAM_SetFields - The RPC used by the kas setfields command to manipulate the
Authentication Database.AFS_KAM_GetStatSECode AFSName HostIDKAM_GetStatus - An RPC used to get statistics on the Authentication Server.AFS_KAM_GRnKeySECode AFSName HostIDKAM_GetRandomKey - An RPC used to generate a random encryption key.AFS_UnlockUserSECode AFSName HostID name instanceKAM_Unlock - The RPC used to initiate the kas unlock command.AFS_LockStatusNoneECode AFSName HostID name instanceKAM_LockStatus - The RPC used to determine whether a user's Authentication Database entry is locked.AFS_UseOfPrivPECode AFSName HostID name instance cellAn authorized command was issued and allowed because the user had privilege.AFS_UnAthSECode AFSName HostID name instance cellAn authorized command was issued and allowed because the system was running in noauth mode.AFS_UDPAuthA SECode name instanceAn authentication attempt was made with a Kerberos client.AFS_UDPGetTcktA SECode name instance cell name instanceAn attempt was made to get a Kerberos ticket.AFS_RunNoAuthSECodeCheck was made and some random server is running noauth.AFS_NoAuthDsblS PECodeServer is set to run in authenticated mode.AFS_NoAuthEnblS PECodeServer is set to run in unauthenticated mode.File Server and Cache Manager Interface EventsEventClassParametersDescriptionAFS_SRX_FchACLNoneECode AFSName HostID (FID)RXAFS_FetchACL - Fetch the ACL associated with the given AFS file identifier.AFS_SRX_FchStatNoneECode AFSName HostID (FID)RXAFS_FetchStatus - Fetch the status information for a file system object.AFS_SRX_StACLMECode AFSName HostID (FID)RXAFS_StoreACL - Associate an ACL with the names directory.AFS_SRX_StStatMECode AFSName HostID (FID)RXAFS_StoreStatus - Store status information for the specified file.AFS_SRX_RmFileOECode AFSName HostID (FID) nameRXAFS_RemoveFile - Delete the given file.AFS_SRX_CrFileOECode AFSName HostID (FID) nameRXAFS_CreateFile - Create the given file.AFS_SRX_RNmFileO MECode AFSName HostID (oldFID) oldName (newFID) newNameRXAFS_Rename - Rename the specified file in the given directory.AFS_SRX_SymLinkOECode AFSName HostID (FID) nameRXAFS_Symlink - Create a symbolic link.AFS_SRX_LinkOECode AFSName HostID (FID) name (FID)RXAFS_Link - Create a hard link.AFS_SRX_MakeDirOECode AFSName HostID (FID) nameRXAFS_MakeDir - Create a directory.AFS_SRX_RmDirOECode AFSName HostID (FID) nameRXAFS_RemoveDir - Remove a directory.AFS_SRX_SetLockNoneECode AFSName HostID (FID) typeRXAFS_SetLock - Set an advisory lock on the given file identifier.AFS_SRX_ExtLockNoneECode AFSName HostID (FID)RXAFS_ExtendLock - Extend an advisory lock on a file.AFS_SRX_RelLockNoneECode AFSName HostID (FID)RXAFS_ReleaseLock - Release the advisory lock on a file.AFS_SRX_FchDataNoneECode AFSName HostID (FID)StartRXAFS_FetchData - Begin a request to fetch file data.AFS_SRX_StDataOECode AFSName HostID (FID)StartRXAFS_StoreData - Begin a request to store file data.AFS_SRX_BFchStaNoneECode AFSName HostID (FID)RXAFS_BulkStatus - Fetch status information regarding a set of file system objects.AFS_SRX_SetVolSMECode AFSName HostID volId volNameRXAFS_SetVolumeStatus - Set the basic status information for the named volume.AFS_PrivPECode viceId callRoutineChecking Permission Rights of user - user has permissions.AFS_PrivSetPECode viceId callRoutineSet the privileges of a user.BOS Server EventsEventClassParametersDescriptionAFS_BOS_CreBnodP CECode AFSName HostIDBOZO_CreateBnode - Create a process instance.AFS_BOS_DelBnodP CECode AFSName HostID instanceBOZO_DeleteBnode - Delete a process instance.AFS_BOS_SetReStP M CECode AFSName HostIDBOZO_Restart - Restart a given process instance.AFS_BOS_GetLogPECode AFSName HostIDStartBOZO_GetLog - Pass the IN params when fetching a BOS Server log file.AFS_BOS_SetStatP M CECode AFSName HostID instanceBOZO_SetStatus - Set process instance status and goal.AFS_BOS_SetTStaP M CECode AFSName HostID instanceBOZO_SetTStatus - Temporarily set process instance status and goal.AFS_BOS_StartAlP CECode AFSName HostIDBOZO_StartupAll - Start all existing process instances.AFS_BOS_ShtdAllP CECode AFSName HostIDBOZO_ShutdownAll - Shut down all process instances.AFS_BOS_ReStAllP CECode AFSName HostIDBOZO_RestartAll - Shut down, then restart all process instances.AFS_BOS_ReBosP CECode AFSName HostIDBOZO_ReBozo - Shut down, then restart all process instances and the BOS Server itself.AFS_BOS_ReBosInP CECodeBOZO_ReBozo - Same as AFS_BOS_ReBos but done internally (server restarts).AFS_BOS_ReStartP CECode AFSName HostID instanceBOZO_Restart - Restart a given process instance.AFS_BOS_WaitAllP CECode AFSName HostIDBOZO_WaitAll - Wait until all process instances have reached their goals.AFS_BOS_AddSUsrS PECode AFSName HostIDBOZO_AddSUser - Add a user to the UserList.AFS_BOS_DelSUsrS PECode AFSName HostIDBOZO_DeleteSUser - Delete a user from the UserList.AFS_BOS_LstSUsrNoneECode AFSName HostIDBOZO_ListSUsers - Get the name of the user in the given position in the UserList file.AFS_BOS_LstKeyPECode AFSName HostIDBOZO_ListKeys - List information about the key at a given index in the key file.AFS_BOS_LstKeyUPECode AFSName HostIDBOZO_ListKeys - Same as AFS_BOS_LstKey, but unauthorized.AFS_BOS_AddKeyS PECode AFSName HostIDBOZO_AddKey - Add a key to the key file.AFS_BOS_DelKeyS PECode AFSName HostIDBOZO_DeleteKey - Delete the entry for an AFS key.AFS_BOS_SetNoAuS PECode AFSName HostID flagBOZO_SetNoAuthFlag - Enable or disable authenticated call requirements.AFS_BOS_SetCellS PECode AFSName HostID nameBOZO_SetCellName - Set the name of the cell to which the BOS Server belongs.AFS_BOS_AddHstS PECode AFSName HostID nameBOZO_AddCellHost - Add an entry to the list of database server hosts.AFS_BOS_DelHstS PECode AFSName HostID nameBOZO_DeleteCellHost - Delete an entry from the list of database server hosts.AFS_BOS_InstP O MECode AFSName HostID nameStartBOZO_Install - Pass the IN parameters when installing a server binary.EndBOZO_Install -
Get the OUT parameters when installing a server binary.AFS_BOS_UnInstP O MECode AFSName HostID nameBOZO_UnInstall - Roll back from a server binary installation.AFS_BOS_PrnLogP OECode AFSName HostIDBOZO_Prune - Throw away old versions of server binaries and core file.AFS_BOS_ExecP CECode AFSName HostID cmdBOZO_Exec - Execute a shell command at the server.AFS_BOS_DoExecP CECode execThe bosserver process was restarted.AFS_BOS_StpProcP CECode cmdAn RPC to stop any process controlled by the BOS Server.Volume Location Server EventsEventClassParametersDescriptionAFS_VL_CreEntP MECode AFSName HostID nameVL_CreateEntry - Create a VLDB entry.AFS_VL_DelEntP MECode AFSName HostID volIDVL_DeleteEntry - Delete a VLDB entry.AFS_VL_GetNVlIDNoneECode AFSName HostIDVL_GetNewVolumeId - Generate a new volume ID.AFS_VL_RepEntP MECode AFSName HostID volIDVL_ReplaceEntry - Replace entire contents of VLDB entry.AFS_VL_UpdEntP MECode AFSName HostID volIDVL_UpdateEntry - Update contents of VLDB entry.AFS_VL_SetLckPECode AFSName HostID volIDVL_SetLock - Lock VLDB entry.AFS_VL_RelLckPECode AFSName HostID volIDVL_ReleaseLock - Unlock VLDB entry.