File Access Events

File access events include both realm authorization and violation records. These events share a similar structure with all events, but have a different event code. The Evaluation Result (Evaluation Result) field can contain either ACFS_AUDIT_REALM_VIOLATION or ACFS_AUDIT_REALM_AUTH.

The possible event code (Event) for file access events include the following:

• ACFS_AUDIT_APPENDFILE_OP

• ACFS_AUDIT_CHGRP_OP

• ACFS_AUDIT_CHMOD_OP

• ACFS_AUDIT_CHOWN_OP

• ACFS_AUDIT_CREATEFILE_OP

• ACFS_AUDIT_DELETEFILE_OP

• ACFS_AUDIT_EXTEND_OP

• ACFS_AUDIT_GET_EXTATTR_OP

• ACFS_AUDIT_LINKFILE_OP

• ACFS_AUDIT_MKDIR_OP

• ACFS_AUDIT_MMAPREAD_OP

• ACFS_AUDIT_MMAPWRITE_OP

• ACFS_AUDIT_MUTABLE_OP

• ACFS_AUDIT_OPENFILE_OP

• ACFS_AUDIT_OVERWRITE_OP

• ACFS_AUDIT_READ_OP

• ACFS_AUDIT_READDIR_OP

• ACFS_AUDIT_RENAME_OP

• ACFS_AUDIT_RMDIR_OP

• ACFS_AUDIT_SET_EXTATTR_OP

• ACFS_AUDIT_SYMLINK_OP

• ACFS_AUDIT_TRUNCATE_OP

• ACFS_AUDIT_WRITE_OP