File access events include both realm authorization and violation records. These events share a similar structure with all events, but have a different event code. The Evaluation Result (Evaluation
Result
) field can contain either ACFS_AUDIT_REALM_VIOLATION
or ACFS_AUDIT_REALM_AUTH
.
The possible event code (Event
) for file access events include the following:
ACFS_AUDIT_APPENDFILE_OP
ACFS_AUDIT_CHGRP_OP
ACFS_AUDIT_CHMOD_OP
ACFS_AUDIT_CHOWN_OP
ACFS_AUDIT_CREATEFILE_OP
ACFS_AUDIT_DELETEFILE_OP
ACFS_AUDIT_EXTEND_OP
ACFS_AUDIT_GET_EXTATTR_OP
ACFS_AUDIT_LINKFILE_OP
ACFS_AUDIT_MKDIR_OP
ACFS_AUDIT_MMAPREAD_OP
ACFS_AUDIT_MMAPWRITE_OP
ACFS_AUDIT_MUTABLE_OP
ACFS_AUDIT_OPENFILE_OP
ACFS_AUDIT_OVERWRITE_OP
ACFS_AUDIT_READ_OP
ACFS_AUDIT_READDIR_OP
ACFS_AUDIT_RENAME_OP
ACFS_AUDIT_RMDIR_OP
ACFS_AUDIT_SET_EXTATTR_OP
ACFS_AUDIT_SYMLINK_OP
ACFS_AUDIT_TRUNCATE_OP
ACFS_AUDIT_WRITE_OP