File Access Events

File access events include both realm authorization and violation records. These events share a similar structure with all events, but have a different event code. The Evaluation Result (Evaluation Result) field can contain either ACFS_AUDIT_REALM_VIOLATION or ACFS_AUDIT_REALM_AUTH.

The possible event code (Event) for file access events include the following:

  • ACFS_AUDIT_APPENDFILE_OP

  • ACFS_AUDIT_CHGRP_OP

  • ACFS_AUDIT_CHMOD_OP

  • ACFS_AUDIT_CHOWN_OP

  • ACFS_AUDIT_CREATEFILE_OP

  • ACFS_AUDIT_DELETEFILE_OP

  • ACFS_AUDIT_EXTEND_OP

  • ACFS_AUDIT_GET_EXTATTR_OP

  • ACFS_AUDIT_LINKFILE_OP

  • ACFS_AUDIT_MKDIR_OP

  • ACFS_AUDIT_MMAPREAD_OP

  • ACFS_AUDIT_MMAPWRITE_OP

  • ACFS_AUDIT_MUTABLE_OP

  • ACFS_AUDIT_OPENFILE_OP

  • ACFS_AUDIT_OVERWRITE_OP

  • ACFS_AUDIT_READ_OP

  • ACFS_AUDIT_READDIR_OP

  • ACFS_AUDIT_RENAME_OP

  • ACFS_AUDIT_RMDIR_OP

  • ACFS_AUDIT_SET_EXTATTR_OP

  • ACFS_AUDIT_SYMLINK_OP

  • ACFS_AUDIT_TRUNCATE_OP

  • ACFS_AUDIT_WRITE_OP