Checking Whether Auditing is Enabled for a Directory, File, MapR-DB Table, or MapR Stream

When you enable the auditing of a particular directory, file, table, or stream, you set the audit bit to "on" that object. You can tell whether auditing is enabled for a directory, file, or table by checking the status of the object's audit bit.

For example,the volume, as shown in the first tree diagram below, consists of the root directory, the two directories dir1 and dir2, and two files in directory dir1. Every directory, file, table, and stream in a volume has an “audit bit” associated with it. You can tell whether, say, dir1 has its audit bit on and is therefore enabled for auditing by running the hadoop mfs -ls command. The output of the command might look like this:

drwxrwxrwx Z U U 3 root root 100 2015-05-20 21:09 192473738 /dir1

The second U indicates that auditing is not enabled on the directory.

However, an A in place of that U indicates that auditing is enabled on the directory:

drwxrwxrwx Z U A 3 root root 100 2015-05-20 23:41 192473738 /dir1

In the first diagram, as well as in the next two diagrams, U indicates that the audit bit is turned off for a filesystem object and A indicates that the audit bit is on for that object. After you run maprcli volume audit on the volume, none of the audit bits are on:

/              U
-/dir1          U
 -file1         U
 -file2         U
-/dir2          U

Suppose you enable auditing on the root directory by running this command:

hadoop mfs -setaudit on /

Then, you create the file file3 in dir2 and you create the directory dir3 and the file file4 in it. The tree diagram now looks like this:

/           A
-/dir1          U
 -file1         U
 -file2         U
-/dir2          U
 -file3         U
-/dir3          A
 -file4         A

The audit bit is still U on dir1, the files in dir1, and dir2. The new file file3 in dir2 inherits the audit bit from dir2.

dir3 inherits the audit bit from the root folder, so the audit bit for dir3 is A. Moreover, file4 inherits the audit bit from dir3, so its audit bit is A, as well.

Next, you run this command to enable auditing in dir1:

hadoop mfs -setaudit on /dir1

Then, you create the file file5. The new file inherits the audit bit from its parent folder, so it is enabled for auditing immediately upon being created. However, file1 and file2 still have the audit bit turned off.

/         A
-/dir1          A
 -file1         U
 -file2         U
 -file5         A
-/dir2          U
 -file3         U
-/dir3          A
 -file4         A

Because file1 and file2 existed before you turned on the audit bit for their parent folder, you need to enable auditing for them like this:

hadoop mfs -setaudit on /dir1/file1

hadoop mfs -setaudit on /dir1/file2