Default HDFS Audit Filters

The following JSON includes the recommended default HDFS audit filters. If the audit filters here do not match what you see in the Cloudera Manager HDFS configuration, it is likely that these defaults were not applied when Cloudera Manager was upgraded to the latest release because they would overwrite customizations made in previous releases.

See Default and Recommended Audit Filters for explanations of the filters and how to customize them.

{
  "comment" : [
    "The default HDFS audit event filter accepts all denied access, delete ",
    "and rename events, and discards events that affects files in any of the ",
    "staging directories (Hive, Spark, Impala), events that affect files in /tmp ",
    "directory, events that affect files in Cloudera Hive Canary directory, ",
    "events generated by the internal Cloudera and Hadoop users (cloudera-scm, ",
    "dr.who, hbase, hive, impala, mapred, solr, and spark), and 'ls' actions ",
    "performed by the hdfs user. "
  ],
  "defaultAction" : "accept",
  "rules" : [
    {
      "action" : "accept",
      "fields" : [
        {
          "name" : "allowed",
          "match" : "(?:false)"
        }
      ]
    },
    {
      "action" : "discard",
      "fields" : [
        { "name" : "src", "match" : "(?:.*/\\.hive-staging($|.*)?|.*/\\.staging($|/.*)?|.*/\\.sparkStaging($|/.*)?|.*/_impala_insert_staging($|/.*)?|/user/history/done_intermediate(?:/.*)?|/user/spark/spark2ApplicationHistory($|/.*)|/user/spark/applicationHistory($|/.*)|/user/hue/\\.cloudera_manager_hive_metastore_canary(?:/.*)?|/user/hue/\\.Trash/Current/user/hue/\\.cloudera_manager_hive_metastore_canary(?:/.*)?|/tmp(?:/.*)?)" }
      ]
    },
    {
      "action" : "accept",
      "fields" : [
        {
          "name" : "operation",
          "match" : "delete|rename.*"
        }
      ]
    },
    {
      "action" : "discard",
      "fields" : [
        {
          "name" : "username",
          "match" : "(?:cloudera-scm|dr.who|hbase|hive|impala|mapred|solr|spark)(?:/.+)?"
        }
      ]
    },
    {
      "action" : "discard",
      "fields" : [
        {
          "name" : "username",
          "match" : "(?:hdfs)(?:/.+)?"
        },
        {
          "name" : "operation",
          "match" : "(?:listStatus|listCachePools|listCacheDirectives|getfileinfo)"
        }
      ]
    },
    {
      "action" : "accept",
      "fields" : [
        {
          "name" : "operation",
          "match" : "(?:getfileinfo)"
        }
      ]
    }
  ]
}
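
To see what the rule order above means for individual events, the following added example (not Cloudera's code) runs the rules over constructed sample events. It assumes that rules are tried in order, that every field in a rule must fully match its regular expression, and that the first matching rule decides; the event values and the `evaluate` and `run_samples` helpers are hypothetical.

```python
import re

# Rules transcribed from the JSON above (regexes shown after JSON unescaping).
DEFAULT_ACTION = "accept"
RULES = [
    ("accept", {"allowed": r"(?:false)"}),
    ("discard", {"src": r"(?:.*/\.hive-staging($|.*)?|.*/\.staging($|/.*)?|.*/\.sparkStaging($|/.*)?|.*/_impala_insert_staging($|/.*)?|/user/history/done_intermediate(?:/.*)?|/user/spark/spark2ApplicationHistory($|/.*)|/user/spark/applicationHistory($|/.*)|/user/hue/\.cloudera_manager_hive_metastore_canary(?:/.*)?|/user/hue/\.Trash/Current/user/hue/\.cloudera_manager_hive_metastore_canary(?:/.*)?|/tmp(?:/.*)?)"}),
    ("accept", {"operation": r"delete|rename.*"}),
    ("discard", {"username": r"(?:cloudera-scm|dr.who|hbase|hive|impala|mapred|solr|spark)(?:/.+)?"}),
    ("discard", {"username": r"(?:hdfs)(?:/.+)?",
                 "operation": r"(?:listStatus|listCachePools|listCacheDirectives|getfileinfo)"}),
    ("accept", {"operation": r"(?:getfileinfo)"}),
]

def evaluate(event):
    """Return (action, rule_number); rule_number is None if defaultAction applied.

    Assumed semantics: rules are tried in order, every field in a rule must
    fully match its regex, and the first matching rule decides.
    """
    for number, (action, fields) in enumerate(RULES, start=1):
        if all(re.fullmatch(rx, str(event.get(name, ""))) for name, rx in fields.items()):
            return action, number
    return DEFAULT_ACTION, None

# Constructed sample events (not taken from a real audit log).
SAMPLES = [
    # Denied access is kept even under /tmp: rule 1 runs before the path discard.
    {"username": "alice", "operation": "open", "src": "/tmp/x", "allowed": "false"},
    # An allowed delete under /tmp is dropped: rule 2 runs before the delete rule.
    {"username": "alice", "operation": "delete", "src": "/tmp/scratch/out.csv", "allowed": "true"},
    # A delete by a service user is kept: rule 3 runs before the user discard.
    {"username": "hive", "operation": "delete", "src": "/warehouse/sales/part-0", "allowed": "true"},
    {"username": "hive/node1.example.com", "operation": "open", "src": "/warehouse/sales/part-0", "allowed": "true"},
    {"username": "hdfs", "operation": "listStatus", "src": "/data", "allowed": "true"},
    {"username": "alice", "operation": "getfileinfo", "src": "/data/f", "allowed": "true"},
    # No rule matches, so defaultAction applies.
    {"username": "alice", "operation": "open", "src": "/data/f", "allowed": "true"},
]

def run_samples():
    return [evaluate(event) for event in SAMPLES]

if __name__ == "__main__":
    for event, (action, rule) in zip(SAMPLES, run_samples()):
        print(f"{action:8} rule={rule} {event}")
```

Under these assumptions, allowed deletes and renames inside `/tmp` and the staging directories are not audited, which is worth checking against your retention requirements before keeping the defaults.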