Darren J Moffat wrote:
Scott Rotondo wrote:
Joseph Kowalski wrote:
This is just a request for elaboration/education. I find reason #1
compelling ehough to accept your answer, but I really don't understand
reason #2. Why wouldn't the Solaris audit facility be correct here?
The Solaris audit facility will record a command execution as soon as
the program terminates. If some of the ZFS commands of interest cause
asynchronous actions, you don't know if the action really completed or
not.
Or maybe not at all depending on the audit mask of the process. Which
depends on how and when it was started and the contents of
/etc/security/audit_control and the audit_user(4) database from the
nameservice. It also by default doesn't have the arguments logged which
means that you won't know which pool was impacted (yes you can turn that
on and IMO it should be the default but it isn't).
Yes, that's a special case of my reason #3 - (sufficient) auditing may
not be enabled.
Scott
_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
