[ I'll leave the rest to Seb ;-) ]

> > Right, but I'm not comfortable enough with how auditing actually works
> > to authoritatively state that the new sub-commands will be audited or
> > not. Renaming objects is explicitly something that the auditing guide
> > states must be audited, so I'm a bit uncomfortable answering "No" to the
> > question without understanding why that's a good answer.
> >
> But creating the object is not audited, I don't see why rename-link is
> special.

I believe all dladm operations will be audited automatically via pfexec, which will record the command line.

> It looks like auditing should be recording security-relevant events. Does dladm
> belong to this category?

Eric Cheng and I have been discussing this with Gary Winiger in the context of WiFi, and the consensus seems to be that the auditing mentioned above is sufficient, along with explicit audit events for any failed or successful authorization checks (e.g., via chkauthattr()).

--
meem
