On Mon, May 22, 2006 at 04:47:07PM +0100, Darren J Moffat wrote:
> Now if what you really mean is snapshot on file closure I think you
> might well be on to something useful. What's more, NTFS has some cool
> stuff in this area for consolidating identical files. The hooks that
> would need to be put into ZFS to do snapshot on file close could be used
> for other things like single instance storage (though isn't that the
> opposite of ditto blocks on user data, hmm, what's the opposite of ditto :-)).

Hmmm, maybe not on close, but on open(2) with O_W*.

But anyways, you're not going to capture *only the* event that you will *later* be interested in when that event is indistinguishable from millions of others like it a priori -- you either have to capture all of them and related attributes (a huge mountain of hay) or capture summary event information (a smaller mountain of hay). BSM auditing does the latter.

If you *really* wanted the former I'd suggest not so much that every write(2), open(2) for write, or close(2), or ZFS transaction should lead to a snapshot, but that every transaction be streamed onto backup media. Then you could reconstruct the state of your file systems as it would have been on-disk, at any given time. ZFS doesn't provide this functionality now, and you'd need backup media proportional to the rate of change of your data (potentially a DoS by an attacker who's trying to hide their tracks). Is this desirable functionality?

In any case, if your goal is to make recovery from damage from insider attacks quick, that's a worthy goal, and I commend you for noticing [implicitly] that you can't stop insiders from trying. Unfortunately rolling back your filesystems wouldn't be enough as you'd be potentially losing legitimate data. Recovery can be made easier, but you can't guarantee trivial recovery from attack. The best you can do is to make the system auditable, so that you can track down insiders gone bad, and so deter them.

Nico