Created attachment 156238 [details] add /var/audit dataset to usr.sbin/bsdinstall/scripts/zfsboot config usr.sbin/bsdinstall/scripts/zfsboot currently creates datasets for /var/log but not /var/audit. While anyone using auditing would likely make adjustments, the default could be better. There's no good reason to potentially lose audit logs by keeping them as part of the boot environment instead of on a dedicated dataset. Additionally, treating logs under /var/log different than audit logs under /var/audit is not an intuitive default configuration. Attached patch enables configuring /var/audit by default. Other Implementation References: PCBSD creates /var/audit by default with just compression, which is already enabled at the pool level on FreeBSD since r266108 on HEAD and r267056 on stable/10. https://github.com/pcbsd/pcbsd/commit/b1a3938d275d5c283e0fdd2f5a5c1eafe94ea55f Oracle Solaris 11 does things differently with a symlink of /var/audit to /var/share/audit to accomplish the same goal of keeping audit logs outside of the boot environment: https://docs.oracle.com/cd/E26502_01/html/E21383/glyzj.html
CC allanjude@, as r272274 has been including /var/audit in the boot environment root dataset since that commit. This addresses it for the reasons mentioned in the PR above and this feels like a trivial commit could address it before 10.2-RELEASE.
The fix for this is pending review: https://reviews.freebsd.org/D2861
A commit references this bug: Author: allanjude Date: Tue Jul 14 19:38:27 UTC 2015 New revision: 285553 URL: https://svnweb.freebsd.org/changeset/base/285553 Log: Have bsdinstall's zfsboot script make /var/audit its own dataset, so it is not part of the OS boot environment PR: 199864 Submitted by: Jason Unovitch Approved by: brueffer MFC after: 3 days Relnotes: yes Differential Revision: https://reviews.freebsd.org/D2861 Changes: head/usr.sbin/bsdinstall/scripts/zfsboot
Thanks Allan! Good call on the exec=off,setuid=off; I followed PCBSD precedence but those options are certainly for the best. Hope you didn't mind the gentle prodding to track down a committer since I didn't want this missed for 10.2-RELEASE.
A commit references this bug: Author: allanjude Date: Mon Jul 20 16:17:44 UTC 2015 New revision: 285721 URL: https://svnweb.freebsd.org/changeset/base/285721 Log: MFC: r285482 A variable was misspelled resulting in chmod executing on the installer instead of on the target chroot PR: 191402 MFC: r285553 make /var/audit its own dataset so it is not part of the OS boot environment PR: 199864 MFC: r285554 Set a mountpoint on the root of the pool so user-created datasets have a mountpoint to inherit MFC: r285557 Make bsdinstall's zfsboot script align partitions to 4k/1m when the user requests it PR: 195174 Approved by: re (gjb), brueffer Relnotes: yes Sponsored by: ScaleEngine Inc. Changes: _U stable/10/ stable/10/usr.sbin/bsdinstall/scripts/zfsboot