> How do you then audit a TRUNCATE performed by somebody else (who, for
> "political" reasons, has superuser access)? Such actions aren't limited to
> attacks - but may simply be the result of "I thought it was a good idea at
> the time". :-(
Easily enough, have the logs record the pid, connection startup,
timestamps, statement,etc. That should give everything required to track
down a unique user who performed random actions.