fintanr's weblog

    20040629 Tuesday June 29, 2004

    dtrace new features and schedule

    Adam Leventhal has announced some nice new additions to dtrace, along with a rough idea of when you may see them in Solaris Express. There are lots of nice new features, but my personal favourite for today is the new -c option. And combining it with -x, and -p, and, oh okay, I'll stop. Suffice it to say I won't be using truss on s10 again. You can view the dtrace Solaris Express schedule here.


    (2004-06-29 06:52:50.0) Permalink

    Giving a user privileges to run dtrace

    One of the litany of new features added to Solaris 10 (which, of course, you can download via the Solaris Express program) is a new fine-grained privilege model put in place by Casper Dik (blog).

    Privileges and all of their associated configuration are documented in the Security Services section of the S10 System Administration Guide. Personally I like to use privileges to let me run dtrace on my own stuff without having to su to root every time, so here's how you set this up.

    First off, let's say I don't have any privileges to run dtrace, and I try to execute it as myself on one of my own processes. In this case I want to take a look at what one of my other shells is doing.

            $ ps -fU fintanr | sed -e "/$$/d" | grep ksh
            UID   PID  PPID   C    STIME TTY         TIME CMD
            fintanr  8995  1310   0 12:19:06 pts/3       0:00 -ksh
            fintanr  8969  1439   0 12:13:26 pts/11      0:00 -ksh
            $  dtrace -n 'pid8995:libc.so.1::entry' 
            dtrace: failed to initialize dtrace: DTrace requires additional privileges
    

    And so it fails. Now, while this is nice and prevents people messing around with dtrace, let's say you're a sysadmin and you have provided a Solaris Express box for your local developers to play with, but being a sysadmin you don't want to give them the root password just so they can run dtrace (and, being developers, mess up your nicely configured machine by changing every available setting as well). In this case the username is fintanr, so I run:
            usermod -K defaultpriv=basic,dtrace_proc,dtrace_user fintanr
    

    This gives me access to my own processes in userland. I could also add dtrace_kernel to these privileges. So now I fire up dtrace on the same ksh process that I was looking at above.
            $ /usr/sbin/dtrace -n 'pid8995:libc.so.1::entry'
            dtrace: description 'pid8995:libc.so.1::entry' matched 2471 probes
            dtrace: buffer size lowered to 2m
            CPU     ID                    FUNCTION:NAME
            0  44225                    lseek64:entry 
            0  43686                       read:entry 
            0  43985              _save_nv_regs:entry 
            0  44119                      _read:entry 
            ..............
            
    

    And I can now take a look at what's going on. More info on the dtrace security model is available in the dtrace answerbook.
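    As an added example (not from the original post): usermod -K records the defaultpriv key in /etc/user_attr, so a sysadmin can audit from that file which users have been handed DTrace privileges. The user_attr entries below are constructed sample data and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of /etc/user_attr entries, the file usermod -K edits.
# Format: user:qualifier:res1:res2:attr, where attr is ';'-separated key=value pairs.
USER_ATTR_SAMPLE='fintanr::::type=normal;defaultpriv=basic,dtrace_proc,dtrace_user
devuser::::type=normal;defaultpriv=basic,dtrace_proc,dtrace_user,dtrace_kernel
plainuser::::type=normal
root::::auths=solaris.*;profiles=All;lock_after_retries=no'

# Print the comma-separated defaultpriv value for user $1 from user_attr text $2.
# Empty output means no explicit grant (the user inherits the policy default).
user_defaultpriv() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        $1 == u {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^defaultpriv=/) {
                    sub(/^defaultpriv=/, "", kv[i]); print kv[i]
                }
        }'
}

# Return 0 if user $1 holds privilege $2 in defaultpriv, per user_attr text $3.
has_priv() {
    privs=$(user_defaultpriv "$1" "$3")
    case ",$privs," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Classify what user $1 may trace: "kernel" (dtrace_kernel granted),
# "user" (dtrace_proc and dtrace_user, the grant from the post) or "none".
dtrace_level() {
    if has_priv "$1" dtrace_kernel "$2"; then
        echo kernel
    elif has_priv "$1" dtrace_proc "$2" && has_priv "$1" dtrace_user "$2"; then
        echo user
    else
        echo none
    fi
}

# Audit every entry: one "user level" line per user, for review or alerting.
audit_dtrace_privs() {
    printf '%s\n' "$1" | cut -d: -f1 | while read -r u; do
        printf '%s %s\n' "$u" "$(dtrace_level "$u" "$1")"
    done
}

audit_dtrace_privs "$USER_ATTR_SAMPLE"
```

    Only explicit defaultpriv grants are reported, so "none" means no grant in user_attr rather than no ability: root, and any user whose defaultpriv is set elsewhere in the policy, is not covered by this check.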
    (2004-06-29 05:16:37.0) Permalink

    20040624 Thursday June 24, 2004

    bart - basic audit reporting tool

    bart is a new tool that's arrived in Solaris 10; if you haven't downloaded Solaris Express yet, you can get it here. I have a short example below, but the bart answerbook gives a nice introduction to the tool.

    So what's bart? Very simply, it performs file-level checks of the software contents of a system and lets you compare the result against a previous snapshot.

    # bart
    Usage:
            bart create [-n] [-R root] [-r rules|-]
            bart create [-n] [-R root] [-I | -I filelist]
            bart compare [-r rules|-] [-i keywords] [-p] control-manifest test-manifest
    

    Let's say I want to make sure nothing is mucking around with some .gz archives that I've stored in a directory called scratch, but I'm only interested in permissions, not the contents of the archives (I know, not a really clever idea, but it serves as an example). I create a bart rules file called my_bart_rules which contains the following:

            /home/fintanr/scratch *.gz
            CHECK all
            IGNORE contents
    

    I then call bart using the -r option:

            bart create -r my_bart_rules > ~/mylocal/bman/scratch_gz.manifest.`date '+%m_%d_%y_%H'`
    

    Thankfully we don't need to go parsing this file; we can just use bart to check for any changes instead. So let's say the permissions on one file have been changed: we generate a new manifest and then compare it against the original.

            chmod a-w ~/scratch/wget*gz
            bart create -r my_bart_rules > /tmp/demo.manifest
            bart compare -r my_bart_rules ~/mylocal/bman/scratch_gz.manifest.06_24_04_14 /tmp/demo.manifest
    
    and up pops:
    /home/fintanr/scratch/wget-1.7-sol8-sparc-local.gz:
      mode  control:100644  test:100444
      acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::r--,group::r--,mask:r--,other:r--
    

    Nice and simple. What's really nice is that bart automatically ignores all the annoying files that can't be checksummed (e.g. FIFOs) as well.
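    An added example (not the author's code) that turns a bart compare report like the one above into something a check script can act on: it flattens the indented output into one line per changed attribute, counts the affected files and flags any whose new mode is writable by everyone. The sample report is constructed (the first file is the one from the post, the second and its values are made up), and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of 'bart compare' output in the layout shown above:
# an unindented path ending in ':' followed by indented "attr control:X test:Y" lines.
BART_REPORT_SAMPLE='/home/fintanr/scratch/wget-1.7-sol8-sparc-local.gz:
  mode  control:100644  test:100444
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::r--,group::r--,mask:r--,other:r--
/home/fintanr/scratch/gzip-1.3.3-sol8-sparc-local.gz:
  mode  control:100644  test:100666
  mtime  control:40d9a1c2  test:40dad9e4'

# Flatten a report into one "path attribute control test" line per changed attribute
# (assumes paths contain no spaces, as in the example above).
flatten_bart_report() {
    printf '%s\n' "$1" | awk '
        /^[^ ].*:$/ { path = substr($0, 1, length($0) - 1); next }
        NF == 3 && $2 ~ /^control:/ && $3 ~ /^test:/ {
            sub(/^control:/, "", $2); sub(/^test:/, "", $3)
            print path, $1, $2, $3
        }'
}

# Number of distinct files with at least one changed attribute.
changed_file_count() {
    flatten_bart_report "$1" | awk '!($1 in seen) { seen[$1] = 1; n++ } END { print n + 0 }'
}

# Files whose new (test) mode grants write to "other", the change a sysadmin
# most wants flagged: the last octal digit carries the other-write bit (2).
world_writable_after() {
    flatten_bart_report "$1" | awk '$2 == "mode" && $4 ~ /[2367]$/ { print $1 }'
}

# Wrapper for the workflow in the post: snapshot, compare against the baseline
# manifest, report. Not executed here since it needs bart and a control manifest.
bart_check() {   # $1 = rules file, $2 = control manifest; exit 1 when anything changed
    tmp=$(mktemp) || return 2
    bart create -r "$1" > "$tmp" || { rm -f "$tmp"; return 2; }
    report=$(bart compare -r "$1" "$2" "$tmp")
    rm -f "$tmp"
    [ -z "$report" ] && return 0
    flatten_bart_report "$report"
    return 1
}
```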
    (2004-06-24 06:30:52.0) Permalink Comments [3]

    20040620 Sunday June 20, 2004

    Music on a Sunday...

    So I'm in work on a Sunday finishing up some things and, as normal, listening to music. Today's choices: Sonic Youth's Daydream Nation and the Yeah Yeah Yeahs' YYY. Seems like a bit of a New York buzz today. Either way, both are highly recommended as a way to get through a Sunday when you're working.
    (2004-06-20 05:27:40.0) Permalink

    20040618 Friday June 18, 2004

    Disabling Sendmail

    A common comment that comes up when talking to friends and acquaintances who admin Solaris is that sendmail keeps getting re-enabled when they install patches. Obviously annoying, particularly when they are not using JASS to control their upgrades (personally I'd recommend just downloading JASS and using it, but it's not always possible).

    The standard mechanism that people use is to move /etc/rc2.d/S88sendmail to another name, but when you repatch your box this file will be recreated. What you need to do instead is create the file /etc/default/sendmail and put in an entry of

    MODE=
    

    Nice and easy, but like I mentioned, JASS will do this for you. (Did I mention JASS often enough ;) ).
    (2004-06-18 10:35:15.0) Permalink Comments [2]

    Beijing

    So I've arrived back in Ireland after spending 10 days at the Sun office in Beijing. Interesting place, very different to what I expected. So outside of the work stuff we felt that we had to do the standard tourist trip to the great wall, amazing, if tiring. Thankfully Ed has written all the details up here already.
    (2004-06-18 09:09:48.0) Permalink

    20040615 Tuesday June 15, 2004

    ping ....

    Hmmm, so first blog entry and such things. Well, let's see: I'm a software engineer working for Sun in Dublin, Ireland. I currently work in Solaris Performance, which is kinda nice, as you get to play with new technology all the time and work with a bunch of very cool people. I've been working for Sun for about five years altogether, four in this stint and one as a contractor back in '99. I've had the joys of working in Oracle, a random (and, surprise surprise, defunct) startup and a bit of contracting here and there as well.

    Like a bunch of other people in Sun my favourite toy of the year (and probably the rest of my working life) is dtrace. If you haven't tried dtrace yet, download Solaris Express and take a look.


    (2004-06-15 02:45:14.0) Permalink