Hardware woes and security scripts
I have to make a confession. I am totally and utterly useless when it comes to messing around with hardware in any shape or form. Yesterday I wanted to stick a couple of fully populated SSA storage arrays onto an E3000 to do some playing with the ZFS filesystem (Yeah, I know this is real old kit but it's all I got...). What should have been an hour job max turned into nearly 6 hours! Sure, support for the SSAs has been removed in Solaris 10 but that's easily remedied by bringing across the soc and pln modules from Solaris 9. Sure, one of my GBICs turned out to be deceased. Sure, the E3000 I'm using has got one dent too many but COME ON - 6 hours!! It's all working fine now but these experiences always serve to reinforce the fact that I shouldn't stray too far from a keyboard!
I quite often get random requests for DTrace scripts from various people and recently I got passed a list of 10 or so from a colleague of mine in the security field. I thoroughly believe that DTrace is the answer to most of your questions, even in the strange world of security.
As an example, the following script will tell you when a setid executable is executed by a user not in a given group (it shows which file has been executed and by whom):
#!/usr/sbin/dtrace -s
#pragma D option quiet

/* Flag in execsetid()'s return value: the exec changed uid and/or gid. */
inline int PRIV_SETUGID = 0x04;

/* Remember the path of the file being exec'd on this thread. */
execsetid:entry
{
	self->file = stringof(args[0]->v_path);
}

/*
 * $1 is the trusted gid given on the command line. Only the process's
 * real and effective gid are compared; supplementary groups are not checked.
 */
execsetid:return
/ (self->file != NULL) && (args[1] & PRIV_SETUGID) &&
  (curpsinfo->pr_gid != $1 || curpsinfo->pr_egid != $1) /
{
	printf("setuid/setgid file %s executed by uid %d\n", self->file,
	    curpsinfo->pr_uid);
	self->file = 0;
}
# ./group.d 14
setuid/setgid file /usr/bin/su executed by uid 0
setuid/setgid file /usr/sbin/../lib/fs/ufs/quota executed by uid 30079
setuid/setgid file /usr/bin/mail executed by uid 30079
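As an added example (not from the original post), here is the same check extended for longer-running monitoring: each hit is stamped with time, pid and ppid, the thread-local variable is cleared on every return so entries that fail the predicate do not linger, and a per-file, per-uid count is printed when the script is stopped. It assumes the same execsetid argument layout and the PRIV_SETUGID value used in the script above.

```d
#!/usr/sbin/dtrace -s
/*
 * group_mon.d (added example): run as ./group_mon.d <trusted-gid>,
 * stop with Ctrl-C to get the summary.
 */
#pragma D option quiet

/* Same value as in the script above; assumed to match this kernel. */
inline int PRIV_SETUGID = 0x04;

dtrace:::BEGIN
{
	printf("watching setid execs by users outside gid %d\n", $1);
}

execsetid:entry
{
	self->file = stringof(args[0]->v_path);
}

/* Report and count an exec that gained privilege outside the trusted gid. */
execsetid:return
/ (self->file != NULL) && (args[1] & PRIV_SETUGID) &&
  (curpsinfo->pr_gid != $1 || curpsinfo->pr_egid != $1) /
{
	printf("%Y uid %d pid %d ppid %d %s\n", walltimestamp,
	    curpsinfo->pr_uid, pid, ppid, self->file);
	@hits[self->file, curpsinfo->pr_uid] = count();
}

/* Always release the thread-local, whether or not the clause above fired. */
execsetid:return
{
	self->file = 0;
}

dtrace:::END
{
	printf("\nsetid executions outside gid %d, by file and uid:\n", $1);
	printa("%-40s uid %-8d %@d\n", @hits);
}
```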
You gotta love the flexibility! You can do just about anything you want to do. Now, I'm off to fight with some Java that I'm brewing.