Random ramblings of a paranoid git
"The question is not if you are paranoid, it is if you are paranoid enough."


20060212 Sunday February 12, 2006
Silent enough
Permalink | Comments [2] | 2006-02-12 01:23

Now that I am in California I dropped by Bill Moore's office to take a look at the new Sun Ultra 40.

It wasn't completely silent, but silent enough for me to put in my home office. As soon as I get back to Sweden I will probably buy one so I get a decent home system to work on.

Bill mentioned that I'd have to jump through some hoops to get the last 4 disk slots working, as the system doesn't come with the back plane and the cabling, but having lots of friends on the support side of things I should be able to find the right part number. That'll allow me to make it into a 4 TB server!

   
 
   
20060201 Wednesday February 01, 2006
My next workstation
Permalink | Comments [1] | 2006-02-01 14:19

Finally!

This is my next desktop! I've been waiting a looooong time for the Sun Ultra 40 to be released. It'll make a nice 2 CPU workstation (each CPU can have two cores) producing only 5.1 Bels of noise.

It holds 4 internal disks, but I've seen in the engineering specs that there is room for 4 more disks. I just have to buy an extra SATA IO card.

When I get to the Menlo Park campus next week, I'll track down someone who has one so I can hear for myself how quiet it is.

How to determine if there are audit records in a crash dump
Permalink | | 2006-02-01 14:04

How do you know if there are audit records in a kernel crash dump? If your system panics and you want to be sure the audit trail is complete, you have to analyze the crash dump and see whether any records were still sitting in the kernel's audit queue, not yet written to the trail, at the time of the panic.

There is no Solaris command that will show you this, but you can work it out with mdb.

First read the zone_key_t under which the audit subsystem registers its per-zone data (au_zone_key). Use that key to fetch the global zone's audit kernel context (struct au_kcontext) from zone0's zone-specific data, and look at the cnt member of auk_queue: that is the number of records still queued.

# mdb -k unix.0 vmcore.0
Loading modules: [ unix krtld genunix specfs ufs ip sctp usba fctl
lofs audiosup nfs random crypto ptm ]
> au_zone_key::print zone_key_t
0x4
> zone0::zsd 0x4 | ::print 'struct au_kcontext'
{
    auk_valid = 0x5a5a5a5a
    auk_zid = 0
    auk_hostaddr_valid = 1 (B_TRUE)
    auk_sequence = 0
    auk_auditstate = 0x1
    auk_output_active = 0
    auk_current_vp = 0
    auk_policy = 0x2001
    auk_queue = {
        head = 0xffffffff80a3eee0
        tail = 0xffffffff80a3ed18
        cnt = 0x2
        hiwater = 0x64
        lowater = 0xa
        bufsz = 0x2000
        buflen = 0x2000
        delay = 0x14
        wt_block = 0
        rd_block = 0
        lock = {
            _opaque = [ 0 ]
        }
        write_cv = {
            _opaque = 0
        }
        read_cv = {
            _opaque = 0
        }
    }
    auk_buffer = 0xffffffff80999080
    auk_dbuffer = 0xffffffff80999000
    auk_statistics = {
        as_version = 0x2
        as_numevent = 0x200
        as_generated = 0xd
        as_nonattrib = 0x1
        as_kernel = 0xa
        as_audit = 0x2
        as_auditctl = 0
        as_enqueue = 0xd
        as_written = 0xb
        as_wblocked = 0
        as_rblocked = 0xd
        as_dropped = 0
        as_totalsize = 0x644
        as_memused = 0
    }
    auk_info = {
        ai_auid = 0xfffffffe
        ai_mask = {
            am_success = 0x1000
            am_failure = 0x1000
        }
        ai_termid = {
            at_port = 0
            at_type = 0x4
            at_addr = [ 0x8087a8c0, 0, 0, 0 ]
        }
        ai_asid = 0
    }
    auk_eagain_mutex = {
        _opaque = [ 0 ]
    }
    auk_eagain_cv = {
        _opaque = 0
    }
    auk_fstat_lock = {
        _opaque = [ 0 ]
    }
    auk_file_stat = {
        af_filesz = 0
        af_currsz = 0
    }
    auk_taskq = 0xffffffff808c77a8
    auk_svc_lock = {
        _opaque = [ 0 ]
    }
    auk_svc_busy = 0
    auk_ets = [ 0, 0x100000, 0x100000, 0, 0x10, 0x10, 0x20, 0x40100000, 0x200000
, 0x10, 0x8, 0x8, 0x20000, 0, 0x4, 0x200000, 0x4, 0x4, 0x20000, 0, 0, 0x10, 0x1,
 0x40100000, 0x200000, 0x100000, 0x200000, 0x200000, 0, 0, 0x8, 0, ... ]
}

That is a lot of output to wade through for one number. Instead, compute the offset of the auk_queue member within struct au_kcontext, and then the offset of cnt within struct audit_queue.

> ::offsetof 'struct au_kcontext' auk_queue
offsetof (struct au_kcontext, auk_queue) = 0x28
> ::offsetof 'struct audit_queue' cnt
offsetof (struct audit_queue, cnt) = 0x10

Now add the two offsets (0x28 + 0x10 = 0x38) to the address of the zone's audit context and print cnt directly. Note that these offsets depend on the kernel build and architecture, so compute them with ::offsetof against the dump's own unix.0 rather than reusing 0x38 from this example.

> zone0::zsd 0x4
ffffffff80b09b00
> ffffffff80b09b00+0x38::print ssize_t
0x2

So two audit records were still enqueued in the kernel when the system panicked. They exist only in the crash dump, and you need to fetch them from there to have a complete audit trail.

I'll show how to do this in a follow up blog.
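Reading cnt by eye works for one dump, but if you check dumps regularly it is worth scripting. The following is an added example, not code from the original post: it takes the output of the same mdb commands the post types by hand, parses the '::print' brace output into a dictionary, and reports the queued count together with a cross-check against auk_statistics. The cross-check (records enqueued minus written minus dropped should equal what is still queued; it does in the dump above, 0xd - 0xb - 0 = 0x2) is my assumption about the counters, not something the post states, so a mismatch is only reported. The function names, the script name audit_queue.py and the abridged sample output are constructed for this example; the struct and field names are the ones in the dump shown above.

```python
"""Report audit records still queued in a Solaris crash dump, from mdb output.

Added example, not part of the original post. Function names are this
script's own; struct and field names match the dump shown in the post.
"""
import re
import sys

# Constructed sample in the shape of "zone0::zsd 0x4 | ::print 'struct au_kcontext'",
# abridged to the fields used here, with the values from the post's dump.
SAMPLE_PRINT = """\
Loading modules: [ unix krtld genunix specfs ufs ip sctp usba fctl ]
{
    auk_valid = 0x5a5a5a5a
    auk_zid = 0
    auk_hostaddr_valid = 1 (B_TRUE)
    auk_queue = {
        head = 0xffffffff80a3eee0
        tail = 0xffffffff80a3ed18
        cnt = 0x2
        hiwater = 0x64
        lowater = 0xa
        lock = {
            _opaque = [ 0 ]
        }
        write_cv = {
            _opaque = 0

        }
    }
    auk_statistics = {
        as_version = 0x2
        as_generated = 0xd
        as_enqueue = 0xd
        as_written = 0xb
        as_dropped = 0
    }
    auk_ets = [ 0, 0x100000, 0x100000, 0, 0x10, 0x10, 0x20, 0x40100000, 0x200000
, 0x10, 0x8, 0x8, 0x20000, 0, 0x4, 0x200000, 0x4, 0x4, 0x20000, 0, 0, 0x10, 0x1,
 0x40100000, 0x200000, 0x100000, 0x200000, 0x200000, 0, 0, 0x8, 0, ... ]
}
"""

_ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.*)$")
_OFFSETOF = re.compile(r"offsetof \(struct \w+, \w+\) = (0x[0-9a-fA-F]+)")


def _scalar(val):
    """'0x2' -> 2, '1 (B_TRUE)' -> 1; arrays such as '[ 0 ]' stay strings."""
    tok = val.split()[0] if val else val
    try:
        return int(tok, 0)
    except ValueError:
        return val


def parse_print(text):
    """Turn mdb '::print' brace output into nested dicts.

    Anything that is not 'name = value', '{' or '}' (the 'Loading modules'
    banner, continuation lines of long arrays, blank lines) is ignored, so
    the raw session output can be piped in unchanged.
    """
    root, stack, cur = {}, [], {}
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if line == "{":
            continue
        if line.startswith("}"):
            cur = stack.pop() if stack else root
            continue
        m = _ASSIGN.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if val == "{":                      # start of a nested struct
            child = {}
            cur[key] = child
            stack.append(cur)
            cur = child
        else:
            cur[key] = _scalar(val)
    return root


def audit_queue_report(kctx):
    """Queued records from auk_queue.cnt, cross-checked against auk_statistics.

    Assumption: enqueued - written - dropped == still queued (true in the
    post's dump). A mismatch is flagged, not treated as an error.
    """
    q, st = kctx["auk_queue"], kctx["auk_statistics"]
    expected = st["as_enqueue"] - st["as_written"] - st["as_dropped"]
    return {"queued": q["cnt"], "enqueued": st["as_enqueue"],
            "written": st["as_written"], "dropped": st["as_dropped"],
            "consistent": q["cnt"] == expected}


def cnt_expr(zsd_ptr_hex, offsetof_output):
    """Build the shortcut the post derives by hand: sum the '::offsetof'
    results onto the ZSD pointer and print cnt directly."""
    total = sum(int(h, 16) for h in _OFFSETOF.findall(offsetof_output))
    return "%x::print ssize_t" % (int(zsd_ptr_hex, 16) + total)


if __name__ == "__main__":
    # Usage (key 0x4 is from 'au_zone_key::print zone_key_t' on that dump):
    #   echo "zone0::zsd 0x4 | ::print 'struct au_kcontext'" \
    #       | mdb -k unix.0 vmcore.0 | python3 audit_queue.py
    text = SAMPLE_PRINT if sys.stdin.isatty() else sys.stdin.read()
    rep = audit_queue_report(parse_print(text))
    print("queued=%(queued)d enqueued=%(enqueued)d written=%(written)d "
          "dropped=%(dropped)d consistent=%(consistent)s" % rep)
    sys.exit(1 if rep["queued"] else 0)   # non-zero: trail is incomplete
```

The exit status makes the check usable from a post-panic script: a non-zero status means records still have to be recovered from the dump before the audit trail can be considered complete. cnt_expr() reproduces the 0x38 shortcut, but from offsets read off the dump being analysed, so it stays correct across kernel builds.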
