News is popping up that will interest those interested in the Sun/Oracle deal.

I’ve made peace with Jonathan Schwartz but those who haven’t will no doubt love to bash on his pay. The first data I’ve seen in a while comes fresh from the AP: Sun CEO’s pay package cut by a third in ’09. According to the article, his 2008FY compensation was $11.1 Million, and it looks like 2009FY will come in at only $7 Million, information which came from the Sun Proxy filing with the SEC on Wednesday. One thing I have always wondered is what his personal driver costs… apparently he is company provided and costs over $45,000 per year (figured by the $55,000 spend on both driver and 401K match).

So, hey, even guys who make millions of dollars per year try to max out their 401K…. what does that tell ya?

Based on the same proxy filings, El Reg reports yet more on the compensation front. They report that Scott McNealy owns approx 2.3% of Sun. They estimate that if he excercises 3.1M in options by the end of Dec his cut will be $164.5M. Going on, El Reg reports that Jonathan has almost 1.5M options and 592K shares… so he comes away with $19.8M.

The Reg also counts up the total number of layoffs in the past 12 months at 8,000 (I assume that includes the 3,000 currently being chopped).

We got some nice news from Oracle this week by way of a FAQ: Oracle and Sun Overview and FAQ (Dated October 27, 2009). My questions regarding X86 and Solaris were included:

 What are Oracle’s plans for Solaris?

Oracle plans to spend more money developing Solaris than Sun does now. The
industry leading capabilities of the Solaris operating system make it the leader
in performance, scalability, reliability, and security – all of which are core
requirements for our customers. Oracle plans to enhance our investment in
Solaris to push core technologies to the next level as quickly as possible. Today
there are more applications available on Solaris than any other operating system
in the world. In addition, the combination of Oracle and Sun engineering
teams in database and operating system open up a new set of opportunities
to create exciting innovations for customers with respect to performance,
operational efficiency, security, and cost of ownership.

 What are Oracle's plans for x86?

The extremely broad and volume use of x86 makes it an important
building block for servers as well as other parts of the combined Oracle
and Sun portfolio. We plan to continue to engineer server and appliance
products based on x86. In addition, x86 is of course a key element of both
Sun and Oracle's software portfolio, with Solaris and Oracle Enterprise
Linux as well as all of the software of both companies robustly sold and
supported in the x86 marketplace.

So this fits perfectly in line with what we’ve heard to date, namely that Solaris rules and X86 is a critical offering as part of other offerings.

Finally, the Financial Times is reporting that Russian Anti-Trust is making life rough and FT perhaps foolishly plays up the headline by asking “is the deal about to unravel?” Read it for yourself but I’m not jumping to any conclusions.

Will this never end? Despite Oracle’s pledged $9.50 per share, JAVA has dropped to $8.27 today, suggesting a lack of confidence. And I think most of us in the various communities have come to terms with the prospect of Oracle and are ready for things to get moving. There is a lot to suggest that Oracle is already calling the shots at Sun to various degrees, as we saw at Oracle OpenWorld recently. Besides that, at this point Sun is damaged beyond hope of repair… if this deal doesn’t close soon we’re all going to be in a world of hurt.

Lets get this deal done! Give the execs their money so they can retire and stop f***ing the company, and lets go kill IBM.

Little hobby electronics company SparkFun Electronics just got a cease-and-decist from SPARC International because “SparkFun” may be confused by consumers as being associated with the SPARC trademarks.

Come on guys…. lets be level headed. I think its a clever branding and they are in no way confused with SPARC processors or any of the companies that are members of SI.

Recently we talked about Solaris Auditing (BSM) in the Real World. Like BSM, Extended Accounting is a fantastic feature of Solaris that is utterly useless without tools. Solaris goes so far as giving you the capability but not so far as to hand you the rest of the solution on a silver platter. On one hand this means that the technology isn’t pigeon holed due to the capabilities of a single tool, but at the same time it creates a barrier to entry that causes many people to simply ignore it all together. So, yet again, let me provide a simple tool to fill some of that void.

In a previous post, Solaris Extended Accounting, I described Extended Accounting and provided two scripts to get you started, one was a PERL script to dump Extended Accounting (“exacct”) data files and the other was called “prettyproc” which output Proccess Accounting files in a more human friendly way. This post should be viewed as Part 2 of that post.

When & How to use Extended Accounting

The most basic explanation of Extended Accounting is this: a facility that records certain events upon completion for later analysis. Those certain events depend on which of the four accounting types we’re using. For processes, the cumulative data maintained by Solaris microstate accounting is written into a single record as process termination. For tasks, which are groups of processes within a single project, the same applies but recorded on each task termination rather than process. For (Crossbow) net, aggregate network utilization is written out on regular intervals (15 seconds). We’ll ignore IPQoS “flow” Accounting entirely for the time being.

So the first thing we should say is that Extended Accounting is not a monitoring facility. If you want to know how much CPU or Memory is being used at some given time you should rely upon Kstats or /proc statistics on a polling schedule.

What Extended Accounting is good for is reporting. Consider ‘net’ accounting; every 15 seconds a record is created for each data link (dladm show-link). You could easily create a report at some interval (hour, day, week, month?) for both total bytes/packets sent/recieved on each link or great a graph or perhaps most likely calculate 95th percentile on the links. Now, in this case of ‘net’ accounting you could also use an external system to poll the data remotely via SNMP or locally via kstats, but this might serve as a better “definiative” local record.

Proc accounting is fuzzy ground though. The best way I can explain process accounting is to imagine that every time you executed a command Solaris was secretly running “time(1M)” and then storing the output on your behalf.

benr@quadra Downloads$ time tar xfj flash_player_10_solaris_x86.tar.bz2 

real    0m0.763s
user    0m0.705s
sys     0m0.070s

This is, essentially, whats happening! Solaris maintains a lot of detail on what processes are doing (known as “microstate accounting”). Normally, when a process terminates that data is simply discarded, however if Process Extended Accounting is enabled its dumped out as a record! From this record we can see interesting stats such as when the process started, when it finished (real time), how long it spent cpu time in kernel-land (sys time), how long it spent cpu time in user-land (user time), how many context switches it made, how much swapping it did, what its average RSS memory usage was, etc, etc, etc.

But as wonderful as this is, I have to make it crystal clear that this data isn’t written out untill a process terminates! If MySQL runs for 4 months, it outputs a single record when it was finally shut down, and that record is the accumulation of that full 4 months of running!

Here is the exception. Proc and Task records can be “full” or “partial”. When a process/task terminates and creates a record, that’s a “full record”. However, using “wracct” we can force a process or task to create a “partial record”, which is essentially a way of saying “Just tell me what you’ve got so far!” The rub is that, in the proc case, that data is cumulative, so if you wanted to report on what a process has done in the last 24 hours you need to write a partial record every 24 hours and the find the difference between the partial record yesterday and partial record today. Talk about fun.

Now, besides all that, who actually bills users or reports usage based on total CPU time? Total context switches? This isn’t the 1970′s nor is this likely to be a Super Computer reporting computational time. In short, the data probably isn’t terribly useful as a basis for billing in this day and age without some creative thought.

So then lets think… what can we determine from the data. Based on CPU usage we could determine what the top 5 CPU consuming processes were. Based on average RSS usage we could determine what the top memory consumers were. So on and so forth. Interesting perhaps… but worth it?

Go back to what I said about running “time” on every command. This data could be of used for capacity planning or, with some intelligence, behavior monitoring. Are your users complaining about commands taking too long to run, but when you ask how long they give you a bogus number or simply shrug? Extended Accounting can tell you. Are batch jobs running at night but want a record of when they started and how resource hungry they were? Here is a way that doesn’t involve writing wrappers!

In short, Extended Accounting is a pretty lousy billing system on todays mulit-core systems, but it can provide useful historical statistics to questions that might be otherwise difficult to answer.

Practical Tools

The first tool I’ll provide you with is a PERL replacement for the Solaris included /usr/demo/libexacct/exdump.c: exdebug.pl. This tool offers the following advantages:

1. exdump.c hasn’t been updated for the new Crossbow provided ‘net’ accounting data; exdebug.pl is module agnostic and works with them all.
2. The output is just much cleaner and intuitive for exploring what ExAcct can do for you.
3. Its implemented in PERL making it easier to get in there and build something, rather than dealing with the libexacct learning curve in C. If nothing else you can quickly prototype and then re-implement in C.

Here is an example from an ‘net’ record:

benr@quadra exacct$ acctadm net
            Net accounting: active
       Net accounting file: /var/adm/exacct/net
     Tracked net resources: extended
   Untracked net resources: none
benr@quadra exacct$ pfexec ./exdebug.pl /var/adm/exacct/net | more
Creator:  SunOS
Hostname: quadra

---------------- OBJECT 0 -----------------------
Object is: EO_GROUP   -   Catalog: EXT_GROUP EXC_DEFAULT EXD_GROUP_NET_LINK_DESC
                Id: EXD_NET_DESC_NAME   Value: testzone0
                Id: EXD_NET_DESC_EHOST  Value:
                Id: EXD_NET_DESC_EDEST  Value:
                Id: EXD_NET_DESC_VLAN_TPID      Value: 0
                Id: EXD_NET_DESC_VLAN_TCI       Value: 0
                Id: EXD_NET_DESC_SAP    Value: 0
                Id: EXD_NET_DESC_PRIORITY       Value: 0
                Id: EXD_NET_DESC_BWLIMIT        Value: 0
                Id: EXD_NET_DESC_DEVNAME        Value: testzone0
                Id: EXD_NET_DESC_V4SADDR        Value: 0
                Id: EXD_NET_DESC_V4DADDR        Value: 0
                Id: EXD_NET_DESC_SPORT  Value: 0
                Id: EXD_NET_DESC_DPORT  Value: 0
                Id: EXD_NET_DESC_PROTOCOL       Value: 0
                Id: EXD_NET_DESC_DSFIELD        Value: 0
...
---------------- OBJECT 67 -----------------------
Object is: EO_GROUP   -   Catalog: EXT_GROUP EXC_DEFAULT EXD_GROUP_NET_LINK_STATS
                Id: EXD_NET_STATS_NAME  Value: e1000g1
                Id: EXD_NET_STATS_CURTIME       Value: 1256033841
                Id: EXD_NET_STATS_IBYTES        Value: 2411692067
                Id: EXD_NET_STATS_OBYTES        Value: 202604900
                Id: EXD_NET_STATS_IPKTS         Value: 2005669
                Id: EXD_NET_STATS_OPKTS         Value: 1265178
                Id: EXD_NET_STATS_IERRPKTS      Value: 0
                Id: EXD_NET_STATS_OERRPKTS      Value: 0
---------------- OBJECT 68 -----------------------
Object is: EO_GROUP   -   Catalog: EXT_GROUP EXC_DEFAULT EXD_GROUP_NET_FLOW_STATS
                Id: EXD_NET_STATS_NAME  Value: inbound_ssh
                Id: EXD_NET_STATS_CURTIME       Value: 1256033841
                Id: EXD_NET_STATS_IBYTES        Value: 93958770
                Id: EXD_NET_STATS_OBYTES        Value: 106077944
                Id: EXD_NET_STATS_IPKTS         Value: 238395
                Id: EXD_NET_STATS_OPKTS         Value: 321977
                Id: EXD_NET_STATS_IERRPKTS      Value: 0
                Id: EXD_NET_STATS_OERRPKTS      Value: 0
---------------- OBJECT 69 -----------------------
Object is: EO_GROUP   -   Catalog: EXT_GROUP EXC_DEFAULT EXD_GROUP_NET_LINK_STATS
                Id: EXD_NET_STATS_NAME  Value: testzone0
                Id: EXD_NET_STATS_CURTIME       Value: 1256033861
                Id: EXD_NET_STATS_IBYTES        Value: 4528169
                Id: EXD_NET_STATS_OBYTES        Value: 0
                Id: EXD_NET_STATS_IPKTS         Value: 64405
                Id: EXD_NET_STATS_OPKTS         Value: 0
                Id: EXD_NET_STATS_IERRPKTS      Value: 0
                Id: EXD_NET_STATS_OERRPKTS      Value: 0

In the above example you’ll see the variety of objects offered by the net accounting module, including link descriptions, link statistics (‘testzone0′ is a VNIC and ‘e1000g1′ is a physical interface), and flow statistics (inbound_ssh is a flowadm defined flow).

The second tool is exacctly, a human friendly Proc Extended Accounting dumper. It is also implemented in PERL and in fact was derived from the exdebug app above.

benr@quadra exacct$ acctadm proc
         Process accounting: active
    Process accounting file: /var/adm/exacct/proc
  Tracked process resources: extended
Untracked process resources: host
benr@quadra exacct$ pfexec ./exacctly /var/adm/exacct/proc | more
Creator:  SunOS
Hostname: quadra

      ZONE    UID    GID    PID                  CMD |   Real   User        Sys |               Start Date |    RSS AVG      RSS MAX     SysCalls      Swaps
 ----------------------------------------------------+--------------------------+--------------------------+--------------------------------------------------
    global      0      0   1922              acctadm |   0.07   0.00       0.01 | Tue Oct 20 03:10:01 2009 |        524 K      12904 K        450          0 | FULL
    global      0      0   1920                   sh |   0.07   0.00       0.00 | Tue Oct 20 03:10:01 2009 |       2036 K      12904 K        103          0 | FULL
    global     25     25   1924             sendmail |   0.10   0.01       0.01 | Tue Oct 20 03:10:01 2009 |       1912 K      12904 K        543          0 | FULL
    global      0      0   1927             sendmail |   0.01   0.00       0.01 | Tue Oct 20 03:10:01 2009 |       2288 K      13172 K        267          0 | FULL
    global      0      0   1923                 mail |   0.10   0.00       0.00 | Tue Oct 20 03:10:01 2009 |        504 K      12904 K        169          0 | FULL
    global      0      0   1921                   sh |   0.11   0.00       0.00 | Tue Oct 20 03:10:01 2009 |        920 K      12904 K        102          0 | FULL

The output is really wide, but everyone should have a big ol’ screen these days. Notice the depth of information here. For each terminated process we see the zone it was in, user and group, PID and command name itself (ExAcct doesn’t record arguments), then we see real/sys/user time in seconds (ExAcct actually has nanosecond granularity, so these are rounded numbers), the start time and other goodness. The last column reports whether the record is full or partial.

This tool is, in and of itself, useful for many administrators to start using Extended Accounting that might otherwise have ignored it. Even more so, I hope it sparks your interest and imagination as to the possibilities! Just think of all the ways to amaze your boss and fellow admins!

Data File Rotation

Like any log, don’t be lazy and forget to rotate those files or you’ll have a mess on your hands. Rotating your extended accounting data files will make them easier to dissect and consume less disk. Here are some examples lines you can drop into /etc/logadm.conf, Solaris’s default log rotation tool:

/var/adm/exacct/proc -N -p 1d -C 7 -b '/usr/sbin/acctadm -x process' -a '/usr/sbin/acctadm -e extended -f /var/adm/exacct/proc process'
/var/adm/exacct/net -N -p 1d -C 7 -b '/usr/sbin/acctadm -x net' -a '/usr/sbin/acctadm -e extended -f /var/adm/exacct/net net'
/var/adm/exacct/task -N -p 1d -C 7 -b '/usr/sbin/acctadm -x task' -a '/usr/sbin/acctadm -e extended -f /var/adm/exacct/task task'

These examples will rotate each day (-p 1d) and keep 7 logs (-C 7) before destroying. The important bit is that you can’t just mv the file, you need to stop accounting, rotate, then resume it.

Remember to ensure that logadm isn’t commented out in the root crontab.

Parting Thoughts & Cautions

Before I wrap up, I want to note something about Process records. Here is one as seen with exdebug:

---------------- OBJECT 0 -----------------------
Object is: EO_GROUP   -   Catalog: EXT_GROUP EXC_DEFAULT EXD_GROUP_PROC
                Id: EXD_PROC_PID        Value: 1922
                Id: EXD_PROC_UID        Value: 0
                Id: EXD_PROC_GID        Value: 0
                Id: EXD_PROC_PROJID     Value: 1
                Id: EXD_PROC_TASKID     Value: 39949
                Id: EXD_PROC_CPU_USER_SEC       Value: 0
                Id: EXD_PROC_CPU_USER_NSEC      Value: 2047013
                Id: EXD_PROC_CPU_SYS_SEC        Value: 0
                Id: EXD_PROC_CPU_SYS_NSEC       Value: 6237135
                Id: EXD_PROC_START_SEC  Value: 1256033401
                Id: EXD_PROC_START_NSEC         Value: 311640743
                Id: EXD_PROC_FINISH_SEC         Value: 1256033401
                Id: EXD_PROC_FINISH_NSEC        Value: 380283918
                Id: EXD_PROC_COMMAND    Value: acctadm
                Id: EXD_PROC_TTY_MAJOR  Value: 4294967295
                Id: EXD_PROC_TTY_MINOR  Value: 4294967295
                Id: EXD_PROC_FAULTS_MAJOR       Value: 0
                Id: EXD_PROC_FAULTS_MINOR       Value: 0
                Id: EXD_PROC_MESSAGES_SND       Value: 0
                Id: EXD_PROC_MESSAGES_RCV       Value: 0
                Id: EXD_PROC_BLOCKS_IN  Value: 0
                Id: EXD_PROC_BLOCKS_OUT         Value: 0
                Id: EXD_PROC_CHARS_RDWR         Value: 20100
                Id: EXD_PROC_CONTEXT_VOL        Value: 102
                Id: EXD_PROC_CONTEXT_INV        Value: 0
                Id: EXD_PROC_SIGNALS    Value: 0
                Id: EXD_PROC_SWAPS      Value: 0
                Id: EXD_PROC_SYSCALLS   Value: 450
                Id: EXD_PROC_ACCT_FLAGS         Value: 2
                Id: EXD_PROC_ANCPID     Value: 1920
                Id: EXD_PROC_WAIT_STATUS        Value: 0
                Id: EXD_PROC_ZONENAME   Value: global
                Id: EXD_PROC_MEM_RSS_AVG_K      Value: 524
                Id: EXD_PROC_MEM_RSS_MAX_K      Value: 12904

Okey, lots of data, lots of goodness. Notice EXD_PROC_BLOCKS_IN, OUT, and CHARS_RDWR? They are useless. I can’t go into why here, but don’t get excited about them or bother doing anything, the values are crap. If your a veteran Kstat diver you’ll recognize similar values in the Kstat cpu_stat class… same story.

Hopefully this post as helped provide you with a more practical understanding of Extended Accounting and provided you with some resources to get in there and use the data. There is a wealth of possibilities if you just avail yourself of them.

Quite some time ago I wrote about this subject: I See You!: Solaris Auditing (BSM). As much information is out there regarding Solaris Auditing the post was well received and pretty popular but I’ve never been happy with where I left it. Many people feel that auditing is “difficult”. Why? Because its hard to enable? No, thats simple, just run bsmconv and your done, edit 2 simple configs in /etc/security to tweak it… whats hard about that?

I’ll tell you why auditing is a pain in the butt… because for all the dozens (or hundreds) of tutorials almost none of them teach you how to actually use the auditing data. So you’ve got these really great audit trails but now what? This blog entry is about filling that void, similar to the post I did about actually using BART: Solaris Automated File Integrity Checking: bartlog.

BSM Basics

As I said in my former post, enabling BSM is simple. There is a convenience wrapper in /etc/security which will turn on the auditd SMF service and add the following to /etc/system:

set c2audit:audit_load = 1

You reboot and auditing is going. So what about tweaking what it collects?

The following is my recommendation for /etc/security/audit_startup, these policies change the way auditing collects data:

/usr/sbin/auditconfig -setpolicy +cnt
#/usr/sbin/auditconfig -setpolicy +perzone
/usr/sbin/auditconfig -setpolicy +zonename
/usr/sbin/auditconfig -setpolicy +argv
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -aconf

The “+cnt” policy says that even if auditing can’t record data (usually because /var/audit is out of space) keep running. In a super high secure environment you would remove this so that if auditing wasn’t able to function the box would halt. Next, the “+zonename” policy adds the zonename to each audit entry, if you use Solaris Containers you want this policy. The “+argv” policy is very important, if you do not use this policy you’ll see commands executing but not the arguments, and typically when your auditing for security you aren’t just interested in the command but how its being executed. Additionally, you could add the “+arge” policy which would include the environment with each command, but that seems like major overkill to me.

Now, just a moment on the “+perzone” argument. By default (meaning, without +perzone) auditd in the globalzone will record everything on the box regardless of which zone it occurs in, this is why its so important to use the “+zonename” policy. So if zone “oracle1″ runs a command, an audit record is made to the audit trails in the global zone. There are at least two potential problems with this: 1) The users inside the zone can’t access the audit trails, and 2) The users inside the zone might not want to be audited. So by setting “+perzone” in the globalzone, each zone will audit itself and only itself. That means that the globalzone only records audit events that occur in the globalzone. It also means that each zone can choose to enable auditing within their own zone by enabling the auditd service and tweeking the configs in /etc/security.

Moving on… the other important config is /etc/security/audit_control, which determines what events are audited by default. I recommend the following:

dir:/var/audit
flags:lo,ex
minfree:10
naflags:lo
#plugin: name=audit_syslog.so; p_flags=all

So “flags” define which classes we’re going to record by default. This can be changed per user in the audit_user file (maybe you really don’t trust a particular user?). “lo” is login/logouts including su activity. “ex” is executions. So these two flags together record people coming and going and running commands. I recommend this as the default and suggest that you strongly avoid auditing more unless you know what your doing. The “naflags” are like “flags” but apply to events that are “not attributable” to a user (such as a failed login for a user that doesn’t exist). If you need to know more about flags and configs and syslog, refer to my previous post.

Audit Trail Maintenance

Now that auditing is running, you’ll see audit trails in (by default) /var/audit. The format is “date.date.hostname”, which signifies that the audit trail is “terminated”, or complete. The current audit trail will be “date.not-terminated.hostname”.

There are 2 important tasks relating to maintaining these audit trails. First, we need to rotate them to keep them from growing too large. Secondly, we need to move them from the unsecure system (otherwise why would you audit it?) to a safe place.

Rotating audit trails is simple, run the “audit -n” command to terminate/close the existing audit trail and continue auditing to a new file. So the simplest way to invoke daily audit trail rotation is by adding the following line to the root crontab:

## Rotate the Audit Logs Nightly at Midnight.
0 0 * * * /usr/sbin/audit -n

So now your terminating audits every day, but you now need to get the audit trails off the local system. Some old documentation suggests mounting /var/audit as NFS… I’m not a fan of that idea. Instead, I’d recommend creating a script which runs the “audit -n” command above and then uses sftp or scp or something to move the audit trails to a centralized archive location. You might even want to compress them prior to sending, but the idea is simple enough.

One other method of storage would be to rotate the audit trail, immediately convert it to XML/HTML/text or whatever and then moving that…. but in my experience the raw audit files are much smaller than any report you produce, so compressing and storing them raw is probly the best policy.

Please note that the frequency at which you rotate and archive your audit trails depends on the sensitivity of the system. If a hacker is smart he’ll notice that BSM is enabled and proceed to both disable it and destroy the audit trails. Therefore, in a highly sensitive environment you might archive as frequency as every 5 minutes! How often you archive is up to you and your environment. Every hour? Every day? Every week? It all depends, but I encourage you to spend a couple minutes thinking about it.

Okey, so now your rotating nightly and thinking about how to centrally archive the audit files, now what?

Reporting Part 1: The Boring Basics

Here’s what you’ve always been told… use the auditreduce command to process the audit trails and then pipe the output to “praudit” to output it. Boring. Let me clarify this a bit.

praudit can read audit trails and produce ASCII text output or XML. You do not require auditreduce to use praudit. The most common method of using praudit is with the “-ls” arguments which creates an ASCII output containing one audit record per line. Its ugly and huge but it gets the job done. At that point you might use some script to parse the text file but I discourage doing this (we’ll see why shortly). Output to ASCII only for debugging, nothing else.

Audit files get big, so the auditreduce command is sort of like “grep” for audit trails. It will read the raw audit trail and, based on the arguments, create a new raw audit trails containing only what you want. For instance, if I only want see login/logout records, I could do the following:

# auditreduce -c lo /var/audit/someaudittrail > new-lo-audittrail

So, in this way, we might produce several smaller raw audit trails based on the big master one. But there are lots of great options that can be handy. For instance, each audit record contains a “SID”, Session ID. A session would start with login and end with logout and everything in between. So if we found a command execution that we find disturbing we would probly want to see everything done during that same session, so we could use auditreduce -s 12312312 /var/audit/someaudittrail | praudit -ls to see the entire session. Very handy indeed.

I highly recommend you take the time to look through the various search options offered by auditreduce(1M).

Okey, so all this you have probly heard before, so lets move on to some things you probly haven’t seen.

Reporting Part 2: XSLT

XML makes storing data easier for programs, but its only minorly useful for humans. The way we transform an XML document into something more palatable is by creating an XSL stylesheet. By using an XSL Tranform (XSLT) engine, such as xsltproc we can transform XML into HTML or plaintext or XML-FO which is then used to convert to print formats like PDF.

Okey, why the XML review? praudit -x will output audit trails as an XML document. Look at the header of that document:

root@quadra ~$ praudit -x /var/audit/20091015192239.20091015200550.quadra | head
<?xml version='1.0' encoding='UTF-8' ?>
<?xml-stylesheet type='text/xsl' href='file:///usr/share/lib/xml/style/adt_record.xsl.1' ?>

<!DOCTYPE audit PUBLIC '-//Sun Microsystems, Inc.//DTD Audit V1//EN' 'file:///usr/share/lib/xml/dtd/adt_record.dtd.1'>

<audit>
<file iso8601="2009-10-15 12:22:39.506 -07:00">/var/audit/20091015081437.20091015192239.quadra</file>
<record version="2" event="execve(2)" host="quadra" iso8601="2009-10-15 12:22:39.502 -07:00">
<path>/usr/sbin/audit</path>
<attribute mode="100555" uid="root" gid="bin" fsid="128" nodeid="875" device="0"/>

Do you notice the “xml-stylesheet” tag? Solaris ships with a proper XML DTD (Schema) but also an XML stylesheet for translation to HTML! Here is how you do it:

root@quadra ~$ praudit -x /var/audit/20091015192239.20091015200550.quadra > myAudit.xml
root@quadra ~$ xsltproc file:///usr/share/lib/xml/style/adt_record.xsl.1 myAudit.xml > myAudit.html
root@quadra ~$ head myAudit.html
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset="UTF"-8">
<title>Audit Trail Data</title>
</head>
<body bgcolor="#FFFFFF" text="#000000">
<center>
<font face="Arial" size="+1"><b>Audit Trail Data</b></font><br  />
</center>
<hr  />

Using this method we could script a cronjob to produce a daily report in human readable format. Furthermore, Firefox and most other browsers can do XSLT transformations natively, so if you are using a browser on a Solaris system (so that the XSL and DTD are local) you can simply open the XML in your browser and see it in pretty HTML format!

There are 2 important take-aways on this. Firstly, creating useful HTML reports from audit data is really easy. Don’t bother parsing out the praudit -s ASCII output. Secondly, and more importantly, you can spend a little time learning XSLT to create your own custom reports!

For example, I really want to see the audit report in a single table, instead of in bulleted lists. So I did just that. It took me about 30 minutes or reading and tinkering to get the basics down but it was much easier than I expected. Just copy the Solaris provided XSL and start tweaking it. Please, feel free to download and try out my modified XSL: benr_record.xsl. Please note that it is intended for “lo” reduced XML files and is far from perfect, this is for learning purposes only!

Here are examples:
• Example of Solaris supplied XSLT HTML Transformation
• Example Cuddletech Modified XSLT HTML Transformation

Hack it up and do some fun things. Put the data in the most useful form for you organization, add your logo to the output, etc. If you are feeling really hardcore you can download XSLT Design tools such as Altova StyleVision, but personally I found that it was easier for me to learn XSLT itself than to use the design tools.

Reporting Part 3: XML & PERL

XSLT is great, but there are limits to what it can do. If you want to create really comprehensive reports you’ll need to actually parse the XML itself. The advantage of doing so is that you can loop the data multiple times to add roll-up statistics, such as a summary of sessions, number of executions, average executions per session, etc. You might be able to replicate this by using the auditreduce command but thats way more processor intensive and wasteful.

While you could use any language, being a SysAdmin, I feel most at home with PERL. Thankfully the XML::Simple module is included with Solaris, so going this route means you don’t need to install anything new or potentially unsupported.

So with the power of BSM and PERL’s XML::Simple at my fingertips, I decided to create a tool that could print audit trails in a really pretty and friendly way, and bsm_report is the result. Just look at how beautiful this is:

root@quadra bsm$ ./bsm_report.pl
 The Incredable Human Friendly BSM Audit Dumper                        benr@cuddletech.com
USAGE: ./bsm_report.pl [-d] ( [-c ] -a  ) | (-x /path/to/reduced.xml)
root@quadra bsm$
root@quadra bsm$ ./bsm_report.pl -a /var/audit/20091016225822.20091016225943.quadra
Reducing /var/audit/20091016225822.20091016225943.quadra ....
Processing /tmp/.audit-tmp.xml ....

                C U D D L E T E C H   A U D I T    D U M P E R

Audit Begins: 2009-10-16 15:58:22.316 -07:00
Audit Ends:   2009-10-16 15:59:43.587 -07:00 

login - ssh (failure) by benr as benr REMOTELY from lappy in zone global  (3623559241)
login - ssh (success) by benr as benr REMOTELY from lappy in zone global  (3415402787)
execve(2) (success) by benr as benr REMOTELY from lappy in zone global  (3415402787) : /bin/cat -s /etc/motd
execve(2) (success) by benr as benr REMOTELY from lappy in zone global  (3415402787) : /bin/mail -E
execve(2) (success) by benr as benr REMOTELY from lappy in zone global  (3415402787) : cat /etc/shadow
execve(2) (success) by benr as benr REMOTELY from lappy in zone global  (3415402787) : cat /etc/passwd
su (failure) by benr as root REMOTELY from lappy in zone global  (3415402787)
su (failure) by benr as root REMOTELY from lappy in zone global  (3415402787)
su (success) by benr as root REMOTELY from lappy in zone global  (3415402787)
execve(2) (success) by benr as root REMOTELY from lappy in zone global  (3415402787) : cat /etc/shadow
su logout (success) by benr as root REMOTELY from lappy in zone global  (3415402787)
logout (success) by benr as benr REMOTELY from lappy in zone global  (3415402787)
root@quadra bsm$

I have a couple more improvements to make to it and then you’ll see it get its own page on cuddletech. I hope you can see the advantage of this. While I think bsm_report will be useful for a lot of people, more importantly it provides a useful example from which you can build your own tools.

Perhaps the best way to interact with audit trails is within a real database. Using this same method in PERL you could easily create a tool to pump the audit trail data into MySQL, PostgreSQL, Oracle, or, my favorite, SQLite. Imagine a centralized database for audit data and a PERL script on each node which, from cron, runs every so often to rotate the audit trails, convert to XML, and then read all that data into a centralized database. Nifty goodness.

Reporting Part 4: Existing Software

I noted earlier that BSM seems “hard” because of its DYI nature. While I’m sure hundreds or thousands of Solaris environments have great auditing infrastructures, almost all of those are custom and folks aren’t sharing their tools, probly because they don’t think anyone would care. I’m trying to change that. But I do not want to suggest that no other tools exist. There are 3 that I’m aware of:

BSMgui is a simple Java program which can read raw audit files and display them based on audit class. Startup the program, “open” an audit file, then click all the audit classes you want and execute a search. Nifty. Its old but by no means out of date!

the BSM Analyzer is a PHP application which gives you a web-driven way to search and report on audit trails. Its old too, but still valuable. If you (like myself) are interested in web searchable audit files this is the solution for you, or at least a great example of how to implement one!

Finally, SNARE “from InterSect Alliance, is a proprietary Log Monitoring solution that builds on the open source Snare agents to provide a central audit event collection, analysis, reporting and archival system.” SNARE includes a Solaris Agent which integrates with BSM. I tried it on my Nevada box and had some minor issues but nothing serious. If you need a comprehensive end-to-end multi-platform auditing solution, have a look at it.

I’m certain there are more tools out there, namely in the form of plugins to suites like Tivoli, BMC Patrol, etc, but I won’t explore those here.

Conclusion

Solaris Auditing is extremely powerful, but audit logs are pointless unless you can generate useful reports and store the data in an accessible and intelligible way. I hope you have a new appreciation for the variety of ways in which you can create meaningful and useful reports.

If you’ve created your own in-house tools for BSM Auditing, please consider sharing them. Maybe not all that sexxy, but there is a real need from users to have these types of tools.

Furthermore, if you have found this post helpful please let me know. If its popular enough I may convert it into a small book with much more depth.

Happy Auditing!

Tonight was a significant evening for Sun & Oracle. The opening keynote of Oracle OpenWorld 2009 was provided by Scott McNealy with an appearance by Larry Ellison. There is a lot to unpack here, so I’m going to break it down into sections.

The Acquisition

This is the first event I’ve attended as “press”. As such I got all the press perks, namely access to announcement details in the press room and early access to the keynote for prime seats, in my case, right behind all the Sun Microsystems reserved seating. Talking with others there to cover the event was interesting in and of itself. Clearly everyone was looking for new information regarding the merger. None was expected but it was hoped for and we all listened attentively.

Here you can see (from left to right) Dr. James Gosling (creator of Java), Scott McNealy (Sun Chairman), and John Fowler (Sun EVP Systems). These were the speakers from the Sun side of the house, only Larry came up to represent Oracle.

Scott obviously thought the acquisition was a good thing and spent a lot of time about the history of Sun as an innovation driver (building his legacy). James came up to say that he thought it was a good thing for Java and the only hiccups along the way were with regard to Oracle learning now to interact with a community as large as that around Java. John showed off some of the new goodness from Sun and pointed to Oracle continued interest in Solaris, SPARC, and X86.

Larry wanted to hammer home the commitment they are making to Sun. He talked about the recent ads that Oracle’s been putting out and how they are fighting against IBM who’s trying to capitalize on the confusion. He re-iterated that Oracle will increase the money going into SPARC, Solaris, Java, and added to the list MySQL. He’s very clear that nothing is getting chopped, he needs to whole company. With regard to MySQL he pointed out to Sleepycat (BerkelyDB) and InnoDB as things that Oracle owns and has invested in and been able to make some money with and intends to do the same with MySQL. He maintains that MySQL in no way competes with Oracle.

The more Larry talks the more comfortable it seems everyone is getting with this deal. Early estimates were that almost 50% of the company would be let go and there would be major changes in the companies product lineup. More and more those estimates are dropping below 30% and suggest that nothing will be cut, but rather pruned neatly into a more structured form. Best line of the nite was from larry, “We’re in it to win.”

The Benchmarks

Larry drove the point about synergies between Oracle and Sun home in 2 ways. The first was talking about the previously released Sun/Oracle ExaData v2 product (pictured above). The second was to show that with Sun’s technology today, pre-acquisition, is the best platform available for Oracle even against IBM’s monster POWER 595 system which consumes 76 standard racks. Sun’s solution that beat it consumes only 9 racks, is fault tolerant, based on SPARC (Niagara), got 25% more throughput, gets 16 times better response times, and obviously uses a hell of a lot less power to boot.

I had a conversation with the PAE guys there and got a lot of great details on the configuration and how they made it work. Here are some highlights…

So the Sun system that beat out the 595 was based on T5440 (UltraSPARC T2) systems connected to the new F5100 Flash Array. In order to make all this work in a fault tolerant way COMSTAR was used and throughout the process required absolutely no modification! Apparently the biggest “problem” they ran into some some minor tweeking in the mpt and sd drivers because they weren’t designed to hand the extreme number of IOPS coming from the flash arrays. More shockingly, when they got the TPC-C number that beat IBM the CPU’s were 50% idle! And, if you can believe it, during the whole time Sun was working on this benchmark of all the flash modules involved, only a single one failed! Just one!

The Product

So the product announcement we’d been waiting for happened here: the Sun Storage F5100 Flash Array and its little brother the Sun Flash Accelerator F20 PCIe Card.

The F5100 was illuded to a couple months ago by Andy Bechtolsheim; a 1U storage array filled to the brim with Sun SO-DIMM form factor Flash Modules. It can be ordered with as little as 20 modules for 480GB raw or as large as 80 modules for almost 2TB raw capacity. Sequential Write performance on the 80 module unit is rated at 9.7 GB/sec. It physically connects via SAS.

The F20 PCIe Flash Card is just a smaller version. Up to 98GB of Flash rated at 501 MB/s Seq Write. All the goodness of high performance flash storage but you just drop it into a PCIe slot and go. A fantastic solution for databases in need of fast logging capabilities, just plug it into a PCIe slot and define it as your new log device.

Jonathan

Guess who wasn’t present. Jonathan is nowhere to be found. In fact, I haven’t seen him since JavaOne. Since this deal has occured Jonathan has been pushed to the back seat while Scott has insisted on driving. The question is why?

I’m very curious how history will record things with all the details filled in. Did Jonathan sell us down the river? Or, perhaps, Scott’s been driving things far longer than we realize and Jonathan has been something of a pawn in the latter days of the company. Its clear that it was Jonathan’s management of the company that delivered us to the point acquisition was required, but we can’t forget that he did do a number of good things, even if they didn’t actually benefit the company in return.

I’m not going to make a judgment call just yet… but I’m starting to almost feel like Jonathan got screwed here more than we realize. Never the less, he’ll have his millions of dollars to console him while the rest of us are left holding a fist full of memories and broken dreams.

Watch the Keynote!

Make some time, OnDemand Replays available… you’ll enjoy it.

Oracle OpenWorld is starting right now (Sunday) in San Francisco. Shockingly I applied for a press/blogger pass and got one! So i’m heading there tonight for the big opening keynote starring Larry Ellison and Scott McNealy. But if you can’t make it, watch it! Oracle OpenWorld is streaming live!.

Stay tuned for updates tonight following the keynote.