How to audit solaris commands like rm,mv,cron,zip… as realtime

HI

we faced one issue in production solaris machine like someone/some program is deleting one directory sometimes. I decided to explore more on this and finally found Dtrace , that comes with solaris bundle

 

Dtrace:

DTrace is a comprehensive dynamic tracing framework created by Sun Microsystems for troubleshooting kerneland application problems on production systems in real time. Originally developed for Solaris, it has since been released under the free Common Development and Distribution License (CDDL) and has been ported to several other Unix-like systems.

 

DTrace can be used to get a global overview of a running system, such as the amount of memory, CPU time, filesystem and network resources used by the active processes. It can also provide much more fine-grained information, such as a log of the arguments with which a specific function is being called, or a list of the processes accessing a specific file.

 

Here i am showing some simple script to trace the commands and send output to file. After that we can logrotate that based on size bcoz this will dump huge lines of putput

 

create a file with below script and start that script with nohup, that’s it

 

 

dtrace -qn ‘syscall::unlink*:entry { printf(“%d, %s, %Y, %s\n”, uid, execname, walltimestamp, copyinstr(arg0));}syscall::fsat:entry  /arg0 == 5 / { printf(“%d, %s, %Y ,%s\n”, uid, execname, walltime

stamp, copyinstr(arg2));}’ | tee -a /var/tmp/spora.log