Understood...thanks! I thought an audit -s would do it. Guess not. I still don't understand why the MEMCNTL audits are filling up the logs like they are. The identical flags on a Solaris 8 box don't behave this way. Every time I issue a simple 'ls' command in /var/audit the log gets bombarded with more of this:

header,178,2,memcntl(2),,hmptn3,2008-01-16 15:34:07.204 +00:00
argument,1,0xfeae0000,base
argument,2,0x1618,len
argument,3,0x4,cmd
argument,4,0x3,arg
argument,5,0x0,attr
argument,6,0x0,mask
subject,root,root,root,root,root,940,807,0 0 hmptn3
return,success,0
zone,global
header,178,2,memcntl(2),,hmptn3,2008-01-16 15:34:07.205 +00:00
argument,1,0xfeac0000,base
argument,2,0xd08,len
argument,3,0x4,cmd
argument,4,0x3,arg
argument,5,0x0,attr
argument,6,0x0,mask
subject,root,root,root,root,root,940,807,0 0 hmptn3
return,success,0
zone,global

and it continues like this forever. A truss on the audit daemon gives this:

1010/1: mmap(0xFEF30000, 7326, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_TEXT, 7, 0) = 0xFEF30000
1010/1: mmap(0xFEF42000, 1289, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_INITDATA, 7, 8192) = 0xFEF42000
1010/1: munmap(0xFEF32000, 65536) = 0
1010/1: memcntl(0xFEF30000, 3136, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
1010/1: close(7) = 0

but it was no help to me.

This message posted from opensolaris.org