Morning,
I just recently went through a patch cycle and updated to Solaris 11.3 SRU 31 on all my systems. One of my customers noted that when looking at the last log after the post-update reboot to the new BE, there are no entries between the creation of the BE and the reboot to it. I'm wondering if anyone else has noticed this and if there is a way to get that missing information back. I would think this was important from a security standpoint for forensic uses of access to a system during the time between the pkg update and the reboot.
Here's an example:
XXXXX sshd system01. Sun Jul 29 11:47 - 11:47 (00:00)
XXXXX sshd system01. Sun Jul 29 11:45 - 11:47 (00:01)
XXXXX sshd system01. Sun Jul 29 11:44 - 11:45 (00:01)
XXXXX sshd system01. Sun Jul 29 11:42 - 11:45 (00:02)
reboot system boot Sun Jul 29 11:41 <----------- ## This is where the reboot of the system was run to implement the new BE and SRU
reboot system down Fri Jul 27 10:30 <----------- ## This is where the pkg update was run in preparation for the reboot to the new BE
XXXXX sshd system01. Fri Jul 27 10:30 - down (2+01:11)
XXXXX sshd system01. Fri Jul 27 10:28 - 10:30 (00:01)
XXXXX sshd system01. Fri Jul 27 10:27 - 10:28 (00:00)
XXXXX sshd system01. Fri Jul 27 10:25 - 10:27 (00:01)
So, we have no data between the creation of the new BE in the pkg update and the reboot.
System information:
SRU before update = Solaris 11.3 SRU 16
SRU after update = Solaris 11.3 SRU 31
This particular system is a zone running on an LDOM on a T5-4 server; however, this happens at all levels: Control Domain, Service domain, Guest LDOMs, zones. The zone is just easier to see because of more frequent logins recorded.
Thanks,
Martha
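
An added example, not part of the original post and not Oracle tooling: a Python check that parses `last` output, pairs each "system down" record with the next "system boot", and flags intervals that contain no login records. The function names, the `min_gap` threshold and the year (which `last` does not print) are assumptions, and the sample is a constructed subset of the lines quoted above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: `last` lines quoted in the post (newest first),
# with the poster's inline annotations removed.
SAMPLE = """\
XXXXX sshd system01. Sun Jul 29 11:47 - 11:47 (00:00)
XXXXX sshd system01. Sun Jul 29 11:42 - 11:45 (00:02)
reboot system boot Sun Jul 29 11:41
reboot system down Fri Jul 27 10:30
XXXXX sshd system01. Fri Jul 27 10:30 - down (2+01:11)
XXXXX sshd system01. Fri Jul 27 10:28 - 10:30 (00:01)
"""

# user, free-form tty/host columns, weekday, then "Mon DD HH:MM"
LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<what>.*?)\s+(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+"
    r"(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2})")

def parse(text, year):
    """Return (start, user, what) tuples sorted oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            stamp = " ".join(m["stamp"].split())
            start = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M")
            events.append((start, m["user"], m["what"]))
    return sorted(events, key=lambda e: e[0])

def blind_windows(text, year, min_gap=timedelta(hours=1)):
    """Pair each 'system down' with the next 'system boot' and count the
    login records that start strictly inside that interval."""
    events, windows, down_at = parse(text, year), [], None
    for start, user, what in events:
        if user != "reboot":
            continue
        if what == "system down":
            down_at = start
        elif what == "system boot" and down_at is not None:
            logins = sum(1 for s, u, _ in events
                         if u != "reboot" and down_at < s < start)
            gap = start - down_at
            windows.append({"down": down_at, "boot": start, "gap": gap,
                            "logins": logins,
                            "flag": gap >= min_gap and logins == 0})
            down_at = None
    return windows

if __name__ == "__main__":
    for w in blind_windows(SAMPLE, year=2018):  # year is an assumption
        print(w["down"], "->", w["boot"], w["gap"], "logins:", w["logins"], "flag:", w["flag"])
```

A host that really was powered off yields the same pattern, so a flagged interval is one to check against another record of uptime and access.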