Solaris Basic Audit Reporting Tool (BART)
Sometimes you need to know what has changed on a system since you installed it, for example when your sysadmins tell you after a system crash: "No, I haven't changed anything on the system!"
BART (Basic Audit Reporting Tool), a small but cool tool in Solaris, can answer this question by comparing different states of your system. It is a really simple tool and it's really easy to use.
BART provides the ability to determine file-level changes at a granular level within the Solaris 10 operating system. This is achieved by creating two manifest files (a control manifest and a test manifest); each manifest catalogs the attributes of each file, and a comparison is then run between the two manifests, with the resulting discrepancies displayed. An optional rules file allows the administrator to define which files, directories and attributes are to be catalogued and compared.
Configuring BART requires:
- Install the Solaris BART package
- Create a bart rules file
- Generate a control-manifest file
- Generate a test-manifest file
- Compare the control-manifest and test-manifest files
Installing BART on Solaris
BART is installed via the SUNWbart package, which is found on the standard Solaris installation media.
# pkgadd -i SUNWbart
Once the bart package has been installed it is also worth creating a directory in order to store your bart files.
# mkdir /bart-files
Creating the rules file
The rules file will define which attributes and files are catalogued and compared against.
# cat >/bart-files/bart.rules <<_EOT_
IGNORE all
CHECK contents mtime
/etc
_EOT_
The above example specifies the contents and mtime (modification time) attributes for files within the /etc directory.
Generate a control-manifest file
Using the previously created bart.rules file, generate a control manifest file with the following command:
# bart create -R /bart-files/bart.rules > /bart-files/etc.control.manifest
The manifest stores all information about the files. Here is an example of the /etc/nsswitch.conf file stored in the control manifest file.
# grep "nsswitch.nisplus" /bart-files/etc.control.manifest
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
Make some changes
Simply create or modify some files under /etc so that we can compare the BART output later. For example:
# touch /etc/test.bart-file
# chmod 777 /etc/nsswitch.files
# echo '#bart test' >> /etc/nsswitch.nisplus
Create a test manifest file
Since we've made changes above, let's create a new manifest that reflects the changed files:
# bart create -R /bart-files/bart.rules > /bart-files/etc.manifest-`date '+%Y%m%d'`
Compare the control and test manifest files
Now we can compare the baseline (control) manifest with the test manifest file:
# cd /bart-files
# bart compare etc.control.manifest etc.manifest.20090120
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/test.bart-file:
  add
The above command prints all differences between the two manifests, i.e. the differences between the two states of the system.
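As an added example that is not part of the original article or of BART itself, this Python script parses two manifests in the field layout shown by the grep output above (fname, type, size, mode, acl, mtime, uid, gid, contents) and reports the same kinds of differences that bart compare prints. The manifest text is constructed to mirror the scenario above; it is not real BART output.

```python
# Re-implementation of the 'bart compare' step for regular-file manifest entries,
# using the field layout shown above: fname type size mode acl mtime uid gid contents.
# Not BART's own code; the sample manifests below are constructed for illustration.

FIELDS = ("type", "size", "mode", "acl", "mtime", "uid", "gid", "contents")


def parse_manifest(text):
    """Return {fname: {attr: value}}; '!'/'#' lines are BART header comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "!#":
            continue
        fname, *values = line.split()          # non-'F' types just carry fewer fields
        entries[fname] = dict(zip(FIELDS, values))
    return entries


def compare_manifests(control, test):
    """Mimic 'bart compare': sorted (fname, attr, control, test) tuples; attr is
    'add' or 'delete' for files present in only one manifest."""
    diffs = []
    for fname in sorted(set(control) | set(test)):
        if fname not in control:
            diffs.append((fname, "add", None, None))
        elif fname not in test:
            diffs.append((fname, "delete", None, None))
        else:
            for attr in FIELDS:
                c, t = control[fname].get(attr), test[fname].get(attr)
                if c != t:
                    diffs.append((fname, attr, c, t))
    return diffs


# Constructed sample manifests (not real BART output) mirroring the article's
# scenario: a chmod 777, a line appended to one file, and one new empty file.
CONTROL = """! Version 1.0
#fname F size mode acl mtime uid gid contents
/nsswitch.files F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 0123456789abcdef0123456789abcdef
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
"""
TEST = """! Version 1.0
/nsswitch.files F 2525 100777 user::rwx,group::rwx,mask:rwx,other:rwx 473976b5 0 3 0123456789abcdef0123456789abcdef
/nsswitch.nisplus F 2538 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44862 0 3 3f79176ec352441db11ec8a3d02ef67c
/test.bart-file F 0 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44870 0 3 d41d8cd98f00b204e9800998ecf8427e
"""

if __name__ == "__main__":
    for fname, attr, c, t in compare_manifests(parse_manifest(CONTROL), parse_manifest(TEST)):
        print(fname, attr, c or "", t or "")
```

Because a chmod changes only the inode's ctime, the mtime of /nsswitch.files is unchanged in the sample and only its mode and acl are reported, as in the bart compare output above.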