Solaris Basic Audit Reporting Tool (BART)

Sometimes you need to know what has changed on a system since you installed it, for example when your sysadmins tell you after a system crash: "No, I haven't changed anything on the system!"

BART (Basic Audit Reporting Tool), a small but very useful tool in Solaris, can answer this question by comparing different states of your system. It is a really simple tool and it is really easy to use.

BART provides the ability to determine file-level changes at a granular level within the Solaris 10 operating system. This is achieved by creating two manifest files (a control manifest and a test manifest). Each manifest catalogs the attributes of every file covered by it; the two manifests are then compared and the discrepancies displayed. An optional rules file lets the administrator define which files, directories and attributes are to be catalogued and compared.

BART Configuration

Configuring BART requires:

  1. Install the Solaris BART package
  2. Create a bart rules file
  3. Generate a control-manifest file
  4. Generate a test-manifest file
  5. Compare the control-manifest and test-manifest files

Installing BART on Solaris

BART is installed by adding the SUNWbart package, which is found on the standard Solaris installation media. Point pkgadd at the Product directory of the media (the path below is a placeholder; on a Solaris 10 DVD it is the Solaris_10/Product directory):

# pkgadd -d <install-media>/Solaris_10/Product SUNWbart

Once the bart package has been installed, it is also worth creating a directory in which to store your bart files.

# mkdir /bart-files

Creating the rules file

The rules file will define which attributes and files are catalogued and compared against.

# cat >/bart-files/bart.rules <<_EOT_
IGNORE all
CHECK contents mtime
/etc
_EOT_

The above example ignores every attribute globally and then checks only the contents and mtime attributes of files within the /etc directory.

Generate a control-manifest file

Using the previously created bart.rules file, generate a control manifest file with the following command:

# bart create -R /bart-files/bart.rules > /bart-files/etc.control.manifest

The manifest stores all the recorded information about the files. Here is the entry for the /etc/nsswitch.nisplus file as stored in the control manifest file (path relative to /etc, type, size, mode, ACL, mtime in hex, uid, gid, MD5 checksum of the contents):

# grep "nsswitch.nisplus" /bart-files/etc.control.manifest
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

Make some changes

Create or modify a few files under /etc so that we have something for BART to report later. For example:

# touch /etc/test.bart-file
# chmod 777 /etc/nsswitch.files
# echo '#bart test' >> /etc/nsswitch.nisplus

Create a test manifest file

Since we have made changes above, let's create a new manifest that reflects the changed files:

# bart create -R /bart-files/bart.rules > /bart-files/etc.manifest-`date '+%Y%m%d'`

Compare the control and test manifest files

Now we can compare the baseline (control) manifest with the test manifest file:

# cd /bart-files
# bart compare etc.control.manifest etc.manifest-20090120
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/test.bart-file:
  add

The above command prints all differences between the two manifests showing the difference between the two states of the system.
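To turn the manual steps above into a check that can run unattended (for example from cron), here is an added shell script that is not part of the original post or of BART itself: it creates the dated test manifest, compares it with the baseline, and reduces the multi-line bart compare report to one line per changed file. The directory, rules file and manifest names mirror the ones used above and are assumptions.

```shell
#!/bin/sh
# Added example: wrap the BART baseline/compare workflow shown above.
# Assumed layout (not from the original post): rules and manifests live in
# /bart-files, the baseline is etc.control.manifest.
BART_DIR=${BART_DIR:-/bart-files}
RULES=$BART_DIR/bart.rules
CONTROL=$BART_DIR/etc.control.manifest

# summarize_bart_compare: read "bart compare" output on stdin and print
#   <path><TAB><comma-separated changed attributes>
# for every file reported. A header line ends in ":" and names the file;
# indented lines name one changed attribute each ("mode", "contents", ...),
# or are a bare "add"/"delete" when the file exists in only one manifest.
summarize_bart_compare() {
    awk '
        /^\/.*:[ \t]*$/ { flush(); sub(/[ \t]*:[ \t]*$/, ""); path = $0; next }
        /^[ \t]+[a-z]/  { attrs = attrs (attrs == "" ? "" : ",") $1 }
        END             { flush() }
        function flush() {
            if (path != "") print path "\t" attrs
            path = ""; attrs = ""
        }
    '
}

# bart_check: build today's test manifest, compare it with the baseline and
# print the summary. Returns 1 when anything differs, 2 if bart itself fails,
# so a cron job can alert on a non-zero exit status.
bart_check() {
    test_manifest=$BART_DIR/etc.manifest-`date '+%Y%m%d'`
    bart create -R "$RULES" > "$test_manifest" || return 2
    report=`bart compare "$CONTROL" "$test_manifest" | summarize_bart_compare`
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Run bart_check from a cron entry and mail its output; an empty report with exit status 0 means nothing under the rules file has changed since the baseline.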