System Administration Guide: Security Services

Chapter 5 Using the Basic Audit Reporting Tool (Tasks)

This chapter describes how to create a manifest of the files on a system and how to use that manifest to check the integrity of the system. The Basic Audit Reporting Tool (BART) enables you to comprehensively validate systems by performing file-level checks of a system over time.

The following is a list of the information in this chapter:

Basic Audit Reporting Tool (Overview)

BART is a file tracking tool that operates entirely at the file system level. Using BART gives you the ability to quickly, easily, and reliably gather information about the components of the software stack that is installed on deployed systems. Using BART can greatly reduce the costs of administering a network of systems by simplifying time-consuming administrative tasks.

BART enables you to determine what file-level changes have occurred on a system, relative to a known baseline. You use BART to create a baseline or control manifest from a fully installed and configured system. You can then compare this baseline with a snapshot of the system at a later time, generating a report that lists file-level changes that have occurred on the system since it was installed.

The bart command is a standard UNIX command. You can redirect the output of the bart command to a file for later processing.

BART Features

BART has been designed with an emphasis on a simple syntax that is both powerful and flexible. The tool enables you to generate manifests of a given system over time. Then, when the system's files need to be validated, you can generate a report by comparing the old and new manifests. Another way to use BART is to generate manifests of several similar systems and run system-to-system comparisons. The main difference between BART and existing auditing tools is that BART is flexible, both in terms of what information is tracked and what information is reported.

Additional benefits and uses of BART include the following:

BART Components

BART has two main components and one optional component:

BART Manifest

You use the bart create command to take a file-level snapshot of a system at a particular time. The output is a catalog of files and file attributes called a manifest. The manifest lists information about all the files or specific files on a system. It contains information about attributes of files, which can include some uniquely identifying information, such as an MD5 checksum. For more information about the MD5 checksum, see the md5(3EXT) man page. A manifest can be stored and transferred between client and server systems.


Note –

BART does not cross file system boundaries, with the exception of file systems of the same type. This constraint makes the output of the bart create command more predictable. For example, without arguments, the bart create command catalogs all file systems under the root (/) directory. However, no NFS or TMPFS file systems or mounted CD-ROMs would be cataloged. When creating a manifest, do not attempt to audit file systems on a network. Note that using BART to monitor networked file systems can consume large resources to generate manifests that will have little value.


For more information about BART manifests, see BART Manifest File Format.

BART Report

The report tool has three inputs: the two manifests to be compared and an optional user-provided rules file that indicates which discrepancies are to be flagged.

You use the bart compare command to compare two manifests, a control manifest and a test manifest. These manifests must be prepared with the same file systems, options, and rules file that you use with the bart create command.

The output of the bart compare command is a report that lists per-file discrepancies between the two manifests. A discrepancy is a change to any attribute for a given file that is cataloged for both manifests. Additions or deletions of file entries between the two manifests are also considered discrepancies.

There are two levels of control when reporting discrepancies:

These levels of control are intentional, since generating a manifest is more costly than reporting discrepancies between two manifests. Once you have created manifests, you have the ability to compare manifests from different perspectives by running the bart compare command with different rules files.

For more information about BART reports, see BART Reporting.

BART Rules File

The rules file is a text file that you can optionally use as input to the bart command. This file uses inclusion and exclusion rules. A rules file is used to create custom manifests and reports. A rules file enables you to express in a concise syntax which sets of files you want to catalog, as well as which attributes to monitor for any given set of files. When you compare manifests, the rules file aids in flagging discrepancies between the manifests. Using a rules file is an effective way to gather specific information about files on a system.

You create a rules file by using a text editor. With a rules file, you can perform the following tasks:


Note –

You can create several rules files for different purposes. However, if you create a manifest by using a rules file, you must use the same rules file when you compare the manifests. If you do not use the same rules file when comparing manifests that were created with a rules file, the output of the bart compare command will list many invalid discrepancies.

A rules file can also contain syntax errors and other ambiguous information as a result of user error. If a rules file does contain misinformation, these errors will also be reported.


Using a rules file to monitor specific files and file attributes on a system requires planning. Before you create a rules file, decide which files and file attributes on the system you want to monitor. Depending on what you are trying to accomplish, you might use a rules file to create manifests, compare manifests, or for purposes.

For more information about the BART rules file, see BART Rules File Format and the bart_rules(4) man page.

Using BART (Task Map)

Task 

Description 

For Instructions 

Create a manifest. 

Obtain a manifest that lists information about every file that is installed on a system. 

How to Create a Manifest

Create a custom manifest. 

Obtain a manifest that lists information about specific files that are installed on a system in one of the following ways: 

  • By specifying a subtree

  • By specifying a file name

  • By using a rules file

 

 

 

 

How to Customize a Manifest

 

 

Compare manifests for the same system over time. Or, compare manifests for different systems with a control system manifest. 

Obtain a report that compares changes to a system over time. Or, obtain a report that compares one or several systems to control system. 

How to Compare Manifests for the Same System Over Time

How to Compare Manifests From a Different System With the Manifest of a Control System

(Optional) Customize a BART report. 

Obtain a custom BART report in one of the following ways: 

  • By specifying attributes.

  • By using a rules file.

 

 

 

How to Customize a BART Report by Specifying File Attributes

How to Customize a BART Report by Using a Rules File

Using BART (Tasks)

You can run the bart command as a regular user, superuser, or a user who has assumed the Primary Administrator role. If you run the bart command as a regular user, you will only be able to catalog and monitor files that you have permission to access, for example, information about files in your home directory. The advantage of becoming superuser when you run the bart command is that the manifests you create will contain information about hidden and private files that you might want to monitor. If you need to catalog and monitor information about files that have restricted permissions, for example, the /etc/passwd or /etc/shadow file, run the bart command as superuser or assume an equivalent role. For more information about using role-based access control, see Configuring RBAC (Task Map).

BART Security Considerations

Running the bart command as superuser makes the output readable by anyone. This output might contain file names that are intended to be private. If you become superuser when you run the bart command, take appropriate measures to protect the output. For example, use options that generate output files with restrictive permissions.


Note –

The procedures and examples in this chapter show the bart command run by superuser. Unless otherwise specified, running the bart command as superuser is optional.


ProcedureHow to Create a Manifest

You can create a manifest of a system immediately after an initial Solaris software installation. This type of manifest will provide you with a baseline for comparing changes to the same system over time. Or, you can use this manifest to compare with the manifests for different systems. For example, if you take a snapshot of each system on your network, and then compare each test manifest with the control manifest, you can quickly determine what you need to do to synchronize the test system with the baseline configuration.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. After installing the Solaris software, create a control manifest and redirect the output to a file.


    # bart create options > control-manifest
    
    -R

    Specifies the root directory for the manifest. All paths specified by the rules will be interpreted relative to this directory. All paths reported in the manifest will be relative to this directory.

    -I

    Accepts a list of individual files to be cataloged, either on the command line or read from standard input.

    -r

    Is the name of the rules file for this manifest. Note that , when used with the -r option, will be read the rules file from standard input.

    -n

    Turns off content signatures for all regular files in the file list. This option can be used to improve performance. Or, you can use this option if the contents of the file list are expected to change, as in the case of system log files.

  3. Examine the contents of the manifest.

  4. Save the manifest for future use.

    Choose a meaningful name for the manifest. For example, use the system name and date that the manifest was created.


Example 5–1 Creating a Manifest That Lists Information About Every File on a System

If you run the bart create command without any options, information about every file that is installed on the system will be cataloged. Use this type of manifest as a baseline when you are installing many systems from a central image. Or, use this type of manifest to run comparisons when you want to ensure that the installations are identical.

For example:


# bart create
! Version 1.0
! Thursday, December 04, 2003 (16:17:39)
# Format:
#fname D size mode acl dirmtime uid gid
#fname P size mode acl mtime uid gid
#fname S size mode acl mtime uid gid
#fname F size mode acl mtime uid gid contents
#fname L size mode acl lnmtime uid gid dest
#fname B size mode acl mtime uid gid devnode
#fname C size mode acl mtime uid gid devnode
/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 3fd9ea47 0 0
/.java D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 3f8dc04d 0 10
/.java/.userPrefs D 512 40700 user::rwx,group::---,mask:---
other:--- 3f8dc06b 010
/.java/.userPrefs/.user.lock.root F 0 100600 user::rw-
group::---,mask:---,other:--- 3f8dc06b 0 10 -
/.java/.userPrefs/.userRootModFile.root F 0 100600 user::rw-,
group::---,mask:---,other:--- 3f8dc0a1 0 10 -
.
.
.
/var/sadm/pkg/SUNWdtmad/install/depend F 932 100644 user::rw-,
group::r--,mask:r--,other:r-- 3c23a19e 0 0 -
/var/sadm/pkg/SUNWdtmad/pkginfo F 594 100644 user::rw-
group::r--,mask:r--,other:r-- 3f81e416 0 0 -
/var/sadm/pkg/SUNWdtmad/save D 512 40755 user::rwx,group::r-x
mask:r-x,other:r-x 3f81e416 0 0
/var/sadm/pkg/SUNWdtmaz D 512 40755 user::rwx,group::r-x
mask:r-x,other:r-x 3f81e41b 0 0
/var/sadm/pkg/TSIpgxw/save D 512 40755 user::rwx
group::r-x,mask:r-x,other:r-x 3f81e892 0 0
.
.
.

Each manifest consists of a header and entries. Each manifest file entry is a single line, depending on the file type. For example, for each manifest entry in the preceding output, type F specifies a file and type D specifies a directory. Also listed is information about size, content, user ID, group ID, and permissions. File entries in the output are sorted by the encoded versions of the file names to correctly handle special characters. All entries are sorted in ascending order by file name. All nonstandard file names, such as those that contain embedded newline or tab characters, have the nonstandard characters quoted before being sorted.

Lines that begin with ! supply metadata about the manifest. The manifest version line indicates the manifest specification version. The date line shows the date on which the manifest was created, in date form. See the date(1) man page. Some lines are ignored by the manifest comparison tool. Ignored lines include blank lines, lines that consist only of white space, and comments that begin with #.


ProcedureHow to Customize a Manifest

You can customize a manifest in one of the following ways:

  1. Determine which files you want to catalog and monitor.

  2. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  3. After installing the Solaris software, create a custom manifest by using one of the following options:

    • By specifying a subtree:


      # bart create -R root-directory
      
    • By specifying a file name or file names:


      # bart create -I filename...
      

      For example:


      # bart create -I /etc/system /etc/passwd /etc/shadow
      
    • By using a rules file:


      # bart create -r rules-file
      
  4. Examine the contents of the manifest.

  5. Save the manifest for future use.


Example 5–2 Creating a Manifest by Specifying a Subtree

This example shows how to create a manifest that contains information about the files in the /etc/ssh subtree only.


# bart create -R /etc/ssh
! Version 1.0
! Saturday, November 29, 2003 (14:05:36)
# Format:
#fname D size mode acl dirmtime uid gid
#fname P size mode acl mtime uid gid
#fname S size mode acl mtime uid gid
#fname F size mode acl mtime uid gid contents
#fname L size mode acl lnmtime uid gid dest
#fname B size mode acl mtime uid gid devnode
#fname C size mode acl mtime uid gid devnode
/ D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 3f81eab9 0 3
/ssh_config F 861 100644 user::rw-,group::r--,mask:r--,
other:r-- 3f81e504 0 3 422453ca0e2348cd9981820935600395
/ssh_host_dsa_key F 668 100600 user::rw-,group::---,mask:---,
other:--- 3f81eab9 0 0 5cc28cdc97e833069fd41ef89e4d9834
/ssh_host_dsa_key.pub F 602 100644 user::rw-,group::r--,mask:r--,
other:r-- 3f81eab9 0 0 16118c736995a4e4754f5ab4f28cf917
/ssh_host_rsa_key F 883 100600 user::rw-,group::---,mask:---,
other:--- 3f81eaa2 0 0 6ff17aa968ecb20321c448c89a8840a9
/ssh_host_rsa_key.pub F 222 100644 user::rw-,group::r--,mask:r--,
other:r-- 3f81eaa2 0 0 9ea27617efc76058cb97aa2caa6dd65a
.
.
.


Example 5–3 Customizing a Manifest by Specifying a File Name

This example shows how to create a manifest that lists only information about the /etc/passwd and /etc/shadow files on a system.


# bart create -I /etc/passwd /etc/shadow
! Version 1.0
! Monday, December 15, 2003 (16:28:55)
# Format:
#fname D size mode acl dirmtime uid gid
#fname P size mode acl mtime uid gid
#fname S size mode acl mtime uid gid
#fname F size mode acl mtime uid gid contents
#fname L size mode acl lnmtime uid gid dest
#fname B size mode acl mtime uid gid devnode
#fname C size mode acl mtime uid gid devnode
/etc/passwd F 542 100444 user::r--,group::r--,mask:r--,
other:r-- 3fcfd45b 0 3 d6
84554f85d1de06219d80543174ad1a
/etc/shadow F 294 100400 user::r--,group::---,mask:---,
other:--- 3f8dc5a0 0 3 fd
c3931c1ae5ee40341f3567b7cf15e2

By comparison, the following is the standard output of the ls -al command for the /etc/passwd and the /etc/shadow files on the same system.


# ls -al /etc/passwd
-r--r--r--   1 root     sys          542 Dec  4 17:42 /etc/passwd

# ls -al /etc/shadow
-r--------   1 root     sys          294 Oct 15 16:09 /etc/shadow


Example 5–4 Customizing a Manifest by Using a Rules File

This example shows how to create a manifest by using a rules file to catalog only those files in the /etc directory. The same rules file includes directives to be used by the bart compare command for monitoring changes to the acl attribute of the /etc/system file.


ProcedureHow to Compare Manifests for the Same System Over Time

Use this procedure when you want to monitor file-level changes to the same system over time. This type of manifest can assist you in locating corrupted or unusual files, detecting security breaches, or in troubleshooting performance issues on a system.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. After installing the Solaris software, create a control manifest of the files that you want to monitor on the system.


    # bart create -R /etc > control-manifest
    
  3. Create a test manifest that is prepared identically to the control manifest whenever you want monitor changes to the system.


    # bart create -R /etc > test-manifest
    
  4. Compare the control manifest with the test manifest.


    # bart compare options control-manifest  test-manifest > bart-report
    
    -r

    Is the name of the rules file for this comparison. Using the -r option with the means that the directives will be read from standard input.

    -i

    Allows the user to set global IGNORE directives from the command line.

    -p

    Is the programmatic mode that generates standard non-localized output for programmatic parsing.

    control-manifest

    Is the output from the bart create command for the control system.

    test-manifest

    Is the output from the bart create command of the test system.

  5. Examine the BART report for oddities.


Example 5–5 Comparing Manifests for the Same System Over Time

This example shows how to monitor changes that have occurred in the /etc directory between two points in time. This type of comparison enables you to quickly determine whether important files on the system have been compromised.

The preceding output indicates permissions on the vfstab file have changed since the control manifest was created. This report can be used to investigate whether ownership, date, content, or any other file attributes have changed. Having this type of information readily available can assist you in tracking down who might have tampered with the file and when the change might have occurred.


ProcedureHow to Compare Manifests From a Different System With the Manifest of a Control System

You can run system to system comparisons, thereby enabling you to quickly determine whether there are any file-level differences between a baseline system and the other systems. For example, if you have installed a particular version of the Solaris software on a baseline system, and you want to know whether other systems have identical packages installed, you can create manifests for those systems and then compare the test manifests with the control manifest. This type of comparison will list any discrepancies in the file contents for each test system that you compare with the control system.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. After installing the Solaris software, create a control manifest.


    # bart create options > control-manifest
    
  3. Save the control manifest.

  4. On the test system, use the same bart options to create a manifest, and redirect the output to a file.


    # bart create options > test1-manifest
    

    Choose a distinct and meaningful name for the test manifest.

  5. Save the test manifest to a central location on the system until you are ready to compare manifests.

  6. When you want to compare manifests, copy the control manifest to the location of the test manifest. Or, copy the test manifest to the control system.

    For example:

    # cp control-manifest /net/test-server/bart/manifests

    If the test system is not an NFS-mounted system, use FTP or some other reliable means to copy the control manifest to the test system.

  7. Compare the control manifest with the test manifest and redirect the output to a file.


    # bart compare control-manifest test1-manifest > test1.report
    
  8. Examine the BART report for oddities.

  9. Repeat Step 4 through Step 9 for each test manifest that you want to compare with the control manifest.

    Use the same bart options for each test system.


Example 5–6 Comparing Manifests From Different Systems With the Manifest of a Control System

This example describes how to monitor changes to the contents of the /usr/bin directory by comparing a control manifest with a test manifest from a different system.

The previous output indicates that the group ID of the su file in the /usr/bin directory is not the same as that of the control system. This information can be helpful in determining whether a different version of the software was installed on the test system or if possibly someone has tampered with the file.


ProcedureHow to Customize a BART Report by Specifying File Attributes

This procedure is optional and explains how to customize a BART report by specifying file attributes from the command line. If you create a baseline manifest that lists information about all the files or specific on your system, you can run the bart compare command, specifying different attributes, whenever you need to monitor changes to a particular directory, subdirectory, file or files. You can run different types of comparisons for the same manifests by specifying different file attributes from the command line.

  1. Determine which file attributes you want to monitor.

  2. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  3. After installing the Solaris software, create a control manifest.

  4. Create a test manifest when you want to monitor changes.

    Prepare the test manifest identically to the control manifest.

  5. Compare the manifests.

    For example:


    # bart compare -i dirmtime,lnmtime,mtime control-manifest.121503 \
    test-manifest.010504 > bart.report.010504
    

    Note that a comma separates each attribute you specify in the command-line syntax.

  6. Examine the BART report for oddities.

ProcedureHow to Customize a BART Report by Using a Rules File

This procedure is also optional and explains how to customize a BART report by using a rules file as input to the bart compare command. By using a rules file, you can customize a BART report, which allows you the flexibility of specifying multiple attributes for more than one file or subtree. You can run different comparisons for the same manifests by using different rules files.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Determine which files and file attributes you want to monitor.

  3. Use a text editor to create a rules file with the appropriate directives.

  4. After installing the Solaris software, create a control manifest by using the rules file you created.


    # bart create -r rules-file > control-manifest
    
  5. Create a test manifest that is prepared identically to the control manifest.


    # bart create -r rules-file > test-manifest
    
  6. Compare the control manifest with the test manifest by using the same rules file.


    # bart compare -r rules-file control-manifest test-manifest > bart.report
    
  7. Examine the BART report for oddities.


Example 5–7 Customizing a BART Report by Using a Rules File

The following rules file includes directives for both the bart create and the bart compare commands. The rules file directs the bart create command to list information about the contents of the /usr/bin directory. In addition, the rules file directs the bart compare command to track only size and content changes in the same directory.


# Check size and content changes in the /usr/bin directory.
# This rules file only checks size and content changes.
# See rules file example.

IGNORE all
CHECK size contents
/usr/bin

In the preceding output, the bart compare command reported a discrepancy in the /usr/bin directory. This output indicates that /usr/bin/ypcat file was deleted, and the /usr/bin/gunzip file was added.


BART Manifest, Rules File, and Reporting (Reference)

This section includes the following reference information:

BART Manifest File Format

Each manifest file entry is a single line, depending on the file type. Each entry begins with fname, which is the name of the file. To prevent parsing problems that are caused by special characters embedded in file names, the file names are encoded. For more information, see BART Rules File Format.

Subsequent fields represent the following file attributes:

type

Type of file with the following possible values:

  • B for a block device node

  • C for a character device node

  • D for a directory

  • F for a file

  • L for a symbolic link

  • P for a pipe

  • S for a socket

size

File size in bytes.

mode

Octal number that represents the permissions of the file.

acl

ACL attributes for the file. For a file with ACL attributes, this contains the output from acltotext().

uid

Numerical user ID of the owner of this entry.

gid

Numerical group ID of the owner of this entry.

dirmtime

Last modification time, in seconds, since 00:00:00 UTC, January 1, 1970, for directories.

lnmtime

Last modification time, in seconds, since 00:00:00 UTC, January 1, 1970, for links.

mtime

Last modification time, in seconds, since 00:00:00 UTC January 1, 1970, for files.

contents

Checksum value of the file. This attribute is only specified for regular files. If you turn off context checking, or if checksums cannot be computed, the value of this field is .

dest

Destination of a symbolic link.

devnode

Value of the device node. This attribute is for character device files and block device files only.

For more information about BART manifests, see the bart_manifest(4) man page.

BART Rules File Format

The input files to the bart command are text files. These files consist of lines that specify which files are to be included in the manifest and which file attributes are to be included the report. The same input file can be used across both pieces of BART functionality. Lines that begin with #, blank lines, and lines that contain white space are ignored by the tool.

The input files have three types of directives:


Example 5–8 Rules File Format


<Global CHECK/IGNORE Directives>
<subtree1> [pattern1..]
<IGNORE/CHECK Directives for subtree1>

<subtree2> [pattern2..]
<subtree3> [pattern3..]
<subtree4> [pattern4..]
<IGNORE/CHECK Directives for subtree2, subtree3, subtree4>


Note –

All directives are read in order, with later directives possibly overriding earlier directives.


There is one subtree directive per line. The directive must begin with an absolute pathname, followed by zero or more pattern matching statements.

Rules File Attributes

The bart command uses CHECK and IGNORE statements to define which attributes to track or ignore. Each attribute has an associated keyword.

The attribute keywords are as follows:

The all keyword refers to all file attributes.

Quoting Syntax

The rules file specification language that BART uses is the standard UNIX quoting syntax for representing nonstandard file names. Embedded tab, space, newline, or special characters are encoded in their octal forms to enable the tool to read file names. This nonuniform quoting syntax prevents certain file names, such as those containing an embedded carriage return, from being processed correctly in a command pipeline. The rules specification language allows the expression of complex file name filtering criteria that would be difficult and inefficient to describe by using shell syntax alone.

For more information about the BART rules file or the quoting syntax used by BART, see the bart_rules(4) man page.

BART Reporting

In default mode, the bart compare command, as shown in the following example, will check all the files installed on the system, with the exception of modified directory timestamps (dirmtime):


CHECK all
IGNORE	dirmtime

If you supply a rules file, then the global directives of CHECK all and IGNORE dirmtime, in that order, are automatically prepended to the rules file.

BART Output

The following exit values are returned:

0

Success

1

Nonfatal error when processing files, such as permission problems

>1

Fatal error, such as an invalid command-line option

The reporting mechanism provides two types of output: verbose and programmatic:

For a list of attributes that are supported by the bart command, see Rules File Attributes.

For more information about BART, see the bart(1M) man page.