System Administration Guide: Security Services

ProcedureHow to Compare Manifests for the Same System Over Time

Use this procedure when you want to monitor file-level changes to the same system over time. This type of manifest can assist you in locating corrupted or unusual files, detecting security breaches, or in troubleshooting performance issues on a system.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. After installing the Solaris software, create a control manifest of the files that you want to monitor on the system.

    # bart create -R /etc > control-manifest
  3. Create a test manifest that is prepared identically to the control manifest whenever you want monitor changes to the system.

    # bart create -R /etc > test-manifest
  4. Compare the control manifest with the test manifest.

    # bart compare options control-manifest  test-manifest > bart-report

    Is the name of the rules file for this comparison. Using the -r option with the means that the directives will be read from standard input.


    Allows the user to set global IGNORE directives from the command line.


    Is the programmatic mode that generates standard non-localized output for programmatic parsing.


    Is the output from the bart create command for the control system.


    Is the output from the bart create command of the test system.

  5. Examine the BART report for oddities.

Example 5–5 Comparing Manifests for the Same System Over Time

This example shows how to monitor changes that have occurred in the /etc directory between two points in time. This type of comparison enables you to quickly determine whether important files on the system have been compromised.

The preceding output indicates permissions on the vfstab file have changed since the control manifest was created. This report can be used to investigate whether ownership, date, content, or any other file attributes have changed. Having this type of information readily available can assist you in tracking down who might have tampered with the file and when the change might have occurred.