JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Solaris Administration: Security Services     Oracle Solaris 11 Information Library
search filter icon
search icon

Document Information

Preface

Part I Security Overview

1.  Security Services (Overview)

Part II System, File, and Device Security

2.  Managing Machine Security (Overview)

3.  Controlling Access to Systems (Tasks)

4.  Virus Scanning Service (Tasks)

5.  Controlling Access to Devices (Tasks)

6.  Using the Basic Audit Reporting Tool (Tasks)

Basic Audit Reporting Tool (Overview)

BART Features

BART Components

BART Manifest

BART Report

BART Rules File

Using BART (Tasks)

BART Security Considerations

Using BART (Task Map)

How to Create a Manifest

How to Customize a Manifest

How to Compare Manifests for the Same System Over Time

How to Compare Manifests From Different Systems

How to Customize a BART Report by Specifying File Attributes

How to Customize a BART Report by Using a Rules File

BART Manifests, Rules Files, and Reports (Reference)

BART Manifest File Format

BART Rules File Format

Rules File Attributes

Quoting Syntax

BART Reporting

BART Output

7.  Controlling Access to Files (Tasks)

Part III Roles, Rights Profiles, and Privileges

8.  Using Roles and Privileges (Overview)

9.  Using Role-Based Access Control (Tasks)

10.  Security Attributes in Oracle Solaris (Reference)

Part IV Cryptographic Services

11.  Cryptographic Framework (Overview)

12.  Cryptographic Framework (Tasks)

13.  Key Management Framework

Part V Authentication Services and Secure Communication

14.  Network Services Authentication (Tasks)

15.  Using PAM

16.  Using SASL

17.  Using Secure Shell (Tasks)

18.  Secure Shell (Reference)

Part VI Kerberos Service

19.  Introduction to the Kerberos Service

20.  Planning for the Kerberos Service

21.  Configuring the Kerberos Service (Tasks)

22.  Kerberos Error Messages and Troubleshooting

23.  Administering Kerberos Principals and Policies (Tasks)

24.  Using Kerberos Applications (Tasks)

25.  The Kerberos Service (Reference)

Part VII Auditing in Oracle Solaris

26.  Auditing (Overview)

27.  Planning for Auditing

28.  Managing Auditing (Tasks)

29.  Auditing (Reference)

Glossary

Index

Using BART (Tasks)

You can run the bart command as a regular user, superuser, or a user who has assumed a role. If you run the bart command as a regular user, you are only able to catalog and monitor files that you have permission to access, such as files in your home directory. The advantage of becoming superuser when you run the bart command is that the manifests you create contain information about hidden and private files that you might want to monitor. If you need to catalog and monitor information about files that have restricted permissions, for example, the /etc/passwd or /etc/shadow file, run the bart command as superuser. For more information about using role-based access control, see Role-Based Access Control (Overview).

BART Security Considerations

Running the bart command as superuser makes the output readable by anyone. This output might contain file names that are intended to be private. If you become superuser when you run the bart command, take appropriate measures to protect the output. For example, use options that generate output files with restrictive permissions.


Note - The procedures and examples in this chapter show the bart command run by superuser. Unless otherwise specified, running the bart command as superuser is optional.


Using BART (Task Map)

Task
Description
For Instructions
Create a BART manifest.
Generates a list of information about every file that is installed on a system.
Create a custom BART manifest.
Generates a list of information about specific files that are installed on a system.
Compare BART manifests.
Generates a report that compares changes to a system over time.

Or, generates a report that compares one or several systems to control system.

(Optional) Customize a BART report.
Generates a custom BART report in one of the following ways:
  • By specifying attributes.

  • By using a rules file.

How to Create a Manifest

You can create a manifest of a system immediately after an initial Oracle Solaris software installation. This type of manifest provides you with a baseline for comparing changes to the same system over time. Or, you can use this manifest to compare with the manifests for different systems. For example, if you take a snapshot of each system on your network, and then compare each test manifest with the control manifest, you can quickly determine what you need to do to synchronize the test system with the baseline configuration.

Before You Begin

To create a system manifest, you must be in the root role.

  1. After installing the Oracle Solaris software, create a control manifest and redirect the output to a file.
    # bart create options > control-manifest
    -R

    Specifies the root directory for the manifest. All paths specified by the rules are interpreted relative to this directory. All paths reported in the manifest are relative to this directory.

    -I

    Accepts a list of individual files to be cataloged, either on the command line or read from standard input.

    -r

    Is the name of the rules file for this manifest. Note that , when used with the -r option, reads the rules file from standard input.

    -n

    Turns off content signatures for all regular files in the file list. This option can be used to improve performance. Or, you can use this option if the contents of the file list are expected to change, as in the case of system log files.

  2. Examine the contents of the manifest.
  3. Save the manifest for future use.

    Choose a meaningful name for the manifest. For example, use the system name and date that the manifest was created.

Example 6-1 Creating a Manifest That Lists Information About Every File on a System

If you run the bart create command without any options, information about every file that is installed on the system is cataloged. Use this type of manifest as a baseline when you are installing many systems from a central image. Or, use this type of manifest to run comparisons when you want to ensure that the installations are identical.

For example:

# bart create
! Version 1.1
! HASH SHA256
! Wednesday, September 07, 2011 (22:22:27)
# Format:
#fname D size mode acl dirmtime uid gid
#fname P size mode acl mtime uid gid
#fname S size mode acl mtime uid gid
#fname F size mode acl mtime uid gid contents
#fname L size mode acl lnmtime uid gid dest
#fname B size mode acl mtime uid gid devnode
#fname C size mode acl mtime uid gid devnode
/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x
3ebc418eb5be3729ffe7e54053be2d33ee884205502c81ae9689cd8cca5b0090 0 0
.
.
.
/zone D 512 40755 user::rwx group::r-x,mask:r-x,other:r-x 3f81e892
154de3e7bdfd0d57a074c9fae0896a9e2e04bebfe5e872d273b063319e57f334 0 0
.
.
.

Each manifest consists of a header and entries. Each manifest file entry is a single line, depending on the file type. For example, for each manifest entry in the preceding output, type F specifies a file and type D specifies a directory. Also listed is information about size, content, user ID, group ID, and permissions. File entries in the output are sorted by the encoded versions of the file names to correctly handle special characters. All entries are sorted in ascending order by file name. All nonstandard file names, such as those that contain embedded newline or tab characters, have the nonstandard characters quoted before being sorted.

Lines that begin with ! supply metadata about the manifest. The manifest version line indicates the manifest specification version. The hash line indicates the hash mechanism that was used. The date line shows the date on which the manifest was created, in date form. See the date(1) man page. Some lines are ignored by the manifest comparison tool. Ignored lines include blank lines, lines that consist only of white space, and comments that begin with #.

How to Customize a Manifest

You can customize a manifest in one of the following ways:

Before You Begin

You must be in the root role.

  1. Determine which files you want to catalog and monitor.
  2. After installing the Oracle Solaris software, create a custom manifest by using one of the following options:
    • By specifying a subtree:

      # bart create -R root-directory
    • By specifying a file name or file names:

      # bart create -I filename...

      For example:

      # bart create -I /etc/system /etc/passwd /etc/shadow
    • By using a rules file:

      # bart create -r rules-file
  3. Examine the contents of the manifest.
  4. Save the manifest for future use.

How to Compare Manifests for the Same System Over Time

Use this procedure when you want to monitor file-level changes to the same system over time. This type of manifest can assist you in locating corrupted or unusual files, detecting security breaches, or in troubleshooting performance issues on a system.

Before You Begin

To create and compare manifests that include public objects, you must be in the root role.

  1. After installing the Oracle Solaris software, create a control manifest of the files that you want to monitor on the system.
    # bart create -R /etc > control-manifest
  2. Create a test manifest that is prepared identically to the control manifest whenever you want monitor changes to the system.
    # bart create -R /etc > test-manifest
  3. Compare the control manifest with the test manifest.
    # bart compare options control-manifest test-manifest > bart-report
    -r

    Is the name of the rules file for this comparison. Using the -r option with the means that the directives read from standard input.

    -i

    Allows the user to set global IGNORE directives from the command line.

    -p

    Is the programmatic mode that generates standard non-localized output for programmatic parsing.

    control-manifest

    Is the output from the bart create command for the control system.

    test-manifest

    Is the output from the bart create command of the test system.

  4. Examine the BART report for oddities.

Example 6-2 Comparing Manifests for the Same System Over Time

This example shows how to monitor changes that have occurred in the /etc directory between two points in time. This type of comparison enables you to quickly determine whether important files on the system have been compromised.

The preceding output indicates that the modification time on the audit_class file has changed since the control manifest was created. This report can be used to investigate whether ownership, date, content, or any other file attributes have changed. Having this type of information readily available can assist you in tracking down who might have tampered with the file and when the change might have occurred.

How to Compare Manifests From Different Systems

You can run system to system comparisons, thereby enabling you to quickly determine whether there are any file-level differences between a baseline system and the other systems. For example, if you have installed a particular version of the Oracle Solaris software on a baseline system, and you want to know whether other systems have identical packages installed, you can create manifests for those systems and then compare the test manifests with the control manifest. This type of comparison lists any discrepancies in the file contents for each test system that you compare with the control system.

Before You Begin

To compare system manifests, you must be in the root role.

  1. After installing the Oracle Solaris software, create a control manifest.
    # bart create options > control-manifest
  2. Save the control manifest.
  3. On the test system, use the same bart options to create a manifest, and redirect the output to a file.
    # bart create options > test1-manifest

    Choose a distinct and meaningful name for the test manifest.

  4. Save the test manifest to a central location on the system until you are ready to compare manifests.
  5. When you want to compare manifests, copy the control manifest to the location of the test manifest. Or, copy the test manifest to the control system.

    For example:

    # cp control-manifest /net/test-server/bart/manifests

    If the test system is not an NFS-mounted system, use FTP or some other reliable means to copy the control manifest to the test system.

  6. Compare the control manifest with the test manifest and redirect the output to a file.
    # bart compare control-manifest test1-manifest > test1.report
  7. Examine the BART report for oddities.
  8. Repeat Step 4 through Step 9 for each test manifest that you want to compare with the control manifest.

    Use the same bart options for each test system.

Example 6-3 Comparing Manifests From Different Systems With the Manifest of a Control System

This example describes how to monitor changes to the contents of the /usr/bin directory by comparing a control manifest with a test manifest from a different system.

The previous output indicates that the group ID of the su file in the /usr/bin directory is not the same as that of the control system. This information can be helpful in determining whether a different version of the software was installed on the test system or if possibly someone has tampered with the file.

How to Customize a BART Report by Specifying File Attributes

This procedure is optional and explains how to customize a BART report by specifying file attributes from the command line. If you create a baseline manifest that lists information about all the files or specific on your system, you can run the bart compare command, specifying different attributes, whenever you need to monitor changes to a particular directory, subdirectory, file or files. You can run different types of comparisons for the same manifests by specifying different file attributes from the command line.

Before You Begin

You must be in the root role.

  1. Determine which file attributes you want to monitor.
  2. After installing the Oracle Solaris software, create a control manifest.
  3. Create a test manifest when you want to monitor changes.

    Prepare the test manifest identically to the control manifest.

  4. Compare the manifests.

    For example:

    # bart compare -i dirmtime,lnmtime,mtime control-manifest.121503 \
    test-manifest.010504 > bart.report.010504

    Note that a comma separates each attribute you specify in the command-line syntax.

  5. Examine the BART report for oddities.

How to Customize a BART Report by Using a Rules File

This procedure is also optional and explains how to customize a BART report by using a rules file as input to the bart compare command. By using a rules file, you can customize a BART report, which allows you the flexibility of specifying multiple attributes for more than one file or subtree. You can run different comparisons for the same manifests by using different rules files.

Before You Begin

You must be in the root role.

  1. Determine which files and file attributes you want to monitor.
  2. Use a text editor to create a rules file with the appropriate directives.
  3. After installing the Oracle Solaris software, create a control manifest by using the rules file you created.
    # bart create -r rules-file > control-manifest
  4. Create a test manifest that is prepared identically to the control manifest.
    # bart create -r rules-file > test-manifest
  5. Compare the control manifest with the test manifest by using the same rules file.
    # bart compare -r rules-file control-manifest test-manifest > bart.report
  6. Examine the BART report for oddities.

Example 6-4 Customizing a BART Report by Using a Rules File

The following rules file includes directives for both the bart create and the bart compare commands. The rules file directs the bart create command to list information about the contents of the /usr/bin directory. In addition, the rules file directs the bart compare command to track only size and content changes in the same directory.

# Check size and content changes in the /usr/bin directory.
# This rules file only checks size and content changes.
# See rules file example.

IGNORE all
CHECK size contents
/usr/bin

In the preceding output, the bart compare command reported a discrepancy in the /usr/bin directory. This output indicates that /usr/bin/ypcat file was deleted, and the /usr/bin/gunzip file was added.