BART Manifests, Rules Files, and Reports (Reference)

This section describes the format of files that BART uses and creates.

BART Manifest File Format

Each manifest file entry is a single line, depending on the file type. Each entry begins with fname, which is the name of the file. To prevent parsing problems that are caused by special characters embedded in file names, the file names are encoded. For more information, see BART Rules File Format.

Subsequent fields represent the following file attributes:

type

Type of file with the following possible values:

B for a block device node
C for a character device node
D for a directory
F for a file
L for a symbolic link
P for a pipe
S for a socket

size

File size in bytes.

mode

Octal number that represents the permissions of the file.

acl

ACL attributes for the file. For a file with ACL attributes, this contains the output from acltotext().

uid

Numerical user ID of the owner of this entry.

gid

Numerical group ID of the owner of this entry.

dirmtime

Last modification time, in seconds, since 00:00:00 UTC, January 1, 1970, for directories.

lnmtime

Last modification time, in seconds, since 00:00:00 UTC, January 1, 1970, for links.

mtime

Last modification time, in seconds, since 00:00:00 UTC January 1, 1970, for files.

contents

Checksum value of the file. This attribute is only specified for regular files. If you turn off context checking, or if checksums cannot be computed, the value of this field is -.

dest

Destination of a symbolic link.

devnode

Value of the device node. This attribute is for character device files and block device files only.

For more information, see the bart_manifest(4) man page.

BART Rules File Format

Rules files are text files that consist of lines that specify which files are to be included in the manifest and which file attributes are to be included in the manifest or the report. Lines that begin with #, blank lines, and lines that contain white space are ignored by the tool.

The input files have three types of directives:

Subtree directive, with optional pattern matching modifiers
CHECK directive
IGNORE directive

Example 6-5 Rules File Format

<Global CHECK/IGNORE Directives>
<subtree1> [pattern1..]
<IGNORE/CHECK Directives for subtree1>

<subtree2> [pattern2..]
<subtree3> [pattern3..]
<subtree4> [pattern4..]
<IGNORE/CHECK Directives for subtree2, subtree3, subtree4>

Note - All directives are read in order. Later directives can override earlier directives.

A subtree directive must begin with an absolute pathname, followed by zero or more pattern matching statements.

Rules File Attributes

The CHECK and IGNORE statements define which file attributes to track or ignore. The metadata that begins each manifest lists the attribute keywords per file type. For an example, see Example 6-1.

The all keyword indicates all file attributes.

Quoting Syntax

The rules file specification language that BART uses is the standard UNIX quoting syntax for representing nonstandard file names. Embedded tab, space, newline, or special characters are encoded in their octal forms to enable the tool to read file names. This nonuniform quoting syntax prevents certain file names, such as those containing an embedded carriage return, from being processed correctly in a command pipeline. The rules specification language allows the expression of complex file name filtering criteria that would be difficult and inefficient to describe by using shell syntax alone.

For more information, see the bart_rules(4) man page.

BART Reporting

In default mode, a BART report checks all the files installed on the system, with the exception of modified directory timestamps (dirmtime):

CHECK all
IGNORE    dirmtime

If you supply a rules file, then the global directives of CHECK all and IGNORE dirmtime, in that order, are automatically prepended to the rules file.

BART Output

The following exit values are returned:

0: Success
1: Nonfatal error when processing files, such as permission problems
>1: Fatal error, such as an invalid command-line option

The reporting mechanism provides two types of output: verbose and programmatic:

Verbose output is the default output and is localized and presented on multiple lines. Verbose output is internationalized and is human-readable. When the bart compare command compares two system manifests, a list of file differences is generated.

The structure of the output is as follows:
```
filename attribute control:control-val test:test-val
```
filename

Name of the file that differs between the control manifest and the test manifest.

attribute

Name of the file attribute that differs between the manifests that are compared. The control-val precedes the test-val. When discrepancies for multiple attributes occur in the same file, each difference is noted on a separate line.

Following is an example of attribute differences for the /etc/passwd file. The output indicates that the size, mtime, and contents attributes have changed.
```
/etc/passwd:
size    control:74    test:81
mtime control:3c165879    test:3c165979
contents    control:daca28ae0de97afd7a6b91fde8d57afa
test:84b2b32c4165887355317207b48a6ec7
```
Programmatic output is generated with the -p option to the bart compare command. This output is suitable for programmatic manipulation.

The structure of the output is as follows:
```
filename attribute control-val test-val [attribute control-val test-val]*
```
filename

Same as the filename attribute in the default format

attribute control-val test-val

A description of the file attributes that differ between the control and test manifests for each file

For a list of attributes that are supported by the bart command, see Rules File Attributes.

For more information, see the bart(1M) man page.

Skip Navigation Links
Exit Print View
	Oracle Solaris 11.1 Administration: Security Services Oracle Solaris 11.1 Information Library