How to Compare Manifests for the Same System Over Time

By comparing manifests over time, you can locate corrupted or unusual files, detect security breaches, and troubleshoot performance issues on a system.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .

1. Create a control manifest of the files to monitor on the system.

   # bart create -R /etc > control-manifest

2. (Optional)Save the manifest in a protected directory for future use.

   For an example, see Step 3 in How to Create a Control Manifest.

3. At a later time, prepare an identical manifest to the control manifest.

   # bart create -R /etc > test-manifest

4. ()Protect the second manifest.

   # mv test-manifest /var/adm/log/bartlogs

5. Compare the two manifests.

   Use the same command-line options and rules file to compare the manifests that you used to create them.

   # bart compare options control-manifest  test-manifest > bart-report

6. Examine the BART report for oddities.

This example shows how to track the changes in the /etc directory over time. This type of comparison enables you to locate important files on the system that have been compromised.

• Create a control manifest.

  # cd /var/adm/logs/manifests
  # bart create -R /etc > system1.control.090713
  ! Version 1.1
  ! HASH SHA256
  ! Saturday, September 07, 2013 (11:11:17)
  # Format:
  #fname D size mode acl dirmtime uid gid
  #fname P size mode acl mtime uid gid
  #fname S size mode acl mtime uid gid
  #fname F size mode acl mtime uid gid contents
  #fname L size mode acl lnmtime uid gid dest
  #fname B size mode acl mtime uid gid devnode
  #fname C size mode acl mtime uid gid devnode
  /.cpr_config F 2236 100644 owner@:read_data/write_data/append_data/read_xattr/wr
  ite_xattr/read_attributes/write_attributes/read_acl/write_acl/write_owner/synchr
  onize:allow,group@:read_data/read_xattr/read_attributes/read_acl/synchronize:all
  ow,everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
  4e271c59 0 0 3ebc418eb5be3729ffe7e54053be2d33ee884205502c81ae9689cd8cca5b0090
  /.login F 1429 100644 owner@:read_data/write_data/append_data/read_xattr/write_x
  attr/read_attributes/write_attributes/read_acl/write_acl/write_owner/synchronize
  :allow,group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow,ev
  eryone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
  4bf9d6d7 0 3 ff6251a473a53de68ce8b4036d0f569838cff107caf1dd9fd04701c48f09242e
  .
  .
  .

• Later, create a test manifest by using the same command-line options.

  # bart create -R /etc > system1.test.101013
  Version 1.1
  ! HASH SHA256
  ! Monday, October 10, 2013 (10:10:17)
  # Format:
  #fname D size mode acl dirmtime uid gid
  #fname P size mode acl mtime uid gid
  #fname S size mode acl mtime uid gid
  #fname F size mode acl mtime uid gid contents
  #fname L size mode acl lnmtime uid gid dest
  #fname B size mode acl mtime uid gid devnode
  #fname C size mode acl mtime uid gid devnode
  /.cpr_config F 2236 100644 owner@:read_data/write_data/append_data/read_xattr/wr
  ite_xattr/read_attributes/write_attributes/read_acl/write_acl/write_owner/synchr
  onize:allow,group@:read_data/read_xattr/read_attributes/read_acl/synchronize:all
  ow,everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
  4e271c59 0 0 3ebc418eb5be3729ffe7e54053be2d33ee884205502c81ae9689cd8cca5b0090
  .
  .
  .

• Compare the manifests.

  # bart compare system1.control.090713 system1.test.101013
  /security/audit_class
  mtime  4f272f59

The output indicates that the modification time on the audit_class file has changed since the control manifest was created. If this change is unexpected, you can investigate further.