1. Securing Files and Verifying File Integrity in Oracle Solaris 11.4
  2. Verifying File Integrity by Using BART
  3. Using BART
  4. How to Customize a BART Report by Using a Rules File

How to Customize a BART Report by Using a Rules File

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

By using a rules file, you can customize a BART manifest for particular files and file attributes of interest. By using different rules files on default BART manifests, you can run different comparisons for the same manifests.

  1. Determine which files and file attributes to monitor.
  2. Create a rules file with the appropriate directives.
  3. Create a control manifest with the rules file that you created.
    # bart create -r myrules1-file > control-manifest
  4. Save the manifest in a protected directory for future use.

    For an example, see Step 3 in How to Create a Control Manifest.

  5. Create an identical manifest on a different system, at a later time, or both.
    # bart create -r myrules1-file > test-manifest
  6. Compare the manifests by using the same rules file.
    # bart compare -r myrules1-file control-manifest test-manifest > bart.report
  7. Examine the BART report for oddities.

Example 4-4 Using a Rules File to Customize BART Manifests and the Comparison Report

The following rules file directs the bart create command to list all attributes of the files in the /usr/bin directory. In addition, the rules file directs the bart compare command to report only size and content changes in the same directory. 

# Check size and content changes in the /usr/bin directory.
# This rules file only checks size and content changes.
# See rules file example.

IGNORE all
CHECK size contents
/usr/bin

  • Create a control manifest with the rules file that you created.

    # bart create -r usrbinrules.txt > usr_bin.control-manifest.121013

  • Prepare an identical manifest whenever you want to monitor changes to the /usr/bin directory. 

    # bart create -r usrbinrules.txt > usr_bin.test-manifest.121113

  • Compare the manifests by using the same rules file.

    # bart compare -r usrbinrules.txt usr_bin.control-manifest.121013 \
usr_bin.test-manifest.121113

  • Examine the output of the bart compare command. 

    /usr/bin/gunzip:  add
/usr/bin/ypcat:
delete

The preceding output indicates that the /usr/bin/ypcat file was deleted, and the /usr/bin/gunzip file was added.