One new feature in Solaris 10 that doesn’t get much press is the basic auditing and reporting tool (bart). Bart allows you to generate integrity checks for one or more files on a server. This lets you compare two groups of file integrity checks (groups of file integrity checks are referred to as manifests in the bart documentation) to see what changed on a server. Bart is super easy to use, and comes with just two options, “create” and “compare.” The “create” option is used to create a new manifest, and the “compare” option is used to compare the contents of two manifests. The following example shows how to use the “create” option to generate a file integrity check of every file that resides in a global zone’s* root file system:
$ bart create -R / > bart.manifest.08-14-2006.1
$ bart create -R / > bart.manifest.08-14-2006.2
Once two manifests have been created, the bart “compare” option can be run to compare them:
$ bart compare bart.manifest.08-14-2006.1 bart.manifest.08-14-2006.2
/var/adm/messages:
  size  control:8866  test:8957
  mtime  control:44e100a3  test:44e1019e
  contents  control:b349f015631c87065842009d87a1a456  test:be07b4863f18165fcd154b9f0fce2a64
/var/cron/log:
  size  control:76152  test:76396
  mtime  control:44e10070  test:44e1019d
  contents  control:7cd2f996f0cec248cd5eae4f3e6cce7e  test:29bf6ecbd171ebe1879e641d5b5739f2
/var/log/pool/poold:
  size  control:651159  test:652111
  mtime  control:44e10160  test:44e10232
  contents  control:9339cb8fac19bb9231e35866cd1a2942  test:89880fbd73332cfc770454fdd034cba1
/var/svc/log/network-ssh:default.log:
  size  control:226076  test:226181
  mtime  control:44e10070  test:44e1019d
  contents  control:5a856f39ede7c7528f9405f573eedd5b  test:778ebe08677923862b03aec5d41e3c51
As you can see from the output above, several log files changed between two consecutive runs. While not a complete file integrity solution, bart is a super useful utility, and a manifest should be created after each system installation and patch application so that later runs have a known-good baseline to compare against.
* The bart manual page states that you shouldn’t run bart on the root file system in a non-global zone.
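The create/compare workflow above, wrapped into a small script as an added example (this is not code from the original post or from Solaris itself). It stores a baseline manifest, re-creates a manifest later and compares the two, and reduces the compare report to a plain list of changed paths so the result can be fed to a ticket or a monitoring check. The storage location /var/bart, the manifest file names and the "baseline"/"check" verbs are assumptions of this script, not bart conventions; the report parser is exercised against a constructed sample built from the compare output shown above, so it runs even on a host without bart.

```shell
#!/bin/sh
# Added example: baseline/compare wrapper around bart(1M).
# /var/bart and the file naming below are assumptions, not bart defaults.

BASELINE_DIR=${BASELINE_DIR:-/var/bart}   # assumed location for stored manifests

# Create a manifest of the whole root file system. Per bart(1M) this is
# meant for the global zone only (see the footnote above).
bart_baseline() {
    mkdir -p "$BASELINE_DIR"
    out="$BASELINE_DIR/baseline.$(date +%Y%m%d).manifest"
    bart create -R / > "$out"
    echo "$out"
}

# Reduce a bart compare report (on stdin) to the paths that differ.
# In the report each differing entry is printed as its absolute path
# followed by a colon, with the changed attributes indented below it,
# so keeping only lines that start with "/" and end with ":" gives the
# list of changed paths.
changed_paths() {
    awk '/^\/.*:$/ { sub(/:$/, ""); print }'
}

# Re-create a manifest now and list every path that differs from the
# stored baseline given as $1. The temporary test manifest is removed.
bart_check() {
    baseline=$1
    tmp=$(mktemp)
    bart create -R / > "$tmp"
    bart compare "$baseline" "$tmp" | changed_paths
    rm -f "$tmp"
}

# Constructed sample of bart compare output, copied from the post above,
# used to exercise changed_paths without needing bart on the host.
SAMPLE_REPORT=$(cat <<'EOF'
/var/adm/messages:
  size  control:8866  test:8957
  mtime  control:44e100a3  test:44e1019e
  contents  control:b349f015631c87065842009d87a1a456  test:be07b4863f18165fcd154b9f0fce2a64
/var/cron/log:
  size  control:76152  test:76396
  mtime  control:44e10070  test:44e1019d
  contents  control:7cd2f996f0cec248cd5eae4f3e6cce7e  test:29bf6ecbd171ebe1879e641d5b5739f2
EOF
)

# Only run the real workflow when bart is present and a verb was given:
#   sh bart-check.sh baseline          -> prints the new baseline path
#   sh bart-check.sh check <manifest>  -> prints changed paths
if command -v bart >/dev/null 2>&1 && [ $# -gt 0 ]; then
    case $1 in
        baseline) bart_baseline ;;
        check)    bart_check "$2" ;;
        *)        echo "usage: $0 baseline | check <baseline-manifest>" >&2; exit 2 ;;
    esac
else
    # Offline demonstration of the parser on the constructed sample.
    printf '%s\n' "$SAMPLE_REPORT" | changed_paths
fi
```

Because bart compare trusts whatever manifest you hand it as the control, the baseline is only as good as its storage: keep the baseline manifest off the host or on read-only media, since a manifest that lives on the same disk can be regenerated along with the files it is supposed to vouch for. Volatile attributes of log directories such as the ones in the sample can be excluded through a bart rules file (see bart_rules(4)) rather than by editing the report after the fact.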