Checking the integrity of Solaris binaries

One new feature in Solaris 10 that doesn’t get much press is the basic auditing and reporting tool (bart). Bart allows you to generate integrity checks for one or more files on a server. This allows you to compare two groups of file integrity checks (groups of file integrity checks are referred to as manifests in the bart documentation) to see what changed on a server. Bart is super easy to use, and comes with just two options, “create” and “compare.” The “create” option can be used to create a new manifest, and the “compare” option can be used to compare the contents of two manifests. The following example shows how to use the “create” option to generate a file integrity check of every file that resides in a global zone’s* root file system:

$ bart create -R / > bart.manifest.08-14-2006.1

$ bart create -R / > bart.manifest.08-14-2006.2

Once two manifests are created, the bart “compare” option can be run to compare the manifests:

$ bart compare bart.manifest.08-14-2006.1 bart.manifest.08-14-2006.2


size control:8866 test:8957
mtime control:44e100a3 test:44e1019e
contents control:b349f015631c87065842009d87a1a456

size control:76152 test:76396
mtime control:44e10070 test:44e1019d
contents control:7cd2f996f0cec248cd5eae4f3e6cce7e test:29bf6ecbd171ebe1879e641d5b5739f2

size control:651159 test:652111
mtime control:44e10160 test:44e10232
contents control:9339cb8fac19bb9231e35866cd1a2942 test:89880fbd73332cfc770454fdd034cba1

size control:226076 test:226181
mtime control:44e10070 test:44e1019d
contents control:5a856f39ede7c7528f9405f573eedd5b

As you can see from the output above, several logfiles changed between two consecutive runs. While not a complete file integrity solution, bart is a super useful utility, and should be used after each system installation and patch application.
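Because log churn like this shows up in every comparison, it helps to post-process the compare output so that expected changes are set aside and everything else is queued for review. The script below is an added example, not part of the original post: it assumes each file's path appears on a header line ahead of its attribute lines (the path lines are not shown in the output above), and the sample paths, hashes and `EXPECTED_CHURN` prefixes are constructed for illustration.

```python
import re
# Constructed sample (assumed layout: path header, then differing attributes).
SAMPLE = """\
/var/adm/messages:
  size control:8866 test:8957
  mtime control:44e100a3 test:44e1019e
  contents control:1111aaaa test:2222bbbb
/usr/bin/login:
  mtime control:44e10070 test:44e1019d
  contents control:3333cccc test:4444dddd
/etc/motd:
  mtime control:44e10160 test:44e10232
/usr/local/bin/helper:
  add
"""
ATTR = re.compile(r"^\s*(\w+)\s+control:(\S*)\s+test:(\S*)\s*$")
# Hypothetical site policy: paths where changes between runs are expected.
EXPECTED_CHURN = ("/var/adm/", "/var/log/", "/var/tmp/")

def parse_compare(text):
    """Return {path: {attribute: (control, test)}}; add/delete map to None."""
    changes, path = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("/"):             # header line: a new file entry
            path = stripped.rstrip(":")
            changes[path] = {}
        elif path and stripped in ("add", "delete"):
            changes[path][stripped] = None       # file exists in one manifest only
        elif path and (m := ATTR.match(line)):
            changes[path][m.group(1)] = (m.group(2), m.group(3))
    return changes

def triage(changes, expected=EXPECTED_CHURN):
    """Split entries into (review, noise) lists of (path, reason) tuples."""
    review, noise = [], []
    for path, attrs in sorted(changes.items()):
        if "add" in attrs or "delete" in attrs:
            reason = "added" if "add" in attrs else "deleted"
        elif "contents" in attrs:
            reason = "contents changed"
        else:
            reason = "metadata only: " + ",".join(sorted(attrs))
        (noise if path.startswith(expected) else review).append((path, reason))
    return review, noise

if __name__ == "__main__":
    for path, reason in triage(parse_compare(SAMPLE))[0]:
        print("REVIEW", path, reason)
```
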

* The bart manual page states that you shouldn’t run bart on the root file system in a non-global zone.

This article was posted by Matty on 2006-08-15 17:48:00 -0400 EDT