One new feature in Solaris 10 that doesn’t get much press is the basic auditing and reporting tool (bart). Bart allows you to generate integrity checks for one or more files on a server. This allows you to compare two groups of file integrity checks (groups of file integrity checks are referred to as manifests in the bart documentation) to see what changed on a server. Bart is super easy to use, and comes with just two options, “create” and “compare.” The “create” option can be used to create a new manifest, and the “compare” option can be used to compare the contents of two manifests. The following example show how to use the “create” option to generate a file integrity check of every file that resides in a global zone’s* root file system:
bart create -R / > bart.manifest.08-14-2006.1
bart create -R / > bart.manifest.08-14-2006.2
One two manifests are created, the bart “compare” option can be run to compare the manifests:
bart compare bart.manifest.08-14-2006.1
bart.manifest.08-14-2006.2 /var/adm/messages: size control:8866 test:8957 mtime control:44e100a3 test:44e1019e contents control:b349f015631c87065842009d87a1a456 test:be07b4863f18165fcd154b9f0fce2a64 /var/cron/log: size control:76152 test:76396 mtime control:44e10070 test:44e1019d contents control:7cd2f996f0cec248cd5eae4f3e6cce7e test: 29bf6ecbd171ebe1879e641d5b5739f2 /var/log/pool/poold: size control:651159 test:652111 mtime control:44e10160 test:44e10232 contents control:9339cb8fac19bb9231e35866cd1a2942 test:89880fbd73332cfc770454fdd034cba1 /var/svc/log/network-ssh:default.log: size control:226076 test:226181 mtime control:44e10070 test:44e1019d contents control:5a856f39ede7c7528f9405f573eedd5b test:778ebe08677923862b03aec5d41e3c51
As you can see from the output above, several logfiles changed between two consecutive runs. While not a complete file integrity solution, bart is a super useful utility, and should be used after each system installation and patch application.
The bart manual page states that you shouldn’t run bart on the root file system in a non-global zone.