
Thursday June 24, 2004
bart - basic audit reporting tool
bart is a new tool that has arrived in Solaris 10; if you haven't downloaded Solaris Express yet, you can get it here.
I have a short example here, but the bart answerbook gives a nice introduction to the tool.
So what's bart? Very simply, it performs file-level checks of the software contents of a system and allows you to check against a previous snapshot.
# bart
Usage:
bart create [-n] [-R root] [-r rules|-]
bart create [-n] [-R root] [-I | -I filelist]
bart compare [-r rules|-] [-i keywords] [-p] control-manifest test-manifest
Let's say I want to make sure nothing is mucking around with some .gz archives that I've stored in a directory called scratch, but I'm only interested in permissions, not the contents of the archives (I know, not a really clever idea, but it serves as an example). I create a bart rules file called my_bart_rules which contains the following:
/home/fintanr/scratch *.gz
CHECK all
IGNORE contents
I then call bart using the -r option:
bart create -r my_bart_rules > ~/mylocal/bman/scratch_gz.manifest.`date '+%m_%d_%y_%H'`
Thankfully we don't need to go parsing this file; we can just use bart to check for any changes instead. So let's say the permissions on one file have been changed: we generate a new manifest and then compare it against the original.
chmod a-w ~/scratch/wget*gz
bart create -r my_bart_rules > /tmp/demo.manifest
bart compare -r my_bart_rules ~/mylocal/bman/scratch_gz.manifest.06_24_04_14 /tmp/demo.manifest
and up pops:
/home/fintanr/scratch/wget-1.7-sol8-sparc-local.gz:
mode control:100644 test:100444
acl control:user::rw-,group::r--,mask:r--,other:r-- test:user::r--,group::r--,mask:r--,other:r--
Nice and simple. What's really nice is that bart will automatically ignore all the annoying files that can't be checksummed (i.e. FIFOs) as well.
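The compare output is easy to read by eye, but if bart runs from cron you will want to pick out the files whose permissions got looser rather than tighter. The following parser is an added example, not code from the original post or from bart itself; it assumes bart compare prints a file path ending in ':' followed by indented "keyword control:value test:value" lines, as in the output shown above.

```python
from typing import Dict, Optional, Tuple

# Constructed sample input: the bart compare output from the post above.
SAMPLE_REPORT = """\
/home/fintanr/scratch/wget-1.7-sol8-sparc-local.gz:
  mode control:100644 test:100444
  acl control:user::rw-,group::r--,mask:r--,other:r-- test:user::r--,group::r--,mask:r--,other:r--
"""

# path -> {keyword -> (control value, test value)}
Report = Dict[str, Dict[str, Tuple[Optional[str], Optional[str]]]]


def parse_bart_compare(text: str) -> Report:
    """Parse bart compare output into a dict keyed by file path.

    Assumed format: an unindented line '/path:' names a file, and each
    following indented line is 'keyword control:<v> test:<v>'. A keyword
    line without a control:/test: pair is kept as (None, None).
    """
    report: Report = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/") and line.endswith(":"):
            current = line[:-1]
            report[current] = {}
            continue
        if current is None:
            raise ValueError(f"attribute line before any file path: {raw!r}")
        fields = line.split()
        control = test = None
        for field in fields[1:]:
            if field.startswith("control:"):
                control = field[len("control:"):]
            elif field.startswith("test:"):
                test = field[len("test:"):]
        report[current][fields[0]] = (control, test)
    return report


def permission_changes(report: Report) -> Dict[str, Tuple[str, str]]:
    """Per file with a changed mode, return (gained, lost) permission bits as
    octal strings; gained bits (especially write bits) are the alert-worthy ones."""
    out: Dict[str, Tuple[str, str]] = {}
    for path, attrs in report.items():
        control, test = attrs.get("mode", (None, None))
        if control is None or test is None:
            continue
        before, after = int(control, 8) & 0o7777, int(test, 8) & 0o7777
        out[path] = (f"{after & ~before:o}", f"{before & ~after:o}")
    return out
```

For the sample above the archive gained no bits and lost 0o200 (owner write), so it is a tightening, not something to alert on.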
(2004-06-24 06:30:52.0)