So what happens if by hook or by crook someone breaks into your Solaris system and installs a trojan horse? Modifies the password file? Deletes a few old logfiles?

Or what if you run a heavily change-controlled system environment, and you need to know whether anything has been changed outside of the scope of your operational processes?

There's a solution built-in to Solaris 10: bart - Basic Audit & Reporting Tool, a truly boringly-named tool which does something both useful and interesting:

BART provides a quick and easy way to collect information on filesystem objects and their attributes so that, at a later time, you can determine whether there have been any changes. BART can help you detect accidental or malicious changes to files within an operating system due to either a security incident or change management incident.

BART is able to collect such information as an object's UID, GID, permissions, access control lists, modification time, size, and type. In addition, for files, BART generates an MD5 fingerprint from the contents of the file. For a full list of the attributes that can be collected, see the bart_rules(4) manual page.

There's a lovely white paper "blue print" explaining all this, available for download (nb: PDF document ; apparently HTML was neither pretty enough nor impressive enough) along with the rest of the Sun Security BluePrints some of which we'll be spolighting individually over the next few weeks.

- Alec

tags: bart security signatures slotd sun

Permalink | Comments [0]