System Administration Guide: Security Services
Previous Next

BART Manifest, Rules File, and Reporting (Reference)

This section includes the following reference information:

BART Manifest File Format

Each manifest file entry is a single line, depending on the file type. Each entry begins with fname, which is the name of the file. To prevent parsing problems that are caused by special characters embedded in file names, the file names are encoded. For more information, see BART Rules File Format.

Subsequent fields represent the following file attributes:

type

Type of file with the following possible values:

  • B for a block device node

  • C for a character device node

  • D for a directory

  • F for a file

  • L for a symbolic link

  • P for a pipe

  • S for a socket

size

File size in bytes.

mode

Octal number that represents the permissions of the file.

acl

ACL attributes for the file. For a file with ACL attributes, this contains the output from acltotext().

uid

Numerical user ID of the owner of this entry.

gid

Numerical group ID of the owner of this entry.

dirmtime

Last modification time, in seconds, since 00:00:00 UTC, January 1, 1970, for directories.

lnmtime

Last modification time, in seconds, since 00:00:00 UTC, January 1, 1970, for links.

mtime

Last modification time, in seconds, since 00:00:00 UTC January 1, 1970, for files.

contents

Checksum value of the file. This attribute is only specified for regular files. If you turn off context checking, or if checksums cannot be computed, the value of this field is .

dest

Destination of a symbolic link.

devnode

Value of the device node. This attribute is for character device files and block device files only.

For more information about BART manifests, see the bart_manifest(4) man page.

BART Rules File Format

The input files to the bart command are text files. These files consist of lines that specify which files are to be included in the manifest and which file attributes are to be included the report. The same input file can be used across both pieces of BART functionality. Lines that begin with #, blank lines, and lines that contain white space are ignored by the tool.

The input files have three types of directives:

  • Subtree directive, with optional pattern matching modifiers

  • CHECK directive

  • IGNORE directive

Example 6-8 Rules File Format
<Global CHECK/IGNORE Directives>
<subtree1> [pattern1..]
<IGNORE/CHECK Directives for subtree1>

<subtree2> [pattern2..]
<subtree3> [pattern3..]
<subtree4> [pattern4..]
<IGNORE/CHECK Directives for subtree2, subtree3, subtree4>

Note - All directives are read in order, with later directives possibly overriding earlier directives.


There is one subtree directive per line. The directive must begin with an absolute pathname, followed by zero or more pattern matching statements.

Rules File Attributes

The bart command uses CHECK and IGNORE statements to define which attributes to track or ignore. Each attribute has an associated keyword.

The attribute keywords are as follows:

  • acl

  • all

  • contents

  • dest

  • devnode

  • dirmtime

  • gid

  • lnmtime

  • mode

  • mtime

  • size

  • type

  • uid

The all keyword refers to all file attributes.

Quoting Syntax

The rules file specification language that BART uses is the standard UNIX quoting syntax for representing nonstandard file names. Embedded tab, space, newline, or special characters are encoded in their octal forms to enable the tool to read file names. This nonuniform quoting syntax prevents certain file names, such as those containing an embedded carriage return, from being processed correctly in a command pipeline. The rules specification language allows the expression of complex file name filtering criteria that would be difficult and inefficient to describe by using shell syntax alone.

For more information about the BART rules file or the quoting syntax used by BART, see the bart_rules(4) man page.

BART Reporting

In default mode, the bart compare command, as shown in the following example, will check all the files installed on the system, with the exception of modified directory timestamps (dirmtime):

CHECK all
IGNORE    dirmtime

If you supply a rules file, then the global directives of CHECK all and IGNORE dirmtime, in that order, are automatically prepended to the rules file.

BART Output

The following exit values are returned:

0

Success

1

Nonfatal error when processing files, such as permission problems

>1

Fatal error, such as an invalid command-line option

The reporting mechanism provides two types of output: verbose and programmatic:

  • Verbose output is the default output and is localized and presented on multiple lines. Verbose output is internationalized and is human-readable. When the bart compare command compares two system manifests, a list of file differences is generated.

    For example:

    filename attribute control:xxxx test:yyyy
    filename

    Name of the file that differs between the control manifest and the test manifest.

    attribute

    Name of the file attribute that differs between the manifests that are compared. xxxx is the attribute value from the control manifest, and yyyy is the attribute value from the test manifest. When discrepancies for multiple attributes occur in the same file, each difference is noted on a separate line.

    Following is an example of the default output for the bart compare command. The attribute differences are for the /etc/passwd file. The output indicates that the size, mtime, and contents attributes have changed.

    /etc/passwd:
    size    control:74    test:81
    mtime control:3c165879    test:3c165979
    contents    control:daca28ae0de97afd7a6b91fde8d57afa
    test:84b2b32c4165887355317207b48a6ec7
  • Programmatic output is generated if you use the -p option when you run the bart compare command. This output is generated in a form that is suitable for programmatic manipulation. Programmatic output can be easily parsed by other programs and is designed to be used as input for other tools.

    For example:

    filename attribute control-val test-val [attribute control-val test-val]*
    filename

    Same as the filename attribute in the default format

    attribute control-val test-val

    A description of the file attributes that differ between the control and test manifests for each file

For a list of attributes that are supported by the bart command, see Rules File Attributes.

For more information about BART, see the bart(1M) man page.

Previous Next