Using BART (Tasks)
You can run the bart command as a regular user, superuser, or a user
who has assumed the Primary Administrator role. If you run the
bart command as a regular user, you will only be able to
catalog and monitor files that you have permission to access, for example, information about
files in your home directory. The advantage of becoming superuser when you
run the bart command is that the manifests you create will contain information
about hidden and private files that you might want to monitor. If you
need to catalog and monitor information about files that have restricted permissions, for
example, the /etc/passwd or /etc/shadow file, run the bart command as superuser or
assume an equivalent role. For more information about using role-based access control, see
Configuring RBAC (Task Map).
BART Security Considerations
Running the bart command as superuser makes the output readable by anyone. This
output might contain file names that are intended to be private. If you
become superuser when you run the bart command, take appropriate measures to protect
the output. For example, use options that generate output files with restrictive permissions.
Note - The procedures and examples in this chapter show the bart command run by
superuser. Unless otherwise specified, running the bart command as superuser is optional.
How to Create a Manifest
You can create a manifest of a system immediately after an initial
Solaris software installation. This type of manifest will provide you with a baseline for
comparing changes to the same system over time. Or, you can use
this manifest to compare with the manifests for different systems. For example, if
you take a snapshot of each system on your network, and then compare
each test manifest with the control manifest, you can quickly determine what you
need to do to synchronize the test system with the baseline configuration.
- Assume the Primary Administrator role, or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role
and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
- After installing the Solaris software, create a control manifest and redirect the output
to a file.
# bart create options > control-manifest
- -R
Specifies the root directory for the manifest. All paths specified by the rules will be interpreted relative to this directory. All paths reported in the manifest will be relative to this directory.
- -I
Accepts a list of individual files to be cataloged, either on the command line or read from standard input.
- -r
Is the name of the rules file for this manifest. Note that -, when used with the -r option, reads the rules file from standard input.
- -n
Turns off content signatures for all regular files in the file list. This option can be used to improve performance. Or, you can use this option if the contents of the file list are expected to change, as in the case of system log files.
- Examine the contents of the manifest.
- Save the manifest for future use.
Choose a meaningful name for the manifest. For example, use the system name
and date that the manifest was created.
Example 6-1 Creating a Manifest That Lists Information About Every File on a System
If you run the bart create command without any options, information about every file
that is installed on the system will be cataloged. Use this type of
manifest as a baseline when you are installing many systems from a central
image. Or, use this type of manifest to run comparisons when you want
to ensure that the installations are identical. For example:
# bart create
! Version 1.0
! Thursday, December 04, 2003 (16:17:39)
# Format:
#fname D size mode acl dirmtime uid gid
#fname P size mode acl mtime uid gid
#fname S size mode acl mtime uid gid
#fname F size mode acl mtime uid gid contents
#fname L size mode acl lnmtime uid gid dest
#fname B size mode acl mtime uid gid devnode
#fname C size mode acl mtime uid gid devnode
/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 3fd9ea47 0 0
/.java D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 3f8dc04d 0 10
/.java/.userPrefs D 512 40700 user::rwx,group::---,mask:---,other:--- 3f8dc06b 0 10
/.java/.userPrefs/.user.lock.root F 0 100600 user::rw-,group::---,mask:---,other:--- 3f8dc06b 0 10 -
/.java/.userPrefs/.userRootModFile.root F 0 100600 user::rw-,group::---,mask:---,other:--- 3f8dc0a1 0 10 -
/.smc.properties F 1389 100644 user::rw-,group::r--,mask:r--,other:r-- 3f8dca0c 0 10
.
.
.
/var/sadm/pkg/SUNWdtmad/install/depend F 932 100644 user::rw-,group::r--,mask:r--,other:r-- 3c23a19e 0 0 -
/var/sadm/pkg/SUNWdtmad/pkginfo F 594 100644 user::rw-,group::r--,mask:r--,other:r-- 3f81e416 0 0 -
/var/sadm/pkg/SUNWdtmad/save D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 3f81e416 0 0
/var/sadm/pkg/SUNWdtmaz D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 3f81e41b 0 0
/var/sadm/pkg/TSIpgxw/save D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 3f81e892 0 0
.
.
.
Each manifest consists of a header and entries. Each manifest entry is
a single line whose fields depend on the file type. For example, for each
manifest entry in the preceding output, type F specifies a file and type D
specifies a directory. Also listed is information about size, content, user ID, group
ID, and permissions. File entries in the output are sorted by the encoded
versions of the file names to correctly handle special characters. All entries are
sorted in ascending order by file name. All nonstandard file names, such as
those that contain embedded newline or tab characters, have the nonstandard characters quoted
before being sorted.
Lines that begin with ! supply metadata about the manifest. The manifest version
line indicates the manifest specification version. The date line shows the date on
which the manifest was created, in date(1) form; see the date(1) man page. Some
lines are ignored by the manifest comparison tool. Ignored lines include blank lines,
lines that consist only of white space, and comments that begin with #.
How to Customize a Manifest
You can customize a manifest in one of the following ways:
- By specifying a subtree. Creating a manifest for an individual subtree on a system is an efficient way to monitor changes to specific files, rather than the entire contents of a large directory. You can create a baseline manifest of a specific subtree on your system, then periodically create test manifests of the same subtree. Use the bart compare command to compare the control manifest with the test manifest. By using this option, you are able to efficiently monitor important file systems to determine whether any files have been compromised by an intruder.
- By specifying a file name. Since creating a manifest that catalogs the entire system is more time-consuming, takes up more space, and is more costly, you might choose to use this option of the bart command when you want to list information only about a specific file or files on a system.
- By using a rules file. You use a rules file to create custom manifests that list information about specific files and specific subtrees on a given system. You can also use a rules file to monitor specific file attributes. Using a rules file to create and compare manifests gives you the flexibility to specify multiple attributes for more than one file or subtree. From the command line, by contrast, you can only specify a global attribute definition that applies to all files for each manifest you create or report you generate.
- Determine which files you want to catalog and monitor.
- Assume the Primary Administrator role, or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role
and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
- After installing the Solaris software, create a custom manifest by using one of
the following options:
By specifying a subtree:
# bart create -R root-directory
By specifying a file name or file names:
# bart create -I filename...
For example:
# bart create -I /etc/system /etc/passwd /etc/shadow
By using a rules file:
# bart create -r rules-file
- Examine the contents of the manifest.
- Save the manifest for future use.
Example 6-2 Creating a Manifest by Specifying a Subtree
This example shows how to create a manifest that contains information about the
files in the /etc/ssh subtree only.
# bart create -R /etc/ssh
! Version 1.0
! Saturday, November 29, 2003 (14:05:36)
# Format:
#fname D size mode acl dirmtime uid gid
#fname P size mode acl mtime uid gid
#fname S size mode acl mtime uid gid
#fname F size mode acl mtime uid gid contents
#fname L size mode acl lnmtime uid gid dest
#fname B size mode acl mtime uid gid devnode
#fname C size mode acl mtime uid gid devnode
/ D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 3f81eab9 0 3
/ssh_config F 861 100644 user::rw-,group::r--,mask:r--,other:r-- 3f81e504 0 3 422453ca0e2348cd9981820935600395
/ssh_host_dsa_key F 668 100600 user::rw-,group::---,mask:---,other:--- 3f81eab9 0 0 5cc28cdc97e833069fd41ef89e4d9834
/ssh_host_dsa_key.pub F 602 100644 user::rw-,group::r--,mask:r--,other:r-- 3f81eab9 0 0 16118c736995a4e4754f5ab4f28cf917
/ssh_host_rsa_key F 883 100600 user::rw-,group::---,mask:---,other:--- 3f81eaa2 0 0 6ff17aa968ecb20321c448c89a8840a9
/ssh_host_rsa_key.pub F 222 100644 user::rw-,group::r--,mask:r--,other:r-- 3f81eaa2 0 0 9ea27617efc76058cb97aa2caa6dd65a
.
.
.
Example 6-3 Customizing a Manifest by Specifying a File Name
This example shows how to create a manifest that lists only information about
the /etc/passwd and /etc/shadow files on a system.
# bart create -I /etc/passwd /etc/shadow
! Version 1.0
! Monday, December 15, 2003 (16:28:55)
# Format:
#fname D size mode acl dirmtime uid gid
#fname P size mode acl mtime uid gid
#fname S size mode acl mtime uid gid
#fname F size mode acl mtime uid gid contents
#fname L size mode acl lnmtime uid gid dest
#fname B size mode acl mtime uid gid devnode
#fname C size mode acl mtime uid gid devnode
/etc/passwd F 542 100444 user::r--,group::r--,mask:r--,other:r-- 3fcfd45b 0 3 d684554f85d1de06219d80543174ad1a
/etc/shadow F 294 100400 user::r--,group::---,mask:---,other:--- 3f8dc5a0 0 3 fdc3931c1ae5ee40341f3567b7cf15e2
By comparison, the following is the standard output of the ls -al command
for the /etc/passwd and the /etc/shadow files on the same system.
# ls -al /etc/passwd
-r--r--r-- 1 root sys 542 Dec 4 17:42 /etc/passwd
# ls -al /etc/shadow
-r-------- 1 root sys 294 Oct 15 16:09 /etc/shadow
Example 6-4 Customizing a Manifest by Using a Rules File
This example shows how to create a manifest by using a rules
file to catalog only those files in the /etc directory. The same rules file
includes directives to be used by the bart compare command for monitoring changes to
the acl attribute of the /etc/system file.
Use a text editor to create a rules file that catalogs only those files in the /etc directory.
# List information about all the files in the /etc directory.
CHECK all
/etc
# Check only acl changes in the /etc/system file
IGNORE all
CHECK acl
/etc/system
For more information about creating a rules file, see BART Rules File.
Create a control manifest by using the rules file you created.
# bart create -r etc.rules-file > etc.system.control-manifest
! Version 1.0
! Thursday, December 11, 2003 (21:51:32)
# Format:
#fname D size mode acl dirmtime uid gid
#fname P size mode acl mtime uid gid
#fname S size mode acl mtime uid gid
#fname F size mode acl mtime uid gid contents
#fname L size mode acl lnmtime uid gid dest
#fname B size mode acl mtime uid gid devnode
#fname C size mode acl mtime uid gid devnode
/etc/system F 1883 100644 user::rw-,group::r--,mask:r--,other:r-- 3f81db61 0 3
Create a test manifest whenever you want to monitor changes to the system. Prepare the test manifest identically to the control manifest by using the same bart options and the same rules file.
Compare manifests by using the same rules file.
How to Compare Manifests for the Same System Over Time
Use this procedure when you want to monitor file-level changes to the same
system over time. This type of manifest can assist you in locating
corrupted or unusual files, detecting security breaches, or in troubleshooting performance issues on a
system.
- Assume the Primary Administrator role, or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role
and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
- After installing the Solaris software, create a control manifest of the files that
you want to monitor on the system.
# bart create -R /etc > control-manifest
- Create a test manifest that is prepared identically to the control manifest whenever
you want to monitor changes to the system.
# bart create -R /etc > test-manifest
- Compare the control manifest with the test manifest.
# bart compare options control-manifest test-manifest > bart-report
- -r
Is the name of the rules file for this comparison. Using the -r option with - means that the directives will be read from standard input.
- -i
Allows the user to set global IGNORE directives from the command line.
- -p
Is the programmatic mode that generates standard non-localized output for programmatic parsing.
- control-manifest
Is the output from the bart create command for the control system.
- test-manifest
Is the output from the bart create command of the test system.
- Examine the BART report for oddities.
Example 6-5 Comparing Manifests for the Same System Over Time
This example shows how to monitor changes that have occurred in the
/etc directory between two points in time. This type of comparison enables you
to quickly determine whether important files on the system have been compromised.
Create a control manifest.
# bart create -R /etc > system1.control.121203
! Version 1.0
! Friday, December 12, 2003 (08:34:51)
# Format:
#fname D size mode acl dirmtime uid gid
#fname P size mode acl mtime uid gid
#fname S size mode acl mtime uid gid
#fname F size mode acl mtime uid gid contents
#fname L size mode acl lnmtime uid gid dest
#fname B size mode acl mtime uid gid devnode
#fname C size mode acl mtime uid gid devnode
/ D 4096 40755 user::rwx,group::r-x,mask:r-x,other:r-x 3fd9dfb4 0 3
/.cpr_config F 2236 100644 user::rw-,group::r--,mask:r--,other:r-- 3fd9991f 0 0 67cfa2c830b4ce3e112f38c5e33c56a2
/.group.lock F 0 100600 user::rw-,group::---,mask:---,other:--- 3f81f14d 0 1 d41d8cd98f00b204e9800998ecf8427e
/.java D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 3f81dcb5 0 2
/.java/.systemPrefs D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 3f81dcb7
.
.
.
Create a test manifest when you want to monitor changes to the /etc directory.
# bart create -R /etc > system1.test.121503
! Version 1.0
! Monday, December 15, 2003 (08:35:28)
# Format:
#fname D size mode acl dirmtime uid gid
#fname P size mode acl mtime uid gid
#fname S size mode acl mtime uid gid
#fname F size mode acl mtime uid gid contents
#fname L size mode acl lnmtime uid gid dest
#fname B size mode acl mtime uid gid devnode
#fname C size mode acl mtime uid gid devnode
/ D 4096 40755 user::rwx,group::r-x,mask:r-x,other:r-x 3fd9dfb4 0 3
/.cpr_config F 2236 100644 user::rw-,group::r--,mask:r--,other:r-- 3fd9991f 0 0 67cfa2c830b4ce3e112f38c5e33c56a2
/.group.lock F 0 100600 user::rw-,group::---,mask:---,other:--- 3f81f14d 0 1 d41d8cd98f00b204e9800998ecf8427e
/.java D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 3f81dcb5 0 2
/.java/.systemPrefs D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 3f81dcb7 0 2
/.java/.systemPrefs/.system.lock F 0 100644 user::rw-,group::r--,mask:r--,other:r-- 3f81dcb5 0 2 d41d8cd98f00b204e9800998ecf8427e
/.java/.systemPrefs/.systemRootModFile F 0 100644 user::rw-,group::r--,mask:r--,other:r-- 3f81dd0b 0 2 d41d8cd98f00b204e9800998ecf8427e
.
.
.
Compare the control manifest with the test manifest.
# bart compare system1.control.121203 system1.test.121503
/vfstab:
mode control:100644 test:100777
acl control:user::rw-,group::r--,mask:r--,other:r-- test:user::rwx,group::rwx,mask:rwx,other:rwx
The preceding output indicates that the permissions on the vfstab file have changed since the
control manifest was created. This report can be used to investigate whether ownership,
date, content, or any other file attributes have changed. Having this type of
information readily available can assist you in tracking down who might have tampered
with the file and when the change might have occurred.
How to Compare Manifests From a Different System With the Manifest of a Control System
You can run system-to-system comparisons, thereby enabling you to quickly determine
whether there are any file-level differences between a baseline system and the other
systems. For example, if you have installed a particular version of the Solaris
software on a baseline system, and you want to know whether other systems
have identical packages installed, you can create manifests for those systems and then
compare the test manifests with the control manifest. This type of comparison will
list any discrepancies in the file contents for each test system that you
compare with the control system.
- Assume the Primary Administrator role, or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role
and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
- After installing the Solaris software, create a control manifest.
# bart create options > control-manifest
- Save the control manifest.
- On the test system, use the same bart options to create a manifest,
and redirect the output to a file.
# bart create options > test1-manifest
Choose a distinct and meaningful name for the test manifest.
- Save the test manifest to a central location on the system until you
are ready to compare manifests.
- When you want to compare manifests, copy the control manifest to the location
of the test manifest. Or, copy the test manifest to the control system.
For example:
# cp control-manifest /net/test-server/bart/manifests
If the test system is not an NFS-mounted system, use FTP or some other
reliable means to copy the control manifest to the test system.
- Compare the control manifest with the test manifest and redirect the output to
a file.
# bart compare control-manifest test1-manifest > test1.report
- Examine the BART report for oddities.
- Repeat Step 4 through Step 9 for each test manifest that you
want to compare with the control manifest.
Use the same bart options for each test system.
Example 6-6 Comparing Manifests From Different Systems With the Manifest of a Control System
This example describes how to monitor changes to the contents of the
/usr/bin directory by comparing a control manifest with a test manifest from a
different system.
Create a control manifest.
# bart create -R /usr/bin > control-manifest.121203
! Version 1.0
! Friday, December 12, 2003 (09:19:00)
# Format:
#fname D size mode acl dirmtime uid gid
#fname P size mode acl mtime uid gid
#fname S size mode acl mtime uid gid
#fname F size mode acl mtime uid gid contents
#fname L size mode acl lnmtime uid gid dest
#fname B size mode acl mtime uid gid devnode
#fname C size mode acl mtime uid gid devnode
/ D 13312 40755 user::rwx,group::r-x,mask:r-x,other:r-x 3fd9e925 0 2
/.s F 14200 104711 user::rwx,group::--x,mask:--x,other:--x 3f8dbfd6 0 1 8ec7e52d8a35ba3b054a6394cbf71cf6
/ControlPanel L 28 120777 - 3f81dc71 0 1 jre/bin/ControlPanel
/HtmlConverter L 25 120777 - 3f81dcdc 0 1 bin/HtmlConverter
/acctcom F 28300 100555 user::r-x,group::r-x,mask:r-x,other:r-x 3f6b5750 0 2 d6e99b19c847ab4ec084d9088c7c7608
/activation-client F 9172 100755 user::rwx,group::r-x,mask:r-x,other:r-x 3f5cb907 0 1 b3836ad1a656324a6e1bd01edcba28f0
/adb F 9712 100555 user::r-x,group::r-x,mask:r-x,other:r-x 3f6b5736 0 2 5e026413175f65fb239ee628a8870eda
/addbib F 11080 100555 user::r-x,group::r-x,mask:r-x,other:r-x 3f6b5803 0 2 a350836c36049febf185f78350f27510
.
.
.
Create a test manifest for each system that you want to compare with the control system.
# bart create -R /usr/bin > system2-manifest.121503
! Version 1.0
! Friday, December 15, 2003 (13:30:58)
# Format:
#fname D size mode acl dirmtime uid gid
#fname P size mode acl mtime uid gid
#fname S size mode acl mtime uid gid
#fname F size mode acl mtime uid gid contents
#fname L size mode acl lnmtime uid gid dest
#fname B size mode acl mtime uid gid devnode
#fname C size mode acl mtime uid gid devnode
/ D 13312 40755 user::rwx,group::r-x,mask:r-x,other:r-x 3fd9ea9c 0 2
/.s F 14200 104711 user::rwx,group::--x,mask:--x,other:--x 3f8dbfd6 0 1 8ec7e52d8a35ba3b054a6394cbf71cf6
/ControlPanel L 28 120777 - 3f81dc71 0 1 jre/bin/ControlPanel
/HtmlConverter L 25 120777 - 3f81dcdc 0 1 bin/HtmlConverter
/acctcom F 28300 100555 user::r-x,group::r-x,mask:r-x,other:r-x 3f6b5750 0 2 d6e99b19c847ab4ec084d9088c7c7608
.
.
.
When you want to compare manifests, copy the manifests to the same location.
# cp control-manifest /net/system2.central/bart/manifests
Compare the control manifest with the test manifest.
# bart compare control-manifest system2.test > system2.report
/su:
gid control:3 test:1
/ypcat:
mtime control:3fd72511 test:3fd9eb23
The previous output indicates that the group ID of the su file in
the /usr/bin directory is not the same as that of the control system.
This information can be helpful in determining whether a different version of the
software was installed on the test system or if possibly someone has tampered
with the file.
How to Customize a BART Report by Specifying File Attributes
This procedure is optional and explains how to customize a BART report by
specifying file attributes from the command line. If you create a baseline manifest
that lists information about all the files, or about specific files, on your system, you
can run the bart compare command, specifying different attributes, whenever you need to monitor
changes to a particular directory, subdirectory, file, or files. You can run different
types of comparisons for the same manifests by specifying different file attributes from
the command line.
- Determine which file attributes you want to monitor.
- Assume the Primary Administrator role, or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role
and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
- After installing the Solaris software, create a control manifest.
- Create a test manifest when you want to monitor changes.
Prepare the test manifest identically to the control manifest.
- Compare the manifests.
For example:
# bart compare -i dirmtime,lnmtime,mtime control-manifest.121503 \
test-manifest.010504 > bart.report.010504
Note that a comma separates each attribute you specify in the command-line syntax.
- Examine the BART report for oddities.
How to Customize a BART Report by Using a Rules File
This procedure is also optional and explains how to customize a BART report
by using a rules file as input to the bart compare command. By using
a rules file, you can customize a BART report, which allows you
the flexibility of specifying multiple attributes for more than one file or subtree. You
can run different comparisons for the same manifests by using different rules files.
- Assume the Primary Administrator role, or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role
and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
- Determine which files and file attributes you want to monitor.
- Use a text editor to create a rules file with the appropriate directives.
- After installing the Solaris software, create a control manifest by using the rules
file you created.
# bart create -r rules-file > control-manifest
- Create a test manifest that is prepared identically to the control manifest.
# bart create -r rules-file > test-manifest
- Compare the control manifest with the test manifest by using the same rules
file.
# bart compare -r rules-file control-manifest test-manifest > bart.report
- Examine the BART report for oddities.
Example 6-7 Customizing a BART Report by Using a Rules File
The following rules file includes directives for both the bart create and the
bart compare commands. The rules file directs the bart create command to list information about the
contents of the /usr/bin directory. In addition, the rules file directs the bart compare
command to track only size and content changes in the same directory.
# Check size and content changes in the /usr/bin directory.
# This rules file only checks size and content changes.
# See rules file example.
IGNORE all
CHECK size contents
/usr/bin
Create a control manifest by using the rules file you created.
# bart create -r bartrules.txt > usr_bin.control-manifest.121003
Create a test manifest whenever you want to monitor changes to the /usr/bin directory.
# bart create -r bartrules.txt > usr_bin.test-manifest.121103
Compare the manifests by using the same rules file.
# bart compare -r bartrules.txt usr_bin.control-manifest \
usr_bin.test-manifest
Examine the output of the bart compare command.
/usr/bin/gunzip: add
/usr/bin/ypcat:
delete
In the preceding output, the bart compare command reported a discrepancy in the /usr/bin
directory. This output indicates that /usr/bin/ypcat file was deleted, and the /usr/bin/gunzip file was
added.
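The manifest layout explained after Example 6-1, the bart compare procedure of Example 6-5, the -i attribute list, and the rules-file comparison of Example 6-7 can all be modelled in a short script. The following Python is an added example written for this page; it is not Solaris or BART code. It parses manifests using the column layouts from the manifest header, applies a simplified reading of the CHECK/IGNORE/path rules syntax (an assumption: directives attach to the path line that follows them, and the longest matching path wins; bart_rules(4) is the authoritative description), and produces a report in the style shown above. The sample manifests, hashes, and rules file are constructed for the example.

```python
# Added example, not Solaris or BART code: a small Python model of the BART
# manifest format and of "bart compare" as this page describes them. Column
# layouts come from the "# Format:" header; everything else is an assumption.

FORMATS = {  # attribute columns per file type, from the manifest header lines
    "D": ["size", "mode", "acl", "dirmtime", "uid", "gid"],
    "P": ["size", "mode", "acl", "mtime", "uid", "gid"],
    "S": ["size", "mode", "acl", "mtime", "uid", "gid"],
    "F": ["size", "mode", "acl", "mtime", "uid", "gid", "contents"],
    "L": ["size", "mode", "acl", "lnmtime", "uid", "gid", "dest"],
    "B": ["size", "mode", "acl", "mtime", "uid", "gid", "devnode"],
    "C": ["size", "mode", "acl", "mtime", "uid", "gid", "devnode"],
}
ALL_ATTRS = frozenset(a for cols in FORMATS.values() for a in cols)


def parse_manifest(text):
    """Return {fname: {"type": t, attr: value, ...}} for one manifest."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!#":  # metadata, comments, blank: ignored
            continue
        # Whitespace split is safe only because bart quotes newline/tab in
        # file names before writing them (assumed: no raw whitespace survives).
        fields = line.split()
        cols = FORMATS.get(fields[1]) if len(fields) > 1 else None
        if cols is None or len(fields) != len(cols) + 2:
            raise ValueError("malformed manifest line: %r" % raw)
        entries[fields[0]] = dict(zip(cols, fields[2:]), type=fields[1])
    return entries


def parse_rules(text):
    """CHECK/IGNORE/path subset of the rules-file syntax used on this page.
    Scoping model (an assumption for this example; bart_rules(4) defines the
    real one): CHECK/IGNORE lines accumulate and attach to the next path line."""
    rules, checked = [], set()
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] in ("CHECK", "IGNORE"):
            attrs = set(ALL_ATTRS) if words[1:] == ["all"] else set(words[1:])
            if not attrs <= ALL_ATTRS:
                raise ValueError("unknown attribute(s): %s" % sorted(attrs - ALL_ATTRS))
            checked = (checked | attrs) if words[0] == "CHECK" else (checked - attrs)
        else:
            rules.append((words[0].rstrip("/") or "/", frozenset(checked)))
    return rules


def attrs_to_check(fname, rules, ignore=()):
    """Longest matching rule path decides; no rule means every attribute.
    `ignore` plays the part of -i (global IGNORE from the command line)."""
    best, best_len = ALL_ATTRS, -1
    for path, attrs in rules:
        if path == "/" or fname == path or fname.startswith(path + "/"):
            if len(path) > best_len:
                best, best_len = attrs, len(path)
    return set(best) - set(ignore)


def compare(control, test, rules=(), ignore=()):
    """Report lines in the style of the bart compare output on this page."""
    lines = []
    for fname in sorted(set(control) | set(test)):
        if fname not in test:
            lines.append("%s: delete" % fname)
        elif fname not in control:
            lines.append("%s: add" % fname)
        else:
            c, t = control[fname], test[fname]
            wanted = attrs_to_check(fname, rules, ignore) | {"type"}  # type always compared
            diffs = ["  %s control:%s test:%s" % (a, c[a], t.get(a))
                     for a in ["type"] + FORMATS[c["type"]]
                     if a in wanted and c[a] != t.get(a)]
            if diffs:
                lines += [fname + ":"] + diffs
    return lines


# Constructed sample manifests (not bart output), modelled on Example 6-5:
# /vfstab changed mode and acl, /motd only mtime, /ypcat vanished, /gunzip is new.
RO = "user::rw-,group::r--,mask:r--,other:r--"
RX = "user::r-x,group::r-x,mask:r-x,other:r-x"
CONTROL = """! Version 1.0
/motd F 54 100644 %s 3f81e416 0 3 92eb5ffee6ae2fec3ad71c777531578f
/vfstab F 408 100644 %s 3f81db61 0 3 0cc175b9c0f1b6a831c399e269772661
/ypcat F 11080 100555 %s 3f6b5803 0 2 b9c2f1b0e2a54c6d8f7e3a1c5d9b0e4f
""" % (RO, RO, RX)
TEST = """! Version 1.0
/gunzip F 25372 100555 %s 3fd9eb23 0 2 1a79a4d60de6718e8e5b326e338ae533
/motd F 54 100644 %s 3fd9eb23 0 3 92eb5ffee6ae2fec3ad71c777531578f
/vfstab F 408 100777 user::rwx,group::rwx,mask:rwx,other:rwx 3f81db61 0 3 0cc175b9c0f1b6a831c399e269772661
""" % (RX, RO)
RULES = "CHECK all\n/\nIGNORE all\nCHECK acl\n/vfstab\n"  # constructed rules file

if __name__ == "__main__":  # rules-file comparison, like bart compare -r
    print("\n".join(compare(parse_manifest(CONTROL), parse_manifest(TEST), parse_rules(RULES))))
```

Run without a rules file, the script reports every differing attribute of /vfstab and /motd plus the added and deleted files; with the constructed rules file it still reports the add and the delete, but for /vfstab only the acl change, because the more specific /vfstab rule overrides the CHECK all attached to /. Passing ignore=("mtime",) to compare() reproduces the effect of the -i option and drops the /motd finding entirely.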