Learning Solaris 10

Lab : the B.A.R.T.  

Posted on March 8th, 2005.

SA225 : Extra : Working with the basic audit & reporting tool.
=================================================

Note : please send comments to nieuwenj@nieuwenj.com
Last Edited : 15/02/2005

BART is a file tracking tool that operates entirely at the file system level. Using BART gives you the ability to quickly, easily, and reliably gather information about the components of the software stack that is installed on deployed systems.

BART enables you to determine what file-level changes have occurred on a system, relative to a known baseline. You use BART to create a baseline or control manifest from a fully installed and configured system. You can then compare this baseline with a snapshot of the system at a later time, generating a report that lists file-level changes that have occurred on the system since it was installed.

The standard in the market seems to be Tripwire, which offers commercial support for its product. Similar products include the open source tools Samhain and Osiris. BART is a simple, Sun-supported tool that does the main job in an efficient and flexible way. At this time, it lacks the advanced features of the other products, such as a client/server mechanism, strong security and a GUI.

In this extra exercise, we will go through two basic examples.

0. Definitions

MANIFEST : You use the bart create command to take a file-level snapshot of a system at a particular time. The output is a catalog of files and file attributes called a manifest. The manifest lists information about all the files or specific files on a system. It contains information about attributes of files, which can include some uniquely identifying information, such as an MD5 checksum.
Note that BART does not cross file system boundaries, with the exception of file systems of the same type. So if you take a snapshot of the root FS, all UFS file systems, and only those, will be part of it.

Info : man bart_manifest

REPORT : You use the bart compare command to compare two manifests, a control manifest and a test manifest. These manifests must be prepared with the same file systems and options. The output of the command is a report that lists per-file discrepancies between the two manifests. A discrepancy is a change to any attribute for a given file that is cataloged for both manifests. Additions or deletions of file entries between the two manifests are also considered discrepancies.

RULES : The rules file is a text file that you can optionally use as input to the bart command. This file uses inclusion and exclusion rules. A rules file is used to create custom manifests and reports. A rules file enables you to express in a concise syntax which sets of files you want to catalog, as well as which attributes to monitor for any given set of files. When you compare manifests, the rules file aids in flagging discrepancies between the manifests. Using a rules file is an effective way to gather specific information about files on a system.

Info : man bart_rules

1. Demoing BART

Let’s create a manifest that covers only a subtree of the directory tree : everything under /etc.

# mkdir /bart
# bart create -R /etc > /bart/control1.bart

Let’s have a quick look at the resulting (text) file :

---------------------
! Version 1.0
! Wednesday, December 15, 2004 (15:06:34)
# Format:
#fname D size mode acl dirmtime uid gid
#fname P size mode acl mtime uid gid
#fname S size mode acl mtime uid gid
#fname F size mode acl mtime uid gid contents
#fname L size mode acl lnmtime uid gid dest
#fname B size mode acl mtime uid gid devnode
#fname C size mode acl mtime uid gid devnode
.....
/shadow F 343 100400 user::r--,group::---,mask:---,other:--- 41c04391 0 3 6a86414415134b41b611a898d0443dfd
.....
---------------------

At the beginning, we see that for each type of file (Directory, Pipe, Socket, File, Link, Block/Character device file), a number of attributes will be inserted into the manifest by default. This set of attributes can be modified using a rules file that lists another set of attributes.

For the shadow file, a regular file (F), we can see the file size, the mode (permissions), possible ACLs, the last modification time (mtime), the owner and group owner, as well as a checksum of the contents of the file : an MD5 hash of the shadow file.

We will create a user, build a second manifest, and then be able to see all the files (remember, only those under /etc) which are modified whenever a user gets added to the system.

# useradd bob
# bart create -R /etc > /bart/test1.bart
# bart compare /bart/control1.bart /bart/test1.bart

/.pwd.lock:
mtime control:41c04391 test:41c04506
/opasswd:
size control:652 test:621
mtime control:41c04310 test:41c04391
contents control:6ae0a864a8805666e2f65a2ec9ef9aa7 test:1ad565741694ea0ef612aec2517ffcfc
/oshadow:
size control:359 test:343
mtime control:41c04310 test:41c04391
contents control:491c6e7474ac6a377e43f9165e7cdb8e test:6a86414415134b41b611a898d0443dfd
/ouser_attr:
mtime control:41c04310 test:41c04391
/passwd:
size control:621 test:652
mtime control:41c04391 test:41c04506
contents control:1ad565741694ea0ef612aec2517ffcfc test:6ae0a864a8805666e2f65a2ec9ef9aa7
/shadow:
size control:343 test:359
mtime control:41c04391 test:41c04506
contents control:6a86414415134b41b611a898d0443dfd test:491c6e7474ac6a377e43f9165e7cdb8e
/user_attr:
mtime control:41c04391 test:41c04506

This lets us spot files that are new in Solaris 10 : oshadow, opasswd and ouser_attr.
Some more observations :

/oshadow:
size control:359 test:343
mtime control:41c04310 test:41c04391
contents control:491c6e7474ac6a377e43f9165e7cdb8e test:6a86414415134b41b611a898d0443dfd

/shadow F 343 100400 user::r--,group::---,mask:---,other:--- 41c04391 0 3 6a86414415134b41b611a898d0443dfd

And we find out that whenever one of these files gets modified, it is first copied over to an “o” version of itself (old?) : the contents hash of oshadow in the test manifest is exactly the hash of shadow in the control manifest. Also note that only the modification time of user_attr has changed; it would seem that the useradd command ‘touches’ the file…
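As an added worked example (not part of the original lab, and not Sun's bart code), here is a small Python reimplementation of what bart create records and what bart compare reports, run on two constructed manifests whose /shadow lines reuse the values shown above. It assumes file names contain no whitespace.

```python
def parse_manifest(text):
    """Parse 'bart create' output into {fname: {"type": T, attr: value, ...}} using the
    manifest's own '# Format:' header; assumes file names contain no whitespace."""
    fmt, entries = {}, {}
    for line in text.splitlines():
        if line.startswith("#fname "):              # format header: type -> attribute names
            _, ftype, *names = line.split()
            fmt[ftype] = names
        elif not line.strip() or line[0] in "!#":   # version/date line or other comment
            continue
        else:
            fname, ftype, *values = line.split()
            if len(values) != len(fmt[ftype]):
                raise ValueError("malformed entry: %r" % line)
            entries[fname] = dict(zip(fmt[ftype], values), type=ftype)
    return entries

def compare(control, test):
    """Mimic 'bart compare': {fname: [(attr, control_value, test_value), ...]}.
    A file only in control is reported as ('delete',), one only in test as ('add',)."""
    report = {}
    for fname in sorted(set(control) | set(test)):
        if fname not in test:
            report[fname] = [("delete",)]
        elif fname not in control:
            report[fname] = [("add",)]
        else:
            c, t = control[fname], test[fname]
            diffs = [(k, c[k], t.get(k)) for k in c if c[k] != t.get(k)]
            if diffs:
                report[fname] = diffs
    return report

# Constructed sample manifests in 'bart create -R /etc' form (paths relative to /etc);
# the /shadow lines reuse the values shown in the lab above, the rest is made up.
HEADER = """! Version 1.0
# Format:
#fname F size mode acl mtime uid gid contents
#fname L size mode acl lnmtime uid gid dest
"""
CONTROL = HEADER + """/shadow F 343 100400 user::r--,group::---,mask:---,other:--- 41c04391 0 3 6a86414415134b41b611a898d0443dfd
/zip L 9 120777 user::rwx,group::rwx,mask:rwx,other:rwx 41c04391 0 2 /usr/bin/zip
"""
TEST = HEADER + """/shadow F 359 100400 user::r--,group::---,mask:---,other:--- 41c04506 0 3 491c6e7474ac6a377e43f9165e7cdb8e
/zip_renamed L 9 120777 user::rwx,group::rwx,mask:rwx,other:rwx 41c04506 0 2 /usr/bin/zip
"""
if __name__ == "__main__":
    for fname, diffs in compare(parse_manifest(CONTROL), parse_manifest(TEST)).items():
        print(fname + ":", *["  " + " ".join(map(str, d)) for d in diffs], sep="\n")
```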

2. Customizing BART

The second exercise makes use of a rules file.
The idea is to first create a manifest, then run a script that does some strange things on your system, and afterwards create another manifest that will help in finding out what the script actually did.

The rules file used :

----------------
CHECK all
/etc
IGNORE dirmtime mtime mode contents
/usr/bin
IGNORE ALL
CHECK dirmtime contents mode acl
----------------

The first line is a “global” directive that applies to all entries.
The second section starts with an absolute pathname, which indicates that special directives will be applied to all (UFS) files under /etc. I don’t want to check a few attributes there.
The third section is for files under /usr/bin : I only want to check four attributes.

# bart create -r /bart/rules > /bart/control2.bart

# /script

# bart create -r /bart/rules > /bart/test2.bart

# bart compare -r /bart/rules /bart/control2.bart /bart/test2.bart

/etc/.pwd.lock:
mtime control:41c29da4 test:41c2a0da
/etc/opasswd:
size control:714 test:683
mtime control:41c29cca test:41c29da4
contents control:744dac030b1638ba26ef34da80e06253 test:338781bf1511eb112f73ebe967dcc0f3
/etc/oshadow:
size control:391 test:375
mode control:100440 test:100400
acl control:user::r--,user:104:r--,group::---,mask:r--,other:--- test:user::r--,group::---,mask:---,other:---
mtime control:41c29cca test:41c29da4
contents control:af0a317fd16e5e64e0eed720fb80268a test:9d563ea13aa3b2630a0216c06b734e48
/etc/ouser_attr:
mtime control:41c29cca test:41c29da4
/etc/passwd:
size control:683 test:714
mtime control:41c29da4 test:41c2a0da
contents control:338781bf1511eb112f73ebe967dcc0f3 test:744dac030b1638ba26ef34da80e06253
/etc/shadow:
size control:375 test:391
mode control:100400 test:100440
acl control:user::r--,group::---,mask:---,other:--- test:user::r--,user:bob:r--,group::---,mask:r--,other:---
mtime control:41c29da4 test:41c2a0da
contents control:9d563ea13aa3b2630a0216c06b734e48 test:af0a317fd16e5e64e0eed720fb80268a
/etc/system:
size control:1883 test:1899
mtime control:41c29e20 test:41c2a0da
contents control:c5907c9dc37074cf10a7d07740d639d6 test:bb944e27578c5b0585d58212ea8edbd9
/etc/user_attr:
mtime control:41c29da4 test:41c2a0da
/usr/bin/.hidden:
add
/usr/bin/ksh:
mode control:100555 test:104555
/usr/bin/perl:
lnmtime control:41c29da1 test:41c2a0da
dest control:/usr/perl5/5.8.4/bin/perl test:/usr/perl5/5.8.3/bin/perl
/usr/bin/pfksh:
mode control:100555 test:104555
/usr/bin/rksh:
mode control:100555 test:104555
/usr/bin/zip:
delete
/usr/bin/zip_renamed:
add

Now try to find out what happened…

When you have an idea, check the solution.

