Securing Files and Verifying File Integrity in Oracle^® Solaris 11.3

How to Compare Manifests for the Same System Over Time

By comparing manifests over time, you can locate corrupted or unusual files, detect security breaches, and troubleshoot performance issues on a system.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

1. Create a control manifest of the files to monitor on the system.

   # bart create -R /etc > control-manifest

2. (Optional)Save the manifest in a protected directory for future use.

   For an example, see Step 3 in How to Create a Control Manifest.

3. At a later time, prepare an identical manifest to the control manifest.

   # bart create -R /etc > test-manifest

4. ()Protect the second manifest.

   # mv test-manifest /var/adm/log/bartlogs

5. Compare the two manifests.

   Use the same command-line options and rules file to compare the manifests that you used to create them.

   # bart compare options control-manifest  test-manifest > bart-report

6. Examine the BART report for oddities.

Example 25  Tracking File Changes for the Same System Over Time

This example shows how to track the changes in the /etc directory over time. This type of comparison enables you to locate important files on the system that have been compromised.

• Create a control manifest.

  # cd /var/adm/logs/manifests
  # bart create -R /etc > system1.control.090713
  ! Version 1.1
  ! HASH SHA256
  ! Saturday, September 07, 2013 (11:11:17)
  # Format:
  #fname D size mode acl dirmtime uid gid
  #fname P size mode acl mtime uid gid
  #fname S size mode acl mtime uid gid
  #fname F size mode acl mtime uid gid contents
  #fname L size mode acl lnmtime uid gid dest
  #fname B size mode acl mtime uid gid devnode
  #fname C size mode acl mtime uid gid devnode
  /.cpr_config F 2236 100644 owner@:read_data/write_data/append_data/read_xattr/wr
  ite_xattr/read_attributes/write_attributes/read_acl/write_acl/write_owner/synchr
  onize:allow,group@:read_data/read_xattr/read_attributes/read_acl/synchronize:all
  ow,everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
  4e271c59 0 0 3ebc418eb5be3729ffe7e54053be2d33ee884205502c81ae9689cd8cca5b0090
  /.login F 1429 100644 owner@:read_data/write_data/append_data/read_xattr/write_x
  attr/read_attributes/write_attributes/read_acl/write_acl/write_owner/synchronize
  :allow,group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow,ev
  eryone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
  4bf9d6d7 0 3 ff6251a473a53de68ce8b4036d0f569838cff107caf1dd9fd04701c48f09242e
  .
  .
  .

• Later, create a test manifest by using the same command-line options.

  # bart create -R /etc > system1.test.101013
  Version 1.1
  ! HASH SHA256
  ! Monday, October 10, 2013 (10:10:17)
  # Format:
  #fname D size mode acl dirmtime uid gid
  #fname P size mode acl mtime uid gid
  #fname S size mode acl mtime uid gid
  #fname F size mode acl mtime uid gid contents
  #fname L size mode acl lnmtime uid gid dest
  #fname B size mode acl mtime uid gid devnode
  #fname C size mode acl mtime uid gid devnode
  /.cpr_config F 2236 100644 owner@:read_data/write_data/append_data/read_xattr/wr
  ite_xattr/read_attributes/write_attributes/read_acl/write_acl/write_owner/synchr
  onize:allow,group@:read_data/read_xattr/read_attributes/read_acl/synchronize:all
  ow,everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
  4e271c59 0 0 3ebc418eb5be3729ffe7e54053be2d33ee884205502c81ae9689cd8cca5b0090
  .
  .
  .

• Compare the manifests.

  # bart compare system1.control.090713 system1.test.101013
  /security/audit_class
  mtime  4f272f59

The output indicates that the modification time on the audit_class file has changed since the control manifest was created. If this change is unexpected, you can investigate further.