By alecm on Apr 06, 2007
Or what if you run a heavily change-controlled system environment, and you need to know whether anything has been changed outside of the scope of your operational processes?
There's a solution built into Solaris 10: bart - Basic Audit & Reporting Tool, a truly boringly-named tool which does something both useful and interesting:
BART provides a quick and easy way to collect information on filesystem objects and their attributes so that, at a later time, you can determine whether there have been any changes. BART can help you detect accidental or malicious changes to files within an operating system due to either a security incident or change management incident.
BART is able to collect such information as an object's UID, GID, permissions, access control lists, modification time, size, and type. In addition, for files, BART generates an MD5 fingerprint from the contents of the file. For a full list of the attributes that can be collected, see the bart_rules(4) manual page.
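As an added illustration of the collect-then-compare workflow described above (example code written for this page, not BART itself and not BART's manifest format), the following Python script records the kinds of attributes listed, plus an MD5 digest for regular files, for every object under a directory, and then reports which objects were added, deleted or changed and which attributes differ. The scenario in demo() is constructed: a small tree is baselined and then tampered with in ways that show why each attribute matters, including a same-length content edit with the modification time put back, which only the content fingerprint catches.

```python
"""Collect-then-compare, in the spirit of BART's create/compare workflow.

Added example: records type, permissions, UID, GID, size, mtime and,
for regular files, an MD5 digest, then diffs two manifests.
"""
import hashlib
import os
import shutil
import stat
import tempfile


def _md5_of_file(path, chunk=65536):
    # Hash in chunks so large files need not fit in memory.
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Return {relative_path: {attribute: value}} for everything under root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)  # lstat: describe symlinks rather than follow them
            entry = {
                "type": stat.filemode(st.st_mode)[0],  # '-', 'd', 'l', ...
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
                "mtime": st.st_mtime_ns,
            }
            if stat.S_ISREG(st.st_mode):
                entry["md5"] = _md5_of_file(full)
            elif stat.S_ISLNK(st.st_mode):
                entry["target"] = os.readlink(full)
            manifest[rel] = entry
    return manifest


def compare_manifests(control, test):
    """Report objects added, deleted or changed between two manifests.

    'changed' maps each path to the sorted names of the attributes that differ.
    """
    report = {"added": sorted(set(test) - set(control)),
              "deleted": sorted(set(control) - set(test)),
              "changed": {}}
    for path in sorted(set(control) & set(test)):
        keys = set(control[path]) | set(test[path])
        diffs = sorted(k for k in keys if control[path].get(k) != test[path].get(k))
        if diffs:
            report["changed"][path] = diffs
    return report


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, compare."""
    root = tempfile.mkdtemp()
    try:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        for name, text in (("passwd", "root:x:0:0::/:/bin/sh\n"),
                           ("motd", "welcome\n"),
                           ("hosts", "127.0.0.1 localhost\n")):
            with open(os.path.join(etc, name), "w") as f:
                f.write(text)
            os.chmod(os.path.join(etc, name), 0o644)  # fixed mode, independent of umask
        control = build_manifest(root)

        # 1. Same-length content edit with mtime restored: only the MD5 differs.
        pw = os.path.join(etc, "passwd")
        st = os.stat(pw)
        with open(pw, "w") as f:
            f.write("root:x:0:0::/:/bin/SH\n")
        os.utime(pw, ns=(st.st_atime_ns, st.st_mtime_ns))
        # 2. Permission change only.
        os.chmod(os.path.join(etc, "motd"), 0o600)
        # 3. One object removed, one added.
        os.remove(os.path.join(etc, "hosts"))
        with open(os.path.join(etc, "shadow"), "w") as f:
            f.write("root:!:0::::::\n")

        return compare_manifests(control, build_manifest(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that the etc directory itself may also appear under "changed" (its mtime or size) because entries were added and removed beneath it; a real manifest comparison reports the same thing, and it is useful evidence in its own right.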
There's a lovely white paper "blue print" explaining BART available for download (nb: PDF document; apparently HTML was neither pretty enough nor impressive enough) along with the rest of the Sun Security BluePrints, some of which we'll be spotlighting individually over the next few weeks.