Less known Solaris features: BART

Apropos auditing. There is a small but cool tool in Solaris. It solves the problem of “No, i haven´t changed anything on the system”. It´s called BART, the Basic Audit Reporting Tool. It a really simple tool and it´s really easy to use. Usage
Okay, let´s assume after some days of work you finally configured all components of your new system. Okay, create a nice place to store the output of the bart tool. After this you start bart for the first time to create the first manifest of your system.

# mkdir /bart-files<br />
# bart create -R /etc > /bart-files/etc.control.manifest

The manifest stores all informations about the files. This is the example for the /etc/nsswitch.nisplus:

# cat etc.control.manifest | grep "/nsswitch.nisplus"<br />
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

Now lets change some files:

# touch /etc/thisisjustatest<br />
# chmod 777 /etc/nsswitch.files<br />
# echo "#just a test" >> /etc/nsswitch.nisplus 

Okay, enough changes. Let´s create a new manifest of the changed /etc. Pipe it to a different file.

# bart create -R /etc > /bart-files/etc.check20080202.manifest

Now we can compare the baseline manifest with the actual manifest.

# cd /bart-files<br />
# bart compare etc.control.manifest etc.check20080202.manifest 

This command prints all differences between the two manifests and thus the difference between the tow states of the system

/nsswitch.files:<br />
  mode  control:100644  test:100777<br />
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx<br />
/nsswitch.nisplus:<br />
  size  control:2525  test:2538<br />
  mtime  control:473976b5  test:47a44862<br />
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c<br />
/thisisjustatest:<br />

As i wrote before: A really nice tool. Want to learn more?
For more information about this tool visit Using the Basic Audit Reporting Tool.