Basic Audit Reporting Tool
Apropos auditing. There is a small but cool tool in Solaris. It solves the problem of "No, I haven’t changed anything on the system". It’s called BART, the Basic Audit Reporting Tool. It is a really simple tool and it’s really easy to use.
Usage
Okay, let’s assume after some days of work you finally configured all components of your new system. Okay, create a nice place to store the output of the bart tool. After this you start bart for the first time to create the first manifest of your system.
# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest
The manifest stores all information about the files. This is the entry for /etc/nsswitch.nisplus:
# grep "/nsswitch.nisplus" /bart-files/etc.control.manifest
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
Now let’s change some files:
# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "#just a test" >> /etc/nsswitch.nisplus
Okay, enough changes. Let’s create a new manifest of the changed /etc. Redirect it to a different file.
# bart create -R /etc > /bart-files/etc.check20080202.manifest
Now we can compare the baseline manifest with the current manifest.
# cd /bart-files
# bart compare etc.control.manifest etc.check20080202.manifest
This command prints all differences between the two manifests and thus the differences between the two states of the system:
/nsswitch.files:
mode control:100644 test:100777
acl control:user::rw-,group::r--,mask:r--,other:r-- test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
size control:2525 test:2538
mtime control:473976b5 test:47a44862
contents control:79e8fd689a5221d1cd059e5077da71b8 test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
add
As I wrote before: A really nice tool.
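How the comparison works on the manifest entries, as an added example that is not part of the original article or of BART itself: a small Python parser that reads file (F) entries and reports differences in the layout shown above. The column names follow the entry shown earlier and bart_manifest(4); the values for /nsswitch.files and /thisisjustatest that the article does not print are constructed.

```python
# Column order of a file ("F") entry after the name and type, as in the
# /nsswitch.nisplus line above (names assumed from bart_manifest(4)).
F_FIELDS = ["size", "mode", "acl", "mtime", "uid", "gid", "contents"]

def parse_manifest(text):
    """Return {name: {attribute: value}} for the file entries of a manifest."""
    entries = {}
    for line in text.splitlines():
        # Skip blanks plus the "!" header and "#" comment lines of real manifests.
        if not line.strip() or line[0] in "!#":
            continue
        name, ftype, *attrs = line.split()
        if ftype == "F" and len(attrs) == len(F_FIELDS):
            entries[name] = dict(zip(F_FIELDS, attrs))
    return entries

def compare(control, test):
    """Report added, deleted and changed files, one output line per list item."""
    out = []
    for name in sorted(control.keys() | test.keys()):
        if name not in control:
            out += [f"{name}:", "add"]
        elif name not in test:
            out += [f"{name}:", "delete"]
        else:
            diffs = [f"{k} control:{control[name][k]} test:{test[name][k]}"
                     for k in F_FIELDS if control[name][k] != test[name][k]]
            if diffs:
                out += [f"{name}:"] + diffs
    return out

# Constructed sample manifests; only the /nsswitch.nisplus values come from the article.
ACL = "user::rw-,group::r--,mask:r--,other:r--"
CONTROL = f"""! Version 1.0
/nsswitch.files F 1054 100644 {ACL} 473976b5 0 3 00000000000000000000000000000001
/nsswitch.nisplus F 2525 100644 {ACL} 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
"""
TEST = f"""! Version 1.0
/nsswitch.files F 1054 100777 user::rwx,group::rwx,mask:rwx,other:rwx 473976b5 0 3 00000000000000000000000000000001
/nsswitch.nisplus F 2538 100644 {ACL} 47a44862 0 3 3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest F 0 100644 {ACL} 47a44862 0 0 d41d8cd98f00b204e9800998ecf8427e
"""

if __name__ == "__main__":
    print("\n".join(compare(parse_manifest(CONTROL), parse_manifest(TEST))))
```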
Want to learn more?
For more information about this tool visit TBD.