Solaris Automated File Integrity Checking: bartlog

Posted on June 25, 2009

The Solaris Basic Audit & Reporting Tool, bart, is a great little alternative to Tripwire or AIDE. While not nearly so robust or full featured, it does what you need it to do with very little impact. The sqlite of intrusion detection systems, if you will. I blogged about BART in 2005 and so far its still only got 1 real comment, which was simply mentioning AIDE as an alternative. No love.

Given that BART is awesome and no one seems to embrace it due to, perhaps, perceptions of complexity that are unfounded, I sought to implement a simple solution to bring BART to the masses. I call it bartlog

Quite simply, bartlog is a BASH wrapper around BART and logger which is run from cron on any schedule you like and reports any changes to syslog. Setup is simple, download bartlog and copy into /usr/sbin or whereever you prefer, then download bart.rules and copy into /etc. Now run bartlog from cron every hour or day or whatever you like.

The script is simple and intended to be tweeked, modified and made as l337 as you like. What it does is creates a BART manifest (record of files and MD5 checksums) for those directory structures specified in the bart.rules file. The first time it runs it just creates a manifest and exits. The second time you run it it creates a new manifest and then compares it against the previously created one. If it doesn’t find any changes it just replaces the old manifest with the new one, this avoids you getting repetitiously alerted. However, if it does find a change it sends the change to syslog, so that its stored with your normal logs viewed either by running dmesg or reading /var/adm/messages. By default I’m using the syslog audit.err priority because by default Solaris sends those messages to /var/adm/messages, however if you are deploying this in a production environment I’d recommend using audit.warn instead and then modifying /etc/syslog.conf to send those warnings to a secure centralized syslog server. If you complete the solution with Splunk you could have a centralized, searchable log of all changes to critical files on which you could report, respond or alert on.

I use a one hour interval on my home workstation. Here’s my syslog following a new user addition:

root@quadra ~$ dmesg
...
Jun 25 11:01:58 quadra root: [ID 702911 audit.error] BART Reports Change: /etc/.pwd.lock mtime 4a218d04 4a43b0bd 
Jun 25 11:01:58 quadra root: [ID 702911 audit.error] BART Reports Change: /etc/opasswd size 968 985 mtime 49fa4236 4a218d2b contents fc27c5b28b3a248b6c6129aa9aed7329 2200107fc7128d5cd38de333bea4500f 
Jun 25 11:01:58 quadra root: [ID 702911 audit.error] BART Reports Change: /etc/ouser_attr mtime 4a04a741 4a218d01 
Jun 25 11:01:58 quadra root: [ID 702911 audit.error] BART Reports Change: /etc/passwd size 985 1022 mtime 4a218d2b 4a43b0ac contents 2200107fc7128d5cd38de333bea4500f 640da69537a35046571b4fda1def10d1 
Jun 25 11:01:58 quadra root: [ID 702911 audit.error] BART Reports Change: /etc/shadow size 708 783 mtime 4a218d04 4a43b0bd contents f83158dffddc124dab2f22a979338695 6ba7d42600da8d4fc9b8a92f4bf0afe7 
Jun 25 11:01:58 quadra root: [ID 702911 audit.error] BART Reports Change: /etc/user_attr mtime 4a218d01 4a43b0ac 

So I hope this fills the hole. Anyone running a Solaris system at home can download these two files, add to cron and be off and running. No hassle, no maintenance. All the love, none of the pain. If your running a system where bart isn’t installed, just install SUNWbart from IPS or the install media.