UNIXWIZ: Anything dealing with *nix or whatever I want to write about

Why everyone should use bart (AKA do the Bart Man)

If you are using Solaris 10, and you have not used bart yet, you should stop everything and take a look at it.

For those who don't know what bart is, it is the Basic Auditing and Reporting Tool that is in Solaris 10.

In a quick synopsis, bart will create a report that shows all files/directories on a Solaris machine. This report contains the permissions, owners, sizes, modify times and md5 hashes of all files on the system, along with acl's if you are using ZFS.

So why is bart so important? First, it can be used as a security tool. When you install a new Solaris 10 system, the first thing you should do after you get it installed and patched, and before it is placed on the network, is run a bart on the system and save the report to a CD. This will be the "baseline" image of the system. Then every week/month you should run a bart against the machine again and use the compare option to see what files have been changed, added or deleted on the system. Where this comes in really handy is if you think that your machine has been hacked or compromised. You can use the comparison to determine which files may have been modified by the hacker.

But there is a non-security use for bart as well that is VERY useful. This use is one that I had not thought of until I needed it the other day. So what is this use? Resetting the permissions on files that were accidentally changed by an inexperienced UNIX person thinking that a "chmod -R 777 *" is the best way to fix their problems.

The first thing that came to my mind when I saw this happen was oh no, the machine had not even been backed up yet, and a day's worth of work would have been lost. Even if the machine had been backed up, do you realize how long it would take to restore a file system with 40,000+ files, just because the permissions were screwed up? (Note, the permissions on the various files were very different and even included some setuid and setgid files which were wiped out as well.)

So how did bart save the day? Luckily I had taken a bart of the machine before the work had begun on the file system. So after the chmod command was issued, I then took a bart of the file system again. I could now run a bart compare against the control and test manifests and see exactly what had changed.

Once I had this output, I could then create a script to change the permissions of the files/directories back to the original values. All told, after I finished tweaking my script, it took about 20 minutes to reset the permissions on all the files and directories.

So here is a quick start to getting your first bart manifest of your system:

1. Create a bart_rules file. If you do not create a rules file, your output will only have files and not directories listed in it. My simple bart_rules file looks like this:

/
CHECK ALL
/home
IGNORE ALL

I ignore the /home file system as in my case it was NFS mounted. In reality you would want to include all local file systems.



    MAY/08

2. Create the bart. I keep the rules file in /root/bart_rules, so I would run the command:

bart create -R / -r /root/bart_rules > /tmp/bart.output

This will create a bart manifest and output it to /tmp/bart.output. Looking at the first couple of lines of it, it looks like this:

unixwiz@sungeek:/home/unixwiz> head -20 /tmp/bart.out
! Version 1.0
! Saturday, May 17, 2008 (21:24:27)
# Format:
#fname D size mode acl dirmtime uid gid
#fname P size mode acl mtime uid gid
#fname S size mode acl mtime uid gid
#fname F size mode acl mtime uid gid contents
#fname L size mode acl lnmtime uid gid dest
#fname B size mode acl mtime uid gid devnode
#fname C size mode acl mtime uid gid devnode
/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 481d0e43 0 0
/.ICEauthority F 310 100600 user::rw-,group::---,mask:---,other:--- 44c581c2 0 0 3eb63faf448e8a2b2c1a7b2019a8bde3
/.Xauthority F 99 100600 user::rw-,group::---,mask:---,other:--- 44c560e0 0 0 5ffe2e5f4b6f73e662001f62f7cae4d3
/.bash_history F 649 100600 user::rw-,group::---,mask:---,other:--- 481d1109 0 0 9132e0e798d5d05644cafc90c2aa876a
/.dt D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 44c560e0 0 0
/.dt/appmanager D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 44c5534d 0 0
/.dt/help D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 44c5534d 0 0
/.dt/icons D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 44c5534d 0 0
/.dt/sessionlogs D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 44c5534c 0 0
/.dt/sessionlogs/sungeek_DISPLAY=:0 F 132 100644 user::rw-,group::r--,mask:r--,other:r-- 44c560e0 0 0 6d4e62fc972046a7a85fdb36a0ce21fd

The first part of the file, the part that begins with #fname, is a legend as to how each type of line is formed. So looking at the first actual line of the contents:

/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 481d0e43 0 0

We see that the fname is /, it is a directory, with a size of 1024. Its mode is 755, the last modified time is the "481d0e43" (seconds since the epoch, in hex) and it is owned by uid 0 and gid 0.

Looking at a file in particular we see this:

/httpd/htdocs/index.html F 10 100644 user::rw-,group::r--,mask:r--,other:r-- 463d4f4b 0 0 b7a9369d4cc9f82ed707bce91ced8af8

In the above, we see that the file is 10 bytes, has permissions of 644 and is owned by root/root.

Now suppose that I, for some reason, by accident was in the /httpd/htdocs directory and did a chmod -R 777 *. Since I had my control manifest, I would then run another bart and then use the compare option. What I would get is something like this:

# bart compare /tmp/bart.output /tmp/bart.output2
/httpd/htdocs/index.html:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx

Here we can see that the permissions have changed from 644 to 777. But the output is not really easy to parse with a script. So we need to use the "-p" option on the bart compare:

# bart compare -p /tmp/bart.output /tmp/bart.output2
/httpd/htdocs/index.html mode 100644 100777 acl user::rw-,group::r--,mask:r--,other:r-- user::rwx,group::rwx,mask:rwx,other:rwx

In the above, since the only thing that was changed was the mode, that is the only thing that is listed.

Here are some other examples:

/var/samba/locks/browse.dat mtime 482f8544 482f8800
/var/samba/locks/unexpected.tdb contents 7c3404e9622749702e3df56caf26fe72 72983947ada3260a236394a51aef0d31

The first line shows that the modify time of browse.dat changed, but nothing else. The second line shows that unexpected.tdb had its contents change. This can be seen by the two different hashes.

Here is another example of the index.html file above, after it had been edited:

bash-3.00# bart compare /tmp/bart.out /tmp/bart.out3
/httpd/htdocs/index.html:
  size  control:10  test:26
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
  mtime  control:463d4f4b  test:482f8b89
  contents  control:b7a9369d4cc9f82ed707bce91ced8af8  test:1567caf683e3859cb5da7335c35438f7

Once again this is in the "human" readable format; the "machine" readable format looks like:


bash-3.00# bart compare -p /tmp/bart.out /tmp/bart.out3
/httpd/htdocs/index.html size 10 26 mode 100644 100777 acl user::rw-,group::r--,mask:r--,other:r-- user::rwx,group::rwx,mask:rwx,other:rwx mtime 463d4f4b 482f8b89 contents b7a9369d4cc9f82ed707bce91ced8af8 1567caf683e3859cb5da7335c35438f7

(The above is actually all on one line.)

Once you have the output of the bart after the "oops", you will need to run the bart compare with options to ignore some items. Since I am only interested in the mode, the size, mtime and contents can be ignored. I used the following:

bash-3.00# bart compare -i size,mtime,contents,uid,gid -p /tmp/bart.out /tmp/bart.out2

This only shows files that have had their mode changed:

bash-3.00# bart compare -i size,mtime,contents,uid,gid -p /tmp/bart.out /tmp/bart.out2
/httpd/htdocs/index.html mode 100644 100777 acl user::rw-,group::r--,mask:r--,other:r-- user::rwx,group::rwx,mask:rwx,other:rwx

You should redirect this output to a file, so that it can then be used to generate a script. With the output in a file I then did this:

cat /tmp/bart.compare | awk '{print "chmod "$3" "$1}' > /tmp/CHANGEPERMS

So basically I cat the file and print the chmod command along with the 3rd field (100644) and then the first field (/httpd/htdocs/index.html), and redirect this to a new file. Once I spot check this file, you can then run it and it will "reset" the permissions back.
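An added example (not code from the original post) of the same script generation, run over constructed lines in the shape of the "bart compare -p" output above. It keeps only the last four octal digits of the control mode, so the file-type prefix (100 for files, 40 for directories) never reaches chmod and setuid/setgid bits such as 4755 are restored too; entries whose mode did not change produce no command. The file names are made up, and it assumes names contain no whitespace.

```shell
#!/bin/sh
# Constructed sample of "bart compare -i size,mtime,contents,uid,gid -p" output:
# fname, then (attribute, control value, test value) triples.
SAMPLE_COMPARE='/httpd/htdocs/index.html mode 100644 100777 acl user::rw-,group::r--,mask:r--,other:r-- user::rwx,group::rwx,mask:rwx,other:rwx
/httpd/htdocs mode 40755 40777 acl user::rwx,group::r-x,mask:r-x,other:r-x user::rwx,group::rwx,mask:rwx,other:rwx
/httpd/htdocs/setuid-helper mode 104755 100777 acl user::rwx,group::r-x,mask:r-x,other:r-x user::rwx,group::rwx,mask:rwx,other:rwx
/var/samba/locks/browse.dat mtime 482f8544 482f8800'

# Read compare -p lines on stdin; print one chmod per entry whose mode changed.
# The control (baseline) value is the one we want to restore.
gen_chmod_script() {
    awk '
    {
        # walk the attribute/control/test triples that follow the file name
        for (i = 2; i < NF; i += 3) {
            if ($i == "mode") {
                ctl = $(i + 1)
                # last four octal digits = permission bits incl. setuid/setgid/sticky
                perm = substr(ctl, length(ctl) - 3)
                printf "chmod %s \"%s\"\n", perm, $1
            }
        }
    }'
}

# Wrapper over the constructed sample; review its output before running it.
sample_chmod_script() {
    printf '%s\n' "$SAMPLE_COMPARE" | gen_chmod_script
}

sample_chmod_script
```

In practice you would feed it the real file (`gen_chmod_script < /tmp/bart.compare > /tmp/CHANGEPERMS`) and spot check the result as the post describes before executing it.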

Now everything I have shown above is based on the machine having a UFS file system. If you run bart against a file system that is ZFS, you will get a manifest that looks something like this:

/home/unixwiz/bin/php F 10587732 100755 owner@::deny,owner@:read_data/write_data/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:allow,group@:write_data/append_data:deny,group@:read_data/execute:allow,everyone@:write_data/append_data/write_xattr/write_attributes/write_acl/write_owner:deny,everyone@:read_data/read_xattr/execute/read_attributes/read_acl/synchronize:allow 4743a7fa 1001 4 9b8cfb15ed069bd6e43d7c2ae11a3e23

It shows the ZFS extended acl's.

So if you haven't started using bart, you should start as soon as possible.

Posted by unixwiz
