Download pdf - Bart Usage

Transcript

  • UNIXWIZANYTHINGDEALINGWITH*NIXORWHATEVERIWANTTOWRITEABOUT SubscribeviaRSS

    HOME ABOUTME STOPSOPA

    Whyeveryoneshouldusebart(AKAdotheBartMan)

    IfyouareusingSolaris10,andyouhavenotusedbartyet,youshouldstopeverythingandtakealookatit.

    Forthosewhodon'tknowwhatbartis,itistheBasicAuditingandReportingToolthatisinSolaris10.

    Inaquicksynopsisbartwillcreateareportthatshowsallfiles/directoriesonasolarismachine.Thisreportcontainsthepermissions,owners,sizes,modifytimesandmd5hashesofallfilesonthesystem,alongwithacl'sifyouareusingZFS.

    Sowhyisbartsoimportant?First,itcanbeusedasasecuritytool.WhenyouinstallanewSolaris10system,thefirstthingyoushoulddoafteryougetitinstalledandpatchedandbeforeitisplacedonthenetworkisrunabartonthesystemandsavethereporttoacd.Thiswillbethe"baseline"imageofthesystem.Theneveryweek/monthyoushouldrunabartagainstthemachineagainandthenusethecompareoptiontoseewhatfileshavechanged,addedordeletedfromthesystem.Wherethiscomesinreallyhandyisifyourthinkthatyourmachinehasbeenhackedorcompromised.Youcanusethecomparisontodeterminewhichfilesmayhavebeenmodifiedbythehacker.

    ButthereisanonsecurityuseforbartaswellthatisVERYuseful.ThisuseisonethatIhadnotthoughtofuntilIneededittheotherday.Sowhatisthisuse?ResetingthepermissionsonfilesthatwereaccidentallychangedbyaninexperiencedUNIXpersonthinkingthata"chmodR777*"isthebestwaytofixtheirproblems.

    ThefirstthingthatcametomymindwhenIsawthishappenwasohno,themachinehadnotevenbeenbackedupyet,andaday'sworthofworkwouldhavebeenlost.Evenifthemachinehadbeenbackedup,doyourealizehowlongitwouldtaketorestoreafilesystemwith40,000+files,justbecausethepermissionswerescrewedup.(Note,thepermissionsonthevariousfileswereverydifferentandevenincludedsomesetuid,andsetgiudfileswhichwerewipedoutaswell.)

    Sohowdidbartsavetheday?LucklyIhadtakenabartofthemachinebeforetheworkhadbegunonthefilesystem.Soafterthechmodcommandwasissued,Ithentookabartofthefilesystemagain.Inowcouldrunabartcompareagainstthecontrolandtestmanifestandseeexactlywhatallhadchanged.

    OnceIhadthisoutput,Icouldthencreateascripttochangethepermissionsofthefiles/directoriesbacktotheoriginalvalues.AlltoldafterIfinishedtweakingmyscriptittookabout20minutestoresetthepermissionsonallthefilesanddirectories.

    Sohereisaquickstarttogettingyourfirstbartmanifestofyoursystem:

    1.Createabart_rulesfile.Ifyoudonotcreatearulesfile,youroutputwillonlyhaveFilesandnotdirectorieslistedinit.Mysimplebart_rulesfilelookslikethis:

    /CHECKALL/homeIGNOREALL

    Iignorethe/homefilesystemasinmycaseitwasnfsmounted.Inrealityyouwouldwanttoincludealllocalfilesystems.

    tags

    AIXAppleCableCardComcastFamilyFlyingFunnyHomeRepairsHouseIBMInterestingjetBlueLDAPM$WindersMacBookProMacOSXMorgantownMorgantown,WVOpenSolarisPhotography

    PhotoShopPHPRandomStuffRantSecurityShellScriptsSMFSolarisSpamFightingSunSunRaySyswatchtipsTiVoTivoliTravelUncategorizedVacationVideoVMWareWorkX2100XMRadioZFSZones/Containers

    Categories

    Categories

    SelectCategory

    Blogroll

    JustinsBlog

    ComputerStuff

    ChrisQuenelle'sWeblog

    ChristopherSaul'sWeblog

    GlennBrunette'sSecurityWeblog

    Joyent

    TheClinganZone

    TheSwordblog

    OtherSites

    AudiencesEverywhere

    PhotoStuff

    FroKnowsPhoto

    MAY/08

  • 2.Createthebart,Ikeeptherulesfilein/root/bart_rulessoIwouldrunthecommand:

    bartcreateR/r/root/bart_rules>/tmp/bart.output

    Thiswillcreateabartmanifestandoutputitto/tmp/bart.output.Lookingatthefirstcoupleoflinesofitlookslikethis:

    unixwiz@sungeek:/home/unixwiz>head20/tmp/bart.out!Version1.0!Saturday,May17,2008(21:24:27)#Format:#fnameDsizemodeacldirmtimeuidgid#fnamePsizemodeaclmtimeuidgid#fnameSsizemodeaclmtimeuidgid#fnameFsizemodeaclmtimeuidgidcontents#fnameLsizemodeacllnmtimeuidgiddest#fnameBsizemodeaclmtimeuidgiddevnode#fnameCsizemodeaclmtimeuidgiddevnode/D102440755user::rwx,group::rx,mask:rx,other:rx481d0e4300/.ICEauthorityF310100600user::rw,group::,mask:,other:44c581c2003eb63faf448e8a2b2c1a7b2019a8bde3/.XauthorityF99100600user::rw,group::,mask:,other:44c560e0005ffe2e5f4b6f73e662001f62f7cae4d3/.bash_historyF649100600user::rw,group::,mask:,other:481d1109009132e0e798d5d05644cafc90c2aa876a/.dtD51240755user::rwx,group::rx,mask:rx,other:rx44c560e000/.dt/appmanagerD51240755user::rwx,group::rx,mask:rx,other:rx44c5534d00/.dt/helpD51240755user::rwx,group::rx,mask:rx,other:rx44c5534d00/.dt/iconsD51240755user::rwx,group::rx,mask:rx,other:rx44c5534d00/.dt/sessionlogsD51240755user::rwx,group::rx,mask:rx,other:rx44c5534c00/.dt/sessionlogs/sungeek_DISPLAY=:0F132100644user::rw,group::r,mask:r,other:r44c560e0006d4e62fc972046a7a85fdb36a0ce21fd

    Thefirstpartofthefile,thepartthatbeginswith#fnameisalegendastohoweachtypeoflineisformed.Solookingatthefirstactuallineofthecontents:

    /D102440755user::rwx,group::rx,mask:rx,other:rx481d0e4300

    Weseethatthefnmaeis/,itisadirectory,withasizeof1024.Itsmodeis755,thelastmodifiedtimeisthe"481d0e43"anditisownedbyuid0andgid0.

    Lookingatafileinparticularweseethis:

    /httpd/htdocs/index.htmlF10100644user::rw,group::r,mask:r,other:r463d4f4b00b7a9369d4cc9f82ed707bce91ced8af8

    Intheabove,weseethatthefileis10bytes,hasapermissionsof644andisownedbyroot/root.

    NowsupposethatIforsomereasonbyaccidentwasinthe/httpd/htdocsdirectoryanddidachmodR777*.SinceIhadmycontrolmanifest,Iwouldthenrunanotherbartandthenusethecompareoption.WhatIwouldgetissomethinglikethis:

    #bartcompare/tmp/bart.output/tmp/bart.output2/httpd/htdocs/index.html:modecontrol:100644test:100777aclcontrol:user::rw,group::r,mask:r,other:rtest:user::rwx,group::rwx,mask:rwx,other:rwx

    Herewecanseethatthepermissionshaschangedfrom644to777.Buttheoutputisnotreallyeasytoparsewithascript.Soweneedtousethe"p"optiononthebartcompare:

    #bartcomparep/tmp/bart.output/tmp/bart.output2/httpd/htdocs/index.htmlmode100644100777acluser::rw,group::r,mask:r,other:ruser::rwx,group::rwx,mask:rwx,other:rwx

    Intheabove,sincetheonlythingthatwaschangedwasthemode,thatistheonlythingthatislisted.

    herearesomeotherexamples:

    /var/samba/locks/browse.datmtime482f8544482f8800/var/samba/locks/unexpected.tdbcontents7c3404e9622749702e3df56caf26fe7272983947ada3260a236394a51aef0d31

    Thefirstlineshowsthatthefilebrowse.datmodifytimechanged,butnothingelse.Thesecondlineshowsthattheunexpected.tdbhadit'scontentschange.Thiscanbeenseebythe2differenthashes.

    Hereisanotherexampleoftheindex.htmlfileabove,afterithadbeenedited:

    bash3.00#bartcompare/tmp/bart.out/tmp/bart.out3/httpd/htdocs/index.html:sizecontrol:10test:26modecontrol:100644test:100777aclcontrol:user::rw,group::r,mask:r,other:rtest:user::rwx,group::rwx,mask:rwx,other:rwxmtimecontrol:463d4f4btest:482f8b89contentscontrol:b7a9369d4cc9f82ed707bce91ced8af8test:1567caf683e3859cb5da7335c35438f7

    Onceagainthisisinthe"human"readableformat,the"machine"readablelookslike:

  • Thecontentonsungeek.netisprovidedASIS,andWITHOUTANYWARRANTY.Allopinionsarepersonalandinnowayreflectanyorganization.Theauthorwillnotbeheldliableforanyproblemsresultingfromtheinformationprovidedhere.Copyright2015unixwizLightwordThemebyAndreiLuca Gototop

    Taggedas:Security,ShellScripts,Solaris,tips,ZFS CommentsOff

    FreakingSweetAcrobatReaderonSolarisx86 PacManJonesinDallas

    bash3.00#bartcomparep/tmp/bart.out/tmp/bart.out3/httpd/htdocs/index.htmlsize1026mode100644100777acluser::rw,group::r,mask:r,other:ruser::rwx,group::rwx,mask:rwx,other:rwxmtime463d4f4b482f8b89contentsb7a9369d4cc9f82ed707bce91ced8af81567caf683e3859cb5da7335c35438f7

    (theaboveisactuallyallononeline.)

    Onceyouhavetheoutputofthebartafterthe"oops"youwillneedtorunthebartcomparewithoptionstoignoresomeitems.SinceIamonlyinterestedinthemode,thesize,mtimeandcontentscanbeignored.Iusedthefollowing:

    bash3.00#bartcompareisize,mtime,contents,uid,gidp/tmp/bart.out/tmp/bart.out2

    Thisonlyshowsfilesthathavehadtheirmodechanged:

    bash3.00#bartcompareisize,mtime,contents,uid,gidp/tmp/bart.out/tmp/bart.out2/httpd/htdocs/index.htmlmode100644100777acluser::rw,group::r,mask:r,other:ruser::rwx,group::rwx,mask:rwx,other:rwx

    Youshouldredirectthisoutputtoafile,sothatitcanthenbeusedtogenerateascript.WiththeoutputinafileIthendidthis:

    cat/tmp/bart.compare|awk'{print"chmod"$3""$1}'>/tmp/CHANGEPERMS

    SobasiclyIcatthefileandprintthechmodcommandallongwiththe3rdfield(100644)andthenthefirstfield(/httpd/htdocs/index.html)andredirectthistoanewfile.OnceIspotcheckthisfile,youcanthenrunitanditwill"reset"thepermissionsback.

    NoweverythingIhaveshownaboveisbasedonthemachinehavingaUFSfilesystem.IfyourunbartagainstafilesystemthatisZFS,youwillgetamanifestthatlookssomethinglikethis:

    /home/unixwiz/bin/phpF10587732100755owner@::deny,owner@:read_data/write_data/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:allow,group@:write_data/append_data:deny,group@:read_data/execute:allow,everyone@:write_data/append_data/write_xattr/write_attributes/write_acl/write_owner:deny,everyone@:read_data/read_xattr/execute/read_attributes/read_acl/synchronize:allow4743a7fa100149b8cfb15ed069bd6e43d7c2ae11a3e23

    ItshowstheZFSextendedacl's.

    Soifyouhaven'tstartedusingbart,youshouldstartassoonaspossible.

    Postedbyunixwiz

    Sorry,thecommentformisclosedatthistime.

    Comments(0) Trackbacks(0) (subscribetocommentsonthispost)


Recommended

Bart International 144
Bart International 144 Documents
Euritmija, Silvija Bart
Euritmija, Silvija Bart Documents
Bart Intlernational
Bart Intlernational Documents
Bart Staels
Bart Staels Documents
Bart Simpson
Bart Simpson Entertainment & Humor
Bart Woland INFO
Bart Woland INFO Documents
Bart Cammaerts ICT-usage among transnational social ...eprints.lse.ac.uk/3278/1/ICT-Usage_among... · To Organise, to Mobilise and to Debate Bart Cammaerts1 Context In recent years,
Bart Cammaerts ICT-usage among transnational social ...eprints.lse.ac.uk/3278/1/ICT-Usage_among... · To Organise, to Mobilise and to Debate Bart Cammaerts1 Context In recent years, Documents
O Evangelho Segundo Bart - Refutando Bart Ehrman
O Evangelho Segundo Bart - Refutando Bart Ehrman Documents
Bart the Bat
Bart the Bat Documents
Bart Vande Ghinste Microsoft Beluximg2.insight.com/graphics/be/cloud/presentation... · Compute . Time . Average Usage . Unexpected/unplanned peak in demand Sudden spike impacts performance
Bart Vande Ghinste Microsoft Beluximg2.insight.com/graphics/be/cloud/presentation... · Compute . Time . Average Usage . Unexpected/unplanned peak in demand Sudden spike impacts performance Documents
Graphical styles bart
Graphical styles bart Art & Photos
BART Destinations Guide Destinations Guide Fun Places to Go on BART DECEMBER 2014 FREE BART...and you’re there
BART Destinations Guide Destinations Guide Fun Places to Go on BART DECEMBER 2014 FREE BART...and you’re there Documents
BART Infographic
BART Infographic Documents
BART Installation and Upgrade Guide€¦ · BART Installation and Upgrade Guide, Release 2.5.4 2.2Installing BART on a Debian or Ubuntu Host To install BART on a Debian or Ubuntu
BART Installation and Upgrade Guide€¦ · BART Installation and Upgrade Guide, Release 2.5.4 2.2Installing BART on a Debian or Ubuntu Host To install BART on a Debian or Ubuntu Documents
Create your own custom BART BART EFFECTIVE Fares and · 2013. 10. 10. · Create your own custom BART schedule at . For personalized help, call your local BART Transit Information
Create your own custom BART BART EFFECTIVE Fares and · 2013. 10. 10. · Create your own custom BART schedule at . For personalized help, call your local BART Transit Information Documents
BART Destinations Guide · BART Destinations Guide Fun Places to Go on BART ... Powell St RIDING BART 3–4 BART ... 4 am–Midnight Saturdays 6 am–Midnight
BART Destinations Guide · BART Destinations Guide Fun Places to Go on BART ... Powell St RIDING BART 3–4 BART ... 4 am–Midnight Saturdays 6 am–Midnight Documents
Bart Deli Book
Bart Deli Book Documents
Trends in Programming Languages Bart J.F. De Smet blogs.bartdesmet.net/bart bartde@microsoft.com
Trends in Programming Languages Bart J.F. De Smet blogs.bartdesmet.net/bart [email protected] Documents