After you have installed and configured a Solaris system, you can create a baseline (control) manifest of it and use the BART to check the integrity of the system from that control manifest. BART will report file-level changes that have occurred on the system.
Exam Watch |
For the exam, you need to know that the Basic Audit Reporting Tool (BART) can report file-level changes that have occurred on the system. This is an important granular approach to maintaining file security. |
BART includes several components—enough to warrant discussion in an entire chapter—and in this section, we'll cover only those you should know for the exam. The components you need to understand for certification are creating a manifest and comparing manifests.
With BART, you can create a file-level image of the system in a catalog of files that contain information such as attributes and checksum of files for which you have permission to access. In other words, any user can run BART to catalog and monitor files as long as the user has permission to access them. Also, when running BART as superuser, the output will be available to everyone on the system, unless you specify permission restrictions.
Creating a manifest with BART is accomplished by issuing this command:
bart create options > control-manifest
where options can be the following:
-R specifies the root directory for the manifest. All paths specified by the rules will be interpreted relative to this directory. All paths reported in the manifest will be relative to this directory.
-I accepts a list of individual files to be cataloged, either on the command line or read from standard input.
-r is the name of the rules file for this manifest. Note that -, when used with the -r option, will be read the rules file from standard input.
-n turns off content signatures for all regular files in the file list. This option can be used to improve performance, or you can use this option if the contents of the file list are expected to change, as in the case of system log files.
control manifest is an optional control filename.
Alternatively, to create a manifest of every file installed on the system, you can issue the bart create command without any options. Here's an example:
# bart create ! Version 1.0 ! Monday, July 12, 2004 (08:45:40) # Format: #fname D size mode acl dirmtime uid gid #fname P size mode acl mtime uid gid #fname S size mode acl mtime uid gid #fname F size mode acl mtime uid gid contents #fname L size mode acl lnmtime uid gid dest #fname B size mode acl mtime uid gid devnode #fname C size mode acl mtime uid gid devnode . . snipped for brevity . ./var/tmp/.solaris_shellsap F 0 100600 user::rw-,group::---,mask:---,other:--- 40 eb072e 0 0 d41d8cd98f00b204e9800998ecf8427e /var/tmp/.solaris_userhomedirectory F 0 100600 user::rw-,group::---,mask:---,oth er:--- 40eb072b 0 0 d41d8cd98f00b204e9800998ecf8427e /var/tmp/dict_cache45461.tmp F 12288 100644 user::rw-,group::r--,mask:r--,other: r-- 40a3a5c5 0 1 9357c0d4c7d0763b6f3d17d5a779972d . . snipped for brevity . . /var/yp/Makefile F 18686 100555 user::r-x,group::r-x,mask:r-x,other:r-x 40a11aa5 0 2 b86f622e26dfb736a97476f7ffbae670 /var/yp/aliases F 153 100555 user::r-x,group::r-x,mask:r-x,other:r-x 40a11406 0 2 1c1060af6f4c66ccadc8fd77134f2fd7 /var/yp/nicknames F 226 100644 user::rw-,group::r--,mask:r--,other:r-- 40a114060 2 034820835249426d8982612207ed5539 /var/yp/updaters F 870 100500 user::r-x,group::---,mask:---,other:--- 403eb163 0 2 4430ce4a2aaf0fe668df60e0b615bce4
Every line in the manifest is a file entry. Lines that start with an exclamation (!) indicate metadata, and those with a pound sign (#) indicate comments and are ignored during comparisons. Following are the manifest file types you should know for the exam:
Type F for file.
Type D for directory.
Also, each line in the manifest contains the following types of information:
Size
Content
User ID
Group ID
Permissions
Another common BART manifest example that you should know for the exam is how to create a manifest about specific files only. To do so, let's say for the /etc/ passwd file, simply issue the bart create -I /etc/passwd command, as shown here:
# bart create -I /etc/passwd ! Version 1.0 ! Monday, July 12, 2004 (08:54:27) # Format: #fname D size mode acl dirmtime uid gid #fname P size mode acl mtime uid gid #fname S size mode acl mtime uid gid #fname F size mode acl mtime uid gid contents #fname L size mode acl lnmtime uid gid dest #fname B size mode acl mtime uid gid devnode #fname C size mode acl mtime uid gid devnode /etc/passwd F 730 100644 user::rw-,group::r--,mask:r--,other:r-- 40eb074e 0 3 10 b15c4f69b25fce6f3b4f4aa9116a07
Note that you can create a manifest of more than one file simply by separating the file names with a space—the following is an example:
bart create -I /etc/passwd /etc/shadow
Perhaps the most useful feature of BART is to compare manifests over time to monitor file-level changes. By doing so, you can verify the integrity of files and detect corrupt files and security breaches, all of which help troubleshoot the system.
Following are Sun's recommended steps for comparing manifests:
Assume the Primary Administrator role, or become superuser.
Create a control manifest of all files or specific files you wish to monitor.
Create a test manifest that is prepared identically to the control manifest whenever you want to monitor changes to the system:
bart create -R /etc > test-manifest
Compare the control manifest with the new comparison manifest:
bart compare options control-manifest compare-manifest > bart-report
where
-r is the name of the rules file for this comparison. Using the -r option with the - means that the directives will be read from standard input.
-i allows the user to set global IGNORE directives from the command line.
-p is the programmatic mode that generates standard nonlocalized output for programmatic parsing.
control-manifest is the output from the bart create command for the control system or control manifest on the same system.
compare-manifest is the output from the bart create command of the new system or the comparison manifest on the same system.
Examine the BART report for file-level changes and oddities.
Here are some of the key points from the certification objectives in Chapter 6.
Device policy is enabled by default and enforced in the kernel to restrict and prevent access to devices that are integral to the system. Device allocation is not enabled by default and is enforced during user allocation time to require user authorization to access peripheral devices.
To view device policies for all devices or specific ones, use the getdevpolicy command.
To modify or remove device policies for a specific device, use the update_drv -a -p policy device-driver command; where policy is the device policy or policies (separated by a space) for device-driver, which is the device driver whose device policy you wish to modify or remove.
The AUE_MODDEVPLCY audit event is part of the as audit class by default, which is used to audit changes in device policy. To audit device policies, you'll need to add the as class to the audit_control file flags argument.
Run the bsmconv script to enable the auditing service, which also enables device allocation.
The ot audit class is used to audit device allocation. To audit allocatable devices, you'll need to add the ot class to the audit_control file flags argument.
Users with the appropriate rights and authorization can allocate and deallocate devices. The authorization required to allocate a device is solaris.device .allocate. The authorization required to allocate or deallocate a device forcibly is solaris.device.revoke.
Users with the appropriate rights and authorization can allocate a device by issuing the allocate device-name command and deallocate a device by issuing the deallocate device-name command.
The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully, because there might be more than one correct answer. Choose all correct answers for each question.
Which of the following commands would you issue to view device policies for all devices or just for specific devices?
| ||
Which of the following can be used to restrict and prevent access to devices integral to the system?
| ||
Which of the following can be used to report file-level changes that have occurred on the system?
| ||
Which of the following can be used to control access to devices on a Solaris system?
| ||
What command would you execute to verify that you have the appropriate rights to deallocate a device forcibly?
| ||
Which of the following can be used to control access to files on a Solaris system?
| ||
Users with the appropriate rights and authorization can allocate and deallocate devices. Which of these authorizations is required to allocate a device forcibly?
| ||
Which of the following can be used to restrict and prevent access to peripheral devices?
|
Answers
þ B. To view device policies for all devices or specific ones, you would use the getdevpolicy command. ý A is wrong because list_devices is used to display information about allocatable devices. C is wrong because a user with the appropriate rights and authorization can allocate a device by issuing the allocate device-name command. |
|
þ B and E. Device policy is a default kernel-level mechanism that restricts and prevents access to devices integral to the system by mandating that processes that open such a device require certain privileges such as reading and writing. To modify or update a device policy for a specific device to restrict or prevent access, you would use the update_drv -a -p policy device-driver command. ý A is wrong because the AUE_MODDEVPLCY audit event is part of the as audit class by default and is used to audit changes in device policy. C is incorrect because the bsmconv script is used to enable the auditing service, which also enables device allocation. D is wrong because device allocation is enforced during user allocation to require user authorization in order to access a peripheral device such as a CD-ROM or printer. |
|
þ D. The Basic Audit Reporting Tool (BART) is used to check the integrity of files by reporting file-level changes that have occurred on the system. ý A is wrong because access control lists (ACLs) are used to control access to files. B and C are wrong because device policy and device allocation are used to control access to devices. |
|
þ B and C. Controlling access to devices on a Solaris operating system is accomplished by two mechanisms: device policy and device allocation. Device policy is a default kernel-level mechanism that restricts and prevents access to devices integral to the system by mandating that processes that open such a device require certain privileges such as reading and writing. Device allocation, which is not enabled by default, is enforced during user allocation to require user authorization in order to access a peripheral device. ý A is wrong because access control lists (ACLs) are used to control access to files. D is incorrect because the Basic Audit Reporting Tool (BART) is used to check the integrity of files. |
|
þ A. To verify that you have the appropriate rights to forcibly deallocate a device (for example, solaris.device.revoke), you can issue the auths command. ý The remaining choices are irrelevant. |
|
þ A. Access control lists (ACLs) are used to control access to files. ý B and C are wrong because device policy and device allocation are used to control access to devices. D is incorrect because the Basic Audit Reporting Tool (BART) is used to check the integrity of files. |
|
þ B. The authorization required to allocate or deallocate a device forcibly is solaris .device.revoke. ý A is wrong because solaris.device.allocate is the authorization required to allocate a device. |
|
þ C and D. The bsmconv script is used to enable the auditing service, which also enables device allocation. Device allocation is enforced during user allocation to require user authorization to access a peripheral device such as a CD-ROM or printer. ý A is wrong because the AUE_MODDEVPLCY audit event is part of the as audit class by default and is used to audit changes in device policy. B is incorrect because device policy is a default kernel-level mechanism that restricts and prevents access to devices integral to the system. E is wrong because to modify or update a device policy for a specific device to restrict or prevent access, you would use the update_drv -a -p policy device-driver command. |
By comparing BART manifests over time, which of these can you accomplish?
| ||
Which of the following can be used to check the integrity of the system's files?
| ||
You can create a manifest of more than one file by separating the filenames with a comma.
| ||
Which of these types of information are commonly found in a BART manifest?
|
Answers
þ E. The most useful feature of BART is its ability to compare manifests over time to monitor file-level changes. By doing this, you can verify the integrity of files and detect corrupt files and security breaches, all of which help troubleshoot the system. |
|
þ D. The Basic Audit Reporting Tool (BART) is used to check the integrity of files. ý A is wrong because access control lists (ACLs) are used to control access to files. B and C are wrong because device policy and device allocation are used to control access to devices. |
|
þ B. False. You can create a manifest of more than one file by separating the filenames with a space. |
|
þ F. Each line in a BART manifest contains the following types of file information: size, content, user ID, group ID, and permissions. |
Your favorite customer, ABCD Inc., called you in to enable device allocation, report the device allocation for tape drive(1) and the CD-ROM, and use BART to create a control manifest of every file installed on the system. What steps would you perform to provide the requested services? |
Answers
The first task that ABCD Inc. hired you to perform is to enable device allocation. To do so, you must assume superuser or the Primary Administrator role and run the bsmconv script located in /etc/security with the ./bsmconv command. This script is used to enable the Basic Security Module (BSM), which starts the auditing subsystem:
The next task is to report the device allocation for tape drive(1) and the CD-ROM. To view allocation information about a device, you must assume superuser or a role that has Device Security rights. At that point, to display information about allocatable devices use the list_devices device-name command; therefore, you would issue these commands to report the device allocation for tape drive(1) and the CD-ROM: list_devices st1 and list_devices sr0 Remember that device-name can be audio (for microphone and speakers), fd(n) (for diskette drive), sr(n) (for CD-ROM drive), and st(n) (for tape drive). The (n) specifies the number of the device. The final task you need to perform is to use BART to create a control manifest of every file installed on the system. Creating a manifest with BART is accomplished by issuing this command: bart create options > control-manifest where options can be as follows:
Therefore, to create a manifest of every file installed on the system, you would issue the bart create command without any options. |