BART system auditing
BART Overview
BART is Sun's Basic Audit Reporting Tool. It performs a file-level check of the software contents of a system. You can also specify the files to track and the types of discrepancies to flag by means of a rules file (see bart_rules(4)).
Other Documentation
man pages
• bart(1M)
• bart_rules(4)
• bart_manifest(4)
websites
• Ben Rockwood - Basic Auditing - http://www.cuddletech.com/blog/pivot/entry.php?id=259
• Learning Solaris - BART Lab - http://learningsolaris.com/archives/2005/03/08/lab-the-bart/
Implementation
The implementation of BART is intended to examine file changes in the global zone and in non-global zones. A centralized host runs an auditing script every 15 minutes. If any discrepancies are found, an email goes out detailing them.
audit.sh
This auditing script remotely logs into hosts over ssh and audits the current state of files and directories from a pre-configured list.
Next, the script compares the results of the audit to the results of the last audit.
If any discrepancies are found, the script sends an email with the details of the discrepancies.
In addition, the new state is saved as the baseline for the next comparison, and the previous state is backed up.
For every server being checked, the 5 previous states are kept alongside the latest known state.
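A minimal audit.sh along the lines described above, added here as an example (it is not the page's own script). It follows the page's layout under /home/bartadm and feeds each host's rule file to the forced `bart create -r -` over ssh; the MAILTO address, the manifest.1 (newest) to manifest.5 (oldest) names for the five kept states, and the `run` argument used from cron are this example's assumptions.

```shell
#!/bin/sh
# Added example of audit.sh (not the page's script). Layout per the page:
# ~/etc/client_rules.HOST, ~/manifests/HOST/, ~/tmp. Assumed here: MAILTO,
# the manifest.1 (newest) .. manifest.5 (oldest) names, and the "run" argument.
BART_HOME=${BART_HOME:-/home/bartadm}
MAILTO=${MAILTO:-root}
KEEP=5

# list_hosts: every subdirectory of ~/manifests is a host to audit.
list_hosts() {
    for d in "$BART_HOME"/manifests/*/; do
        [ -d "$d" ] && basename "$d"
    done
    return 0
}

# fetch_manifest HOST: the forced command in authorized_keys runs
# "bart create -r -" on HOST, so the only input that matters is the rule
# file on stdin; the manifest comes back on stdout.
fetch_manifest() {
    /bin/ssh -T "$1" < "$BART_HOME/etc/client_rules.$1"
}

# rotate_states DIR: shift manifest.4 -> manifest.5 ... manifest -> manifest.1,
# dropping the oldest, so KEEP previous states survive beside the baseline.
rotate_states() {
    dir=$1 i=$KEEP
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        [ -f "$dir/manifest.$prev" ] && mv "$dir/manifest.$prev" "$dir/manifest.$i"
        i=$prev
    done
    [ -f "$dir/manifest" ] && mv "$dir/manifest" "$dir/manifest.1"
    return 0
}

# audit_host HOST: pull a fresh manifest, compare it with the baseline,
# mail any discrepancies, then make the fresh manifest the new baseline.
audit_host() {
    host=$1
    dir=$BART_HOME/manifests/$host
    rules=$BART_HOME/etc/client_rules.$host
    new=$BART_HOME/tmp/manifest.$host.$$
    if ! fetch_manifest "$host" > "$new"; then
        echo "audit.sh: $host: could not fetch manifest" >&2
        rm -f "$new"
        return 1
    fi
    if [ -f "$dir/manifest" ]; then
        # bart compare exits 0 when the manifests agree, 1 on discrepancies,
        # >1 on error; the rule file keeps the comparison scoped like the scan.
        status=0
        report=$(/usr/bin/bart compare -r "$rules" "$dir/manifest" "$new" 2>&1) || status=$?
        case $status in
            0) ;;
            1) printf '%s\n' "$report" | mailx -s "BART: discrepancies on $host" "$MAILTO" ;;
            *) echo "audit.sh: $host: bart compare failed: $report" >&2; rm -f "$new"; return 1 ;;
        esac
    fi
    rotate_states "$dir"
    mv "$new" "$dir/manifest"
}

# audit_all: audit every host; a failure on one host does not stop the others.
audit_all() {
    rc=0
    for host in $(list_hosts); do
        audit_host "$host" || rc=1
    done
    return $rc
}

# crontab for bartadm on the central host (assumed invocation):
#   0,15,30,45 * * * * /home/bartadm/bin/audit.sh run
if [ "${1:-}" = run ]; then
    audit_all
fi
```

Note that the new manifest only replaces the baseline after the comparison has run, so a failed ssh or a broken `bart compare` leaves the previous baseline in place rather than quietly accepting an unverified state.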
Profiles
To allow the BART user to examine secured files, the user needs to be granted some privileges. Specifically, the BART user needs the file_dac_read and file_dac_search privileges. file_dac_read allows the user to read files or directories that they usually would not be able to read. file_dac_search allows the user to search directories that they usually would not be able to search. The exec_attr entry below grants these privileges to /usr/bin/bart only, and only when bart is started from a profile shell such as pfsh (which is why the account's shell is /bin/pfsh; a plain /bin/sh would run bart without them).
To create this profile, you need to add the following entries on the centralized host and on each remote host:
/etc/security/exec_attr
File Integrity:solaris:cmd:::/usr/bin/bart:privs=file_dac_read,file_dac_search
/etc/security/prof_attr
File Integrity:::File Integrity Management:
The profile is then available for use by the BART user. To add the BART user to the profile, see the next section on Accounts.
Accounts
The auditing script executes as bartadm. This account must be created on the centralized host as well as the remote host and has the following properties:
• Home directory - /home/bartadm (This directory is shared via NFS and is automounted on client machines)
• Shell - /bin/pfsh (profile shell)
• Profiles - File Integrity
/etc/user_attr
bartadm::::type=normal;profiles=File Integrity
• SSH
⁃ Shared key from centralized host to remote host
⁃ Remote host has the following in the /home/bartadm/.ssh/authorized_keys file:
⁃ command="/usr/bin/bart create -r -" ssh-dss SSH_KEY bartadm@HOST
⁃ The command= option at the beginning of the SSH key forces every login with this key to run bart create on the remote host (which generates a new manifest for that remote host) and logs bartadm off the system after the command finishes; sshd runs the forced command through the account's login shell, /bin/pfsh, so the File Integrity privileges apply.
⁃ The '-r -' part of the command makes bart read its rule list from standard input. This list follows the grammar defined in bart_rules(4) and determines the files/directories BART will inspect as well as what type of data it will collect.
Rule files
Each remote host has a rule file stored on the centralized host. The rule file is configured for the specific needs of the remote host. The rule files are named client_rules.HOST where HOST is the name of the remote host.
Other files / directories
The home directory of bartadm (/home/bartadm) is on the centralized host shared via NFS. The directory contains the following subdirectories
• ~/bin - contains audit.sh
• ~/etc - contains the rule files
• ~/manifests - contains subdirectories for each remote host. If a remote host has a subdirectory here, audit.sh will attempt to audit it.
• ~/tmp - a temporary work directory for audit.sh
Processes
Adding hosts to BART
1. Create the File Integrity profile on the remote host
⁃ Create the entry in /etc/security/exec_attr
⁃ Create the entry in /etc/security/prof_attr
2. Create the bartadm user on the remote host
⁃ Create the entry in /etc/passwd, /etc/shadow, and /etc/group (or use groupadd / useradd)
⁃ Create the entry in /etc/user_attr
3. Create a client_rules.HOST file on the centralized host in /home/bartadm/etc, where HOST is the name of the remote host
4. Create a directory named HOST on the centralized host in /home/bartadm/manifests, where HOST is the name of the remote host
5. Run the following as bartadm on the centralized host to take the initial baseline, substituting HOST for the name of the remote host (the manifest goes into the directory created in step 4):
cat /home/bartadm/etc/client_rules.HOST | /bin/ssh -T HOST > /home/bartadm/manifests/HOST/manifest
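The five steps above as a script, added here as an example rather than the page's own tooling. Steps 1 and 2 are run on the remote host, steps 3 to 5 on the centralized host. The public-key file argument, the extra no-* options on the authorized_keys entry (this example's hardening of the page's forced command), and the contents of the starter rule file are assumptions; the RBAC entries, account properties and paths are the page's.

```shell
#!/bin/sh
# Added example (not the page's tooling): "Adding hosts to BART" as a script.
# Steps 1-2 run on the remote host, steps 3-5 on the central host. Assumed
# here: the public key path argument, the no-* authorized_keys options, and
# the contents of the starter rule file.
BART_HOME=${BART_HOME:-/home/bartadm}
PROFILE="File Integrity"

# append_once LINE FILE: add LINE unless already present, so re-running the
# script never duplicates RBAC entries or keys.
append_once() {
    line=$1 file=$2
    grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# Step 1: the File Integrity profile. exec_attr grants the two privileges to
# /usr/bin/bart only, and only when it is started from a profile shell.
install_profile() {
    append_once "$PROFILE:solaris:cmd:::/usr/bin/bart:privs=file_dac_read,file_dac_search" /etc/security/exec_attr
    append_once "$PROFILE:::File Integrity Management:" /etc/security/prof_attr
}

# Step 2: the account. No -m: the home directory is NFS-automounted from the
# central host. -P writes the profiles= entry in /etc/user_attr.
create_account() {
    getent group bartadm >/dev/null || groupadd bartadm
    getent passwd bartadm >/dev/null \
        || useradd -g bartadm -d "$BART_HOME" -s /bin/pfsh -P "$PROFILE" bartadm
}

# authorized_key_line PUBKEY_FILE HOST: the forced-command entry from the
# page, plus options (assumed) that refuse a pty and any forwarding; with the
# forced command the key cannot be used for anything but "bart create -r -".
authorized_key_line() {
    key=$(cut -d' ' -f1,2 "$1")
    printf 'command="/usr/bin/bart create -r -",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s bartadm@%s\n' "$key" "$2"
}

# Step 3: a starter client_rules.HOST in the bart_rules(4) grammar: global
# CHECK/IGNORE lines first, then each subtree followed by its own rules.
write_rules() {
    cat > "$BART_HOME/etc/client_rules.$1" <<'EOF'
# Global: record every attribute; directory mtimes churn with normal activity.
CHECK all
IGNORE dirmtime

# System binaries: everything, including the content checksum.
/usr/bin
CHECK all

# Configuration: contents, ownership and mode; a touch alone is noise.
/etc
IGNORE mtime

# Logs grow constantly: keep ownership and mode, drop size and content.
/var/adm
IGNORE contents size mtime
EOF
}

# Steps 3-5 on the central host. The home directory is the NFS share, so the
# authorized_keys written here is the one the remote host's sshd reads.
add_host() {
    host=$1 pubkey=$2
    write_rules "$host"
    mkdir -p "$BART_HOME/manifests/$host"
    append_once "$(authorized_key_line "$pubkey" "$host")" "$BART_HOME/.ssh/authorized_keys"
    /bin/ssh -T "$host" < "$BART_HOME/etc/client_rules.$host" \
        > "$BART_HOME/manifests/$host/manifest"
}
```

Usage: on the remote host run `install_profile` and `create_account` as root; on the centralized host run `add_host HOST /home/bartadm/.ssh/id_dsa.pub` as bartadm. Review the generated client_rules.HOST before the first baseline is taken, since the baseline is trusted from then on.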
Removing hosts from BART
1. Remove the directory named HOST on the centralized host in /home/bartadm/manifests, where HOST is the name of the remote host
2. Remove the file named client_rules.HOST on the centralized host in /home/bartadm/etc, where HOST is the name of the remote host
3. If applicable:
⁃ Remove the File Integrity profile on the remote host
⁃ Remove the bartadm user and group from the remote host