Wednesday, March 28, 2007

Changing a disk label (EFI / SMI)

I had inserted a drive into a V440 and after running devfsadm, I ran format on the disk. I was presented with the following partition table:

partition> p
Current partition table (original):
Total disk sectors available: 143358320 + 16384 (reserved sectors)

Part      Tag    Flag     First Sector         Size         Last Sector
  0        usr    wm                34       68.36GB          143358320
  1 unassigned    wm                 0             0                  0
  2 unassigned    wm                 0             0                  0
  3 unassigned    wm                 0             0                  0
  4 unassigned    wm                 0             0                  0
  5 unassigned    wm                 0             0                  0
  6 unassigned    wm                 0             0                  0
  8   reserved    wm         143358321        8.00MB          143374704

This disk had been used in a ZFS pool and, as a result, carries an EFI label. The more familiar label is the SMI (VTOC) label: 8 slices numbered 0-7, with slice 2 conventionally covering the whole disk. The EFI label supports LUNs over 1 TB in size and prevents overlapping partitions by providing a whole-disk device, cxtydz, rather than relying on cxtydzs2; note that the EFI table above shows no slice 7 and an extra reserved partition 8, which format manages for you.

However, I want to use this disk for UFS partitions, so I need to put an SMI label back on the device. Before doing so, make sure the disk is no longer part of an imported pool (check zpool status, then zpool export or zpool destroy as appropriate): the warning format prints below refers to the partition table only, not to the data on the disk, which is left in place. The label-type prompt is only offered in expert mode, hence format -e. Here's how it's done:

# format -e
...
partition> label
[0] SMI Label
[1] EFI Label
Specify Label type[1]: 0
Warning: This disk has an EFI label. Changing to SMI label will erase all
current partitions.
Continue? y
Auto configuration via format.dat[no]?
Auto configuration via generic SCSI-2[no]?
partition> q
...
format> q
#

Running format again shows that the SMI label is back on the disk. The slices it now shows (root, swap, usr) are the defaults format chose during auto configuration; adjust them to suit before running newfs on any of them:

partition> p
Current partition table (original):
Total disk cylinders available: 14087 + 2 (reserved cylinders)

Part      Tag    Flag     Cylinders         Size            Blocks
  0       root    wm       0 -    25      129.19MB    (26/0/0)       264576
  1       swap    wu      26 -    51      129.19MB    (26/0/0)       264576
  2     backup    wu       0 - 14086       68.35GB    (14087/0/0) 143349312
  3 unassigned    wm       0                0         (0/0/0)             0
  4 unassigned    wm       0                0         (0/0/0)             0
  5 unassigned    wm       0                0         (0/0/0)             0
  6        usr    wm      52 - 14086       68.10GB    (14035/0/0) 142820160
  7 unassigned    wm       0                0         (0/0/0)             0

partition>

Links:
- Comparison of the EFI label and the VTOC label (Solaris 9)
- format(1M)

Monday, March 12, 2007

BART system auditing


BART Overview
BART is Sun's Basic Audit Reporting Tool. It performs a file-level check of the software contents of a system: bart create walks the file system and writes a manifest recording, for each file, its type, size, mode, ACL, owner, modification time and (for regular files) an MD5 checksum of the contents; bart compare reports the differences between two such manifests. You can specify the files to track and the types of discrepancies to flag by means of a rules file, whose grammar is described in bart_rules(4).

Other Documentation
man pages
        •        bart(1M)
        •        bart_rules(4)
        •        bart_manifest(4)

websites
        •        Ben Rockwood - Basic Auditing - http://www.cuddletech.com/blog/pivot/entry.php?id=259
        •        Learning Solaris - BART Lab - http://learningsolaris.com/archives/2005/03/08/lab-the-bart/

Implementation
The implementation of BART described here is intended to catch file changes in the global zone and in non-global zones. A centralized host runs an auditing script every 15 minutes; if any discrepancies are found, an email detailing them is sent. Keep in mind that each manifest is generated on the host being audited, so this setup detects changes made on a host but cannot be trusted if that host's kernel or bart binary has itself been tampered with. Keeping the baseline manifests and the comparison on the central host means an audited host cannot simply rewrite its own baseline, as long as the clients cannot write to the central host's copy.

audit.sh
This auditing script logs into each host over ssh and captures the current state of the files and directories named in that host's rule file.
Next, the script compares the result with the manifest saved by the previous audit.
If any discrepancies are found, the script sends an email with the details.
The new manifest then becomes the baseline for the next comparison, and the previous baseline is backed up.
Five previous states plus the latest known state are kept for every server being checked.

Profiles
To allow the BART user to examine protected files, the user needs to be granted some privileges. Specifically, the BART user needs the file_dac_read and file_dac_search privileges. file_dac_read allows a process to read files or directories whose permission bits or ACL would otherwise deny it read access; file_dac_search allows a process to search (traverse) directories it would otherwise not be able to search. These two are the minimum needed to checksum files such as /etc/shadow without running bart as root. Note that a bart run carrying them can read every file it is pointed at, which is why the account is confined to a forced command (see Accounts).

To create this profile, add the following entries on the centralized host and on each remote host. The exec_attr(4) line ties the privileges to /usr/bin/bart when it is run from a profile shell (fields: name:policy:type:res1:res2:id:attr); the prof_attr(4) line defines the profile itself (fields: name:res1:res2:description:attr):
/etc/security/exec_attr
File Integrity:solaris:cmd:::/usr/bin/bart:privs=file_dac_read,file_dac_search

/etc/security/prof_attr
File Integrity:::File Integrity Management:

The profile is then available to the BART user. To assign it to the BART user, see the next section on Accounts.

Accounts
The auditing script executes as bartadm. This account must exist on the centralized host as well as on each remote host and has the following properties:
        •        Home directory - /home/bartadm (this directory is shared via NFS and is automounted on client machines)
        •        Shell - /bin/pfsh (the profile shell). This matters for the SSH forced command below: sshd runs a forced command through the user's login shell, and pfsh looks the command up in exec_attr, so /usr/bin/bart runs with the privileges granted by the File Integrity profile.
        •        Profiles - File Integrity
        /etc/user_attr
        bartadm::::type=normal;profiles=File Integrity
        •        SSH
        ⁃        Key pair generated on the centralized host; its public key is installed on each remote host
        ⁃        Remote host has the following in the /home/bartadm/.ssh/authorized_keys file:
        ⁃        command="/usr/bin/bart create -r -" ssh-dss SSH_KEY bartadm@HOST
        ⁃        The command= option forces every login with this key to run bart create on the remote host (which generates a new manifest for that host) and disconnects bartadm when the command finishes, whatever command the client asked for. Adding no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding to the same options field restricts the key further, so that it can only ever be used to produce a manifest.
        ⁃        The '-r -' part of the command makes bart read its rules from standard input, that is, from whatever the centralized host sends over the SSH session. The rules follow the grammar defined in bart_rules(4) and determine which files and directories BART inspects and which attributes it records.

Rule files
Each remote host has a rule file stored on the centralized host. The rule file is configured for the specific needs of the remote host. The rule files are named client_rules.HOST where HOST is the name of the remote host.

Other files / directories
The home directory of bartadm (/home/bartadm) lives on the centralized host and is shared via NFS. It contains the following subdirectories:
        •        ~/bin - contains audit.sh
        •        ~/etc - contains the rule files
        •        ~/manifests - contains a subdirectory for each remote host. If a remote host has a subdirectory here, audit.sh will attempt to audit it.
        •        ~/tmp - a temporary work directory for audit.sh
Since this directory is exported to every client, anything running with the bartadm uid on a client can read the manifests and, unless the export is read-only, alter audit.sh, the rule files and the baselines that the centralized host trusts. The clients only need ~/.ssh/authorized_keys, so export the share read-only to them, or keep ~/bin, ~/etc and ~/manifests outside the exported tree.
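
Putting the pieces above together, here is an added example of one audit cycle in the shape the post describes (fetch a manifest through the forced command, compare, mail, rotate), written in POSIX sh. It is not the post's own audit.sh, which is not shown. Assumed rather than taken from the post: the baseline is stored as manifests/HOST/manifest with earlier states as manifest.1 (newest) to manifest.5 (oldest), reports go out with mailx(1) to a MAIL_TO address, and the tool paths are variables so the cycle can be exercised against stubs. The output of bart compare is used as the signal for discrepancies, since it prints one entry per difference and nothing when the two manifests agree; an exit status above 1 is treated as a fatal error, as bart(1M) documents.

```shell
#!/bin/sh
# Example BART audit cycle (added example; not the audit.sh from the post).
# Layout from the post: ~/etc/client_rules.HOST, ~/manifests/HOST/, ~/tmp.
# Assumed: baseline at manifests/HOST/manifest, history manifest.1..KEEP,
# reports delivered with mailx. Tool paths are variables so tests can stub them.

BART_HOME=${BART_HOME:-/home/bartadm}
KEEP=${KEEP:-5}                        # previous states kept per host (post: 5)
MAIL_TO=${MAIL_TO:-root}               # recipient of discrepancy reports (assumed)
SSH=${SSH:-/bin/ssh}
BART=${BART:-/usr/bin/bart}
MAILER=${MAILER:-/usr/bin/mailx}

# rotate_manifests DIR: drop manifest.KEEP, shift manifest.N to manifest.N+1,
# then park the current baseline as manifest.1.
rotate_manifests() {
    dir=$1
    i=$KEEP
    rm -f "$dir/manifest.$i"
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        [ -f "$dir/manifest.$prev" ] && mv "$dir/manifest.$prev" "$dir/manifest.$i"
        i=$prev
    done
    [ -f "$dir/manifest" ] && mv "$dir/manifest" "$dir/manifest.1"
    return 0
}

# fetch_manifest HOST OUT: the key's forced command on HOST is
# "bart create -r -", so the rules file is sent on stdin and the manifest
# arrives on stdout. -T: no pty, as nothing interactive ever runs.
fetch_manifest() {
    "$SSH" -T "$1" < "$BART_HOME/etc/client_rules.$1" > "$2"
}

# audit_host HOST. Returns 0 = unchanged (or first baseline taken),
# 1 = discrepancies found and mailed, 2 = no manifest could be fetched,
# 3 = bart compare failed. On 2 or 3 the old baseline is left untouched, so a
# host that stops answering is never silently recorded as "no change".
audit_host() {
    host=$1
    dir=$BART_HOME/manifests/$host
    rules=$BART_HOME/etc/client_rules.$host
    new=$BART_HOME/tmp/manifest.$host.$$
    report=$BART_HOME/tmp/report.$host.$$
    if ! fetch_manifest "$host" "$new" || [ ! -s "$new" ]; then
        rm -f "$new"
        return 2
    fi
    if [ ! -f "$dir/manifest" ]; then     # first audit: establish the baseline
        mv "$new" "$dir/manifest"
        return 0
    fi
    # bart compare prints one entry per discrepancy and nothing when the two
    # manifests agree; exit status > 1 is a fatal error (bart(1M)).
    if "$BART" compare -r "$rules" "$dir/manifest" "$new" > "$report"; then
        rc=0
    else
        rc=$?
    fi
    if [ "$rc" -gt 1 ]; then
        rm -f "$new" "$report"
        return 3
    fi
    status=0
    if [ -s "$report" ]; then
        "$MAILER" -s "BART: discrepancies on $host" "$MAIL_TO" < "$report"
        status=1
    fi
    rotate_manifests "$dir"               # keep the old baseline for forensics
    mv "$new" "$dir/manifest"             # the new state is the next baseline
    rm -f "$report"
    return $status
}

# audit_all: every directory under ~/manifests names a host to audit.
audit_all() {
    for d in "$BART_HOME"/manifests/*/; do
        [ -d "$d" ] || continue
        audit_host "$(basename "$d")"
    done
}

# Entry point for cron on the centralized host, e.g. (assumed crontab line):
#   */15 * * * * /home/bartadm/bin/audit.sh run
if [ "${1:-}" = run ]; then
    audit_all
fi
```

Because a failed fetch or a failed compare never touches the baseline, a host that goes quiet (or a rules file that stops parsing) keeps showing up as a non-zero return from audit_host rather than being quietly accepted; cron will mail the script's output, so let those cases print something before returning.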

Processes
Adding hosts to BART
        1.        Create the File Integrity profile on the remote host
        ⁃        Create the entry in /etc/security/exec_attr
        ⁃        Create the entry in /etc/security/prof_attr
        2.        Create the bartadm user on the remote host
        ⁃        Create the entry in /etc/passwd, /etc/shadow, and /etc/group (or use groupadd / useradd)
        ⁃        Create the entry in /etc/user_attr
        3.        Create a client_rules.HOST file on the centralized host in /home/bartadm/etc, where HOST is the name of the remote host
        4.        Create a directory named HOST on the centralized host in /home/bartadm/manifests, where HOST is the name of the remote host
        5.         Run the following as bartadm on the centralized host, substituting the name of the remote host for HOST, to take the first baseline manifest (the rules file travels to the forced command on stdin and the manifest comes back on stdout; -T suppresses pty allocation):
        cat /home/bartadm/etc/client_rules.HOST | /bin/ssh -T HOST > /home/bartadm/manifests/HOST/manifest
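
The five steps above, as an added example in POSIX sh (not a script from the post): idempotent helpers for the RBAC entries on the remote host and for the centralized host's files for a new client. Assumed, and not in the post: the append_once helper that avoids duplicate entries when a host is enrolled twice, the extra authorized_keys restrictions beyond the forced command, and a seed rules file that is written only when none exists. Account creation itself (useradd with /bin/pfsh as the shell) and step 5, the first manifest, are done as described above.

```shell
#!/bin/sh
# Enrolment helpers for a new BART client (added example; not a script from
# the post). ETC and BART_HOME default to the real locations but can be
# pointed at a scratch directory to try the functions out safely.

ETC=${ETC:-/etc}
BART_HOME=${BART_HOME:-/home/bartadm}
PROFILE="File Integrity"

# append_once FILE LINE: add LINE unless FILE already holds exactly that line,
# so re-running enrolment never duplicates RBAC entries.
append_once() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# create_profile (step 1, as root on the remote host).
# exec_attr fields: name:policy:type:res1:res2:id:attr
# prof_attr fields: name:res1:res2:description:attr
create_profile() {
    append_once "$ETC/security/exec_attr" \
        "$PROFILE:solaris:cmd:::/usr/bin/bart:privs=file_dac_read,file_dac_search"
    append_once "$ETC/security/prof_attr" "$PROFILE:::File Integrity Management:"
}

# assign_profile USER (step 2, after the account exists with /bin/pfsh as its
# shell). user_attr fields: user:qualifier:res1:res2:attr
assign_profile() {
    append_once "$ETC/user_attr" "$1::::type=normal;profiles=$PROFILE"
}

# install_forced_key HOMEDIR PUBKEY: the forced command limits the key to
# producing a manifest; the no-* options (added here, not in the post) stop it
# from being used for a shell, tunnels or agent forwarding.
install_forced_key() {
    mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh"
    append_once "$1/.ssh/authorized_keys" \
        "command=\"/usr/bin/bart create -r -\",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding $2"
    chmod 600 "$1/.ssh/authorized_keys"
}

# prepare_central HOST (steps 3 and 4, as bartadm on the centralized host).
# Seeds a starting rules file in bart_rules(4) grammar only if none exists,
# so a tuned rules file is never overwritten: global CHECK/IGNORE lines come
# first, then one block per subtree, where "!" patterns exclude names.
prepare_central() {
    mkdir -p "$BART_HOME/manifests/$1"
    rules=$BART_HOME/etc/client_rules.$1
    [ -f "$rules" ] && return 0
    cat > "$rules" <<'EOF'
CHECK all
IGNORE dirmtime

/etc
!*.log
CHECK all

/usr/bin
CHECK contents mode uid gid

/var/log
IGNORE contents mtime size
EOF
}

# enrol_remote USER: everything the remote side needs once the account exists.
enrol_remote() {
    create_profile && assign_profile "$1"
}
```

Run enrol_remote bartadm as root on the remote host, install_forced_key on whichever copy of the home directory the remote sshd reads, and prepare_central HOST as bartadm on the centralized host; all three can be repeated without side effects, which keeps a configuration-management run from piling up duplicate exec_attr or user_attr lines.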

Removing hosts from BART
        1.        Remove the directory named HOST on the centralized host in /home/bartadm/manifests, where HOST is the name of the remote host
        2.        Remove the file named client_rules.HOST on the centralized host in /home/bartadm/etc, where HOST is the name of the remote host
        3.        If applicable:
        ⁃        Remove the File Integrity profile on the remote host
        ⁃        Remove the bartadm user and group from the remote host