Why everyone should use bart (AKA do the Bart Man)
May 2008
If you are using Solaris 10, and you have not used bart yet, you should stop everything and take a look at it.
For those who don't know what bart is, it is the Basic Auditing and Reporting Tool that is in Solaris 10.
In a quick synopsis, bart will create a report that shows all files/directories on a Solaris machine. This report contains the permissions, owners, sizes, modify times and md5 hashes of all files on the system, along with ACLs if you are using ZFS.
So why is bart so important? First, it can be used as a security tool. When you install a new Solaris 10 system, the first thing you should do after you get it installed and patched, and before it is placed on the network, is run a bart on the system and save the report to a CD. This will be the "baseline" image of the system. Then every week/month you should run a bart against the machine again and then use the compare option to see what files have changed, been added or been deleted from the system. Where this comes in really handy is if you think that your machine has been hacked or compromised. You can use the comparison to determine which files may have been modified by the hacker.

But there is a non-security use for bart as well that is VERY useful. This use is one that I had not thought of until I needed it the other day. So what is this use? Resetting the permissions on files that were accidentally changed by an inexperienced UNIX person thinking that a "chmod -R 777 *" is the best way to fix their problems.
The first thing that came to my mind when I saw this happen was oh no, the machine had not even been backed up yet, and a day's worth of work would have been lost. Even if the machine had been backed up, do you realize how long it would take to restore a file system with 40,000+ files, just because the permissions were screwed up? (Note, the permissions on the various files were very different and even included some setuid and setgid files which were wiped out as well.)

So how did bart save the day? Luckily I had taken a bart of the machine before the work had begun on the file system. So after the chmod command was issued, I then took a bart of the file system again. I now could run a bart compare against the control and test manifests and see exactly what all had changed.

Once I had this output, I could then create a script to change the permissions of the files/directories back to the original values. All told, after I finished tweaking my script it took about 20 minutes to reset the permissions on all the files and directories.
So here is a quick start to getting your first bart manifest of your system:

1. Create a bart_rules file. If you do not create a rules file, your output will only have files and not directories listed in it. My simple bart_rules file looks like this:

/
CHECK all
/home
IGNORE all

I ignore the /home file system as in my case it was NFS mounted. In reality you would want to include all local file systems.
2. Create the bart manifest. I keep the rules file in /root/bart_rules, so I would run the command:

bart create -R / -r /root/bart_rules > /tmp/bart.output

This will create a bart manifest and output it to /tmp/bart.output. Looking at the first couple of lines of it looks like this:

unixwiz@sungeek:/home/unixwiz> head -20 /tmp/bart.out
! Version 1.0
! Saturday, May 17, 2008 (21:24:27)
# Format:
#fname D size mode acl dirmtime uid gid
#fname P size mode acl mtime uid gid
#fname S size mode acl mtime uid gid
#fname F size mode acl mtime uid gid contents
#fname L size mode acl lnmtime uid gid dest
#fname B size mode acl mtime uid gid devnode
#fname C size mode acl mtime uid gid devnode
/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 481d0e43 0 0
/.ICEauthority F 310 100600 user::rw-,group::---,mask:---,other:--- 44c581c2 0 0 3eb63faf448e8a2b2c1a7b2019a8bde3
/.Xauthority F 99 100600 user::rw-,group::---,mask:---,other:--- 44c560e0 0 0 5ffe2e5f4b6f73e662001f62f7cae4d3
/.bash_history F 649 100600 user::rw-,group::---,mask:---,other:--- 481d1109 0 0 9132e0e798d5d05644cafc90c2aa876a
/.dt D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 44c560e0 0 0
/.dt/appmanager D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 44c5534d 0 0
/.dt/help D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 44c5534d 0 0
/.dt/icons D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 44c5534d 0 0
/.dt/sessionlogs D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 44c5534c 0 0
/.dt/sessionlogs/sungeek_DISPLAY=:0 F 132 100644 user::rw-,group::r--,mask:r--,other:r-- 44c560e0 0 0 6d4e62fc972046a7a85fdb36a0ce21fd
The first part of the file, the part that begins with #fname, is a legend as to how each type of line is formed. So looking at the first actual line of the contents:

/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 481d0e43 0 0

We see that the fname is /, it is a directory, with a size of 1024. Its mode is 755 (the 40755 in the manifest is the directory type bits in front of the permission bits), the last modified time is the "481d0e43" (a hex epoch timestamp) and it is owned by uid 0 and gid 0.

Looking at a file in particular we see this:

/httpd/htdocs/index.html F 10 100644 user::rw-,group::r--,mask:r--,other:r-- 463d4f4b 0 0 b7a9369d4cc9f82ed707bce91ced8af8

In the above, we see that the file is 10 bytes, has permissions of 644 (100644 with the regular-file type bits) and is owned by root/root.
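As an added example (not code from the post or from bart itself), here is a parser for the manifest format shown above together with a control-versus-test diff that reports changed attributes per file the way bart compare -p does; the two sample manifests are constructed, and the add/delete wording for new or missing files is this example's own.

```python
# Added example (not the post's code): field names per entry type, taken from
# the "# Format:" legend at the top of every bart manifest.
FIELDS = {
    "D": ["size", "mode", "acl", "dirmtime", "uid", "gid"],
    "P": ["size", "mode", "acl", "mtime", "uid", "gid"],
    "S": ["size", "mode", "acl", "mtime", "uid", "gid"],
    "F": ["size", "mode", "acl", "mtime", "uid", "gid", "contents"],
    "L": ["size", "mode", "acl", "lnmtime", "uid", "gid", "dest"],
    "B": ["size", "mode", "acl", "mtime", "uid", "gid", "devnode"],
    "C": ["size", "mode", "acl", "mtime", "uid", "gid", "devnode"],
}

def parse_manifest(text):
    """Return {fname: {attr: value}}; '!' and '#' lines are header and legend."""
    entries = {}
    for line in text.splitlines():
        if not line or line[0] in "!#":
            continue
        fname, ftype, *values = line.split()
        entries[fname] = dict(zip(FIELDS[ftype], values), type=ftype)
    return entries

def compare(control, test, ignore=()):
    """Diff two parsed manifests; 'ignore' mirrors the -i option of bart compare."""
    report = []
    for fname in sorted(set(control) | set(test)):
        if fname not in test:
            report.append(f"{fname} delete")
        elif fname not in control:
            report.append(f"{fname} add")
        else:
            c, t = control[fname], test[fname]
            diff = "".join(f" {a} {c[a]} {t.get(a)}" for a in c if a not in ignore and c[a] != t.get(a))
            if diff:
                report.append(fname + diff)
    return report

# Constructed sample manifests modelled on the index.html entry above: the test
# manifest has been hit by "chmod -R 777 *", one edit and one new file.
CONTROL = """! Version 1.0
/httpd/htdocs D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 463d4f4b 0 0
/httpd/htdocs/index.html F 10 100644 user::rw-,group::r--,mask:r--,other:r-- 463d4f4b 0 0 b7a9369d4cc9f82ed707bce91ced8af8
"""
TEST = """! Version 1.0
/httpd/htdocs D 512 40777 user::rwx,group::rwx,mask:rwx,other:rwx 482f8b89 0 0
/httpd/htdocs/index.html F 26 100777 user::rwx,group::rwx,mask:rwx,other:rwx 482f8b89 0 0 1567caf683e3859cb5da7335c35438f7
/httpd/htdocs/new.html F 5 100777 user::rwx,group::rwx,mask:rwx,other:rwx 482f8b90 0 0 0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    ignored = ("size", "mtime", "dirmtime", "contents")
    print("\n".join(compare(parse_manifest(CONTROL), parse_manifest(TEST), ignored)))
```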
Now suppose that I for some reason by accident was in the /httpd/htdocs directory and did a chmod -R 777 *. Since I had my control manifest, I would then run another bart and then use the compare option. What I would get is something like this:

# bart compare /tmp/bart.output /tmp/bart.output2
/httpd/htdocs/index.html:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx

Here we can see that the permissions have changed from 644 to 777. But the output is not really easy to parse with a script. So we need to use the "-p" option on the bart compare:

# bart compare -p /tmp/bart.output /tmp/bart.output2
/httpd/htdocs/index.html mode 100644 100777 acl user::rw-,group::r--,mask:r--,other:r-- user::rwx,group::rwx,mask:rwx,other:rwx
In the above, since the only thing that was changed was the mode, that is the only thing that is listed. Here are some other examples:

/var/samba/locks/browse.dat mtime 482f8544 482f8800
/var/samba/locks/unexpected.tdb contents 7c3404e9622749702e3df56caf26fe72 72983947ada3260a236394a51aef0d31

The first line shows that the modify time of browse.dat changed, but nothing else. The second line shows that unexpected.tdb had its contents change. This can be seen by the 2 different hashes.

Here is another example of the index.html file above, after it had been edited:

bash-3.00# bart compare /tmp/bart.out /tmp/bart.out3
/httpd/htdocs/index.html:
  size  control:10  test:26
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
  mtime  control:463d4f4b  test:482f8b89
  contents  control:b7a9369d4cc9f82ed707bce91ced8af8  test:1567caf683e3859cb5da7335c35438f7

Once again this is in the "human" readable format; the "machine" readable looks like:

bash-3.00# bart compare -p /tmp/bart.out /tmp/bart.out3
/httpd/htdocs/index.html size 10 26 mode 100644 100777 acl user::rw-,group::r--,mask:r--,other:r-- user::rwx,group::rwx,mask:rwx,other:rwx mtime 463d4f4b 482f8b89 contents b7a9369d4cc9f82ed707bce91ced8af8 1567caf683e3859cb5da7335c35438f7

(The above is actually all on one line.)
Once you have the output of the bart after the "oops", you will need to run the bart compare with options to ignore some items. Since I am only interested in the mode, the size, mtime and contents can be ignored. I used the following:

bash-3.00# bart compare -i size,mtime,contents,uid,gid -p /tmp/bart.out /tmp/bart.out2

This only shows files that have had their mode changed:

bash-3.00# bart compare -i size,mtime,contents,uid,gid -p /tmp/bart.out /tmp/bart.out2
/httpd/htdocs/index.html mode 100644 100777 acl user::rw-,group::r--,mask:r--,other:r-- user::rwx,group::rwx,mask:rwx,other:rwx

You should redirect this output to a file, so that it can then be used to generate a script. With the output in a file I then did this:

cat /tmp/bart.compare | awk '{print "chmod " $3 " " $1}' > /tmp/CHANGEPERMS

So basically I cat the file and print the chmod command along with the 3rd field (100644) and then the first field (/httpd/htdocs/index.html) and redirect this to a new file. Once I spot check this file, you can then run it and it will "reset" the permissions back.
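An added example, not the post's own awk one-liner: the same chmod-script generation in Python, which locates the control mode by the "mode" keyword instead of its field position (so a size or mtime pair left in front of it cannot be mistaken for a mode) and strips bart's file-type bits (100644 becomes 644) while keeping the setuid/setgid/sticky bits the post mentions. The sample compare output is constructed; the paths in it other than index.html are made up.

```python
# Added example (not the post's code): build chmod commands from "bart compare -p"
# output, one file per line, "<attr> <control> <test>" groups after the path.
import shlex

# Attributes that carry a control and a test value in -p output; "add"/"delete" carry none.
TWO_VALUE = {"size", "mode", "acl", "mtime", "dirmtime", "lnmtime", "uid", "gid",
             "contents", "dest", "devnode", "type"}

def parse_compare_line(line):
    """Return (fname, {attr: (control, test) or None}) for one -p output line."""
    fname, *rest = line.split()
    attrs, i = {}, 0
    while i < len(rest):
        if rest[i] in TWO_VALUE and i + 2 < len(rest):
            attrs[rest[i]] = (rest[i + 1], rest[i + 2])
            i += 3
        else:
            attrs[rest[i]] = None   # bare marker such as "add" or "delete"
            i += 1
    return fname, attrs

def perm_bits(bart_mode):
    """100644 -> '644', 104755 -> '4755': keep only the 12 permission bits."""
    return format(int(bart_mode, 8) & 0o7777, "o")

def chmod_commands(compare_output):
    """One 'chmod <control perms> <file>' per line whose mode changed."""
    cmds = []
    for line in compare_output.splitlines():
        if not line.strip():
            continue
        fname, attrs = parse_compare_line(line)
        if attrs.get("mode"):
            cmds.append(f"chmod {perm_bits(attrs['mode'][0])} {shlex.quote(fname)}")
    return cmds

# Constructed sample: the index.html line from the post, a setuid binary, a new
# file (nothing to restore) and a line where size was not ignored.
SAMPLE = """/httpd/htdocs/index.html mode 100644 100777 acl user::rw-,group::r--,mask:r--,other:r-- user::rwx,group::rwx,mask:rwx,other:rwx
/usr/local/bin/mytool mode 104555 100777 acl user::r-x,group::r-x,mask:r-x,other:r-x user::rwx,group::rwx,mask:rwx,other:rwx
/httpd/htdocs/new.html add
/var/tmp/report.txt size 10 26 mode 100644 100777
"""

if __name__ == "__main__":
    print("\n".join(chmod_commands(SAMPLE)))
```

Spot-check the generated commands before running them, exactly as the post says to do with the awk output.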
Now everything I have shown above is based on the machine having a UFS file system. If you run bart against a file system that is ZFS, you will get a manifest that looks something like this:

/home/unixwiz/bin/php F 10587732 100755 owner@::deny,owner@:read_data/write_data/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:allow,group@:write_data/append_data:deny,group@:read_
4743a7fa 100 14 9b8cfb15ed069bd6e43d7c2ae11a3e23

It shows the ZFS extended ACLs.

So if you haven't started using bart, you should start as soon as possible.
Posted by unixwiz
Tagged as: Security, Shell Scripts, Solaris, tips, ZFS