
UNIXWIZ


Anything dealing with *nix or whatever I want to write about


Why everyone should use bart (AKA do the Bart Man)
May 2008

If you are using Solaris 10 and you have not used bart yet, you should stop everything and take a look at it.


For those who don't know what bart is, it is the Basic Audit Reporting Tool that ships with Solaris 10 (see bart(1M) and bart_rules(4)).


In a quick synopsis, bart creates a manifest that lists every file and directory on a Solaris machine. For each entry it records the type, size, permissions, owner (uid and gid), modification time and, for regular files, an MD5 hash of the contents, along with the ACL: the POSIX-draft ACL string on UFS, or the extended NFSv4-style ACL if the file system is ZFS.


So why is bart so important? First, it can be used as a security tool. When you install a new Solaris 10 system, the first thing you should do after it is installed and patched, and before it is placed on the network, is run bart on the system and save the report to a CD. This will be the "baseline" manifest of the system. Then every week or month you should run bart against the machine again and use the compare option to see which files have changed, been added or been deleted. Where this comes in really handy is if you think your machine has been hacked or compromised: you can use the comparison to determine which files may have been modified by the intruder. Two caveats apply. The baseline is only as good as what it covers, so anything your rules file ignores is invisible to the comparison. And a root-level intruder can alter both a manifest left on the box and the bart binary itself, so keep the baseline on read-only media or another host and, when you suspect a compromise, run the check from trusted media rather than with the tools on the suspect system.

But there is a non-security use for bart as well that is VERY useful, one I had not thought of until I needed it the other day. So what is this use? Resetting the permissions on files that were accidentally changed by an inexperienced UNIX person who thought that a "chmod -R 777 *" was the best way to fix their problem.


The first thing that came to my mind when I saw this happen was "oh no", the machine had not even been backed up yet, and a day's worth of work would have been lost. Even if the machine had been backed up, do you realize how long it would take to restore a file system with 40,000+ files, just because the permissions were screwed up? (Note: the permissions on the various files were very different and even included some setuid and setgid files, which were wiped out as well.)

So how did bart save the day? Luckily I had taken a bart of the machine before the work had begun on the file system. So after the chmod command was issued, I then took a bart of the file system again. I could now run a bart compare against the control and test manifests and see exactly what had changed.

Once I had this output, I could then create a script to change the permissions of the files/directories back to their original values. All told, after I finished tweaking my script, it took about 20 minutes to reset the permissions on all the files and directories.


So here is a quick start to getting your first bart manifest of your system:

1. Create a bart_rules file. If you do not create a rules file, your output will only have files and not directories listed in it. My simple bart_rules file looks like this (a directory line is followed by the CHECK/IGNORE directives that apply to its subtree):

/
CHECK all
/home
IGNORE all

I ignore the /home file system as in my case it was NFS-mounted. In reality you would want to include all local file systems, and leave out network mounts, which belong in the file server's baseline rather than this machine's.


2. Create the bart manifest. I keep the rules file in /root/bart_rules, so I would run the command:

bart create -R / -r /root/bart_rules > /tmp/bart.output

This will create a bart manifest and output it to /tmp/bart.output. The first twenty lines of it look like this:

unixwiz@sungeek:/home/unixwiz> head -20 /tmp/bart.output
! Version 1.0
! Saturday, May 17, 2008 (21:24:27)
# Format:
#fname D size mode acl dirmtime uid gid
#fname P size mode acl mtime uid gid
#fname S size mode acl mtime uid gid
#fname F size mode acl mtime uid gid contents
#fname L size mode acl lnmtime uid gid dest
#fname B size mode acl mtime uid gid devnode
#fname C size mode acl mtime uid gid devnode
/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 481d0e43 0 0
/.ICEauthority F 310 100600 user::rw-,group::---,mask:---,other:--- 44c581c2 0 0 3eb63faf448e8a2b2c1a7b2019a8bde3
/.Xauthority F 99 100600 user::rw-,group::---,mask:---,other:--- 44c560e0 0 0 5ffe2e5f4b6f73e662001f62f7cae4d3
/.bash_history F 649 100600 user::rw-,group::---,mask:---,other:--- 481d1109 0 0 9132e0e798d5d05644cafc90c2aa876a
/.dt D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 44c560e0 0 0
/.dt/appmanager D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 44c5534d 0 0
/.dt/help D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 44c5534d 0 0
/.dt/icons D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 44c5534d 0 0
/.dt/sessionlogs D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 44c5534c 0 0
/.dt/sessionlogs/sungeek_DISPLAY=:0 F 132 100644 user::rw-,group::r--,mask:r--,other:r-- 44c560e0 0 0 6d4e62fc972046a7a85fdb36a0ce21fd

The first part of the file, the part that begins with #fname, is a legend for how each type of line is formed: D is a directory, F a regular file, L a symbolic link (which carries a dest field), P a named pipe, S a socket, and B and C block and character devices (which carry a devnode field). So looking at the first actual line of contents:

/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 481d0e43 0 0

We see that the fname is /, it is a directory (D) with a size of 1024. Its mode is 40755: the leading 4 is the directory type bits and 0755 the permission bits. The last modified time is 481d0e43, which is the Unix epoch time written in hexadecimal, and it is owned by uid 0 and gid 0.

Looking at a regular file we see this:

/httpd/htdocs/index.html F 10 100644 user::rw-,group::r--,mask:r--,other:r-- 463d4f4b 0 0 b7a9369d4cc9f82ed707bce91ced8af8

In the above, we see that the file is 10 bytes, has permissions of 644 (the 10 prefix marks a regular file), is owned by root/root, and the trailing field is the MD5 hash of its contents.
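To make the legend concrete, here is an added shell example (not from the original post) that walks a manifest using those field positions: it strips the file-type prefix from the octal mode, converts bart's hexadecimal mtime to a decimal epoch, and lists the setuid/setgid files in a baseline, which is a check worth running on any fresh manifest before you file it away. The manifest text is constructed for the example from the lines quoted above plus an invented /usr/bin/su entry whose hash is made up.

```shell
#!/bin/sh
# Added example, not code from the original post: walk a bart manifest using
# the "#fname ..." field legend and pull out the security-relevant pieces.
# The manifest below is constructed for this example: the first three entries
# are lines quoted in the post, the /usr/bin/su entry (and its hash) is made up.

MANIFEST='! Version 1.0
! Saturday, May 17, 2008 (21:24:27)
# Format:
#fname D size mode acl dirmtime uid gid
#fname F size mode acl mtime uid gid contents
/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 481d0e43 0 0
/.bash_history F 649 100600 user::rw-,group::---,mask:---,other:--- 481d1109 0 0 9132e0e798d5d05644cafc90c2aa876a
/httpd/htdocs/index.html F 10 100644 user::rw-,group::r--,mask:r--,other:r-- 463d4f4b 0 0 b7a9369d4cc9f82ed707bce91ced8af8
/usr/bin/su F 31896 104755 user::rwx,group::r-x,mask:r-x,other:r-x 463d4f4b 0 0 0123456789abcdef0123456789abcdef'

# Permission bits only. bart stores the whole st_mode in octal, so 100644 is a
# regular file (prefix 10) with mode 0644 and 40755 a directory (prefix 4)
# with mode 0755.  A leading 0 makes the shell parse the field as octal.
perm_bits() {
    printf '%04o\n' "$((0$1 & 07777))"
}

# bart writes mtime as a hexadecimal Unix epoch; return it as decimal seconds.
hex_to_epoch() {
    printf '%d\n' "$((0x$1))"
}

# Print "path perm uid gid" for every regular file whose mode carries the
# setuid (04000) or setgid (02000) bit.  Header lines start with ! or #.
list_setid() {
    printf '%s\n' "$MANIFEST" |
    while read -r fname type size mode acl mtime uid gid rest; do
        case "$fname" in '!'*|'#'*|'') continue ;; esac
        [ "$type" = F ] || continue
        if [ "$((0$mode & 06000))" -ne 0 ]; then
            printf '%s %s %s %s\n' "$fname" "$(perm_bits "$mode")" "$uid" "$gid"
        fi
    done
}

# Stand-alone run: permission bits of the two sample modes, the root
# directory's mtime as a decimal epoch, and the setuid/setgid inventory.
perm_bits 100644
perm_bits 40755
hex_to_epoch 481d0e43
list_setid
```

Run against a real manifest, replace the embedded text with `cat /tmp/bart.output`. The decoded mtime of / above is 1209863747, i.e. 4 May 2008 UTC, which is consistent with the manifest having been taken on 17 May 2008.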
Now suppose that I, for some reason, by accident was in the /httpd/htdocs directory and did a chmod -R 777 *. Since I had my control manifest, I would then run another bart and use the compare option. What I would get is something like this:

# bart compare /tmp/bart.output /tmp/bart.output2
/httpd/htdocs/index.html:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx

Here we can see that the permissions have changed from 644 to 777. But the output is not really easy to parse with a script, so we need to use the -p option on the bart compare:

# bart compare -p /tmp/bart.output /tmp/bart.output2
/httpd/htdocs/index.html mode 100644 100777 acl user::rw-,group::r--,mask:r--,other:r-- user::rwx,group::rwx,mask:rwx,other:rwx

In the above, since the only thing that was changed was the mode, that (and the ACL, which on UFS mirrors the mode bits) is all that is listed: each changed attribute appears as its name followed by the control value and then the test value. Here are some other examples:

/var/samba/locks/browse.dat mtime 482f8544 482f8800
/var/samba/locks/unexpected.tdb contents 7c3404e9622749702e3df56caf26fe72 72983947ada3260a236394a51aef0d31

The first line shows that the file browse.dat's modify time changed, but nothing else. The second line shows that unexpected.tdb had its contents change, which can be seen from the two different hashes. The contents hash is the attribute to trust when you are looking for tampering: an mtime can be set back to its old value with touch, a changed hash cannot be hidden that way.
Here is another example of the index.html file above, after it had been edited:

bash-3.00# bart compare /tmp/bart.out /tmp/bart.out3
/httpd/htdocs/index.html:
  size  control:10  test:26
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
  mtime  control:463d4f4b  test:482f8b89
  contents  control:b7a9369d4cc9f82ed707bce91ced8af8  test:1567caf683e3859cb5da7335c35438f7

Once again this is in the "human" readable format; the "machine" readable format looks like this (all on one line):

bash-3.00# bart compare -p /tmp/bart.out /tmp/bart.out3
/httpd/htdocs/index.html size 10 26 mode 100644 100777 acl user::rw-,group::r--,mask:r--,other:r-- user::rwx,group::rwx,mask:rwx,other:rwx mtime 463d4f4b 482f8b89 contents b7a9369d4cc9f82ed707bce91ced8af8 1567caf683e3859cb5da7335c35438f7
Once you have the bart manifest from after the "oops", you will need to run bart compare with options to ignore some attributes. Since I am only interested in the mode, the size, mtime and contents can be ignored (and uid and gid along with them). I used the following, which only shows files that have had their mode changed:

bash-3.00# bart compare -i size,mtime,contents,uid,gid -p /tmp/bart.out /tmp/bart.out2
/httpd/htdocs/index.html mode 100644 100777 acl user::rw-,group::r--,mask:r--,other:r-- user::rwx,group::rwx,mask:rwx,other:rwx

You should redirect this output to a file so that it can then be used to generate a script. With the output in a file, I then did this:

cat /tmp/bart.compare | awk '{print "chmod " $3 " " $1}' > /tmp/CHANGEPERMS

So basically I cat the file and print the chmod command along with the 3rd field (100644, the control mode) and then the first field (/httpd/htdocs/index.html), and redirect this to a new file. Once I spot-check this file, you can then run it and it will "reset" the permissions back. Two things to watch for when you spot-check: the mode field carries the file-type prefix (the 10 in 100644, the 4 in 40755), so if your chmod rejects a five- or six-digit mode, cut it down to the last four octal digits; and a path containing whitespace will not survive the field split of the -p format, so fix any such files by hand.
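The following is an added shell example (not the post's own script) that turns `bart compare -p` output into repair commands more defensively than the one-liner above: it walks the attribute/control/test triples on each line, keeps only the low four octal digits of the control mode so the file-type prefix never reaches chmod, and also emits chown or chgrp where the uid or gid was changed, which the post's version does not cover. The compare output it parses is constructed for the example from the lines shown above plus an invented setuid file, /httpd/bin/suexec.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the commands that
# put permissions and ownership back to their control values from the
# machine-readable (-p) output of "bart compare".
#
# SAMPLE_COMPARE is constructed for this example from the compare lines shown
# in the post plus an invented setuid file (/httpd/bin/suexec) whose mode,
# uid and gid were all changed.

SAMPLE_COMPARE="/httpd/htdocs/index.html mode 100644 100777 acl user::rw-,group::r--,mask:r--,other:r-- user::rwx,group::rwx,mask:rwx,other:rwx
/httpd/htdocs mode 40755 40777 acl user::rwx,group::r-x,mask:r-x,other:r-x user::rwx,group::rwx,mask:rwx,other:rwx
/httpd/bin/suexec mode 104755 100777 acl user::rwx,group::r-x,mask:r-x,other:r-x user::rwx,group::rwx,mask:rwx,other:rwx uid 0 100 gid 0 1
/var/samba/locks/browse.dat mtime 482f8544 482f8800
/var/samba/locks/unexpected.tdb contents 7c3404e9622749702e3df56caf26fe72 72983947ada3260a236394a51aef0d31"

# Read "bart compare -p" lines on stdin and print one shell command per
# attribute we know how to restore.  After the path, the fields come in
# triples: attribute name, control value, test value.  Only mode, uid and
# gid are acted on; mtime/contents/acl-only changes produce nothing.
gen_fixups() {
    awk '
    {
        mode = ""; uid = ""; gid = ""
        for (i = 2; i + 2 <= NF; i += 3) {
            if ($i == "mode")     mode = $(i + 1)
            else if ($i == "uid") uid  = $(i + 1)
            else if ($i == "gid") gid  = $(i + 1)
        }
        path = "\047" $1 "\047"          # single-quote the path for the shell
        if (mode != "") {
            # bart modes carry the file-type prefix (10 = regular file,
            # 4 = directory); chmod wants only the low four octal digits,
            # which still include setuid/setgid/sticky (e.g. 104755 -> 4755).
            perm = length(mode) > 4 ? substr(mode, length(mode) - 3) : mode
            print "chmod " perm " " path
        }
        if (uid != "" && gid != "") print "chown " uid ":" gid " " path
        else if (uid != "")         print "chown " uid " " path
        else if (gid != "")         print "chgrp " gid " " path
    }'
}

# Stand-alone run over the constructed sample.  Against a real compare,
# redirect the result to a file (the post uses /tmp/CHANGEPERMS), review it,
# then execute it with sh.
printf '%s\n' "$SAMPLE_COMPARE" | gen_fixups
```

Review the generated file before running it, as the post advises. The script only restores what `bart compare` reports under mode, uid and gid; an ACL changed without a mode change (setfacl on UFS, chmod A= on ZFS) shows up only under acl and has to be reapplied from the control ACL string with those tools. Paths containing whitespace cannot be recovered from the -p format at all, because it is whitespace-delimited.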
Now everything I have shown above is based on the machine having a UFS file system. If you run bart against a file system that is ZFS, you will get a manifest that looks something like this (the ACL field is cut off in the original, hence the ...):

/home/unixwiz/bin/php F 10587732 100755 owner@::deny,owner@:read_data/write_data/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:allow,group@:write_data/append_data:deny,group@:read_... 4743a7fa 100 14 9b8cfb15ed069bd6e43d7c2ae11a3e23

It shows the ZFS extended ACL, a list of NFSv4-style entries of the form who:permissions:allow or deny, in place of the UFS user::/group::/mask:/other: string. The remaining fields (mtime, uid, gid and the contents hash) are the same as on UFS, so the compare and repair steps above work unchanged; only the ACL field needs ZFS tools if you want to put it back by hand.
So if you haven't started using bart, you should start as soon as possible.

Posted by unixwiz

Tagged as: Security, Shell Scripts, Solaris, tips, ZFS


The content on sungeek.net is provided AS IS, and WITHOUT ANY WARRANTY. All opinions are personal and in no way reflect any organization. The author will not be held liable for any problems resulting from the information provided here. Copyright 2015 unixwiz.
