BART is install by default on Solaris servers. Its an audit tool.
1. Plan your BART configuration location
[root@sun-audit-v01]# pwd
/var/audit/BART
[root@sun-audit-v01]# ls
bart2.sh bart.sh compare manifest
[root@sun-audit-v01]#
2. Your script
[root@sun-audit-v01]# more /var/audit/BART/bart.sh
#!/bin/ksh
# Declare Variables
BARTDIR=/var/audit/BART
COMPAREDIR=${BARTDIR}/compare
MANIFESTDIR=${BARTDIR}/manifest
GDATE=/usr/local/bin/gdate
JASSDIR=/var/opt/SUNWjass/BART
RULES=${JASSDIR}/rules.txt
BARTCMD=/usr/bin/bart
HOST=`/usr/bin/hostname | cut -d'.' -f1`
TODAYBARTFILE=${MANIFESTDIR}/${HOST}-manifest-`${GDATE} +%Y%m%d`
touch ${TODAYBARTFILE}
COMPAREFILE=${COMPAREDIR}/compare-`${GDATE} +%Y%m%d`
YESTERDAYBARTFILE=${MANIFESTDIR}/${HOST}-manifest-`${GDATE} +%Y%m%d -d "yesterday"`
# Check for existence of variables
[ ! -d $BARTDIR ] && echo "$BARTDIR does not exist" && exit 1;
[ ! -d $COMPAREDIR ] && echo "$COMPAREDIR does not exist" && exit 1;
[ ! -d $MANIFESTDIR ] && echo "$MANIFESTDIR does not exist" && exit 1;
[ ! -f $GDATE ] && echo "$GDATE does not exist" && exit 1;
[ ! -d $JASSDIR ] && echo "$JASSDIR does not exist" && exit 1;
[ ! -f $RULES ] && echo "$RULES does not exist" && exit 1;
# Let's generate BART Report for Today
$BARTCMD create -r $RULES > ${TODAYBARTFILE}
# Let's do a compare from yesterday and see what changed
if [[ ! -f ${YESTERDAYBARTFILE} ]]; then
echo "Yesterday's manifest ${YESTERDAYBARTFILE} does not exist" && exit 1;
else
$BARTCMD compare ${YESTERDAYBARTFILE} ${TODAYBARTFILE} > ${COMPAREFILE}
fi
[root@sun-audit-v01]#
[root@sun-audit-v01]# more bart2.sh
#!/bin/ksh
# Declare Variables
BARTDIR=/var/audit/BART
COMPAREDIR=${BARTDIR}/compare
GDATE=/usr/local/bin/gdate
JASSDIR=/var/opt/SUNWjass/BART
RULES=${JASSDIR}/rules.txt
BARTCMD=/usr/bin/bart
HOST=`/usr/bin/hostname | cut -d'.' -f1`
# Check for
[ ! -d $BARTDIR ] && echo "$BARTDIR does not exist" && exit 1;
[ ! -d $COMPAREDIR ] && echo "$COMPAREDIR does not exist" && exit 1;
[ ! -f $GDATE ] && echo "$GDATE does not exist" && exit 1;
[ ! -d $JASSDIR ] && echo "$JASSDIR does not exist" && exit 1;
[ ! -f $RULES ] && echo "$RULES does not exist" && exit 1;
# Let's generate BART Report for Today
#$BARTCMD create -r $RULES > ${BARTDIR}/manifest-${HOST}-`${GDATE} +%Y%m%d`
#touch ${BARTDIR}/manifest-${HOST}-`${GDATE} +%Y%m%d`
touch ${BARTDIR}/${HOST}-manifest-`${GDATE} +%Y%m%d`
[root@sun-audit-v01]#
[root@sun-audit-v01]# pwd
/var/opt/SUNWjass/BART
[root@sun-audit-v01]# ls
initial-20160610 manifests rules.JASS.20131217102721
manifest03 rules rules.txt
[root@sun-audit-v01]#
3. Your rule file
[root@sun-audit-v01]# cat rules
#
# Copyright 2005 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)rules-secure 1.2 05/06/08 SMI"
#
# This file is supplied as part of the Solaris Security Toolkit and
# is used to configure BART rules. See bart_rules(4) for file format.
#
# Note: S82mkdtab is filtered out to avoid false failures. This
# file is deleted after Solaris is first booted.
#
/ !core !tmp/ !var/ !S82mkdtab
CHECK all
IGNORE contents mtime
/etc/rc*.d S* !S82mkdtab
/sbin !core
/usr/bin !core
/usr/sbin !core
CHECK contents
[root@sun-audit-v01]#
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root@sun-audit-v01]# cat rules.txt
#
# Copyright 2005 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)rules-secure 1.2 05/06/08 SMI"
#
# This file is supplied as part of the Solaris Security Toolkit and
# is used to configure BART rules. See bart_rules(4) for file format.
#
# Note: S82mkdtab is filtered out to avoid false failures. This
# file is deleted after Solaris is first booted.
#
#/ !core !tmp/ !var/ !S82mkdtab
#CHECK all
#IGNORE contents mtime
#/etc/rc*.d S* !S82mkdtab
#/sbin !core
#/usr/bin !core
#/usr/sbin !core
#CHECK contents
IGNORE all
CHECK contents mtime
/usr/local
/etc
/usr/bin
/usr/sbin
/data/oracle
[root@sun-audit-v01]#
[root@sun-audit-v01]# crontab -l
#ident "@(#)root 1.21 04/03/23 SMI"
#
# The root crontab should be used to perform accounting data collection.
#
#
10 3 * * * /usr/sbin/logadm
15 3 * * 0 /usr/lib/fs/nfs/nfsfind
30 3 * * * [ -x /usr/lib/gss/gsscred_clean ] && /usr/lib/gss/gsscred_clean
#10 3 * * * /usr/lib/krb5/kprop_script ___slave_kdcs___
0 2 * * 4 /usr/lib/acct/dodisk
30 0,2,4,6,8,10,12,14,16,18,20,22 * * * /usr/local/bin/purge_audit.sh
0 3 * * * /var/audit/BART/bart.sh
[root@sun-audit-v01]#
[root@sun-audit-v01]# cat /usr/local/bin/purge_audit.sh
#!/bin/ksh
## Audit Logs are currently stored in two places
## /var/audit directory and the /var/adm/auditlog file
## logadm rotates the auditlog file nightly and keeps upto 5 copies.
## /var/audit directory stores binary data of the audit logs
## and is unnecessary to keep duplicate logs. /var/audit fills rapidly
## and needs to be purge.
if [[ ! -d /var/audit ]]; then
echo "/var/audit directory does not exist"
exit 1;
else
# becreful with this command
/usr/sbin/audit -n
find /var/audit -type f ! -name "*terminated*" -exec rm {} \;
fi
[root@sun-audit-v01]#
1. Plan your BART configuration location
[root@sun-audit-v01]# pwd
/var/audit/BART
[root@sun-audit-v01]# ls
bart2.sh bart.sh compare manifest
[root@sun-audit-v01]#
2. Your script
[root@sun-audit-v01]# more /var/audit/BART/bart.sh
#!/bin/ksh
# Declare Variables
BARTDIR=/var/audit/BART
COMPAREDIR=${BARTDIR}/compare
MANIFESTDIR=${BARTDIR}/manifest
GDATE=/usr/local/bin/gdate
JASSDIR=/var/opt/SUNWjass/BART
RULES=${JASSDIR}/rules.txt
BARTCMD=/usr/bin/bart
HOST=`/usr/bin/hostname | cut -d'.' -f1`
TODAYBARTFILE=${MANIFESTDIR}/${HOST}-manifest-`${GDATE} +%Y%m%d`
touch ${TODAYBARTFILE}
COMPAREFILE=${COMPAREDIR}/compare-`${GDATE} +%Y%m%d`
YESTERDAYBARTFILE=${MANIFESTDIR}/${HOST}-manifest-`${GDATE} +%Y%m%d -d "yesterday"`
# Check for existence of variables
[ ! -d $BARTDIR ] && echo "$BARTDIR does not exist" && exit 1;
[ ! -d $COMPAREDIR ] && echo "$COMPAREDIR does not exist" && exit 1;
[ ! -d $MANIFESTDIR ] && echo "$MANIFESTDIR does not exist" && exit 1;
[ ! -f $GDATE ] && echo "$GDATE does not exist" && exit 1;
[ ! -d $JASSDIR ] && echo "$JASSDIR does not exist" && exit 1;
[ ! -f $RULES ] && echo "$RULES does not exist" && exit 1;
# Let's generate BART Report for Today
$BARTCMD create -r $RULES > ${TODAYBARTFILE}
# Let's do a compare from yesterday and see what changed
if [[ ! -f ${YESTERDAYBARTFILE} ]]; then
echo "Yesterday's manifest ${YESTERDAYBARTFILE} does not exist" && exit 1;
else
$BARTCMD compare ${YESTERDAYBARTFILE} ${TODAYBARTFILE} > ${COMPAREFILE}
fi
[root@sun-audit-v01]#
[root@sun-audit-v01]# more bart2.sh
#!/bin/ksh
# Declare Variables
BARTDIR=/var/audit/BART
COMPAREDIR=${BARTDIR}/compare
GDATE=/usr/local/bin/gdate
JASSDIR=/var/opt/SUNWjass/BART
RULES=${JASSDIR}/rules.txt
BARTCMD=/usr/bin/bart
HOST=`/usr/bin/hostname | cut -d'.' -f1`
# Check for
[ ! -d $BARTDIR ] && echo "$BARTDIR does not exist" && exit 1;
[ ! -d $COMPAREDIR ] && echo "$COMPAREDIR does not exist" && exit 1;
[ ! -f $GDATE ] && echo "$GDATE does not exist" && exit 1;
[ ! -d $JASSDIR ] && echo "$JASSDIR does not exist" && exit 1;
[ ! -f $RULES ] && echo "$RULES does not exist" && exit 1;
# Let's generate BART Report for Today
#$BARTCMD create -r $RULES > ${BARTDIR}/manifest-${HOST}-`${GDATE} +%Y%m%d`
#touch ${BARTDIR}/manifest-${HOST}-`${GDATE} +%Y%m%d`
touch ${BARTDIR}/${HOST}-manifest-`${GDATE} +%Y%m%d`
[root@sun-audit-v01]#
[root@sun-audit-v01]# pwd
/var/opt/SUNWjass/BART
[root@sun-audit-v01]# ls
initial-20160610 manifests rules.JASS.20131217102721
manifest03 rules rules.txt
[root@sun-audit-v01]#
3. Your rule file
[root@sun-audit-v01]# cat rules
#
# Copyright 2005 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)rules-secure 1.2 05/06/08 SMI"
#
# This file is supplied as part of the Solaris Security Toolkit and
# is used to configure BART rules. See bart_rules(4) for file format.
#
# Note: S82mkdtab is filtered out to avoid false failures. This
# file is deleted after Solaris is first booted.
#
/ !core !tmp/ !var/ !S82mkdtab
CHECK all
IGNORE contents mtime
/etc/rc*.d S* !S82mkdtab
/sbin !core
/usr/bin !core
/usr/sbin !core
CHECK contents
[root@sun-audit-v01]#
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root@sun-audit-v01]# cat rules.txt
#
# Copyright 2005 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)rules-secure 1.2 05/06/08 SMI"
#
# This file is supplied as part of the Solaris Security Toolkit and
# is used to configure BART rules. See bart_rules(4) for file format.
#
# Note: S82mkdtab is filtered out to avoid false failures. This
# file is deleted after Solaris is first booted.
#
#/ !core !tmp/ !var/ !S82mkdtab
#CHECK all
#IGNORE contents mtime
#/etc/rc*.d S* !S82mkdtab
#/sbin !core
#/usr/bin !core
#/usr/sbin !core
#CHECK contents
IGNORE all
CHECK contents mtime
/usr/local
/etc
/usr/bin
/usr/sbin
/data/oracle
[root@sun-audit-v01]#
[root@sun-audit-v01]# crontab -l
#ident "@(#)root 1.21 04/03/23 SMI"
#
# The root crontab should be used to perform accounting data collection.
#
#
10 3 * * * /usr/sbin/logadm
15 3 * * 0 /usr/lib/fs/nfs/nfsfind
30 3 * * * [ -x /usr/lib/gss/gsscred_clean ] && /usr/lib/gss/gsscred_clean
#10 3 * * * /usr/lib/krb5/kprop_script ___slave_kdcs___
0 2 * * 4 /usr/lib/acct/dodisk
30 0,2,4,6,8,10,12,14,16,18,20,22 * * * /usr/local/bin/purge_audit.sh
0 3 * * * /var/audit/BART/bart.sh
[root@sun-audit-v01]#
[root@sun-audit-v01]# cat /usr/local/bin/purge_audit.sh
#!/bin/ksh
## Audit Logs are currently stored in two places
## /var/audit directory and the /var/adm/auditlog file
## logadm rotates the auditlog file nightly and keeps upto 5 copies.
## /var/audit directory stores binary data of the audit logs
## and is unnecessary to keep duplicate logs. /var/audit fills rapidly
## and needs to be purge.
if [[ ! -d /var/audit ]]; then
echo "/var/audit directory does not exist"
exit 1;
else
# becreful with this command
/usr/sbin/audit -n
find /var/audit -type f ! -name "*terminated*" -exec rm {} \;
fi
[root@sun-audit-v01]#
No comments:
Post a Comment