V-216221

Discussion

A file integrity baseline is a collection of file metadata used to evaluate the integrity of the system. A minimal baseline must contain metadata for all device files, setuid files, setgid files, system libraries, system binaries, and system configuration files. The minimal metadata must consist of the mode, owner, group owner, and modification times. For regular files, metadata must also include file size and a cryptographic hash of the file's contents.

Check Content

The root role is required.

Solaris 11 includes the Basic Account and Reporting Tool (BART), which uses cryptographic-strength checksums and file system metadata to determine changes. By default, the manifest generator catalogs all attributes of all files in the root (/) file system. File systems mounted on the root file system are cataloged only if they are of the same type as the root file system.

A Baseline BART manifest may exist in: 
/var/adm/log/bartlogs/[control manifest filename]

If a BART manifest does not exist, this is a finding.

At least weekly, create a new BART baseline report.

# bart create > /var/adm/log/bartlogs/[new manifest filename]

Compare the new report to the previous report to identify any changes in the system baseline.

# bart compare /var/adm/log/bartlogs/[baseline manifest filename] /var/adm/log/bartlogs/[new manifest filename]

Examine the BART report for changes. If there are changes to system files in /etc that are not approved, this is a finding.