The Solaris Basic Audit & Reporting Tool, bart, is a great little alternative to Tripwire or AIDE. While not nearly as robust or full-featured, it does what you need it to do with very little impact. The SQLite of intrusion detection systems, if you will. I blogged about BART in 2005 and so far it's still only got 1 real comment, which simply mentioned AIDE as an alternative. No love.
Given that BART is awesome and no one seems to embrace it, perhaps due to unfounded perceptions of complexity, I set out to implement a simple solution to bring BART to the masses. I call it bartlog.
Quite simply, bartlog is a BASH wrapper around BART and logger which is run from cron on any schedule you like and reports any changes to syslog. Setup is simple: download bartlog and copy it into /usr/sbin or wherever you prefer, then download bart.rules and copy it into /etc. Now run bartlog from cron every hour or day or whatever you like.
The script is simple and intended to be tweaked, modified and made as l337 as you like. What it does is create a BART manifest (a record of files and their MD5 checksums) for the directory structures specified in the bart.rules file. The first time it runs it just creates a manifest and exits. The second time you run it, it creates a new manifest and then compares it against the previously created one. If it doesn't find any changes it just replaces the old manifest with the new one, which avoids you getting alerted repeatedly. However, if it does find a change it sends the change to syslog, so that it's stored with your normal logs and can be viewed either by running dmesg or by reading /var/adm/messages. By default I'm using the syslog audit.err priority because by default Solaris sends those messages to /var/adm/messages; however, if you are deploying this in a production environment I'd recommend using audit.warn instead and then modifying /etc/syslog.conf to send those warnings to a secure centralized syslog server. If you complete the solution with Splunk you could have a centralized, searchable log of all changes to critical files, on which you could report, respond or alert.
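Here is how that create/compare/log cycle can be written as a small POSIX shell script. This is an added example, not the bartlog script from the post; it assumes bart(1M) and logger(1) are on PATH, keeps its control manifest under /var/adm/bart (an assumed location), and is invoked from cron as `bartlog run`.

```shell
#!/bin/sh
# Added example of the bartlog idea, not the original script; assumes Solaris
# bart(1M) and logger(1) are on PATH and that the paths below are acceptable.
RULES=${RULES:-/etc/bart.rules}
STATE_DIR=${STATE_DIR:-/var/adm/bart}   # holds the control (baseline) manifest
PRIORITY=${PRIORITY:-audit.err}         # audit.warn plus a central loghost in production
TAG=bartlog

# Build a fresh manifest from the rules file and print its path.
create_manifest() {
    out="$STATE_DIR/manifest.new"
    mkdir -p "$STATE_DIR" || return 1
    bart create -r "$RULES" > "$out" || return 1
    printf '%s\n' "$out"
}

# Compare control and test manifests and send each difference line to syslog.
# Returns 0 if they match, 1 if differences were logged, 2 if bart itself failed.
report_changes() {
    cmp_out="$STATE_DIR/compare.out"
    status=0
    bart compare -r "$RULES" "$1" "$2" > "$cmp_out" || status=$?   # bart exits 1 on differences
    [ "$status" -le 1 ] || { logger -p "$PRIORITY" -t "$TAG" "bart compare failed ($status)"; return 2; }
    changed=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        changed=1
        logger -p "$PRIORITY" -t "$TAG" "$line"
    done < "$cmp_out"
    rm -f "$cmp_out"
    return $changed
}

main() {
    control="$STATE_DIR/manifest.control"
    new=$(create_manifest) || { logger -p "$PRIORITY" -t "$TAG" "manifest creation failed"; return 2; }
    [ -f "$control" ] || { mv "$new" "$control"; return 0; }   # first run: establish the baseline only
    rc=0
    report_changes "$control" "$new" || rc=$?
    [ "$rc" -ne 2 ] || return 2
    [ "$rc" -ne 0 ] || { mv "$new" "$control"; return 0; }     # no change: roll the baseline forward quietly
    # Differences were logged: keep the old baseline for investigation, then adopt the new one.
    cp "$control" "$STATE_DIR/manifest.prev"
    mv "$new" "$control"
    return 1
}

# cron entry (assumed): 0 * * * * /usr/sbin/bartlog run
if [ "${1:-}" = run ]; then main; fi
```

Once the previous baseline is kept as manifest.prev, `bart compare manifest.prev manifest.control` reproduces the exact differences that were sent to syslog.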
So I hope this fills the hole. Anyone running a Solaris system at home can download these two files, add them to cron and be off and running. No hassle, no maintenance. All the love, none of the pain. If you're running a system where bart isn't installed, just install SUNWbart from IPS or the install media.

