Solaris has a software registry that records information about the software packages installed on a system. The registry is invaluable for auditing the system to determine what software has been changed, installed, removed, or patched. It contains a database of installed files, physically located in the file /var/sadm/install/contents. Each file, special file, and directory installed on the system has an entry in this database. If the attributes of a file are changed after installation, the pkgchk command detects the difference and reports it, which makes it a good command for auditing. In each reported line, the value before "expected" is what the registry recorded and the value before "actual" is what was found on disk. Here is an example:

solaris98# pkgchk
ERROR: /etc/apache/magic
    file size <12965> expected <12441> actual
    file cksum <8026> expected <33401> actual
ERROR: /etc/apache/mime.types
    file size <14987> expected <9957> actual
    file cksum <46595> expected <27635> actual
ERROR: /etc/auto_master
    file size <113> expected <395> actual
    file cksum <9773> expected <34676> actual
ERROR: /etc/default/dhcpagent
    file size <3394> expected <2826> actual
    file cksum <26394> expected <43621> actual

Some files are expected to change, such as /etc/system, which sysadmins edit very often. pkgchk has a -n option that bypasses checking these files. Though it is a tempting option for reducing the amount of output from an audit, it is good to know what got changed.

solaris98# pkgchk -l -p /etc/system
Pathname: /etc/system
Type: editted file
Expected mode: 0644
Expected owner: root
Expected group: sys
Referenced by the following packages:
        SUNWcsr
Current status: installed

solaris98#
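One way to keep the full pkgchk output while still separating expected changes from unexpected ones, as an added example that is not part of the original post: it tags each finding with the file type recorded in /var/sadm/install/contents. The `triage` and `run_sample` names, the sample data, and the assumed column order of the contents file (path, type, class, mode, owner, group, size, cksum, modtime, package) are assumptions of this example.

```shell
#!/bin/sh
# Added example: triage pkgchk findings by file type rather than hiding them with -n.
# Assumed contents layout: path ftype class mode owner group size cksum modtime pkg...
# On Solaris, run the awk program with nawk (or /usr/xpg4/bin/awk).

# triage PKGCHK_OUTPUT CONTENTS_FILE
# prints: verdict<TAB>ftype<TAB>path<TAB>attribute<TAB>expected<TAB>actual
triage() {
    awk '
    NR == FNR { ftype[$1] = $2; next }            # first file: contents database
    /^ERROR: /   { path = substr($0, 8); next }   # a finding starts here
    /^WARNING: / { path = ""; next }              # pathname unknown to the registry
    path != "" && /expected <.*> actual/ {
        split($0, p, /[<>]/)                      # p[2] = expected, p[4] = actual
        attr = p[1]; gsub(/^[ \t]+|[ \t]+$/, "", attr)
        t = (path in ftype) ? ftype[path] : "?"
        # e = editable, v = volatile: content changes are normal but still listed.
        # Anything else (permissions, or a changed type f file) is flagged.
        if ((t == "e" || t == "v") && attr ~ /^file (size|cksum)$/) verdict = "REVIEW"
        else verdict = "ALERT"
        printf "%s\t%s\t%s\t%s\t%s\t%s\n", verdict, t, path, attr, p[2], p[4]
    }' "$2" "$1"
}

# Constructed sample data (not taken from a real system).
run_sample() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/pkgchk.out" <<'EOF'
ERROR: /etc/system
    permissions <0644> expected <0666> actual
    file size <1925> expected <2210> actual
    file cksum <27404> expected <51133> actual
ERROR: /usr/bin/example
    file cksum <8026> expected <33401> actual
EOF
    cat > "$dir/contents" <<'EOF'
/etc/system e exampleclass 0644 root sys 1925 27404 1012345678 SUNWcsr
/usr/bin/example f none 0555 root bin 4096 8026 1012345678 EXAMPLEpkg
EOF
    triage "$dir/pkgchk.out" "$dir/contents"
    rm -rf "$dir"
}
```

On a live system the two arguments would be a saved pkgchk report and /var/sadm/install/contents; the ALERT lines are the ones to investigate first.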

If you want to check what got changed on a filesystem, you can combine find and pkgchk. Check the example below.

solaris98# find /usr -mount -exec pkgchk -p {} \;
ERROR: /usr
    permissions <0755> expected <0775> actual
WARNING: no information associated with pathname </usr/platform/TSBW>
WARNING: no information associated with pathname <8000>
WARNING: no information associated with pathname </usr/platform/TSBW>
WARNING: no information associated with pathname <Ultra-2i>
..

Reference : http://www.sun.com/blueprints/1299/repairing.pdf
