I've been setting up bart auditing for a client. It works mostly well, except I've reached a point of confusion between the docs and the code. Specifically, consider this short bart_rules(4) file:
    /etc
    CHECK ALL
    IGNORE dirmtime

    /etc motd
    IGNORE all

According to my understanding of bart_rules(4), /etc/motd should be ignored. The example at the end of bart_rules(4) illustrates things reasonably well. Yet if I create a control manifest, update /etc/motd (say, e.g., via chef), create a test manifest, and compare, I see that /etc/motd appears in the `bart compare` output. This seems to be contradictory to what the documentation suggests, or I'm misunderstanding the docs.

I dug into the code for bart(1M) for this, and cases like these are handled by rules.c:77-79 in exclude_fname(). This returns EXCLUDE_PRUNE to create.c:456 in eval_file(), which sets ftwx->quit = FTW_PRUNE. It looks like eval_file() should check whether ftype == 'F' when it receives EXCLUDE_PRUNE from exclude_fname() and then treat this as EXCLUDE_SKIP--or, better, that exclude_fname() should do this work itself.

Thoughts? Comments? Tomatoes? Am I missing something? I want to believe that this is a misunderstanding on my part, but I've not been able to find any evidence for this on my own.

-- 
Chris Nehren
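A self-contained reproducer for the scenario described in the post, added here as an example and not part of the original message. It assumes an illumos host with bart(1M) in PATH and that `bart compare` reports each changed file as a `<path>:` header line; it rebuilds the layout under a scratch directory so the real /etc is never modified.

```shell
#!/bin/sh
# Added reproducer for the bart_rules(4) question above (not from the post).
# Assumes an illumos host with bart(1M) in PATH. Works in a scratch copy of
# the layout so the real /etc is never touched.
set -u

# Write the rules file from the post, with the subtree pointed at $1.
write_rules() {
    printf '%s\nCHECK ALL\nIGNORE dirmtime\n\n%s motd\nIGNORE all\n' "$1" "$1" > "$2"
}

# Return 0 if a `bart compare` report (on stdin) lists the given path.
# Assumption: bart prints one "<path>:" header line per differing file.
reported() {
    grep -q "^$1:"
}

# Full run: returns 0 when motd is ignored as the docs suggest,
# 1 when it still shows up in the comparison, 2 on setup failure.
reproduce() {
    work=$(mktemp -d) || return 2
    mkdir "$work/etc"
    echo "hello" > "$work/etc/motd"
    echo "127.0.0.1 localhost" > "$work/etc/hosts"
    write_rules "$work/etc" "$work/rules"
    bart create -r "$work/rules" > "$work/control" || return 2
    echo "changed by the test" > "$work/etc/motd"   # simulate the chef update
    bart create -r "$work/rules" > "$work/test" || return 2
    # bart compare exits non-zero when differences exist, so do not abort here.
    bart compare -r "$work/rules" "$work/control" "$work/test" > "$work/report"
    if reported "$work/etc/motd" < "$work/report"; then
        echo "BUG: $work/etc/motd reported despite 'IGNORE all' (see $work/report)"
        return 1
    fi
    echo "OK: $work/etc/motd was ignored"
    return 0
}

# Only run the bart steps where bart is actually installed.
if command -v bart >/dev/null 2>&1; then
    reproduce
fi
```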
