

The following rules apply to the entries in the tune files:

  You can use regular shell wildcard characters such as an asterisk (*) and a question mark (?) in the pathname for multiple references.
  <mode> represents the least allowable value. If the current setting is already more restrictive than the specified value, ASET does not loosen the permission settings. For example, if the specified value is 00777, the permission remains unchanged, because 00777 is always less restrictive than the current setting.
  When you decrease the security level from what it was for the previous execution, or when you want to restore the system files to the state they were in before ASET was first executed, ASET recognizes what you are doing and decreases the protection level.
  You must use names for <owner> and <group> instead of numeric IDs.
  You can use a question mark (?) in place of <owner>, <group>, and <type> to prevent ASET from changing the existing values of these parameters.
  <type> can be symlink (symbolic link), directory, or file (everything else).
  Higher security level tune files reset file permissions to be at least as restrictive as they are at lower levels. Also, at higher levels, additional files are added to the list.
  A file can match more than one tune file entry. For example, /etc/passwd matches both /etc/pass* and /etc/*.
  Where two entries have different permissions, the more restrictive file permission applies. In the following example, the permission of /etc/passwd will be set to 00755, which is the more restrictive of 00755 and 00770:
    /etc/pass* 00755 ? ? file
    /etc/* 00770 ? ? file
  If two entries have different <owner> or <group> designations, the last entry takes precedence.

You modify settings in the tune file by adding or deleting file entries.


NOTE: Setting a permission to a less restrictive value than the current setting has no effect; the ASET tasks do not relax permissions unless you downgrade your system security to a lower level.

The uid_aliases File

The uid_aliases file contains a list of multiple user accounts sharing the same ID. Normally, ASET warns about such multiple user accounts because this practice lessens accountability. You can allow for exceptions to this rule by listing the exceptions in the uid_aliases file. ASET does not report entries in the passwd file with duplicate user IDs if these entries are specified in the uid_aliases file.

The default /usr/aset/masters/uid_aliases file is:

#
# Copyright 1990, 1991 Sun Microsystems, Inc.  All Rights Reserved.
#
#
# sccsid = @(#) uid_aliases 1.1 1/2/91 14:39:52
#
# format:
#      uid=alias1=alias2=alias3= ...
# allows users "alias1", "alias2", "alias3" to share the same uid.

0=+=root=checkfsys=makefsys=mountfsys=powerdown=setup=smtp=sysadm=umountfsys
1=sync=daemon

The default entries make UID 0 equivalent to the user accounts root, checkfsys, makefsys, mountfsys, powerdown, setup, smtp, sysadm, and umountfsys, and UID 1 equivalent to the user accounts sync and daemon.

Each entry has the format

<uid>=<alias1>=<alias2>=<alias3>=...

where <uid> is the shared UID number and <aliasn> is the name of the user account that shares the UID.
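The following is an added illustration, not ASET's own code, of the check the uid_aliases file controls: it parses a file in the uid_aliases format described above, groups passwd-style entries by UID, and reports accounts that share a UID without being listed as permitted aliases. The uid_aliases text and passwd lines below are constructed samples (the account names toor, bob and alice are invented for the example).

```python
import collections

# Constructed sample in the uid_aliases format: uid=alias1=alias2=...
# Comment lines start with '#'; a trailing '=' is tolerated.
UID_ALIASES = """\
# format: uid=alias1=alias2=alias3= ...
0=+=root=checkfsys=makefsys=mountfsys=powerdown=setup=smtp=sysadm=umountfsys
1=sync=daemon
"""

# Constructed passwd-style lines (name:passwd:uid:gid:gecos:home:shell).
PASSWD = """\
root:x:0:1:Super-User:/:/sbin/sh
sysadm:x:0:1:System Admin:/usr/admin:/sbin/sh
toor:x:0:1:Unlisted second UID-0 account:/:/sbin/sh
daemon:x:1:1::/:
sync:x:1:1::/:/bin/sync
bob:x:1001:10:Bob:/home/bob:/bin/ksh
alice:x:1001:10:Alice:/home/alice:/bin/ksh
"""

def parse_uid_aliases(text):
    """Return {uid: set of account names allowed to share that uid}."""
    aliases = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        uid, *names = line.split("=")
        aliases.setdefault(int(uid), set()).update(n for n in names if n)
    return aliases

def duplicate_uids(passwd_text, aliases):
    """Return {uid: sorted names} for accounts that share a UID but are
    not listed as aliases for it; fully aliased groups are not reported."""
    by_uid = collections.defaultdict(list)
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3:
            continue  # skip malformed lines rather than crash the scan
        by_uid[int(fields[2])].append(fields[0])
    findings = {}
    for uid, names in by_uid.items():
        if len(names) < 2:
            continue  # a UID used by one account is never a finding
        unexpected = sorted(set(names) - aliases.get(uid, set()))
        if unexpected:
            findings[uid] = unexpected
    return findings
```

With the samples above, UID 1 (sync and daemon) is silent because both accounts are aliased, while toor on UID 0 and the bob/alice pair on UID 1001 are reported.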

The Checklist Files

The master files cklist.high, cklist.med, and cklist.low are generated when you first execute ASET, or when you run ASET after you change the security level.

The following environment variables determine the files that are checked by this task:

  CKLISTPATH_LOW
  CKLISTPATH_MED
  CKLISTPATH_HIGH

Refer to the following section for more information about ASET environment variables.

