asetmasters(4)
NAME
asetmasters, tune.low, tune.med, tune.high, uid_aliases,
cklist.low, cklist.med, cklist.high - ASET master files
SYNOPSIS
/usr/aset/masters/tune.low
/usr/aset/masters/tune.med
/usr/aset/masters/tune.high
/usr/aset/masters/uid_aliases
/usr/aset/masters/cklist.low
/usr/aset/masters/cklist.med
/usr/aset/masters/cklist.high
DESCRIPTION
The /usr/aset/masters directory contains several files used
by the Automated Security Enhancement Tool (ASET). /usr/aset
is the default operating directory for ASET. An alternative
working directory can be specified by the administrator
with the aset -d option or the ASETDIR environment variable.
See aset(1M).
These files are provided by default to meet the needs of most
environments. Administrators can, however, edit these
files to meet their specific needs. The format and usage of
these files are described below.
All the master files allow comments and blank lines to
improve readability. Comment lines must start with a
leading "#" character.
tune.low
tune.med
tune.high
These files are used by the tune task (see aset(1M))
to restrict the permission settings for system
objects. Each file is used by ASET at the security
level indicated by the suffix. Each entry in the files
is of the form:
pathname mode owner group type
where
pathname
is the full pathname
mode is the permission setting
owner is the owner of the object
group is the group of the object
type is the type of the object. It can be symlink for
a symbolic link, directory for a directory, or
file for everything else.
Regular shell wildcard ("*", "?", ...) characters can be
used in the pathname for multiple references. See sh(1).
The mode is a five-digit octal number that represents the
permission setting. Note that this setting is a ceiling, the
least restrictive value permitted: if the current setting is
already more restrictive than the specified value, ASET does
not loosen the permission settings.
For example, a mode of 00777 never changes anything, since no
current setting can be less restrictive than it.
Names must be used for owner and group instead of
numeric IDs. A ? can be used as a "don't care" character
in place of owner, group, or type to prevent ASET from
changing the existing value of that parameter.
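The following Python script is an added illustration, not part of ASET or of this manual page. It parses entries in the tune.* format described above, including shell wildcards in the pathname and the ? don't-care field, and applies the least-restrictive rule to a constructed snapshot of objects that stands in for stat() results on a live system. Two points are assumptions rather than documented ASET behaviour: the rule is modelled as a bitwise AND of the current mode with the entry mode, and an object whose type does not match the entry is reported and otherwise left alone.

```python
import re
from dataclasses import dataclass

# Constructed sample in tune.* format (not a shipped master file).
TUNE_SAMPLE = """\
# pathname    mode  owner group    type
/bin          00777 root  staff    symlink
/etc          02755 root  staff    directory
/dev/sd*      00640 root  operator file
/etc/passwd   00644 ?     ?        file
"""


def glob_to_regex(pattern):
    """Translate the * and ? shell wildcards; as in sh(1), neither crosses a /.
    Bracket expressions are left out of this example."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(ch))
    return re.compile("".join(out) + r"\Z")


@dataclass
class TuneEntry:
    pathname: str
    mode: int    # value of the five octal digits
    owner: str   # account name or "?"
    group: str   # group name or "?"
    type: str    # symlink, directory, file or "?"

    def matches(self, path):
        return glob_to_regex(self.pathname).match(path) is not None


def parse_tune(text):
    """Parse tune.* entries, rejecting malformed lines rather than guessing."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and # comments are permitted
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        pathname, mode, owner, group, otype = fields
        if not pathname.startswith("/"):
            raise ValueError(f"line {lineno}: pathname must be a full pathname")
        if not re.fullmatch(r"[0-7]{5}", mode):
            raise ValueError(f"line {lineno}: mode must be five octal digits")
        for name in (owner, group):
            if name != "?" and name.isdigit():  # names are required, not numeric IDs
                raise ValueError(f"line {lineno}: {name} is a numeric ID, use a name")
        if otype != "?" and otype not in ("symlink", "directory", "file"):
            raise ValueError(f"line {lineno}: unknown type {otype}")
        entries.append(TuneEntry(pathname, int(mode, 8), owner, group, otype))
    return entries


def plan(entries, observed):
    """Return (path, field, current, new) tuples for what tune would change.
    observed holds (path, mode, owner, group, type) tuples. The entry mode is
    a ceiling, modelled here as new = current & ceiling (an assumption), so a
    stricter current mode is never loosened. A type mismatch is reported and
    the entry skipped (also an assumption about ASET's behaviour)."""
    changes = []
    for path, mode, owner, group, otype in observed:
        for e in entries:
            if not e.matches(path):
                continue
            if e.type != "?" and e.type != otype:
                changes.append((path, "type", otype, f"expected {e.type}, skipped"))
                continue
            new_mode = mode & e.mode
            if new_mode != mode:
                changes.append((path, "mode", f"{mode:05o}", f"{new_mode:05o}"))
            if e.owner != "?" and e.owner != owner:
                changes.append((path, "owner", owner, e.owner))
            if e.group != "?" and e.group != group:
                changes.append((path, "group", group, e.group))
    return changes


# Constructed snapshot standing in for stat() results on a live system.
OBSERVED = [
    ("/bin", 0o777, "root", "staff", "symlink"),       # already at the ceiling
    ("/etc", 0o2775, "root", "staff", "directory"),    # group-writable: tightened
    ("/dev/sda0", 0o666, "root", "operator", "file"),  # world-writable: tightened
    ("/dev/sda1", 0o600, "root", "sys", "file"),       # stricter than 00640: kept; group fixed
    ("/etc/passwd", 0o644, "root", "sys", "file"),     # ? owner and group: left alone
]

if __name__ == "__main__":
    for change in plan(parse_tune(TUNE_SAMPLE), OBSERVED):
        print("%-12s %-5s %s -> %s" % change)
```

Run as a script, the block reports three planned changes: /etc loses its group-write bit, /dev/sda0 is tightened to 00640, and /dev/sda1 keeps its stricter 00600 while its group is corrected to operator. Nothing is loosened toward the entry's mode, which is the property the "least restrictive" wording describes, and a numeric owner or group in an entry is rejected at parse time rather than silently applied.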
uid_aliases
This file allows user IDs to be shared by multiple
user accounts. Normally, ASET discourages such sharing
for accountability reasons and reports user IDs that
are shared. The administrators can, however, define
permissible sharing by adding entries to the file.
Each entry is of the form:
uid=alias1=alias2=alias3= ...
where
uid is the shared user id
alias1, alias2, ...
are the user accounts that share the user ID
For example, if sync and daemon share the user ID 1,
the corresponding entry is:
1=sync=daemon
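As an added illustration, not part of ASET or of this manual page, the following Python code parses a uid_aliases file in the format above and checks constructed /etc/passwd lines for user IDs that are shared by accounts the file does not list together. Both the uid_aliases content and the passwd lines are constructed for the example; the toor and batch accounts are the deliberate anomalies, toor because a second UID 0 account is the case that matters most for accountability.

```python
# Constructed uid_aliases content, in the uid=alias1=alias2= ... form.
UID_ALIASES_SAMPLE = """\
# UID 1 is legitimately shared by these two accounts
1=sync=daemon
"""

# Constructed /etc/passwd lines; toor and batch are the deliberate anomalies.
PASSWD_SAMPLE = """\
root:x:0:1:Super-User:/:/sbin/sh
toor:x:0:1:Second root:/:/bin/sh
daemon:x:1:1::/:
sync:x:1:1::/:/bin/sync
batch:x:1:1::/:
bin:x:2:2::/usr/bin:
operator:x:5:5::/:
"""


def parse_uid_aliases(text):
    """Return {uid: set of account names permitted to share it}."""
    aliases = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and # comments are permitted
        fields = [f for f in line.split("=") if f]  # tolerate a trailing "="
        if len(fields) < 2 or not fields[0].isdigit():
            raise ValueError(f"line {lineno}: expected uid=alias1=alias2=...")
        aliases.setdefault(int(fields[0]), set()).update(fields[1:])
    return aliases


def shared_uids(passwd_text, aliases):
    """Return {uid: sorted account names} for every UID shared by more than one
    account where the sharing set is not fully covered by a uid_aliases entry."""
    by_uid = {}
    for raw in passwd_text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # malformed passwd line; not the subject of this check
        by_uid.setdefault(int(fields[2]), set()).add(fields[0])
    violations = {}
    for uid, accounts in by_uid.items():
        if len(accounts) > 1 and not accounts <= aliases.get(uid, set()):
            violations[uid] = sorted(accounts)
    return violations


if __name__ == "__main__":
    found = shared_uids(PASSWD_SAMPLE, parse_uid_aliases(UID_ALIASES_SAMPLE))
    for uid, accounts in sorted(found.items()):
        print(f"uid {uid} shared by {', '.join(accounts)}: not covered by uid_aliases")
```

With the sample data the check reports UID 0 (root and toor, no entry at all) and UID 1 (batch is not in the 1=sync=daemon entry, so the whole sharing set is reported). Adding 1=sync=daemon=batch and 0=root=toor to the aliases silences both, which is exactly why additions to this file deserve review: each entry is a statement that the listed accounts may share an identity.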
cklist.low
cklist.med
cklist.high
These files are used by the cklist task (see
aset(1M)), and are created the first time the
task is run at the low, medium, and high levels.
When the cklist task is run, it compares the
specified directory's contents with the
appropriate cklist.level file and reports any
discrepancies.
EXAMPLES
Example 1: Examples of Valid Entries for the tune.low,
tune.med, and tune.high Files
The following is an example of valid entries for the
tune.low, tune.med, and tune.high files:
/bin        00777 root staff    symlink
/etc        02755 root staff    directory
/dev/sd*    00640 root operator file
SEE ALSO
aset(1M), asetenv(4)
ASET Administrator Manual