asetmasters(4) File Formats asetmasters(4)
NAME
asetmasters, tune.low, tune.med, tune.high, uid_aliases, cklist.low,
cklist.med, cklist.high - ASET master files
SYNOPSIS
/usr/aset/masters/tune.low
/usr/aset/masters/tune.med
/usr/aset/masters/tune.high
/usr/aset/masters/uid_aliases
/usr/aset/masters/cklist.low
/usr/aset/masters/cklist.med
/usr/aset/masters/cklist.high
DESCRIPTION
The /usr/aset/masters directory contains several files used by the
Automated Security Enhancement Tool (ASET). /usr/aset is the default
operating directory for ASET. An alternative working directory can be
specified by the administrators through the aset -d command or the
ASETDIR environment variable. See aset(1M).
These files are provided by default to meet the needs of most
environments. The administrators, however, can edit these files to meet
their specific needs. The format and usage of these files are described
below.
All the master files allow comments and blank lines to improve
readability. Comment lines must start with a leading "#" character.
tune.low, tune.med, tune.high
These files are used by the tune task (see aset(1M)) to restrict the
permission settings for system objects. Each file is used by ASET at
the security level indicated by the suffix. Each entry in the files is
of the form:
    pathname mode owner group type
where
    pathname   is the full pathname
    mode       is the permission setting
    owner      is the owner of the object
    group      is the group of the object
    type       is the type of the object. It can be symlink for a
               symbolic link, directory for a directory, or file for
               everything else.
Regular shell wildcard ("*", "?", ...) characters can be used in the
pathname for multiple references. See sh(1). The mode is a five-digit
number that represents the permission setting. Note that this setting
represents a least restrictive value. If the current setting is already
more restrictive than the specified value, ASET does not loosen the
permission settings.
For example, if mode is 00777, the permission will not be changed,
since it is always less restrictive than the current setting.
Names must be used for owner and group instead of numeric IDs. "?" can
be used as a "don't care" character in place of owner, group, and type
to prevent ASET from changing the existing values of these parameters.
uid_aliases
This file allows user IDs to be shared by multiple user accounts.
Normally, ASET discourages such sharing for accountability reasons and
reports user IDs that are shared. The administrators can, however,
define permissible sharing by adding entries to the file. Each entry is
of the form:
    uid=alias1=alias2=alias3= ...
where
    uid        is the shared user ID
    alias?     is the user accounts sharing the user ID
For example, if sync and daemon share the user ID 1, the corresponding
entry is:
    1=sync=daemon
cklist.low, cklist.med, cklist.high
These files are used by the cklist task (see aset(1M)), and are created
the first time the task is run at the low, medium, and high levels.
When the cklist task is run, it compares the specified directory's
contents with the appropriate cklist.level file and reports any
discrepancies.
EXAMPLES
Example 1: Examples of Valid Entries for the tune.low, tune.med, and
tune.high Files
The following is an example of valid entries for the tune.low,
tune.med, and tune.high files:
    /bin      00777  root  staff     symlink
    /etc      02755  root  staff     directory
    /dev/sd*  00640  root  operator  file
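The following added example (not part of ASET or of the original manual page) parses tune-file entries in the format described above and reports which observed modes an entry would restrict. The function names, the sample data, and the bitwise-AND model of "never loosen" are assumptions made for illustration.

```python
import fnmatch
import re

TYPES = {"symlink", "directory", "file", "?"}

def parse_tune(text):
    """Parse tune.* text into (pathname, mode, owner, group, type) tuples."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):  # comments and blank lines are allowed
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {n}: expected 5 fields, got {len(fields)}")
        path, mode, owner, group, ftype = fields
        if not re.fullmatch(r"[0-7]{5}", mode):
            raise ValueError(f"line {n}: mode must be five octal digits")
        if owner.isdigit() or group.isdigit():
            raise ValueError(f"line {n}: owner and group must be names")
        if ftype not in TYPES:
            raise ValueError(f"line {n}: unknown type {ftype!r}")
        entries.append((path, int(mode, 8), owner, group, ftype))
    return entries

def tightened_mode(current, ceiling):
    """Assumed model: clear bits outside the ceiling, never add any."""
    return current & ceiling

def would_tighten(entries, observed):
    """Return {path: (current, new)} for observed paths an entry would restrict."""
    changes = {}
    for pattern, ceiling, _owner, _group, _type in entries:
        for path, current in observed.items():
            new = tightened_mode(current, ceiling)
            # fnmatch's '*' also matches '/', unlike sh(1); fine for this sample
            if fnmatch.fnmatchcase(path, pattern) and new != current:
                changes[path] = (current, new)
    return changes

# Constructed sample: the Example 1 entries plus a comment, a blank line and '?'.
SAMPLE = """# constructed sample
/bin      00777 root staff    symlink

/etc      02755 root staff    directory
/dev/sd*  00640 root operator file
/var/tmp  01777 ?    ?        ?
"""
# Constructed current modes, standing in for a stat() of the live system.
OBSERVED = {"/bin": 0o777, "/etc": 0o775, "/dev/sd0a": 0o666, "/dev/sd0b": 0o600}
```

With the constructed data, would_tighten(parse_tune(SAMPLE), OBSERVED) flags only /etc and /dev/sd0a; /dev/sd0b is already stricter than 00640 and is left alone.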
SEE ALSO
aset(1M), asetenv(4)
ASET Administrator Manual
SunOS 5.10 13 Sep 1991 asetmasters(4)