asetmasters(4) manual page
NAME
     asetmasters, tune.low, tune.med, tune.high, uid_aliases, cklist.low,
     cklist.med, cklist.high - ASET master files

SYNOPSIS
     /usr/aset/masters/tune.low
     /usr/aset/masters/tune.med
     /usr/aset/masters/tune.high
     /usr/aset/masters/uid_aliases
     /usr/aset/masters/cklist.low
     /usr/aset/masters/cklist.med
     /usr/aset/masters/cklist.high
DESCRIPTION
     The /usr/aset/masters directory contains several files used by the
     Automated Security Enhancement Tool (ASET). /usr/aset is the default
     operating directory for ASET. An alternative working directory can be
     specified by the administrator through the aset -d command or the
     ASETDIR environment variable. See aset(1M).

     These files are provided by default to meet the needs of most
     environments. Administrators can, however, edit them to meet their
     specific needs. The format and usage of each file are described below.

     All the master files allow comments and blank lines to improve
     readability. Comment lines must start with a leading "#" character.
     tune.low
     tune.med
     tune.high
          These files are used by the tune task (see aset(1M)) to restrict
          the permission settings of system objects. Each file is used by
          ASET at the security level indicated by its suffix. Each entry in
          the files is of the form:

               pathname mode owner group type

          where

          pathname   is the full pathname of the object.

          mode       is the permission setting.

          owner      is the owner of the object.

          group      is the group of the object.

          type       is the type of the object. It can be symlink for a
                     symbolic link, directory for a directory, or file for
                     everything else.

          Regular shell wildcard characters ("*", "?", ...) can be used in
          the pathname to match multiple objects. See sh(1). The mode is a
          five-digit octal number that represents the permission setting.
          Note that this setting is a least restrictive value, that is, a
          ceiling: ASET only ever tightens permissions down to it and never
          loosens them. If the current setting is already more restrictive
          than the specified value, it is left unchanged. For example, if
          mode is 00777, the permission is never changed, since 00777 is
          always at least as permissive as the current setting.

          Names must be used for owner and group instead of numeric IDs.
          "?" can be used as a "don't care" character in place of owner,
          group, or type to prevent ASET from changing the existing value of
          that parameter.
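The ceiling semantics of a tune entry, worked through in code. This is an added example and is not part of this manual page or of ASET itself: it parses tune-format text and dry-runs what the tune task would change over a constructed snapshot that stands in for stat(2) results on a live system. Two details are assumptions not stated on this page: the ceiling is applied to the rwx bits only (the set-id/sticky digit is left as found, so a 00777 entry really never changes anything), and an entry whose type does not match the object is skipped. TUNE_TEXT, SNAPSHOT, parse_tune and plan_changes are names introduced here.

```python
import fnmatch
from dataclasses import dataclass

# Constructed tune.* file content in the format this man page describes.
# '?' means "leave the existing value alone".
TUNE_TEXT = """\
# pathname     mode   owner  group     type
/bin           00777  root   staff     symlink
/etc           02755  root   staff     directory
/dev/sd*       00640  root   operator  file
/etc/shadow    00400  ?      ?         ?
"""

TYPES = ("symlink", "directory", "file")
PERM_BITS = 0o777   # assumption: the ceiling governs rwx bits only


@dataclass(frozen=True)
class TuneEntry:
    pathname: str   # full path, may contain shell wildcards
    mode: int       # least restrictive permission allowed (5 octal digits)
    owner: str      # user name or '?'
    group: str      # group name or '?'
    type: str       # 'symlink', 'directory', 'file' or '?'


def parse_tune(text):
    """Parse tune.low/med/high text; '#' lines and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        path, mode, owner, group, typ = fields
        if len(mode) != 5 or any(c not in "01234567" for c in mode):
            raise ValueError(f"line {lineno}: mode must be 5 octal digits, got {mode!r}")
        if typ != "?" and typ not in TYPES:
            raise ValueError(f"line {lineno}: unknown type {typ!r}")
        for name in (owner, group):            # names are required, not numeric IDs
            if name != "?" and name.isdigit():
                raise ValueError(f"line {lineno}: numeric ID {name!r}; use a name")
        entries.append(TuneEntry(path, int(mode, 8), owner, group, typ))
    return entries


@dataclass(frozen=True)
class Change:
    path: str
    old: tuple   # (mode, owner, group) as found
    new: tuple   # (mode, owner, group) after applying the ceiling


def plan_changes(entries, snapshot):
    """Dry-run of the tune task over a snapshot {path: (mode, owner, group, type)}.

    Every matching entry is a ceiling: rwx bits not in the entry are cleared,
    bits the entry allows but the object lacks are never added. Owner and
    group are replaced unless the entry says '?'.
    """
    changes = []
    for path, (mode, owner, group, typ) in sorted(snapshot.items()):
        new_mode, new_owner, new_group = mode, owner, group
        for e in entries:
            if not fnmatch.fnmatchcase(path, e.pathname):
                continue
            if e.type != "?" and e.type != typ:
                continue   # assumption: an entry of the wrong type does not apply
            new_mode = (new_mode & ~PERM_BITS) | (new_mode & e.mode & PERM_BITS)
            if e.owner != "?":
                new_owner = e.owner
            if e.group != "?":
                new_group = e.group
        if (new_mode, new_owner, new_group) != (mode, owner, group):
            changes.append(Change(path, (mode, owner, group),
                                  (new_mode, new_owner, new_group)))
    return changes


# Constructed snapshot standing in for stat(2) results on a live system.
SNAPSHOT = {
    "/bin":        (0o00777, "root", "staff",    "symlink"),    # already at ceiling
    "/etc":        (0o02775, "root", "staff",    "directory"),  # group-writable: tighten
    "/dev/sd0a":   (0o00660, "root", "sys",      "file"),       # mode and group wrong
    "/dev/sd1a":   (0o00640, "root", "operator", "file"),       # compliant
    "/dev/sdlink": (0o00777, "root", "operator", "symlink"),    # type mismatch: skipped
    "/etc/shadow": (0o00600, "root", "sys",      "file"),       # '?' keeps owner/group
}

if __name__ == "__main__":
    for c in plan_changes(parse_tune(TUNE_TEXT), SNAPSHOT):
        print(f"{c.path}: {c.old[0]:05o} {c.old[1]}:{c.old[2]}"
              f" -> {c.new[0]:05o} {c.new[1]}:{c.new[2]}")
```

Running the block prints only the three objects that would be tightened; /bin stays untouched even though a 00777 entry matches it, which is the "least restrictive value" rule in practice.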
     uid_aliases
          This file allows user IDs to be shared by multiple user accounts.
          Normally, ASET discourages such sharing for accountability reasons
          and reports user IDs that are shared. Administrators can, however,
          define permissible sharing by adding entries to this file. Each
          entry is of the form:

               uid=alias1=alias2=alias3= ...

          where

          uid        is the shared user ID.

          alias1, alias2, ...
                     are the user accounts sharing that user ID.

          For example, if sync and daemon share the user ID 1, the
          corresponding entry is:

               1=sync=daemon
     cklist.low
     cklist.med
     cklist.high
          These files are used by the cklist task (see aset(1M)), and are
          created the first time the task is run at the low, medium, and
          high levels respectively. When the cklist task is run, it compares
          the specified directory's contents with the appropriate
          cklist.level file and reports any discrepancies.
EXAMPLES
     The following are examples of valid entries for the tune.low, tune.med,
     and tune.high files:

          /bin      00777  root  staff     symlink
          /etc      02755  root  staff     directory
          /dev/sd*  00640  root  operator  file
SEE ALSO
     aset(1M), asetenv(4)

     ASET Administrator Manual