ASET Master Files

The ASET master files—tune.high, tune.low, tune.med, and uid_aliases—are located in the /usr/aset/masters directory. ASET uses the master files to define security levels. The checklist files cklist.high, cklist.med, and cklist.low are also located in the /usr/aset/masters directory. The checklist files are generated when you execute ASET and are used by ASET to check file permissions.

File Tuning

The tune.low, tune.med, and tune.high master files define the available ASET security levels. They specify the attributes of system files at each level and are used for comparison and reference.

The tune.high file, shown below, specifies the most restrictive level of security.


#
# Copyright 1990,1991,1999 by Sun Microsystems, Inc.
# All rights reserved.
#
#ident  "@(#)tune.high  1.10    99/04/14 SMI"
#
# Tune list for level high
#
# The original list was largely obsoleted by the
# "Safe Default File Permissions" project.
#
# Format:
#       pathname mode owner group type

/.cshrc 0600 root ? file
/.login  0600 root ? file
/.profile 0600 root ? file
/.logout 0600 root ? file
#

NOTE

With the change in default file permissions introduced in the Solaris 8 release, the long list in previous tune.high files is now obsolete.


The entries have the following syntax.

    pathname mode owner group type

The following rules apply to the entries in the tune files.

  • You can use regular shell wildcard characters such as an asterisk (*) and a question mark (?) in the path name for multiple references.

  • mode represents the least allowable value. If the current setting is already more restrictive than the specified value, ASET does not loosen the permission settings. For example, if the specified value is 0777, the permission remains unchanged, because 0777 is always less restrictive than the current setting.

    When you decrease the security level from what it was for the previous execution or when you want to restore the system files to the state they were in before ASET was first executed, ASET recognizes what you are doing and decreases the protection level.

  • You must use names for owner and group instead of numeric IDs.

  • You can use a question mark (?) in place of owner, group, and type to prevent ASET from changing the existing values of these parameters.

  • type can be symlink (symbolic link), directory, or file (everything else).

  • Higher security level tune files reset file permissions to be at least as restrictive as they are at lower levels. Also, at higher levels, additional files are added to the list.

  • A file can match more than one tune file entry. For example, /etc/passwd matches /etc/pass* and /etc*.

  • Where two entries have different permissions, the more restrictive file permission applies. In the following example, the permission of /etc/passwd is set to 00755, which is the more restrictive of 00755 and 00770.

    /etc/pass* 00755 ? ? file
    /etc/* 00770 ? ? file
    
  • If two entries have different owner or group designations, the last entry takes precedence.

You modify settings in the tune file by adding or deleting file entries.

NOTE

Setting a permission to a less restrictive value than the current setting has no effect; the ASET tasks do not relax permissions unless you downgrade your system security to a lower level.
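The tune-file rules above (wildcard matching, "never loosen", "?" placeholders, more restrictive permission across overlapping entries, last entry wins for owner and group) can be traced through with a small model. This is an added example, not ASET's own code: the tune fragment and the current file attributes are constructed, and "more restrictive" is modelled as keeping only the permission bits that every matching entry allows, which is this example's assumption about the semantics.

```python
import fnmatch

# Constructed tune-file fragment in the page's format (not /usr/aset/masters content).
TUNE = """\
# pathname mode owner group type
/etc/pass* 0644 root sys file
/etc/*     0664 ?    ?   file
/.profile  0600 root ?   file
"""


def parse_tune(text):
    """Parse 'pathname mode owner group type' lines; skip comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, mode, owner, group, ftype = line.split()
        entries.append((path, int(mode, 8), owner, group, ftype))
    return entries


def effective_settings(path, ftype, cur_mode, cur_owner, cur_group, entries):
    """Return (mode, owner, group) after applying every matching tune entry.

    Model used here (an assumption, not ASET's implementation):
      - shell wildcards in pathname, so several entries may match one file;
      - mode bits are only ever cleared, never granted (no loosening), and the
        result across entries is the intersection of the allowed bits;
      - '?' leaves owner/group as they are; otherwise the last entry wins.
    """
    mode, owner, group = cur_mode, cur_owner, cur_group
    for pattern, tmode, towner, tgroup, ttype in entries:
        if ttype != ftype or not fnmatch.fnmatchcase(path, pattern):
            continue
        mode &= tmode            # clear bits this entry does not allow
        if towner != "?":
            owner = towner
        if tgroup != "?":
            group = tgroup
    return mode, owner, group


if __name__ == "__main__":
    entries = parse_tune(TUNE)
    # /etc/passwd matches both /etc/pass* and /etc/*: 0666 -> 0644, owner/group from 1st entry
    print(effective_settings("/etc/passwd", "file", 0o666, "bin", "bin", entries))
    # /etc/shadow is already tighter than 0664, so nothing is loosened
    print(effective_settings("/etc/shadow", "file", 0o400, "root", "sys", entries))
```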


The uid_aliases File

The uid_aliases file contains a list of multiple user accounts sharing the same ID. Normally, ASET warns about such multiple user accounts because this practice lessens accountability. You can allow for exceptions to this rule by listing the exceptions in the uid_aliases file. ASET does not report entries in the passwd file with duplicate user IDs if these entries are specified in the uid_aliases file.

The default /usr/aset/masters/uid_aliases file is shown below.

#
# Copyright 1990, 1991 Sun Microsystems, Inc.  All Rights Reserved.
#
#
# sccsid = @(#) uid_aliases 1.1 1/2/91 14:39:52
#
# format:
#      uid=alias1=alias2=alias3= ...
# allows users "alias1", "aliase2", "alias3" to share the same uid.

0=+=root=checkfsys=makefsys=mountfsys=powerdown=setup=smtp=sysadm=umountfsys
1=sync=daemon

The default entry makes UID 0 equivalent to the user accounts root, checkfsys, makefsys, mountfsys, powerdown, setup, smtp, sysadm, and umountfsys. UID 1 is equivalent to the user accounts sync and daemon.

Each entry has the following format.

    uid=alias1=alias2=alias3=...

where uid is the shared UID number and aliasn is the name of the user account that shares the UID.
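The duplicate-UID check that uid_aliases suppresses can be reproduced as a small script. This is an added example, not ASET's own code; the uid_aliases text and the passwd lines are constructed, and the policy modelled is the one stated above: a shared UID is reported only for accounts that are not listed as aliases for it.

```python
# Constructed uid_aliases content in the page's format (not the shipped default file).
UID_ALIASES = """\
# uid=alias1=alias2=alias3= ...
0=+=root=sysadm
1=sync=daemon
"""

# Constructed passwd lines for illustration, not a real system's file.
PASSWD = """\
root:x:0:1:Super-User:/:/sbin/sh
sysadm:x:0:1:Admin:/usr/admin:/sbin/sh
backup:x:0:1:Backup:/export/backup:/bin/sh
daemon:x:1:1::/:
sync:x:1:1::/:
alice:x:100:10::/home/alice:/bin/ksh
bob:x:100:10::/home/bob:/bin/ksh
"""


def parse_uid_aliases(text):
    """Return {uid: set_of_account_names} from uid=alias1=alias2=... lines."""
    aliases = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        uid, *names = line.split("=")
        aliases[int(uid)] = set(names)
    return aliases


def duplicate_uid_report(passwd_text, aliases):
    """Return {uid: [unlisted accounts]} for UIDs shared by two or more accounts.

    Accounts named in uid_aliases for that UID are not reported; any other
    account sharing the UID is, because it weakens accountability.
    """
    by_uid = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, uid, *_ = line.split(":")
        by_uid.setdefault(int(uid), []).append(name)
    report = {}
    for uid, names in by_uid.items():
        if len(names) < 2:
            continue
        unlisted = sorted(n for n in names if n not in aliases.get(uid, set()))
        if unlisted:
            report[uid] = unlisted
    return report
```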

The Checklist Files

The master files cklist.high, cklist.med, and cklist.low are generated when you first execute ASET or when you run ASET after you change the security level.

The following environment variables determine the files that are checked by this task.

  • CKLISTPATH_LOW

  • CKLISTPATH_MED

  • CKLISTPATH_HIGH

Refer to the following section for more information about ASET environment variables.
