Sun Microsystems, Inc.

20. Using the Automated Security Enhancement Tool (Tasks)

ASET Environment Variables
PERIODIC_SCHEDULE Environment Variable

The value of PERIODIC_SCHEDULE follows the same format as the crontab file. Specify the variable value as a string of five fields enclosed in double quotation marks, with each field separated by a space:

"minutes hours day-of-month month day-of-week"

Table 20-3 Periodic_Schedule Variable Values

Variable        Value
minutes hours   Specifies start time in number of minutes (0-59) after the hour and the hour (0-23)
day-of-month    Specifies the day of the month when ASET should be run, with values from 1-31
month           Specifies the month of the year when ASET should be run, with values from 1-12
day-of-week     Specifies the day of the week when ASET should be run, with values from 0-6; Sunday is day 0

The following rules apply:

  • You can specify a list of values, each delimited by a comma, for any field.

  • You can specify a value as a number, or you can specify it as a range; that is, a pair of numbers that are joined by a hyphen. A range states that the ASET tasks should be executed for every time that is included in the range.

  • You can specify an asterisk (*) as the value of any field. An asterisk inclusively specifies all possible values of the field.

The default entry for the PERIODIC_SCHEDULE variable causes ASET to execute at 12:00 midnight every day:

PERIODIC_SCHEDULE="0 0 * * *"    

TASKS Environment Variable

The TASKS variable lists the tasks that ASET performs. The default is to list all seven tasks:

TASKS="env sysconfig usrgrp tune cklist eeprom firewall"

UID_ALIASES Environment Variable

The UID_ALIASES variable specifies an aliases file. If present, ASET consults this file for a list of permitted multiple aliases. The format is UID_ALIASES=pathname, where pathname is the full path name of the aliases file.

The default is as follows:

UID_ALIASES=${ASETDIR}/masters/uid_aliases

YPCHECK Environment Variable

The YPCHECK variable extends the task of checking system tables to include NIS or NIS+ tables. This variable is a Boolean variable, which can be set to either true or false.

The default is false, which confines the checking to local system tables:

YPCHECK=false

CKLISTPATH_level Environment Variable

The three checklist path variables list the directories to be checked by the system files checks task. The following definitions of the variables are set by default. They illustrate the relationship between the variables at different levels:

CKLISTPATH_LOW=${ASETDIR}/tasks:${ASETDIR}/util:${ASETDIR}/masters:/etc
CKLISTPATH_MED=${CKLISTPATH_LOW}:/usr/bin:/usr/ucb
CKLISTPATH_HIGH=${CKLISTPATH_MED}:/usr/lib:/sbin:/usr/sbin:/usr/ucblib

The values for the checklist path environment variables are similar to those values of the shell path variables, in that they are lists of directory names that are separated by colons. You use an equal sign (=) to connect the variable name to its value.

ASET File Examples

This section has examples of some ASET files, including the tune files and the aliases file.

Tune Files

ASET maintains three tune files. The following table describes the format of entries in all three tune files.

Table 20-4 Entry Format for Tune Files

Field Name   Description
pathname     The full path name of the file
mode         A five-digit number that represents the permission setting
owner        The owner of the file
group        The group owner of the file
type         The type of file

The following rules apply when you edit the tune files:

  • You can use regular shell wildcard characters, such as an asterisk (*) and a question mark (?), in the path name for multiple references. See sh(1) for more information.

  • mode represents the least restrictive value. If the current setting is already more restrictive than the specified value, ASET does not loosen the permission settings. For example, if the specified value is 00777, the permission remains unchanged, because 00777 is always less restrictive than whatever the current setting is.

    This process is how ASET handles mode setting, unless the security level is being downgraded or you are removing ASET. When you decrease the security level from what it was for the previous execution, or when you want to restore the system files to the state they were in before ASET was first executed, ASET recognizes what you are doing and decreases the protection level.

  • You must use names for owner and group instead of numeric IDs.

  • You can use a question mark (?) in place of owner, group, and type to prevent ASET from changing the existing values of these parameters.

  • type can be symlink (symbolic link), directory, or file (everything else).

  • Higher security level tune files reset file permissions to be at least as restrictive as they are at lower levels. Also, at higher security levels, additional files are added to the list.

  • A file can match more than one tune file entry. For example, /etc/passwd matches the /etc/pass* and /etc/* entries.

  • Where two entries have different permissions, the file permission is set to the most restrictive value. In the following example, the permission of the /etc/passwd file will be set to 00755, which is the more restrictive of 00755 and 00770.

    /etc/pass* 00755 ? ? file
    /etc/* 00770 ? ? file

  • If two entries have different owner or group designations, the last entry takes precedence. In the following example, the owner of /usr/sbin/chroot will be set to root.

    /usr/sbin/chroot 00555 bin bin file
    /usr/sbin/chroot 00555 root bin file
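The following is an added example, not part of ASET or of this guide, that applies the tune file rules above to a constructed tune file: shell wildcards in the path name (matched within one path component, as sh(1) globbing does), a question mark meaning "leave unchanged" for owner, group and type, the most restrictive mode when several entries match, the last entry winning for owner and group, and mode as a least-restrictive bound that never loosens an already tighter file. The guide does not say how ASET orders two modes; this example orders them numerically, which is the ordering that reproduces the 00755 result for 00755 versus 00770 above, and that choice is an assumption to verify against the tool itself.

```python
"""Resolve what an ASET-style tune file requires for a given path.

Added example; not Sun's ASET code. Entries use the page's format:
pathname mode owner group type. The tune file below is constructed.
"""
import re
from dataclasses import dataclass

SAMPLE_TUNE = """\
/etc/pass* 00755 ? ? file
/etc/* 00770 ? ? file
/usr/sbin/chroot 00555 bin bin file
/usr/sbin/chroot 00555 root bin file
/usr/lib 00755 root bin directory
"""

FILE_TYPES = ("symlink", "directory", "file", "?")


@dataclass
class Entry:
    pathname: str
    mode: int      # parsed from the five-digit octal field
    owner: str     # "?" means do not change
    group: str     # "?" means do not change
    ftype: str     # symlink, directory, file, or "?" for any


def parse_tune(text):
    """Parse tune file lines, rejecting malformed modes and unknown types."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, mode, owner, group, ftype = line.split()
        if len(mode) != 5 or ftype not in FILE_TYPES:
            raise ValueError(f"bad tune entry: {line!r}")
        entries.append(Entry(path, int(mode, 8), owner, group, ftype))
    return entries


def glob_to_regex(pattern):
    """Translate sh(1)-style * and ? so that neither crosses a '/'."""
    escaped = re.escape(pattern).replace(r"\*", "[^/]*").replace(r"\?", "[^/]")
    return re.compile("^" + escaped + "$")


def resolve(entries, path, ftype="file"):
    """Return (mode, owner, group) the tune file requires for path, or None.

    mode is the most restrictive of all matching entries (numeric order,
    an assumption explained in the lead-in); owner/group come from the
    last matching entry that does not use "?".
    """
    hits = [e for e in entries
            if e.ftype in ("?", ftype) and glob_to_regex(e.pathname).match(path)]
    if not hits:
        return None
    mode = min(e.mode for e in hits)
    owner = group = "?"
    for e in hits:
        if e.owner != "?":
            owner = e.owner
        if e.group != "?":
            group = e.group
    return mode, owner, group


def planned_mode(current, target):
    """Apply mode as a least-restrictive bound: never loosen a tighter file."""
    return current if current < target else target


if __name__ == "__main__":
    entries = parse_tune(SAMPLE_TUNE)
    mode, owner, group = resolve(entries, "/etc/passwd")
    print(f"/etc/passwd -> {mode:05o} {owner} {group}")   # 00755 ? ?
```

resolve() returns None for a path no entry covers, and because the wildcard translation stops at a slash, /etc/* does not reach files in subdirectories of /etc, which matches what a shell pattern in the path name would select.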

Aliases File

The aliases file contains a list of aliases that share the same user ID.

Each entry is in this form:

uid=alias1=alias2=alias3=...

uid              Shared UID.
alias1, alias2   User accounts that share the UID.

For example, the following entry lists the UID 0 that is being shared by the sysadm and root accounts:

0=root=sysadm
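The following is an added example, not part of ASET or of this guide, showing how an aliases file in the format above can be used: it reads the permitted aliases, finds every UID that more than one account in a passwd-style table shares, and reports the accounts that are not listed as permitted aliases for that UID. The passwd lines are constructed, and the exact checks ASET's own user and group task performs are not described on this page, so this is one reasonable use of the file rather than a description of the tool.

```python
"""Check a passwd table for shared UIDs against an ASET-style aliases file.

Added example; not Sun's ASET code. Aliases use the page's format
uid=alias1=alias2=...; the passwd lines are constructed sample data.
"""

SAMPLE_ALIASES = """\
# uid=alias1=alias2=...
0=root=sysadm
"""

SAMPLE_PASSWD = """\
root:x:0:1:Super-User:/:/sbin/sh
sysadm:x:0:1:Admin:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
oper:x:2:2:Operator:/:/sbin/sh
"""


def parse_aliases(text):
    """Return {uid: set(accounts)} permitted to share each listed UID."""
    allowed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        uid, *names = line.split("=")
        if not names:
            raise ValueError(f"alias entry without aliases: {line!r}")
        allowed[int(uid)] = set(names)
    return allowed


def shared_uids(passwd_text):
    """Return {uid: [accounts]} for every UID used by more than one account."""
    by_uid = {}
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name, _password, uid, *_rest = line.split(":")
        by_uid.setdefault(int(uid), []).append(name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def unpermitted_sharing(passwd_text, aliases_text):
    """Shared UIDs whose accounts are not all listed as aliases for that UID.

    Returns {uid: sorted list of accounts not covered by the aliases file}.
    """
    allowed = parse_aliases(aliases_text)
    findings = {}
    for uid, names in shared_uids(passwd_text).items():
        extra = set(names) - allowed.get(uid, set())
        if extra:
            findings[uid] = sorted(extra)
    return findings


if __name__ == "__main__":
    for uid, names in unpermitted_sharing(SAMPLE_PASSWD, SAMPLE_ALIASES).items():
        print(f"UID {uid} shared by unlisted accounts: {', '.join(names)}")
```

With the sample data, root and sysadm sharing UID 0 is accepted because the aliases file lists both, while bin and oper sharing UID 2 is reported because no entry permits it.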
