PERIODIC_SCHEDULE Environment Variable
The value of PERIODIC_SCHEDULE follows the same format as the crontab file. Specify the variable value as a string of five fields enclosed in double quotation marks, with each field separated by a space:
"minutes hours day-of-month month day-of-week"
Table 20-3 Periodic_Schedule Variable Values
Variable | Value |
---|---|
minutes hours | Specifies start time in number of minutes (0-59) after the hour and the hour (0-23) |
day-of-month | Specifies the day of the month when ASET should be run, with values from 1-31 |
month | Specifies the month of the year when ASET should be run, with values from 1-12 |
day-of-week | Specifies the day of the week when ASET should be run, with values from 0-6; Sunday is day 0 |
The following rules apply:
You can specify a list of values, each delimited by a comma, for any field.
You can specify a value as a number, or you can specify it as a range; that is, a pair of numbers that are joined by a hyphen. A range states that the ASET tasks should be executed for every time that is included in the range.
You can specify an asterisk (*) as the value of any field. An asterisk inclusively specifies all possible values of the field.
The default entry for the PERIODIC_SCHEDULE variable causes ASET to execute at 12:00 midnight every day:
PERIODIC_SCHEDULE="0 0 * * *"
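The following validator is an added example, not part of the original documentation or of ASET itself. It checks a PERIODIC_SCHEDULE value against the field ranges in Table 20-3 and the list, range, and asterisk rules above; the function names check_field and validate_schedule are hypothetical.

```sh
#!/bin/sh
# check_field VALUE MIN MAX: accept "*", a number, a range "a-b", or a comma-separated
# list of those, with every number inside MIN..MAX. Runs in a subshell so the IFS and
# globbing changes stay local.
check_field() (
    value=$1; min=$2; max=$3
    case $value in ''|,*|*,|*,,*) exit 1 ;; esac      # reject empty list items
    IFS=,; set -f
    for item in $value; do
        [ "$item" = "*" ] && continue
        case $item in
            *-*) lo=${item%%-*}; hi=${item#*-} ;;
            *)   lo=$item; hi=$item ;;
        esac
        for n in "$lo" "$hi"; do
            case $n in ''|*[!0-9]*) exit 1 ;; esac     # digits only
            [ "$n" -ge "$min" ] && [ "$n" -le "$max" ] || exit 1
        done
    done
    exit 0
)

# validate_schedule "minutes hours day-of-month month day-of-week":
# print "ok", or name the first field that breaks the rules, and return non-zero.
validate_schedule() (
    set -f                 # keep "*" literal while splitting
    set -- $1              # split the value on whitespace
    [ $# -eq 5 ] || { echo "expected 5 fields, got $#"; exit 1; }
    check_field "$1" 0 59 || { echo "bad minutes: $1"; exit 1; }
    check_field "$2" 0 23 || { echo "bad hours: $2"; exit 1; }
    check_field "$3" 1 31 || { echo "bad day-of-month: $3"; exit 1; }
    check_field "$4" 1 12 || { echo "bad month: $4"; exit 1; }
    check_field "$5" 0 6  || { echo "bad day-of-week: $5"; exit 1; }
    echo "ok"
)

# Constructed sample values: the default, a list/range mix, and an out-of-range hour.
for s in "0 0 * * *" "0,30 8-17 * * 1-5" "0 24 * * *"; do
    printf '%-20s %s\n' "$s" "$(validate_schedule "$s")"
done
```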
TASKS Environment Variable
The TASKS variable lists the tasks that ASET performs. The default is to list all seven tasks:
TASKS="env sysconfig usrgrp tune cklist eeprom firewall"
UID_ALIASES Environment Variable
The UID_ALIASES variable specifies an aliases file. If present, ASET consults this file for a list of permitted multiple aliases. The format is UID_ALIASES=pathname, where pathname is the full path name of the aliases file.
The default is as follows:
UID_ALIASES=${ASETDIR}/masters/uid_aliases
YPCHECK Environment Variable
The YPCHECK variable extends the task of checking system tables to include NIS or NIS+ tables. This variable is a Boolean variable, which can be set to either true or false.
The default is false, which confines the checking to local system tables:
YPCHECK=false
CKLISTPATH_level Environment Variable
The three checklist path variables list the directories to be checked by the system files checks task. The following definitions of the variables are set by default. They illustrate the relationship between the variables at different levels:
CKLISTPATH_LOW=${ASETDIR}/tasks:${ASETDIR}/util:${ASETDIR}/masters:/etc
CKLISTPATH_MED=${CKLISTPATH_LOW}:/usr/bin:/usr/ucb
CKLISTPATH_HIGH=${CKLISTPATH_MED}:/usr/lib:/sbin:/usr/sbin:/usr/ucblib
The values for the checklist path environment variables are similar to those values of the shell path variables, in that they are lists of directory names that are separated by colons. You use an equal sign (=) to connect the variable name to its value.
ASET File Examples
This section has examples of some ASET files, including the tune files and the aliases file.
Tune Files
ASET maintains three tune files. The following table describes the format of entries in all three tune files.
Table 20-4 Entry Format for Tune Files
Field Name | Description |
---|---|
pathname | The full path name of the file |
mode | A five-digit number that represents the permission setting |
owner | The owner of the file |
group | The group owner of the file |
type | The type of file |
The following rules apply when you edit the tune files:
You can use regular shell wildcard characters, such as an asterisk (*) and a question mark (?), in the path name for multiple references. See sh(1) for more information.
mode represents the least restrictive value. If the current setting is already more restrictive than the specified value, ASET does not loosen the permission settings. For example, if the specified value is 00777, the permission remains unchanged, because 00777 is always less restrictive than whatever the current setting is.
This process is how ASET handles mode setting, unless the security level is being downgraded or you are removing ASET. When you decrease the security level from what it was for the previous execution, or when you want to restore the system files to the state they were in before ASET was first executed, ASET recognizes what you are doing and decreases the protection level.
You must use names for owner and group instead of numeric IDs.
You can use a question mark (?) in place of owner, group, and type to prevent ASET from changing the existing values of these parameters.
type can be symlink (symbolic link), directory, or file (everything else).
Higher security level tune files reset file permissions to be at least as restrictive as they are at lower levels. Also, at higher security levels, additional files are added to the list.
A file can match more than one tune file entry. For example, /etc/passwd matches the /etc/pass* and /etc/* entries.
Where two entries have different permissions, the file permission is set to the most restrictive value. In the following example, the permission of the /etc/passwd file will be set to 00755, which is the more restrictive of 00755 and 00770.
/etc/pass* 00755 ? ? file
/etc/* 00770 ? ? file
If two entries have different owner or group designations, the last entry takes precedence. In the following example, the owner of /usr/sbin/chroot will be set to root.
/usr/sbin/chroot 00555 bin bin file
/usr/sbin/chroot 00555 root bin file
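The script below is an added example, not ASET's own code. It lints tune file entries against the format rules above and resolves the owner and group that the last matching entry would apply to a path. The names lint_tune and effective_owner are hypothetical, the last sample line is deliberately malformed, and the mode check assumes the five digits are octal.

```sh
#!/bin/sh
# Constructed sample entries (not from a real system): pathname mode owner group type
TUNE_SAMPLE='/usr/sbin/chroot 00555 bin bin file
/usr/sbin/chroot 00555 root bin file
/etc/pass* 00755 ? ? file
/etc/* 00770 ? ? file
etc/motd 0644 0 sys socket'

# lint_tune: read entries on stdin, print one "line N: problem" per rule violation.
lint_tune() {
    n=0
    while read -r path mode owner group type extra; do
        n=$((n + 1))
        [ -n "$path" ] || continue                      # skip blank lines
        if [ -z "$type" ] || [ -n "$extra" ]; then
            echo "line $n: expected 5 fields"; continue
        fi
        case $path in /*) ;; *) echo "line $n: pathname is not a full path" ;; esac
        case $mode in
            [0-7][0-7][0-7][0-7][0-7]) ;;
            *) echo "line $n: mode is not five octal digits" ;;
        esac
        for id in "$owner" "$group"; do                 # names or "?", never numeric IDs
            case $id in *[!0-9]*) ;; *) echo "line $n: numeric ID $id, use a name" ;; esac
        done
        case $type in
            symlink|directory|file|'?') ;;
            *) echo "line $n: unknown type $type" ;;
        esac
    done
}

# effective_owner PATH: read entries on stdin and print "owner group" from the last
# entry whose pathname pattern matches PATH ("?" means the existing value is kept).
# Note: in a case pattern "*" also matches "/", unlike pathname expansion.
effective_owner() {
    target=$1; own='?'; grp='?'
    while read -r path mode owner group type; do
        case $target in $path) own=$owner; grp=$group ;; esac
    done
    echo "$own $grp"
}

printf '%s\n' "$TUNE_SAMPLE" | lint_tune
printf '%s\n' "$TUNE_SAMPLE" | effective_owner /usr/sbin/chroot
```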
Aliases File
The aliases file contains a list of aliases that share the same user ID.
Each entry is in this form:
uid=alias1=alias2=alias3=...
uid | Shared UID. |
aliasn | User accounts that share the UID. |
For example, the following entry lists the UID 0 that is being shared by the sysadm and root accounts:
0=root=sysadm
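The audit below is an added example, not ASET's own check. It parses an aliases file in the uid=alias1=alias2 form that UID_ALIASES points to and reports every account that shares a UID without being listed for it. The function name unpermitted_shared_uids, the report format, and the sample passwd entries are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample data (not from a real system).
ALIASES_SAMPLE='0=root=sysadm'
PASSWD_SAMPLE='root:x:0:0:Super-User:/:/sbin/sh
sysadm:x:0:0:Admin:/:/sbin/sh
toor:x:0:0:Spare:/:/sbin/sh
alice:x:1001:10::/home/alice:/bin/sh
bob:x:1001:10::/home/bob:/bin/sh'

# unpermitted_shared_uids ALIASES PASSWD: print "uid account" for each account whose
# UID is used by more than one account and which the aliases text does not list for
# that UID. Both arguments are file contents, not file names.
unpermitted_shared_uids() {
    { printf '%s\n' "$1"; echo '--passwd--'; printf '%s\n' "$2"; } | awk '
        $0 == "--passwd--" { in_passwd = 1; next }      # marker between the two inputs
        NF == 0 { next }                                 # skip blank lines
        !in_passwd {                                     # aliases entry: uid=a1=a2=...
            n = split($0, f, "=")
            for (i = 2; i <= n; i++) ok[f[1], f[i]] = 1
            next
        }
        {                                                # passwd entry: name:pw:uid:...
            split($0, p, ":")
            count[p[3]]++
            names[p[3]] = names[p[3]] " " p[1]
        }
        END {
            for (uid in count) {
                if (count[uid] < 2) continue
                n = split(names[uid], a, " ")
                for (i = 1; i <= n; i++)
                    if (!((uid, a[i]) in ok)) print uid, a[i]
            }
        }' | LC_ALL=C sort
}

unpermitted_shared_uids "$ALIASES_SAMPLE" "$PASSWD_SAMPLE"
```

On a live system, pass the contents of the aliases file and of /etc/passwd as the two arguments.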