This section discusses how ASET is configured and the environment in which ASET operates.
ASET requires minimum administration and minimum configuration. In most cases, you can run ASET with the default values. You can, however, fine-tune some of the parameters that affect the operation and behavior of ASET to maximize its benefit. Before you change the default values, you should understand how ASET works, and how ASET affects the components of your system.
ASET relies on four configuration files to control the behavior of its tasks:
/usr/aset/asetenv
/usr/aset/masters/tune.low
/usr/aset/masters/tune.med
/usr/aset/masters/tune.high
The /usr/aset/asetenv file has two main sections:
A user-configurable environment variables section
An internal environment variables section
You can alter the user-configurable parameters section. However, the settings in the internal environment variables section are for internal use only. These settings should not be modified.
You can edit the entries in the user-configurable section to do the following:
Choose which tasks to run
Specify the directories for the system files checks task
Schedule ASET execution
Specify a UID aliases file
Extend checks to NIS+ tables
Each task that ASET performs monitors a particular area of system security. In most system environments, all the tasks are necessary to provide balanced security coverage. However, you might decide to eliminate one or more tasks.
For example, the firewall task runs at all security levels, but takes action only at the high security level. You might want to run ASET at the high security level, but you do not require firewall protection.
You can set up ASET to run at the high security level without the firewall feature. To do so, edit the TASKS list of environment variables in the asetenv file. By default, the TASKS list contains all of the ASET tasks. To delete a task, remove the task-related environment variable from the file. In this case, you would delete the firewall environment variable from the list. The next time ASET runs, the excluded task is not performed.
In the following example, the TASKS list with all of the ASET tasks is displayed.
TASKS="env sysconfig usrgrp tune cklist eeprom firewall"
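Because a task that is removed from TASKS simply stops running, it is worth checking which tasks a given asetenv file has dropped. The following sketch is an added example, not part of ASET or of the original page. It assumes the TASKS assignment sits on one line as shown above; the function names and the sample file content are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which default ASET tasks a TASKS list no longer runs.

# Default task list as shown on this page.
ASET_DEFAULT_TASKS="env sysconfig usrgrp tune cklist eeprom firewall"

# Read asetenv-style text on stdin and print the value of the last
# TASKS= assignment with its quotes removed.
aset_tasks_value() {
    sed -n 's/^[[:space:]]*TASKS=//p' | tail -n 1 | tr -d "\"'"
}

# Print each default task that is absent from the configured list $1.
aset_disabled_tasks() {
    _cfg=" $(printf '%s' "$1" | tr -s '[:space:]' ' ') "
    for _task in $ASET_DEFAULT_TASKS; do
        case $_cfg in
            *" $_task "*) ;;                    # still in the list
            *) printf '%s\n' "$_task" ;;        # removed from the list
        esac
    done
}

# Print each configured name in $1 that is not in the default list,
# for example a misspelled task name.
aset_unknown_tasks() {
    for _task in $1; do
        case " $ASET_DEFAULT_TASKS " in
            *" $_task "*) ;;
            *) printf '%s\n' "$_task" ;;
        esac
    done
}

# Constructed sample content, not taken from a real asetenv file.
SAMPLE_ASETENV='# user-configurable section (sample)
TASKS="env sysconfig usrgrp tune cklist eeprom"
'

configured=$(printf '%s' "$SAMPLE_ASETENV" | aset_tasks_value)
echo "configured tasks: $configured"
echo "default tasks not run: $(aset_disabled_tasks "$configured" | tr '\n' ' ')"
echo "names not in default list: $(aset_unknown_tasks "$configured" | tr '\n' ' ')"
```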
The system files checks task checks the attributes of files in selected system directories. You define which directories to check by using the following environment variables: CKLISTPATH_LOW, CKLISTPATH_MED, and CKLISTPATH_HIGH.
The CKLISTPATH_LOW variable defines the directories to be checked at the low security level. CKLISTPATH_MED and CKLISTPATH_HIGH environment variables function similarly for the medium and high security levels.
The directory list that is defined by an environment variable at a lower security level should be a subset of the directory list that is defined at the next higher level. For example, all directories that are specified for CKLISTPATH_LOW should be included in CKLISTPATH_MED. Similarly, all the directories that are specified for CKLISTPATH_MED should be included in CKLISTPATH_HIGH.
Checks that are performed on these directories are not recursive. ASET only checks those directories that are explicitly listed in the environment variable. ASET does not check their subdirectories.
You can edit these environment variable definitions to add or delete directories that you want ASET to check. Note that these checklists are useful only for system files that do not normally change from day to day. A user's home directory, for example, is generally too dynamic to be a candidate for a checklist.
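After editing the directory lists, you can confirm that they still nest as described above. The following check is an added example, not part of ASET or of the original page. It assumes each CKLISTPATH value is a colon-separated list of directories; the function names and sample values are constructed. Because the checks are not recursive, the comparison is on exact entries, so a parent directory does not count as covering a child directory.

```shell
#!/bin/sh
# Added example: verify that the CKLISTPATH_* lists nest LOW within MED
# within HIGH. Assumption: each list is colon-separated.

# Print every directory of list $1 that is not an entry of list $2.
cklist_missing() {
    _lower=$1
    _higher=$2
    _old_ifs=$IFS
    IFS=:
    set -f                                  # no globbing while splitting
    for _dir in $_lower; do
        [ -n "$_dir" ] || continue          # skip empty fields such as "::"
        case ":$_higher:" in
            *":$_dir:"*) ;;                 # exact entry present
            *) printf '%s\n' "$_dir" ;;     # /usr does not cover /usr/bin
        esac
    done
    set +f
    IFS=$_old_ifs
}

# Arguments: LOW MED HIGH. Prints each violation; returns 0 only if the
# lists nest correctly.
cklist_check_levels() {
    _low_gap=$(cklist_missing "$1" "$2")
    _med_gap=$(cklist_missing "$2" "$3")
    if [ -n "$_low_gap" ]; then
        printf '%s\n' "$_low_gap" |
            sed 's|^|in CKLISTPATH_LOW, missing from CKLISTPATH_MED: |'
    fi
    if [ -n "$_med_gap" ]; then
        printf '%s\n' "$_med_gap" |
            sed 's|^|in CKLISTPATH_MED, missing from CKLISTPATH_HIGH: |'
    fi
    [ -z "$_low_gap$_med_gap" ]
}

# Constructed sample values, not taken from a real asetenv file.
SAMPLE_LOW=/etc:/usr/aset/masters
SAMPLE_MED=/etc:/usr/aset/masters:/usr/bin
SAMPLE_HIGH=/etc:/usr:/usr/aset/masters:/usr/lib   # /usr/bin was dropped

cklist_check_levels "$SAMPLE_LOW" "$SAMPLE_MED" "$SAMPLE_HIGH" ||
    echo "CKLISTPATH lists do not nest; a higher level checks fewer directories"
```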
You can start ASET interactively, or you can use the -p option to request that the ASET tasks run at a scheduled time. You can run ASET periodically, at a time when system demand is light. ASET consults PERIODIC_SCHEDULE to determine how frequently to execute the ASET tasks, and at what time to run the tasks. For detailed instructions about setting up ASET to run periodically, see How to Run ASET Periodically.
The format of PERIODIC_SCHEDULE follows the format of crontab entries. For complete information, see crontab(1).
The UID_ALIASES variable specifies an aliases file that lists shared UIDs. The default file is /usr/aset/masters/uid_aliases.
The YPCHECK environment variable specifies whether ASET should also check system configuration file tables. YPCHECK is a Boolean variable. You can specify only true or false for YPCHECK. The default value is false, which disables NIS+ table checking.
To understand how this environment variable works, consider its effect on the passwd file. When set to false, ASET checks the local passwd file. When set to true, the task also checks the NIS+ passwd table for the domain of the system.
Although ASET automatically repairs the local files, ASET only reports potential problems in the NIS+ tables. ASET does not change the tables.
ASET uses the three master tune files, tune.low, tune.med, and tune.high, to ease or tighten access to critical system files. These master files are located in the /usr/aset/masters directory. You can modify the files to suit your environment. For examples, see Tune File Examples.
The tune.low file sets permissions to values that are appropriate for default system settings. The tune.med file further restricts these permissions. The tune.med file also includes entries that are not present in tune.low. The tune.high file restricts permissions even further.
Modify settings in the tune files by adding or deleting file entries. You cannot effectively set a permission to a less restrictive value than the current setting. The ASET tasks do not relax permissions unless you downgrade your system security to a lower level.