System Administration Guide: Security Services

Configuring ASET

This section discusses how ASET is configured. This section also discusses the environment in which ASET operates.

ASET requires minimum administration and minimum configuration. In most cases, you can run ASET with the default values. You can, however, fine-tune some of the parameters that affect the operation and behavior of ASET to maximize its benefit. Before you change the default values, you should understand how ASET works, and how ASET affects the components of your system.

ASET relies on four configuration files to control the behavior of its tasks:

Modifying the Environment File (asetenv)

The /usr/aset/asetenv file has two main sections:

You can alter the user-configurable parameters section. However, the settings in the internal environment variables section are for internal use only. These settings should not be modified.

You can edit the entries in the user-configurable section to do the following:

Choosing Which Tasks to Run: TASKS

Each task that ASET performs monitors a particular area of system security. In most system environments, all the tasks are necessary to provide balanced security coverage. However, you might decide to eliminate one or more tasks.

For example, the firewall task runs at all security levels, but takes action only at the high security level. You might want to run ASET at the high security level, but you do not require firewall protection.

You can set up ASET to run at the high security level without the firewall feature. To do so, edit the TASKS list of environment variables in the asetenv file. By default, the TASKS list contains all of the ASET tasks. To delete a task, remove the task-related environment variable from the file. In this case, you would delete the firewall environment variable from the list. The next time ASET runs, the excluded task is not performed.

In the following example, the TASKS list with all of the ASET tasks is displayed.

TASKS=”env sysconfig usrgrp tune cklist eeprom firewall”

Specifying Directories for System Files Checks Task: CKLISTPATH

The system files check checks the attributes of files in selected system directories. You define which directories to check by using the following environment variables.

The CKLISTPATH_LOW variable defines the directories to be checked at the low security level. CKLISTPATH_MED and CKLISTPATH_HIGH environment variables function similarly for the medium and high security levels.

The directory list that is defined by an environment variable at a lower security level should be a subset of the directory list that is defined at the next higher level. For example, all directories that are specified for CKLISTPATH_LOW should be included in CKLISTPATH_MED. Similarly, all the directories that are specified for CKLISTPATH_MED should be included in CKLISTPATH_HIGH.

Checks that are performed on these directories are not recursive. ASET only checks those directories that are explicitly listed in the environment variable. ASET does not check their subdirectories.

You can edit these environment variable definitions to add or delete directories that you want ASET to check. Note that these checklists are useful only for system files that do not normally change from day to day. A user's home directory, for example, is generally too dynamic to be a candidate for a checklist.

Scheduling ASET Execution: PERIODIC_SCHEDULE

You can start ASET interactively, or you can use the -p option to request that the ASET tasks run at a scheduled time. You can run ASET periodically, at a time when system demand is light. For example, ASET consults PERIODIC_SCHEDULE to determine how frequently to execute the ASET tasks, and at what time to run the tasks. For detailed instructions about setting up ASET to run periodically, see How to Run ASET Periodically.

The format of PERIODIC_SCHEDULE follows the format of crontab entries. For complete information, see crontab(1).

Specifying an Aliases File: UID_ALIASES

The UID_ALIASES variable specifies an aliases file that lists shared UIDs. The default file is /usr/aset/masters/uid_aliases.

Extending Checks to NIS+ Tables: YPCHECK

The YPCHECK environment variable specifies whether ASET should also check system configuration file tables. YPCHECK is a Boolean variable. You can specify only true or false for YPCHECK. The default value is false, which disables NIS+ table checking.

To understand how this environment variable works, consider its effect on the passwd file. When set to false, ASET checks the local passwd file. When set to true, the task also checks the NIS+ passwd table for the domain of the system.

Note –

Although ASET automatically repairs the local files, ASET only reports potential problems in the NIS+ tables. ASET does not change the tables.

Modifying the Tune Files

ASET uses the three master tune files, tune.low,, and tune.high, to ease or tighten access to critical system files. These master files are located in the /usr/aset/masters directory. You can modify the files to suit your environment. For examples, see Tune File Examples.

The tune.low file sets permissions to values that are appropriate for default system settings. The file further restricts these permissions. The file also includes entries that are not present in tune.low. The tune.high file restricts permissions even further.

Note –

Modify settings in the tune files by adding or deleting file entries. You cannot effectively set a permission to a less restrictive value than the current setting. The ASET tasks do not relax permissions unless you downgrade your system security to a lower level.