Tune File Examples
ASET maintains three tune files. Each entry in a tune file occupies one line. The fields in an entry are in the following order:
pathname mode owner group type |
- pathname
-
The full path name of the file
- mode
-
A five-digit number that represents the permission setting
- owner
-
The owner of the file
- group
-
The group owner of the file
- type
-
The type of file
The following rules apply when you edit the tune files:
-
You can use regular shell wildcard characters, such as an asterisk (*) and a question mark (?), in the path name for multiple references. For more information, see sh(1).
-
mode represents the least restrictive value. If the current setting is already more restrictive than the specified value, ASET does not loosen the permission settings. For example, if the specified value is 00777, the permission remains unchanged, because 00777 is always less restrictive than whatever the current setting is.
This process is how ASET handles mode setting. The process is different if the security level is being downgraded, or if you are removing ASET. When you decrease the security level from the level in the previous execution, or when you want to restore the system files to the state they were in before ASET was first executed, ASET recognizes what you are doing and decreases the protection level.
-
You must use names for owner and group instead of numeric IDs.
-
You can use a question mark (?) in place of owner, group, and type to prevent ASET from changing the existing values of these parameters.
-
type can be symlink, directory, or file. A symlink is a symbolic link.
-
Higher security level tune files reset file permissions to be at least as restrictive as file permissions at lower levels. Also, at higher security levels, additional files are added to the list.
-
A file can match more than one tune file entry. For example, etc/passwd matches the etc/pass* and /etc/* entries.
-
Where two entries have different permissions, the file permission is set to the most restrictive value. In the following example, the permission of the /etc/passwd file is set to 00755, which is the more restrictive of 00755 and 00770.
/etc/pass* 00755 ? ? file /etc/* 00770 ? ? file
-
If two entries have different owner designations or group designations, the last entry takes precedence. In the following example, the owner of /usr/sbin/chroot is set to root.
/usr/sbin/chroot 00555 bin bin file /usr/sbin/chroot 00555 root bin file
- © 2010, Oracle Corporation and/or its affiliates