ASET maintains three tune files. The following table describes the format of entries in all three tune files.
Table 20–4 Entry Format for Tune Files

| Field Name | Description |
|---|---|
| pathname | The full path name of the file |
| mode | A five-digit number that represents the permission setting |
| owner | The owner of the file |
| group | The group owner of the file |
| type | The type of file |
The following rules apply when you edit the tune files:

- You can use regular shell wildcard characters, such as an asterisk (*) and a question mark (?), in the path name to match multiple files. See sh(1) for more information.
- mode is a ceiling: it represents the least restrictive value that is allowed. If the current setting is already more restrictive than the specified value, ASET does not loosen the permission settings. For example, if the specified value is 00777, the permission remains unchanged, because no setting is less restrictive than 00777.

  This is how ASET handles mode setting unless the security level is being downgraded or you are removing ASET. When you decrease the security level from the one used for the previous execution, or when you want to restore the system files to the state they were in before ASET was first executed, ASET recognizes what you are doing and decreases the protection level.
- You must use names for owner and group, not numeric IDs.
- You can use a question mark (?) in place of owner, group, and type to prevent ASET from changing the existing values of these parameters.
- type can be symlink (symbolic link), directory, or file (everything else).
Higher security level tune files reset file permissions to be at least as restrictive as they are at lower levels. Also, at higher security levels, additional files are added to the list.
A file can match more than one tune file entry. For example, /etc/passwd matches both the /etc/pass* and the /etc/* entries.
Where two entries have different permissions, the file permission is set to the most restrictive value. In the following example, the permission of the /etc/passwd file will be set to 00755, which is the more restrictive of 00755 and 00770.
    /etc/pass*          00755 ? ? file
    /etc/*              00770 ? ? file
If two entries have different owner or group designations, the last entry takes precedence. In the following example, the owner of /usr/sbin/chroot will be set to root.
    /usr/sbin/chroot    00555 bin  bin file
    /usr/sbin/chroot    00555 root bin file
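To make the precedence rules above concrete, here is an added example that models how a set of tune-file entries resolves against a file's current state: wildcard path matching, the most restrictive mode among matching entries, no loosening unless the level is being downgraded, last entry wins for owner and group, and ? keeps the current value. It is not ASET's own code. Modes are compared numerically, following the text's own example where 00755 is the more restrictive of 00755 and 00770. Two points are assumptions, not stated on the page: an entry with an explicit type only applies to files of that type, and a downgrade applies the resolved mode even when it is looser. The sample tune file and file states are constructed.

```python
"""Resolve ASET-style tune-file entries against a file's current state
(added example; not ASET's own code, sample data constructed)."""
import fnmatch
from dataclasses import dataclass

# Constructed sample tune file. Columns: pathname mode owner group type
SAMPLE_TUNE = """
# pathname          mode  owner group type
/etc/pass*          00755 ?     ?     file
/etc/*              00770 ?     ?     file
/usr/sbin/chroot    00555 bin   bin   file
/usr/sbin/chroot    00555 root  bin   file
"""

VALID_TYPES = ("symlink", "directory", "file", "?")


@dataclass(frozen=True)
class Entry:
    pattern: str   # path name, may contain shell wildcards
    mode: int      # permission bits parsed from the five-digit octal field
    owner: str     # user name or '?'
    group: str     # group name or '?'
    ftype: str     # symlink, directory, file, or '?'


@dataclass
class FileState:
    path: str
    mode: int
    owner: str
    group: str
    ftype: str


def parse_tune(text):
    """Parse tune-file text into Entry objects, rejecting malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        pattern, mode, owner, group, ftype = fields
        if len(mode) != 5 or any(c not in "01234567" for c in mode):
            raise ValueError(f"line {lineno}: mode must be five octal digits: {mode!r}")
        # The tune-file rules require names, not numeric IDs.
        for name in (owner, group):
            if name != "?" and name.isdigit():
                raise ValueError(f"line {lineno}: numeric ID not allowed: {name!r}")
        if ftype not in VALID_TYPES:
            raise ValueError(f"line {lineno}: unknown type {ftype!r}")
        entries.append(Entry(pattern, int(mode, 8), owner, group, ftype))
    return entries


def matching_entries(entries, state):
    """Entries whose pattern matches the path and whose type applies.
    Assumption: an explicit type restricts the entry to that file type."""
    return [e for e in entries
            if fnmatch.fnmatchcase(state.path, e.pattern)
            and e.ftype in ("?", state.ftype)]


def resolve(entries, state, downgrade=False):
    """Return the (mode, owner, group) the file would end up with."""
    matched = matching_entries(entries, state)
    if not matched:
        return state.mode, state.owner, state.group

    # Most restrictive mode wins; numerically smallest, as in the page's example.
    target = min(e.mode for e in matched)
    # mode is a ceiling: never loosen the current setting unless downgrading
    # (assumption: a downgrade applies the resolved mode as-is).
    if target > state.mode and not downgrade:
        target = state.mode

    # Last matching entry wins for owner and group; '?' keeps the current value.
    owner, group = state.owner, state.group
    for e in matched:
        if e.owner != "?":
            owner = e.owner
        if e.group != "?":
            group = e.group
    return target, owner, group


def demo():
    """Resolve the page's two examples against constructed current states."""
    entries = parse_tune(SAMPLE_TUNE)
    return {
        "passwd": resolve(entries, FileState("/etc/passwd", 0o644, "root", "sys", "file")),
        "passwd_loose": resolve(entries, FileState("/etc/passwd", 0o777, "root", "sys", "file")),
        "chroot": resolve(entries, FileState("/usr/sbin/chroot", 0o755, "bin", "bin", "file")),
    }


if __name__ == "__main__":
    for name, (mode, owner, group) in demo().items():
        print(f"{name}: {mode:05o} {owner} {group}")
```

Running it shows the three behaviours from the text: /etc/passwd at 00644 stays at 00644 because the resolved 00755 would loosen it, /etc/passwd at 00777 is tightened to 00755, and /usr/sbin/chroot ends up 00555 with owner root and group bin because the later entry takes precedence.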