Choose Which Tasks to Run: TASKS
Each task that ASET performs monitors a particular area of system security. In most system environments, all the tasks are necessary to provide balanced security coverage. However, you might decide to eliminate one or more tasks.
For example, the firewall task runs at all security levels, but takes action only at the high security level. You might want to run ASET at the high security level, but you do not require firewall protection.
You can set up ASET to run at the high security level without the firewall feature by editing the TASKS list of environment variables in the asetenv file. By default, the TASKS list contains all of the ASET tasks. To delete a task, remove the task-related environment variable from the file. In this case, you would delete the firewall environment variable from the list. The next time ASET runs, the excluded task will not be performed.
The following example shows the TASKS list with all of the ASET tasks.
TASKS="env sysconfig usrgrp tune cklist eeprom firewall" |
Specify Directories for System Files Checks Task: CKLISTPATH
The system files check checks the attributes of files in selected system directories. You define which directories to check by using these checklist path environment variables.
The CKLISTPATH_LOW variable defines the directories to be checked at the low security level. CKLISTPATH_MED and CKLISTPATH_HIGH environment variables function similarly for the medium and high security levels.
The directory list that is defined by an environment variable at a lower security level should be a subset of the directory list that is defined at the next higher level. For example, all directories that are specified for CKLISTPATH_LOW should be included in CKLISTPATH_MED, and all the directories that are specified for CKLISTPATH_MED should be included in CKLISTPATH_HIGH.
Checks performed on these directories are not recursive. ASET only checks those directories that are explicitly listed in the environment variable. ASET does not check their subdirectories.
You can edit these environment variable definitions to add or delete directories that you want ASET to check. Note that these checklists are useful only for system files that do not normally change from day to day. A user's home directory, for example, is generally too dynamic to be a candidate for a checklist.
Schedule ASET Execution: PERIODIC_SCHEDULE
When you start ASET, you can start it interactively, or use the -p option to request that the ASET tasks run at a scheduled time. You can run ASET periodically, at a time when system demand is light. For example, ASET consults PERIODIC_SCHEDULE to determine how frequently to execute the ASET tasks, and at what time to run them. For detailed instructions about setting up ASET to run periodically, see "How to Run ASET Periodically".
The format of PERIODIC_SCHEDULE follows the format of crontab entries. See crontab(1) for complete information.
Specify an Aliases File: UID_ALIASES
The UID_ALIASES variable specifies an aliases file that lists shared UIDs. The default file is /usr/aset/masters/uid_aliases.
Extend Checks to NIS+ Tables: YPCHECK
The YPCHECK environment variable specifies whether ASET should also check system configuration file tables. YPCHECK is a Boolean variable; you can specify only true or false for it. The default value is false, which disables NIS+ table checking.
To understand how this environment variable works, consider its effect on the passwd file. When set to false, ASET checks the local passwd file. When set to true, the task also checks the NIS+ passwd file for the domain of the system.
Note - Although ASET automatically repairs the local tables, it only reports potential problems in the NIS+ tables. ASET does not change them.
Modifying the Tune Files
ASET uses the three master tune files, tune.low, tune.med, and tune.high, to ease or tighten access to critical system files. These master files are located in the /usr/aset/masters directory, and they can be modified to suit your environment. For additional information, see "Tune Files".
The tune.low file sets permissions to values that are appropriate for default system settings. The tune.med file further restricts these permissions and includes entries that are not present in tune.low. The tune.high file restricts permissions even further.
Note - Modify settings in the tune files by adding or deleting file entries. Setting a permission to a less restrictive value than the current setting has no effect. The ASET tasks do not relax permissions unless you downgrade your system security to a lower level.
Restoring System Files Modified by ASET
When ASET is executed for the first time, it saves and archives the original system files. The aset.restore utility reinstates these files. This utility also deschedules ASET, if it is currently scheduled for periodic execution. The aset.restore command is located in /usr/aset, the ASET operating directory.
Changes that are made to system files are lost when you run the aset.restore command.
You should use the aset.restore command in the following instances:
When you want to remove ASET changes and restore the original system. If you want to deactivate ASET permanently, you can remove it from cron scheduling if the aset command had previously been added to root's crontab. For instructions on how to use cron to remove automatic execution, see "How to Stop Running ASET Periodically".
After a brief period of experimenting with ASET, to restore the original system state.
When some major system feature is not working properly, and you suspect that ASET is causing the problem.
Network Operation With the NFS System
Generally, ASET is used in standalone mode, even on a system that is part of a network. As system administrator for your standalone system, you are responsible for the security of your system and for running and managing ASET to protect your system.
You can also use ASET in the NFS distributed environment. As a network administrator, you are responsible for installing, running, and managing various administrative tasks for all your clients. To facilitate ASET management across several client systems, you can make configuration changes that are applied globally to all clients, which eliminates the need for you to log in to each system to repeat the process.
When you are deciding how to set up ASET on your networked systems, you should consider how much you want users to control security on their own systems, and how much you want to centralize responsibility for security control.
Providing a Global Configuration for Each Security Level
A situation might arise where you want to set up more than one network configuration. For example, you might want to set up one configuration for clients that are designated with low security level, another configuration for those clients with medium level, and yet another configuration with high level.
If you need to create a separate ASET network configuration for each security level, you can create three ASET configurations on the server, one configuration for each level. You would export each configuration to the clients with the appropriate security level. Some ASET components that are common to all three configurations could be shared by using links.
Collecting ASET Reports
Not only can you centralize the ASET components on a server to be accessed by clients with or without superuser privilege, but you can also set up a central directory on a server to collect all reports that are produced by tasks that run on various clients. For instructions on setting up a collection mechanism, see "How to Collect ASET Reports on a Server".
Setting up the collection of reports on a server allows you to review reports for all clients from one location. You can use this method whether or not a client has superuser privilege. Alternatively, you can leave the reports directory on the local system when you want users to monitor their own ASET reports.
ASET Environment Variables
The following table lists the ASET environment variables and the values that they specify.
Table 20-2 ASET Environment Variables and Their Meanings
Environment Variable | Value Specified |
|---|---|
ASETDIR | ASET working directory |
ASETSECLEVEL | Security level |
PERIODIC_SCHEDULE | Periodic schedule |
TASKS | Tasks to run |
UID_ALIASES | Aliases file |
YPCHECK | Whether to extend checks to NIS maps and NIS+ tables |
CKLISTPATH_LOW | Directory lists for low security |
CKLISTPATH_MED | Directory list for medium security |
CKLISTPATH_HIGH | Directory list for high security |
The environment variables that are listed in the following sections are found in the /usr/aset/asetenv file. The ASETDIR and ASETSECLEVEL variables are optional and can be set only through the shell by using the aset command. The other environment variables can be set by editing the file.
ASETDIR Environment Variable
ASETDIR specifies an ASET working directory.
From the C shell, type:
% setenv ASETDIR pathname |
From the Bourne shell or the Korn shell, type:
$ ASETDIR=pathname $ export ASETDIR |
Set pathname to the full path name of the ASET working directory.
ASETSECLEVEL Environment Variable
The ASETSECLEVEL variable specifies a security level at which ASET tasks are executed.
From the C shell, type:
% setenv ASETSECLEVEL level |
From the Bourne shell or the Korn shell, type:
$ ASETSECLEVEL=level export ASETSECLEVEL |
In these commands, level can be set to one of the following:
low | Low security level |
med | Medium security level |
high | High security level |