JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
System Administration Guide: Security Services     Oracle Solaris 10 8/11 Information Library
search filter icon
search icon

Document Information


Part I Security Overview

1.  Security Services (Overview)

Part II System, File, and Device Security

2.  Managing Machine Security (Overview)

3.  Controlling Access to Systems (Tasks)

4.  Controlling Access to Devices (Tasks)

5.  Using the Basic Audit Reporting Tool (Tasks)

6.  Controlling Access to Files (Tasks)

7.  Using the Automated Security Enhancement Tool (Tasks)

Automated Security Enhancement Tool (ASET)

ASET Security Levels

ASET Task List

System Files Permissions Tuning

System Files Checks

User and Group Checks

System Configuration Files Check

Environment Variables Check

eeprom Check

Firewall Setup

ASET Execution Log

Example of an ASET Execution Log File

ASET Reports

Format of ASET Report Files

Examining ASET Report Files

Comparing ASET Report Files

ASET Master Files

Tune Files

The uid_aliases File

The Checklist Files

ASET Environment File (asetenv)

Configuring ASET

Modifying the Environment File (asetenv)

Choosing Which Tasks to Run: TASKS

Specifying Directories for System Files Checks Task: CKLISTPATH

Scheduling ASET Execution: PERIODIC_SCHEDULE

Specifying an Aliases File: UID_ALIASES

Extending Checks to NIS+ Tables: YPCHECK

Modifying the Tune Files

Restoring System Files Modified by ASET

Network Operation With the NFS System

Providing a Global Configuration for Each Security Level

Collecting ASET Reports

ASET Environment Variables

ASETDIR Environment Variable

ASETSECLEVEL Environment Variable

PERIODIC_SCHEDULE Environment Variable

TASKS Environment Variable

UID_ALIASES Environment Variable

YPCHECK Environment Variable

CKLISTPATH_level Environment Variables

ASET File Examples

Tune File Examples

Aliases File Examples

Running ASET (Task Map)

How to Run ASET Interactively

How to Run ASET Periodically

How to Stop Running ASET Periodically

How to Collect ASET Reports on a Server

Troubleshooting ASET Problems

ASET Error Messages

Part III Roles, Rights Profiles, and Privileges

8.  Using Roles and Privileges (Overview)

9.  Using Role-Based Access Control (Tasks)

10.  Role-Based Access Control (Reference)

11.  Privileges (Tasks)

12.  Privileges (Reference)

Part IV Cryptographic Services

13.  Oracle Solaris Cryptographic Framework (Overview)

14.  Oracle Solaris Cryptographic Framework (Tasks)

15.  Oracle Solaris Key Management Framework

Part V Authentication Services and Secure Communication

16.  Using Authentication Services (Tasks)

17.  Using PAM

18.  Using SASL

19.  Using Oracle Solaris Secure Shell (Tasks)

20.  Oracle Solaris Secure Shell (Reference)

Part VI Kerberos Service

21.  Introduction to the Kerberos Service

22.  Planning for the Kerberos Service

23.  Configuring the Kerberos Service (Tasks)

24.  Kerberos Error Messages and Troubleshooting

25.  Administering Kerberos Principals and Policies (Tasks)

26.  Using Kerberos Applications (Tasks)

27.  The Kerberos Service (Reference)

Part VII Oracle Solaris Auditing

28.  Oracle Solaris Auditing (Overview)

29.  Planning for Oracle Solaris Auditing

30.  Managing Oracle Solaris Auditing (Tasks)

31.  Oracle Solaris Auditing (Reference)



Automated Security Enhancement Tool (ASET)

The Oracle Solaris OS includes the Automated Security Enhancement Tool (ASET). ASET helps you to monitor and to control system security by automatically performing tasks that you would otherwise do manually.

The ASET security package provides automated administration tools that enable you to control and monitor your system's security. You specify a security level at which to run ASET. The security levels are low, medium, and high. At each higher level, ASET's file-control functions increase to reduce file access and tighten your system security.

There are seven tasks that ASET runs. Each task performs specific checks and adjustments to system files. The ASET tasks tighten file permissions, check the contents of critical system files for security weaknesses, and monitor crucial areas. ASET can also safeguard a network by applying the basic requirements of a firewall system to a system that serves as a gateway system. See Firewall Setup.

ASET uses master files for configuration. Master files, reports, and other ASET files are in the /usr/aset directory. These files can be changed to suit the particular requirements of your site.

Each task generates a report. The report notes detected security weaknesses and any changes that the task has made to the system files. When run at the highest security level, ASET attempts to modify all system security weaknesses. If ASET cannot correct a potential security problem, ASET reports the existence of the problem.

You can initiate an ASET session by using the /usr/aset/aset command interactively. Or, you can set up ASET to run periodically by putting an entry into the crontab file.

ASET tasks are disk-intensive. The tasks can interfere with regular activities. To minimize the impact on system performance, schedule ASET to run when system activity level is lowest. For example, run ASET once every 24 or 48 hours at midnight.

ASET Security Levels

ASET can be set to operate at one of three security levels: low, medium, or high. At each higher level, ASET's file-control functions increase to reduce file access and heighten system security. These functions range from monitoring system security without limiting users' file access, to increasingly tightening access permissions until the system is fully secured.

The following table outlines these three levels of security.

Security Level
Ensures that attributes of system files are set to standard release values. ASET performs several checks, then reports potential security weaknesses. At this level, ASET takes no action, so ASET does not affect system services.
Provides adequate security control for most environments. ASET modifies some settings of system files and parameters. ASET restricts system access to reduce the risks from security attacks. ASET reports security weaknesses and any modifications that ASET has made to restrict access. At this level, ASET does not affect system services.
Renders a highly secure system. ASET adjusts many system files and parameter settings to minimum access permissions. Most system applications and commands continue to function normally. However, at this level, security considerations take precedence over other system behavior.

Note - ASET does not change the permissions of a file to make the file less secure, unless you downgrade the security level. You could also intentionally revert the system to the settings that existed prior to running ASET.

ASET Task List

This section discusses what ASET does. You should understand each ASET task. By understanding the objectives of ASET, the operations that ASET performs, and the system components that ASET affects, you can interpret and use the reports effectively.

ASET report files contain messages that describe as specifically as possible any problems that were discovered by each ASET task. These messages can help you diagnose and correct these problems. However, successful use of ASET assumes that you possess a general understanding of system administration and system components. If you are a novice administrator, you can refer to other Oracle Solaris system administration documentation. You can read related manual pages to prepare yourself for ASET administration.

The taskstat utility identifies the tasks that have been completed. The utility also identifies the tasks that are still running. Each completed task produces a report file. For a complete description of the taskstat utility, refer to taskstat(1M).

System Files Permissions Tuning

This task sets the permissions on system files to the security level that you designate. This task is run when the system is installed. If you decide later to alter the previously established levels, then run this task again. At low security, permissions are set to values that are appropriate for an open information-sharing environment. At medium security, permissions are tightened to produce adequate security for most environments. At high security, permissions are tightened to severely restrict access.

Any modifications that this task makes to system files permissions or parameter settings are reported in the tune.rpt file. For an example of the files that ASET consults when ASET sets permissions, see Tune File Examples.

System Files Checks

This task examines system files and compares each file with a description of that file in a master file. The master file is created the first time ASET runs this task. The master file contains the system file settings that are enforced by checklist for the specified security level.

A list of directories whose files are to be checked is defined for each security level. You can use the default list, or you can modify the list, specifying different directories for each level.

For each file, the following criteria are checked:

Any discrepancies that ASET finds are reported in the cklist.rpt file. This file contains the results of comparing system file size, permission, and checksum values to the master file.

User and Group Checks

This task checks the consistency and integrity of user accounts and groups. The task uses the definitions in the passwd and group files. This task checks the local, and NIS or NIS+ password files. Password file problems for NIS+ are reported but not corrected.

his task checks for the following violations:

Discrepancies are reported in the usrgrp.rpt file.

System Configuration Files Check

During this task, ASET checks various system tables, most of which are in the /etc directory.

These files are the following:

ASET performs various checks and various modifications on these files. ASET reports problems in the sysconf.rpt file.

Environment Variables Check

This task checks how the PATH and UMASK environment variables are set for root, and for other users. The task checks the /.profile, /.login, and /.cshrc files.

The results of checking the environment for security are reported in the env.rpt file.

eeprom Check

This task checks the value of the eeprom security parameter to ensure that the parameter is set to the appropriate security level. You can set the eeprom security parameter to none, command, or full.

ASET does not change this setting, but reports its recommendations in the eeprom.rpt file.

Firewall Setup

This task ensures that the system can be safely used as a network relay. This task protects an internal network from external public networks by setting up a dedicated system as a firewall, which is described in Firewall Systems. The firewall system separates two networks. In this situation, each network approaches the other network as untrusted. The firewall setup task disables the forwarding of Internet Protocol (IP) packets. The firewall also hides routing information from the external network.

The firewall task runs at all security levels, but takes action only at the highest level. If you want to run ASET at high security, but find that your system does not require firewall protection, you can eliminate the firewall task. You eliminate the task by editing the asetenv file.

Any changes that are made are reported in the firewall.rpt file.

ASET Execution Log

ASET generates an execution log whether ASET runs interactively or in the background. By default, ASET generates the log file on standard output. The execution log confirms that ASET ran at the designated time, and also contains any execution error messages. The aset -n command directs the log to be delivered by electronic mail to a designated user. For a complete list of ASET options, see the aset(1M) man page.

Example of an ASET Execution Log File

ASET running at security level low

Machine=example; Current time = 0325_08:00

aset: Using /usr/aset as working directory

Executing task list...
All tasks executed. Some background tasks may still be running.

Run /usr/aset/util/taskstat to check their status:
     $/usr/aset/util/taskstat     aset_dir
Where aset_dir is ASET's operating directory, currently=/usr/aset

When the tasks complete, the reports can be found in:
You can view them by:
more /usr/aset/reports/latest/*.rpt 

The execution log first shows the system and time that ASET was run. Then, the execution log lists each task as the task was started.

ASET invokes a background process for each of these tasks, which are described in ASET Task List. The task is listed in the execution log when the task starts. This listing does not indicate that the task completed. To check the status of the background tasks, use the taskstat command.

ASET Reports

All report files that are generated from ASET tasks are stored in subdirectories under the /usr/aset/reports directory. This section describes the structure of the /usr/aset/reports directory, and provides guidelines on managing the report files.

ASET places the report files in subdirectories that are named to reflect the time and date when the reports are generated. This convention enables you to keep an orderly trail of records that document the system status as the status varies between ASET executions. You can monitor and compare these reports to determine the soundness of your system's security.

The following figure shows an example of the reports directory structure.

Figure 7-1 Structure of the ASET reports Directory

image:Diagram shows an example of a reports directory under the /usr/aset directory.

This example shows two report subdirectories.

The subdirectory names indicate the date and time that the reports were generated. Each report subdirectory name has the following format:


month, date, hour, and minute are all two-digit numbers. For example, 0125_01:00 represents January 25, at 1 a.m.

Each of the two report subdirectories contains a collection of reports that are generated from one execution of ASET.

The latest directory is a symbolic link that always points to the subdirectory that contains the latest reports. Therefore, to look at the latest reports that ASET has generated, you can go to the /usr/aset/reports/latest directory. There is a report file in this directory for each task that ASET performed during its most recent execution.

Format of ASET Report Files

Each report file is named after the task that generates the report. The following table lists tasks and their reports.

Table 7-1 ASET Tasks and Resulting Reports

System files permissions tuning (tune)
System files checks (cklist)
User and group checks (usrgrp)
System configuration files check (sysconf)
Environment variables check (env)
eeprom check (eeprom)
Firewall setup (firewall)

Within each report file, messages are bracketed by a beginning and an ending banner line. Sometimes, a task ends prematurely. For example, a task can end prematurely when a component of ASET is accidentally removed or damaged. In such cases, the report file usually contains a message near the end that indicates the reason for the premature termination.

The following is a sample report file, usrgrp.rpt.

*** Begin User and Group Checking ***
Checking /etc/passwd ...
Warning! Password file, line 10, no passwd
..end user check; starting group check ...
Checking /etc/group...
*** End User And group Checking ***

Examining ASET Report Files

After you initially run or reconfigure ASET, you should examine the report files closely. Reconfiguration includes modifying the asetenv file or the master files in the masters subdirectory, or changing the security level at which ASET operates.

The reports record any errors that were introduced when you reconfigured ASET. By watching the reports closely, you can react to, and solve, problems as the problems arise.

Comparing ASET Report Files

After you monitor the report files for a period during which there are no configuration changes or system updates, you might find that the content of the reports begins to stabilize. When the reports contain little unexpected information, you can use the diff utility to compare reports.

ASET Master Files

ASET's master files, tune.high, tune.low,, and uid_aliases, are located in the /usr/aset/masters directory. ASET uses the master files to define security levels. For more detail, see the asetmasters(4) man page.

Tune Files

The tune.low,, and tune.high master files define the available ASET security levels. The files specify the attributes of system files at each level and are used for comparison and reference purposes.

The uid_aliases File

The uid_aliases file contains a list of multiple user accounts that share the same user ID (UID). Normally, ASET warns about such multiple user accounts because this practice lessens accountability. You can allow for exceptions to this rule by listing the exceptions in the uid_aliases file. ASET does not report entries in the passwd file with duplicate UIDs if these entries are specified in the uid_aliases file.

Avoid having multiple user accounts share the same UID. You should consider other methods of achieving your objective. For example, if you intend for several users to share a set of permissions, you could create a group account. You could also create a role. The sharing of UIDs should be your last resort, used only when other methods cannot accomplish your objectives.

You can use the UID_ALIASES environment variable to specify an alternate aliases file. The default file is /usr/aset/masters/uid_aliases.

The Checklist Files

The master files that are used by the system files checks are generated when you first execute ASET. The master files are also generated when you run ASET after changing the security level.

The following environment variables define the files that are checked by this task:

ASET Environment File (asetenv)

The environment file, asetenv, contains a list of environment variables that affect ASET tasks. Some of these variables can be changed to modify ASET operation. For details about the asetenv file, see asetenv(4).

Configuring ASET

This section discusses how ASET is configured. This section also discusses the environment in which ASET operates.

ASET requires minimum administration and minimum configuration. In most cases, you can run ASET with the default values. You can, however, fine-tune some of the parameters that affect the operation and behavior of ASET to maximize its benefit. Before you change the default values, you should understand how ASET works, and how ASET affects the components of your system.

ASET relies on four configuration files to control the behavior of its tasks:

Modifying the Environment File (asetenv)

The /usr/aset/asetenv file has two main sections:

You can alter the user-configurable parameters section. However, the settings in the internal environment variables section are for internal use only. These settings should not be modified.

You can edit the entries in the user-configurable section to do the following:

Choosing Which Tasks to Run: TASKS

Each task that ASET performs monitors a particular area of system security. In most system environments, all the tasks are necessary to provide balanced security coverage. However, you might decide to eliminate one or more tasks.

For example, the firewall task runs at all security levels, but takes action only at the high security level. You might want to run ASET at the high security level, but you do not require firewall protection.

You can set up ASET to run at the high security level without the firewall feature. To do so, edit the TASKS list of environment variables in the asetenv file. By default, the TASKS list contains all of the ASET tasks. To delete a task, remove the task-related environment variable from the file. In this case, you would delete the firewall environment variable from the list. The next time ASET runs, the excluded task is not performed.

In the following example, the TASKS list with all of the ASET tasks is displayed.

TASKS=”env sysconfig usrgrp tune cklist eeprom firewall”

Specifying Directories for System Files Checks Task: CKLISTPATH

The system files check checks the attributes of files in selected system directories. You define which directories to check by using the following environment variables.

The CKLISTPATH_LOW variable defines the directories to be checked at the low security level. CKLISTPATH_MED and CKLISTPATH_HIGH environment variables function similarly for the medium and high security levels.

The directory list that is defined by an environment variable at a lower security level should be a subset of the directory list that is defined at the next higher level. For example, all directories that are specified for CKLISTPATH_LOW should be included in CKLISTPATH_MED. Similarly, all the directories that are specified for CKLISTPATH_MED should be included in CKLISTPATH_HIGH.

Checks that are performed on these directories are not recursive. ASET only checks those directories that are explicitly listed in the environment variable. ASET does not check their subdirectories.

You can edit these environment variable definitions to add or delete directories that you want ASET to check. Note that these checklists are useful only for system files that do not normally change from day to day. A user's home directory, for example, is generally too dynamic to be a candidate for a checklist.

Scheduling ASET Execution: PERIODIC_SCHEDULE

You can start ASET interactively, or you can use the -p option to request that the ASET tasks run at a scheduled time. You can run ASET periodically, at a time when system demand is light. For example, ASET consults PERIODIC_SCHEDULE to determine how frequently to execute the ASET tasks, and at what time to run the tasks. For detailed instructions about setting up ASET to run periodically, see How to Run ASET Periodically.

The format of PERIODIC_SCHEDULE follows the format of crontab entries. For complete information, see crontab(1).

Specifying an Aliases File: UID_ALIASES

The UID_ALIASES variable specifies an aliases file that lists shared UIDs. The default file is /usr/aset/masters/uid_aliases.

Extending Checks to NIS+ Tables: YPCHECK

The YPCHECK environment variable specifies whether ASET should also check system configuration file tables. YPCHECK is a Boolean variable. You can specify only true or false for YPCHECK. The default value is false, which disables NIS+ table checking.

To understand how this environment variable works, consider its effect on the passwd file. When set to false, ASET checks the local passwd file. When set to true, the task also checks the NIS+ passwd table for the domain of the system.

Note - Although ASET automatically repairs the local files, ASET only reports potential problems in the NIS+ tables. ASET does not change the tables.

Modifying the Tune Files

ASET uses the three master tune files, tune.low,, and tune.high, to ease or tighten access to critical system files. These master files are located in the /usr/aset/masters directory. You can modify the files to suit your environment. For examples, see Tune File Examples.

The tune.low file sets permissions to values that are appropriate for default system settings. The file further restricts these permissions. The file also includes entries that are not present in tune.low. The tune.high file restricts permissions even further.

Note - Modify settings in the tune files by adding or deleting file entries. You cannot effectively set a permission to a less restrictive value than the current setting. The ASET tasks do not relax permissions unless you downgrade your system security to a lower level.

Restoring System Files Modified by ASET

When ASET is executed for the first time, ASET saves and archives the original system files. The aset.restore utility reinstates these files. This utility also deschedules ASET, if ASET is currently scheduled for periodic execution. The aset.restore command is located in /usr/aset, the ASET operating directory.

Changes that are made to system files are lost when you run the aset.restore command.

You should use the aset.restore command in the following instances:

Network Operation With the NFS System

Generally, ASET is used in standalone mode, even on a system that is part of a network. As system administrator for your standalone system, you are responsible for the security of your system. Therefore, you are responsible for running and managing ASET to protect your system.

You can also use ASET in the NFS distributed environment. As a network administrator, you are responsible for installing, running, and managing various administrative tasks for all your clients. To facilitate ASET management across several client systems, you can make configuration changes that are applied globally to all clients. By globally applying changes, you eliminate the need to log in to each system to repeat the configuration changes.

When you are deciding how to set up ASET on your networked systems, you should consider who you want to control security. You might want users to control some security on their own systems. You might want to centralize responsibility for security control.

Providing a Global Configuration for Each Security Level

A situation might arise where you want to set up more than one network configuration. For example, you might want to set up one configuration for clients that are designated with low security level. You might want to set up another configuration for medium level clients, and yet another configuration with high level.

If you need to create a separate ASET network configuration for each security level, you can create three ASET configurations on the server. You create one configuration for each level. You would export each configuration to the clients with the appropriate security level. Some ASET components that are common to all three configurations could be shared by using links.

Collecting ASET Reports

Not only can you centralize the ASET components on a server, but you can also set up a central directory on a server to collect all ASET reports. The server can be accessed by clients with or without superuser privileges. For instructions on setting up a collection mechanism, see How to Collect ASET Reports on a Server.

By setting up the collection of reports on a server, you can review reports for all clients from one location. You can use this method whether or not a client has superuser privileges. Alternatively, you can leave the reports directory on the local system when you want users to monitor their own ASET reports.

ASET Environment Variables

The following is a list of the ASET environment variables and the values that the variables specify.


Specifies the ASET working directory


Specifies the security level


Specifies the periodic schedule


Specifies which ASET tasks to run


Specifies an aliases file


Determines whether to extend checks to NIS maps and NIS+ tables


Is the directory list for low security


Is the directory for medium security


Is the directory list for high security

The environment variables that are listed in the following sections are found in the /usr/aset/asetenv file. The ASETDIR and ASETSECLEVEL variables are optional. The variables can be set only through the shell by using the /usr/aset/aset command. The other environment variables can be set by editing the file.

ASETDIR Environment Variable

ASETDIR specifies an ASET working directory.

From the C shell, type:

% setenv ASETDIR pathname 

From the Bourne shell or the Korn shell, type:

$ ASETDIR=pathname
$ export ASETDIR

Set pathname to the full path name of the ASET working directory.

ASETSECLEVEL Environment Variable

The ASETSECLEVEL variable specifies a security level at which ASET tasks are executed.

From the C shell, type:

% setenv ASETSECLEVEL level

From the Bourne shell or the Korn shell, type:


In these commands, level can be set to one of the following:


Low security level


Medium security level


High security level

PERIODIC_SCHEDULE Environment Variable

The value of PERIODIC_SCHEDULE follows the same format as the crontab file. Specify the variable value as a string of five fields enclosed in double quotation marks, with each field separated by a space:

"minutes hours day-of-month month day-of-week"
minutes hours

Specifies start time in number of minutes (0-59) after the hour and the hour (0-23).


Specifies the day of the month when ASET should be run, with values from 1-31.


Specifies the month of the year when ASET should be run, with values from 1-12.


Specifies the day of the week when ASET should be run, with values from 0-6. Sunday is day 0.

The following rules apply when creating a periodic schedule for ASET:

The default entry for the PERIODIC_SCHEDULE variable causes ASET to execute at 12:00 midnight every day:


TASKS Environment Variable

The TASKS variable lists the tasks that ASET performs. The default is to list all seven tasks:

TASKS=”env sysconfig usrgrp tune cklist eeprom firewall”

UID_ALIASES Environment Variable

The UID_ALIASES variable specifies an aliases file. If present, ASET consults this file for a list of permitted multiple aliases. The format is UID_ALIASES=pathname, where pathname is the full path name of the aliases file.

The default is as follows:


YPCHECK Environment Variable

The YPCHECK variable extends the task of checking system tables to include NIS or NIS+ tables. The YPCHECK variable is a Boolean variable, which can be set to either true or false.

The default is false, which confines the checking to local system tables:


CKLISTPATH_level Environment Variables

The three checklist path variables list the directories to be checked by the system files checks task. The following definitions of the variables are set by default. The definitions illustrate the relationship between the variables at different levels:


The values for the checklist path environment variables are similar to the values of the shell path variables. Like the shell path variables, the checklist path environment variables are lists of directory names. The directory names are separated by colons. You use an equal sign (=) to connect the variable name to its value.

ASET File Examples

This section has examples of some ASET files, including the tune files and the aliases file.

Tune File Examples

ASET maintains three tune files. Each entry in a tune file occupies one line. The fields in an entry are in the following order:

pathname mode owner group type 

The full path name of the file


A five-digit number that represents the permission setting


The owner of the file


The group owner of the file


The type of file

The following rules apply when you edit the tune files:

Aliases File Examples

The aliases file contains a list of aliases that share the same user ID.

Each entry is in this form:



Shared UID.


User accounts that share a UID.

For example, the following entry lists the UID 0. The UID is being shared by the sysadm and root accounts: