System Administration Guide: Security Services

ASET Task List

This section discusses what ASET does. You should understand each ASET task. By understanding the objectives of ASET, the operations that ASET performs, and the system components that ASET affects, you can interpret and use the reports effectively.

ASET report files contain messages that describe as specifically as possible any problems that were discovered by each ASET task. These messages can help you diagnose and correct these problems. However, successful use of ASET assumes that you possess a general understanding of system administration and system components. If you are a novice administrator, you can refer to other Solaris system administration documentation. You can read related manual pages to prepare yourself for ASET administration.

The taskstat utility identifies the tasks that have been completed. The utility also identifies the tasks that are still running. Each completed task produces a report file. For a complete description of the taskstat utility, refer to taskstat(1M).

System Files Permissions Tuning

This task sets the permissions on system files to the security level that you designate. This task is run when the system is installed. If you decide later to alter the previously established levels, then run this task again. At low security, permissions are set to values that are appropriate for an open information-sharing environment. At medium security, permissions are tightened to produce adequate security for most environments. At high security, permissions are tightened to severely restrict access.

Any modifications that this task makes to system files permissions or parameter settings are reported in the tune.rpt file. For an example of the files that ASET consults when ASET sets permissions, see Tune File Examples.

System Files Checks

This task examines system files and compares each file with a description of that file in a master file. The master file is created the first time ASET runs this task. The master file contains the system file settings that are enforced by checklist for the specified security level.

A list of directories whose files are to be checked is defined for each security level. You can use the default list, or you can modify the list, specifying different directories for each level.

For each file, the size, permissions, and checksum recorded in the master file are compared with the file's current values.

Any discrepancies that ASET finds are reported in the cklist.rpt file. This file contains the results of comparing system file size, permission, and checksum values to the master file.
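The master-file comparison described above, as an added Python example; this is not ASET's own code. The master file format (a JSON mapping of path to attributes), the attributes recorded (owner, group, mode, size, and a SHA-256 checksum; the page does not say which checksum ASET uses), and the sample tree built under a temporary directory are all assumptions made here.

```python
import hashlib
import json
import os
import stat
import tempfile

# Added example, not ASET's own code. ASET stores its master checklist in a
# format this page does not show; here the master is a dict of path -> attrs.

def describe_file(path):
    """Record the attributes a checklist compares: owner, group, mode, size and
    a checksum of the contents (SHA-256 here, an assumption; ASET's own
    checksum algorithm is not described on this page)."""
    st = os.lstat(path)  # lstat: a symlink is recorded, not followed
    entry = {
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mode": stat.S_IMODE(st.st_mode),
        "size": st.st_size,
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    return entry

def build_master(directories):
    """First run: walk the configured directories and record every file."""
    master = {}
    for d in directories:
        for root, _dirs, files in os.walk(d):
            for name in files:
                p = os.path.join(root, name)
                master[p] = describe_file(p)
    return master

def check_against_master(master):
    """Later runs: compare the current state with the master and return one
    (path, attribute, expected, current) record per differing attribute."""
    findings = []
    for path, expected in sorted(master.items()):
        if not os.path.lexists(path):
            findings.append((path, "missing", None, None))
            continue
        current = describe_file(path)
        for key in sorted(set(expected) | set(current)):
            if expected.get(key) != current.get(key):
                findings.append((path, key, expected.get(key), current.get(key)))
    return findings

def format_report(findings):
    """Render findings in the one-problem-per-line style of a report file."""
    lines = []
    for path, attr, want, got in findings:
        if attr == "missing":
            lines.append(f"{path}: file missing")
            continue
        if attr == "mode":
            want, got = f"{want:04o}", f"{got:04o}"
        lines.append(f"{path}: {attr} was {want}, now {got}")
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed sample tree standing in for /etc on the checked system.
    with tempfile.TemporaryDirectory() as tmp:
        etc = os.path.join(tmp, "etc")
        os.mkdir(etc)
        pw = os.path.join(etc, "passwd")
        with open(pw, "w") as f:
            f.write("root:x:0:0:Super-User:/:/sbin/sh\n")
        os.chmod(pw, 0o644)
        master = build_master([etc])
        with open(os.path.join(tmp, "master.json"), "w") as f:
            json.dump(master, f, indent=1)
        # Simulate tampering: loosen permissions and append an entry.
        os.chmod(pw, 0o666)
        with open(pw, "a") as f:
            f.write("evil:x:0:0::/:/sbin/sh\n")
        print(format_report(check_against_master(master)))
```

The master file is only as trustworthy as the system was when it was created, which is why the text says it is created on the first run; a master built after a compromise will faithfully report the compromised state as normal.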

User and Group Checks

This task checks the consistency and integrity of user accounts and groups. The task uses the definitions in the passwd and group files. This task checks the local password files as well as the NIS or NIS+ password files. Password file problems for NIS+ are reported but not corrected.

This task checks for the following violations:

Discrepancies are reported in the usrgrp.rpt file.
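A passwd and group consistency check of the kind described above, as an added Python example that is not part of ASET. The page does not reproduce the list of violations ASET reports, so the checks implemented here (malformed entries, duplicate login and group names, duplicate UIDs, empty password fields, extra UID 0 accounts, primary GIDs missing from the group file, nonexistent login directories, null group password fields, and group members that are not accounts) are assumptions, as are the constructed sample files.

```python
import os
from collections import Counter

# Added example, not ASET's own code. The page does not reproduce the list
# of violations ASET reports; the checks below are the usual passwd/group
# consistency checks and are an assumption.

def parse_colon_file(text, nfields):
    """Split passwd(4)- or group(4)-style text into field lists.
    Lines with the wrong number of fields are returned separately."""
    records, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            malformed.append((lineno, line))
        else:
            records.append(fields)
    return records, malformed

def check_users_and_groups(passwd_text, group_text, check_home=True):
    """Return a list of human-readable findings, one per violation."""
    findings = []
    users, bad_pw = parse_colon_file(passwd_text, 7)
    groups, bad_gr = parse_colon_file(group_text, 4)
    findings += [f"passwd line {n}: malformed entry: {l}" for n, l in bad_pw]
    findings += [f"group line {n}: malformed entry: {l}" for n, l in bad_gr]

    names = Counter(u[0] for u in users)
    uids = Counter(u[2] for u in users)
    gnames = Counter(g[0] for g in groups)
    gids = {g[2] for g in groups}
    findings += [f"passwd: duplicate login name {n}" for n, c in names.items() if c > 1]
    findings += [f"passwd: duplicate uid {u}" for u, c in uids.items() if c > 1]
    findings += [f"group: duplicate group name {g}" for g, c in gnames.items() if c > 1]

    for name, pw, uid, gid, _gecos, home, _shell in users:
        if pw == "":
            # Empty password field: login without any password.
            findings.append(f"passwd: account {name} has no password")
        if not (uid.isdigit() and gid.isdigit()):
            findings.append(f"passwd: non-numeric uid/gid for {name}")
            continue
        if uid == "0" and name != "root":
            findings.append(f"passwd: account {name} has uid 0")
        if gid not in gids:
            findings.append(f"passwd: {name} primary gid {gid} not in group file")
        if check_home and not os.path.isdir(home):
            findings.append(f"passwd: {name} login directory {home} does not exist")

    for gname, gpw, _gid, members in groups:
        if gpw == "":
            # Null group password field: an empty field, not a locked one ("x" or "*").
            findings.append(f"group: {gname} has a null password field")
        for member in filter(None, members.split(",")):
            if member not in names:
                findings.append(f"group: {gname} lists unknown member {member}")
    return findings

# Constructed sample files, not copied from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
guest::1001:10:Guest:/export/home/guest:/bin/sh
toor:x:0:0:Backdoor:/:/bin/sh
jdoe:x:1002:9999:John Doe:/export/home/jdoe:/bin/sh
broken:x:1003
"""
SAMPLE_GROUP = """\
root:x:0:
other:x:1:
bin:x:2:root,bin,daemon
staff:x:10:jdoe,nobody
sysadmin::14:
"""

if __name__ == "__main__":
    # check_home=False because the sample home directories are fictional.
    for finding in check_users_and_groups(SAMPLE_PASSWD, SAMPLE_GROUP, check_home=False):
        print(finding)
```

The second UID 0 account (toor) and the passwordless guest account are the findings an attacker's persistence would most often produce; the malformed line matters because some password-file parsers silently skip or misread such entries, which is why "entries in incorrect format" is worth reporting rather than ignoring.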

System Configuration Files Check

During this task, ASET checks various system tables, most of which are in the /etc directory.

These files are the following:

ASET performs various checks and various modifications on these files. ASET reports problems in the sysconf.rpt file.

Environment Variables Check

This task checks how the PATH and UMASK environment variables are set for root and for other users. The task checks the /.profile, /.login, and /.cshrc files.

The results of checking the environment for security are reported in the env.rpt file.
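A PATH and umask check over the startup files named above, as an added Python example that is not ASET's own code. What counts as a violation is not spelled out on this page, so the rules applied here are assumptions: no current-directory (empty or ".") element in PATH, no relative or world-writable PATH directory, and a umask that denies write to group and other. The sample .profile and .cshrc contents are constructed.

```python
import os
import re
import stat

# Added example, not ASET's own code. The thresholds applied here are an
# assumption about what a secure root environment looks like.

SH_PATH = re.compile(r'^\s*(?:export\s+)?PATH=["\']?([^"\'\s;]*)')   # PATH=/a:/b
CSH_SETENV = re.compile(r'^\s*setenv\s+PATH\s+["\']?([^"\'\s;]*)')   # setenv PATH /a:/b
CSH_SET = re.compile(r'^\s*set\s+path\s*=\s*\(([^)]*)\)')            # set path=(/a /b)
UMASK = re.compile(r'^\s*umask\s+([0-7]{1,4})')                      # umask 022

def extract_settings(text):
    """Return (path_elements, umask) from sh- or csh-style rc text.
    The last assignment wins, as it would in the shell; None if unset."""
    path, umask = None, None
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = SH_PATH.match(line) or CSH_SETENV.match(line)
        if m:
            path = m.group(1).split(":")
            continue
        m = CSH_SET.match(line)
        if m:
            path = m.group(1).split()
            continue
        m = UMASK.match(line)
        if m:
            umask = int(m.group(1), 8)
    return path, umask

def check_path(elements, stat_fn=os.stat):
    findings = []
    for el in elements:
        if el in ("", "."):
            # A command planted in the current directory runs as root.
            findings.append(f"PATH contains the current directory ({el!r})")
        elif el.startswith("$"):
            continue  # inherited value such as $PATH, not resolvable statically
        elif not el.startswith("/"):
            findings.append(f"PATH contains relative entry {el}")
        else:
            try:
                st = stat_fn(el)
            except OSError:
                findings.append(f"PATH entry {el} does not exist")
                continue
            if st.st_mode & stat.S_IWOTH:
                # Anyone can drop a trojan binary here; sticky bit does not help.
                findings.append(f"PATH entry {el} is world-writable")
    return findings

def check_umask(value):
    if value is None:
        return ["umask is not set"]
    if value & 0o022 != 0o022:
        return [f"umask {value:03o} allows group or other write"]
    return []

def check_rc_file(name, text, stat_fn=os.stat):
    """Check one startup file; findings are prefixed with its name."""
    path, umask = extract_settings(text)
    findings = check_path(path, stat_fn) if path is not None else []
    findings += check_umask(umask)
    return [f"{name}: {f}" for f in findings]

# Constructed sample startup files for root, not taken from a real system.
SAMPLE_PROFILE = """\
PATH=/usr/sbin:/usr/bin:/usr/local/bin:.
export PATH
umask 000
"""
SAMPLE_CSHRC = """\
set path=(/usr/sbin /usr/bin /tmp)
umask 022
"""

if __name__ == "__main__":
    for name, text in (("/.profile", SAMPLE_PROFILE), ("/.cshrc", SAMPLE_CSHRC)):
        for finding in check_rc_file(name, text):
            print(finding)
```

Both shells are covered because root on a Solaris system may be using either family, and the csh files set the same two things with a different syntax; a check that only parses Bourne-style assignments would miss a `set path=(... .)` in /.cshrc entirely.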

eeprom Check

This task checks the value of the eeprom security parameter to ensure that the parameter is set to the appropriate security level. You can set the eeprom security parameter to none, command, or full.

ASET does not change this setting, but reports its recommendations in the eeprom.rpt file.

Firewall Setup

This task ensures that the system can be safely used as a network relay. This task protects an internal network from external public networks by setting up a dedicated system as a firewall, which is described in Firewall Systems. The firewall system separates two networks. In this situation, each network treats the other network as untrusted. The firewall setup task disables the forwarding of Internet Protocol (IP) packets. The firewall also hides routing information from the external network.

The firewall task runs at all security levels, but takes action only at the highest level. If you want to run ASET at high security, but find that your system does not require firewall protection, you can eliminate the firewall task. You eliminate the task by editing the asetenv file.

Any changes that are made are reported in the firewall.rpt file.