This section discusses what ASET does. You should understand each ASET task. By understanding the objectives of ASET, the operations that ASET performs, and the system components that ASET affects, you can interpret and use the reports effectively.
ASET report files contain messages that describe as specifically as possible any problems that were discovered by each ASET task. These messages can help you diagnose and correct these problems. However, successful use of ASET assumes that you possess a general understanding of system administration and system components. If you are a novice administrator, you can refer to other Solaris system administration documentation. You can read related manual pages to prepare yourself for ASET administration.
The taskstat utility identifies the tasks that have been completed. The utility also identifies the tasks that are still running. Each completed task produces a report file. For a complete description of the taskstat utility, refer to taskstat(1M).
This task sets the permissions on system files to the security level that you designate. This task is run when the system is installed. If you decide later to alter the previously established levels, then run this task again. At low security, permissions are set to values that are appropriate for an open information-sharing environment. At medium security, permissions are tightened to produce adequate security for most environments. At high security, permissions are tightened to severely restrict access.
Any modifications that this task makes to system file permissions or parameter settings are reported in the tune.rpt file. For an example of the files that ASET consults when ASET sets permissions, see Tune File Examples.
This task examines system files and compares each file with a description of that file in a master file. The master file is created the first time ASET runs this task. The master file contains the system file settings that are enforced by checklist for the specified security level.
A list of directories whose files are to be checked is defined for each security level. You can use the default list, or you can modify the list, specifying different directories for each level.
For each file, the following criteria are checked:
Owner and group
Size and checksum
Number of links
Last modification time
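The comparison described above, as an added example (not ASET's own code or master-file format): the first run records the listed attributes of each file in a master file, and later runs report every attribute that differs. The JSON layout, the function names, and the use of SHA-256 as the checksum are assumptions of this example.

```python
import hashlib
import json
import os

def describe(path):
    """Record the attributes that are compared for one file."""
    st = os.lstat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()  # assumed checksum algorithm
    return {"owner": st.st_uid, "group": st.st_gid, "size": st.st_size,
            "checksum": digest, "links": st.st_nlink, "mtime": int(st.st_mtime)}

def scan(directories):
    """Describe every regular file directly inside the listed directories."""
    found = {}
    for d in directories:
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            if os.path.isfile(path) and not os.path.islink(path):
                found[path] = describe(path)
    return found

def check(directories, master_path):
    """Create the master file on the first run; afterwards report differences."""
    current = scan(directories)
    if not os.path.exists(master_path):
        with open(master_path, "w") as fh:
            json.dump(current, fh, indent=1, sort_keys=True)
        return []
    with open(master_path) as fh:
        master = json.load(fh)
    report = []  # tuples of (path, attribute, master value, current value)
    for path in sorted(set(master) | set(current)):
        old, new = master.get(path), current.get(path)
        if old is None:
            report.append((path, "added", None, None))
        elif new is None:
            report.append((path, "removed", None, None))
        else:
            for field in old:
                if old[field] != new[field]:
                    report.append((path, field, old[field], new[field]))
    return report

if __name__ == "__main__":
    import sys
    # usage (hypothetical script name): check.py MASTER_FILE DIR [DIR ...]
    for finding in check(sys.argv[2:], sys.argv[1]):
        print(*finding)
```

Store the master file where the accounts being audited cannot write to it, because anyone who can rewrite the master can hide a change from the comparison.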
This task checks the consistency and integrity of user accounts and groups. The task uses the definitions in the passwd and group files. This task checks the local password files, and the NIS or NIS+ password files. Password file problems for NIS+ are reported but not corrected.
This task checks for the following violations:
Duplicate names or IDs
Entries in incorrect format
Accounts without a password
Invalid login directories
The nobody account
Null group password
A plus sign (+) in the /etc/passwd file on an NIS server or an NIS+ server
During this task, ASET checks various system tables, most of which are in the /etc directory.
These files are the following:
This task checks how the PATH and UMASK environment variables are set for root, and for other users. The task checks the /.profile, /.login, and /.cshrc files.
This task checks the value of the eeprom security parameter to ensure that the parameter is set to the appropriate security level. You can set the eeprom security parameter to none, command, or full.
This task ensures that the system can be safely used as a network relay. This task protects an internal network from external public networks by setting up a dedicated system as a firewall, which is described in Firewall Systems. The firewall system separates two networks. In this situation, each network approaches the other network as untrusted. The firewall setup task disables the forwarding of Internet Protocol (IP) packets. The firewall also hides routing information from the external network.
The firewall task runs at all security levels, but takes action only at the highest level. If you want to run ASET at high security, but find that your system does not require firewall protection, you can eliminate the firewall task. You eliminate the task by editing the asetenv file.