test

System Administration Guide: Security Services

Running ASET (Task Map)

Task 

Description 

For Instructions 

Run ASET from the command line 

Protects the system at the ASET level that you specify. Views the execution log to see the changes. 

How to Run ASET Interactively

Run ASET in batch mode at regular intervals 

Sets up a cron job to ensure that ASET protects the system. 

How to Run ASET Periodically

Stop running ASET in batch mode 

Removes the ASET cron job. 

How to Stop Running ASET Periodically

Store ASET reports on a server 

Collects ASET reports from clients for monitoring in a central location. 

How to Collect ASET Reports on a Server

To set the variables in ASET, see ASET Environment Variables. To configure ASET, see Configuring ASET.

ProcedureHow to Run ASET Interactively

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map).

  2. Run ASET interactively by using the aset command.


    # /usr/aset/aset -l level -d pathname
    level

    Specifies the level of security. Valid values are low, medium, or high. The default setting is low. For detailed information about security levels, see ASET Security Levels.

    pathname

    Specifies the working directory for ASET. The default is /usr/aset.

  3. Verify that ASET is running by viewing the ASET execution log that is displayed on the screen.

    The execution log message identifies which tasks are being run.

Example 7–1 Running ASET Interactively

In the following example, ASET is run at low security with the default working directory.


# /usr/aset/aset -l low
======= ASET Execution Log =======
 
ASET running at security level low
 
Machine = jupiter; Current time = 0111_09:26
 
aset: Using /usr/aset as working directory
 
Executing task list ...
	firewall
	env
	sysconf
	usrgrp
	tune
	cklist
	eeprom
 
All tasks executed. Some background tasks may still be running.
 
Run /usr/aset/util/taskstat to check their status:
 /usr/aset/util/taskstat [aset_dir]
 
where aset_dir is ASET's operating
directory,currently=/usr/aset.
 
When the tasks complete, the reports can be found in:
 /usr/aset/reports/latest/*.rpt
 
You can view them by:
 more /usr/aset/reports/latest/*.rpt

ProcedureHow to Run ASET Periodically

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map).

  2. If necessary, set up the time when you want ASET to run periodically.

    You should have ASET run when system demand is light. The PERIODIC_SCHEDULE environment variable in the /usr/aset/asetenv file is used to set up the time for ASET to run periodically. By default, the time is set for every day at midnight.

    If you want to set up a different time, edit the PERIODIC_SCHEDULE variable in the /usr/aset/asetenv file. For detailed information about setting the PERIODIC_SCHEDULE variable, see PERIODIC_SCHEDULE Environment Variable.

  3. Add an entry to the crontab file by using the aset command.


    # /usr/aset/aset -p

    The -p option inserts a line in the crontab file that starts ASET running at the time determined by the PERIODIC_SCHEDULE environment variable in the /usr/aset/asetenv file.

  4. Display the crontab entry to verify when ASET is scheduled to run.


    # crontab -l root

ProcedureHow to Stop Running ASET Periodically

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Edit the crontab file.


    # crontab -e root

  3. Delete the ASET entry.

  4. Save the changes and exit.

  5. Display the crontab entry to verify that the ASET entry is deleted.


    # crontab -l root

ProcedureHow to Collect ASET Reports on a Server

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Set up a directory on the server:

    1. Change to the /usr/aset directory.


      mars# cd /usr/aset

    2. Create a rptdir directory.


      mars# mkdir rptdir

    3. Change to the rptdir directory, and create a client_rpt directory.

      This step creates a client_rpt subdirectory for a client. Repeat this step for each client whose reports you need to collect.


      mars# cd rptdir
mars# mkdir client_rpt

      In the following example, the directory all_reports, and the subdirectories pluto_rpt and neptune_rpt are created.


      mars# cd /usr/aset
mars# mkdir all_reports
mars# cd all_reports
mars# mkdir pluto_rpt
mars# mkdir neptune_rpt

  3. Add the client_rpt directories to the /etc/dfs/dfstab file.

    The directories should have read and write options.

    For example, the following entries in the dfstab file are shared with read and write permissions.


    share -F nfs -o rw=pluto /usr/aset/all_reports/pluto_rpt
share -F nfs -o rw=neptune /usr/aset/all_reports/neptune_rpt

  4. Make the resources in the dfstab file available to the clients.


    # shareall

  5. On each client, mount the client subdirectory from the server at the mount point, /usr/aset/masters/reports.


    # mount server:/usr/aset/client_rpt /usr/aset/masters/reports

  6. Edit the /etc/vfstab file to mount the directory automatically at boot time.

    The following sample entry in /etc/vfstab on neptune lists the directory to be mounted from mars, /usr/aset/all_reports/neptune_rpt, and the mount point on neptune, /usr/aset/reports. At boot time, the directories that are listed in vfstab are automatically mounted.


    mars:/usr/aset/all_reports/neptune.rpt /usr/aset/reports nfs - yes hard