
ASET

The Solaris 10 system software includes ASET (Automated Security Enhancement Tool), which helps you monitor and control system security by automatically performing tasks that you would otherwise do manually. ASET performs the following seven tasks, each of which makes specific checks and adjustments to system files and permissions to ensure system security:

  • Verifies appropriate system file permissions

  • Verifies system file contents

  • Checks the consistency and integrity of /etc/passwd and /etc/group file entries

  • Checks the contents of system configuration files

  • Checks environment files (.profile, .login, and .cshrc)

  • Verifies appropriate electrically erasable programmable read-only memory (EEPROM) settings

  • Ensures that the system can be safely used as a network relay

The ASET security package provides automated administration tools that let you control and monitor a system's security. You specify a low, medium, or high security level at which ASET runs. At each higher level, ASET's file-control functions increase to reduce file access and tighten system security.

ASET tasks are disk intensive and can interfere with regular activities. To minimize their impact on system performance, you should schedule ASET to run when the system activity level is lowest, for example, once every 24 or 48 hours, at midnight.

The syntax for the aset command is as follows:

/usr/aset/aset -l <level> -d <pathname>

Options to the aset command are described in Table 4.27.

Table 4.27. aset Command Options

Option        Description

<level>       Specifies the level of security. Valid values are low, medium, and high:

  • low: This level ensures that attributes of system files are set to standard release values. At this level, ASET performs several checks and reports potential security weaknesses. At this level, ASET takes no action and does not affect system services.

  • medium: This level provides adequate security control for most environments. At this level, ASET modifies some of the settings of system files and parameters, restricting system access to reduce the risks from security attacks. ASET reports security weaknesses and any modifications that it makes to restrict access. At this level, ASET does not affect system services.

  • high: This level renders a highly secure system. At this level, ASET adjusts many system files and parameter settings to minimum access permissions. Most system applications and commands continue to function normally, but at this level, security considerations take precedence over other system behavior.

<pathname>    Specifies the working directory for ASET. The default is /usr/aset.


The following example runs ASET at low security, using the default working directory /usr/aset:

# /usr/aset/aset -l low
======= ASET Execution Log =======
ASET running at security level low
Machine = holl300s; Current time = 0530_14:03
aset: Using /usr/aset as working directory
Executing task list ...
        firewall
        env
        sysconf
        usrgrp
        tune
        cklist
        eeprom
All tasks executed. Some background tasks may still be running.
Run /usr/aset/util/taskstat to check their status:
     /usr/aset/util/taskstat     [aset_dir]
where aset_dir is ASET's operating directory,currently=/usr/aset.
When the tasks complete, the reports can be found in:
     /usr/aset/reports/latest/*.rpt
You can view them by:
     more /usr/aset/reports/latest/*.rpt
#
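
When ASET runs unattended on a schedule, nobody reads the execution log, so a run at the wrong level or with a shortened task list can go unnoticed. The following shell function is an added example (not part of the book or of ASET itself) that checks a captured copy of the log shown above; the function names, the AWK variable, and the assumption that the log has been redirected to a file or pipe are all hypothetical.

```shell
#!/bin/sh
# Added example: check an ASET execution log captured from a scheduled run.
# The log layout is the one in the example run above; names are assumptions.
# On Solaris 10 set AWK=nawk (the legacy /usr/bin/awk does not support -v).
AWK=${AWK:-awk}

# The seven tasks named in the example run's task list.
ASET_TASKS="firewall env sysconf usrgrp tune cklist eeprom"

# aset_log_check EXPECTED_LEVEL   (execution log on stdin)
# Prints one line per finding; returns 0 only when the level matches,
# all seven tasks were launched, and the launch phase finished.
aset_log_check() {
    "$AWK" -v want="$1" -v tasks="$ASET_TASKS" '
        /^ASET running at security level / { level = $NF }
        /^Executing task list/ { in_list = 1; next }
        /^All tasks executed/  { in_list = 0; done = 1 }
        in_list && NF == 1     { seen[$1] = 1 }   # indented task names
        END {
            n = split(tasks, t, " ")
            if (level != want) {
                printf "LEVEL mismatch: got=%s want=%s\n", level, want; bad = 1
            }
            for (i = 1; i <= n; i++)
                if (!(t[i] in seen)) { printf "MISSING task: %s\n", t[i]; bad = 1 }
            if (!done) { print "INCOMPLETE: task launch did not finish"; bad = 1 }
            if (!bad) printf "OK level=%s tasks=%d\n", level, n
            exit (bad ? 1 : 0)
        }'
}

# Sample input: the log lines from the example run above.
sample_log() {
    cat <<'EOF'
======= ASET Execution Log =======
ASET running at security level low
Machine = holl300s; Current time = 0530_14:03
aset: Using /usr/aset as working directory
Executing task list ...
        firewall
        env
        sysconf
        usrgrp
        tune
        cklist
        eeprom
All tasks executed. Some background tasks may still be running.
EOF
}

sample_log | aset_log_check low
```

A passing check only confirms that the tasks were launched at the expected level; as the log itself says, background tasks may still be running, and the findings are in the reports under /usr/aset/reports/latest.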

