Unix‎ > ‎Solaris‎ > ‎Solaris man pages‎ > ‎1m‎ > ‎

aset


NAME
     aset - monitors or restricts accesses to  system  files  and
     directories

SYNOPSIS
     aset [-p]  [-d aset_dir]  [-l sec_level]  [-n user@host]  [-
     u userlist_file]

DESCRIPTION
     The Automated Security Enhancement Tool (ASET) is a  set  of
     administrative utilities that can improve system security by
     allowing the system administrators to check the settings  of
     system  files,  including  both the attributes (permissions,
     ownership, and the like) and  the  contents  of  the  system
     files.  It  warns  the  users of potential security problems
     and, where appropriate, sets the system files  automatically
     according to the security level specified.

     The security level for aset can be specified by setting  the
     -l command line option or the ASETSECLEVEL environment vari-
     able to be one of 3 values: low,  med,  or  high.   All  the
     functionality  operates  based  on the value of the security
     level.

     At the low level, aset  performs  a  number  of  checks  and
     reports any potential security weaknesses.

     At the med level, aset modifies some of the settings of sys-
     tem files and parameters, thus restricting system access, to
     reduce the risks from security attacks.  Again  reports  the
     security  weaknesses and the modifications performed to res-
     trict access. This does not affect the operations of  system
     services.  All the system applications and commands maintain
     all of their original functionality.

     At the high level, further restrictions are made  to  system
     access,  rendering  a  very defensive system. Security prac-
     tices which are not normally  required  are  included.  Many
     system files and parameters settings are modified to minimum
     access permissions. At this level, security is the  foremost
     concern,  higher  than  any other considerations that affect
     system behavior. The vast majority  of  system  applications
     and  commands  maintain  their functionality, although there
     may be a few that exhibit behaviors that are not familiar in
     normal system environment.

     More exact definitions of what exactly  aset  does  at  each
     level can be found in the System Administration Guide: Basic
     Administration. The asetenv(4) file  and  the  master  files
     determine  to  a  large  extent  what  aset performs at each
     level, and can be used by the experienced administrators  to
     redefine  the  definitions  of  the  levels  to  suit  their
     particular needs. See asetmasters(4). These files  are  pro-
     vided by default to fit most security conscious environments
     and in  most  cases  provide  adequate  security  safeguards
     without  modification.  They are, however, designed in a way
     that can be easily edited by experienced administrators with
     specific needs.

     aset can be periodically activated at the specified security
     level  with default definitions using the -p option. aset is
     automatically activated at  a  frequency  specified  by  the
     administrator  starting  from  a designated future time (see
     asetenv(4)). Without the -p option, aset operates only  once
     immediately.

OPTIONS
     The following options are supported:

     -d aset_dir             Specifies a working directory  other
                             than  /usr/aset  for ASET. /usr/aset
                             is the default working directory. It
                             is  where  ASET is installed, and is
                             the root directory of all ASET util-
                             ities  and  data  files.  If another
                             directory is to be used as the  ASET
                             working  directory,  you  can either
                             define it with the -d option, or set
                             the   ASETDIR  environment  variable
                             before invoking  aset.  The  command
                             line     option,    if    specified,
                             overwrites the environment variable.



     -l sec_level            Specifies  a  security  level,  low,
                             med,  or  high,  for aset to operate
                             at. The default level is  low.  Each
                             security   level   is  explained  in
                             detail above. The level can also  be
                             specified   by   setting  the  ASET-
                             SECLEVEL environment variable before
                             invoking   aset.  The  command  line
                             option, if specified, overwrites the
                             environment variable.



     -n user@host            Notifies user at machine host.  Send
                             the  output  of aset to user through
                             e-mail. If this option is not speci-
                             fied,  the  output  is  sent  to the
                             standard output. Note that  this  is
                             not  the reports of ASET, but rather
                             an  execution  log  including  error
                             messages if there are any. This out-
                             put is typically brief.  The  actual
                             reports  of  ASET  are  found in the
                             /usr/aset/reports/latest  directory.
                             See the -d option.



     -p                      Schedules  aset   to   be   executed
                             periodically. This adds an entry for
                             aset in the /etc/crontab  file.  The
                             PERIODIC_SCHEDULE  environment vari-
                             able in the  /usr/aset/asetenv  file
                             is  used to define the time for exe-
                             cution.    See    crontab(1)     and
                             asetenv(4).  If  a crontab (1) entry
                             for aset already exists,  a  warning
                             is produced in the execution log.



     -u userlist_file        Specifies a file containing  a  list
                             of  users. aset performs environment
                             checks, for example, UMASK and  PATH
                             variables,   on   these   users.  By
                             default,  aset only checks for root.
                             userlist_file is an ASCII text file.
                             Each entry in the  file  is  a  line
                             that  contains  only  one  user name
                             (login name).



USAGE
     The following paragraphs discuss the  features  provided  by
     ASET.  Hereafter, each feature is referred to as a task. The
     first task, tune, is executed only once per installation  of
     ASET.  The  other  tasks  are  executed  periodically at the
     specified frequency.

  tune Task
     This task is used to tighten  system  file  permissions.  In
     standard  releases, system files or directories have permis-
     sions defined to maximize open  information  sharing.  In  a
     more  security  conscious environment, the administrator may
     want to redefine these permission settings to more  restric-
     tive  values.  aset  allows  resetting of these permissions,
     based on the specified security level. Generally, at the low
     level  the  permissions  are  set  to what they should be as
     released. At the medium level, the permissions are tightened
     to  ensure  reasonable  security  that  is adequate for most
     environments.  At the high level they are further  tightened
     to  very  restrictive  access. The system files affected and
     the respective restrictions at different levels  are  confi-
     gurable,  using the tune.low, tune.med, and tune.high files.
     See asetmasters(4).

  cklist Task
     System directories that  contain  relatively  static  files,
     that  is,  their  contents and attributes do not change fre-
     quently, are examined and compared with a master description
     file. The /usr/aset/masters/cklist.level files are automati-
     cally generated the first time the cklist task is  executed.
     See  asetenv(4).  Any  discrepancy  found  is  reported. The
     directories and files are compared based on the following:

       o  owner and group

       o  permission bits

       o  size and checksum (if file)

       o  number of links

       o  last modification time


     The lists of directories to check are defined in asetenv(4),
     based  on the specified security level, and are configurable
     using   the   CKLISTPATH_LOW   ,   CKLISTPATH_MED   ,    and
     CKLISTPATH_HIGH  environment variables. Typically, the lower
     level lists are subsets of the higher level lists.

  usrgrp Task
     aset checks the consistency and integrity of  user  accounts
     and  groups  as  defined  in the passwd and group databases,
     respectively. Any potential problems are reported. Potential
     problems for the passwd file include:

       o  passwd file entries are not in the correct format.

       o  User accounts without a password.

       o  Duplicate user names.

       o  Duplicate user IDs. Duplicate  user  IDs  are  reported
          unless  allowed  by  the  uid_alias  file. See asetmas-
          ters(4)).

       o  Invalid login directories.

       o  If C2 is enabled, check C2 hidden passwd format.

     Potential problems for the group file include:

       o  Group file entries not in the right format.

       o  Duplicate group names.

       o  Duplicate group IDs.

       o  Null group passwords.


     aset checks the local passwd file. If the  YPCHECK  environ-
     ment  variable  is  set  to  true,  aset also checks the NIS
     passwd files. See asetenv(4). Problems  in  the  NIS  passwd
     file  are only reported and not corrected automatically. The
     checking is done for all three security levels except  where
     noted.

  sysconf Task
     aset checks various system  configuration  tables,  most  of
     which  are  in  the  /etc  directory.  aset checks and makes
     appropriate corrections for each system table at  all  three
     levels  except where noted. The following discussion assumes
     familiarity with the various system tables. See  the  manual
     pages for these tables for further details.

     The operations for each system table are:

     /etc/hosts.equiv        The default file contains  a  single
                             "+"  line,  thus  making every known
                             host a trusted host,  which  is  not
                             advised  for  system  security. aset
                             performs the following operations:

                             Low      Warns  the   administrators
                                      about the "+" line.




                             Medium



                             High     Warns  about  and   deletes
                                      that entry.




     /etc/inetd.conf         The  following  entries  for  system
                             daemons  are  checked  for  possible
                             weaknesses.

                             tftp(1) does not do any  authentica-
                             tion. aset ensures that in.tftpd(1M)
                             is started in the right directory on
                             the  server  and  is  not running on
                             clients. At the low level, it  gives
                             warnings  if the mentioned condition
                             is not true. At the medium and  high
                             levels   it   gives   warnings,  and
                             changes (if necessary) the  in.tftpd
                             entry  to  include  the -s /tftpboot
                             option after ensuring the  directory
                             /tftpboot exists.

                             ps(1) and netstat(1M) provide  valu-
                             able information to potential system
                             crackers. These  are  disabled  when
                             aset  is executed at a high security
                             level.

                             rexd is  also  known  to  have  poor
                             authentication  mechanism. aset dis-
                             ables rexd for medium and high secu-
                             rity  levels  by commenting out this
                             entry. If rexd is activated with the
                             -s  (secure  RPC)  option, it is not
                             disabled.



     /etc/aliases            The decode alias of UUCP is a poten-
                             tial  security  weakness.  aset dis-
                             ables the alias for medium and  high
                             security  levels  by  commenting out
                             this entry.



     /etc/default/login      The  CONSOLE=  line  is  checked  to
                             allow  root login only at a specific
                             terminal depending on  the  security
                             level:

                             Low      No action taken.




                             Medium


                             High     Adds the following line  to
                                      the file:


                                      CONSOLE=/dev/console




     /etc/vfstab             aset checks  for  world-readable  or
                             writable  device  files  for mounted
                             file systems.



     /etc/dfs/dfstab         aset checks for  file  systems  that
                             are  exported  without  any restric-
                             tions.



     /etc/ftpd/ftpusers      At high security level, aset ensures
                             root  is in /etc/ftpd/ftpusers, thus
                             disallowing root from  logging  into
                             in.ftpd(1M).  If  necessary,  create
                             /etc/ftpd/ftpusers. See ftpusers(4).



     /var/adm/utmpx          aset makes these  files  not  world-
                             writable  for  the  high level (some
                             applications may  not  run  properly
                             with this setting.)



     /.rhosts                The usage of a .rhosts file for  the
                             entire  system  is not advised. aset
                             gives warnings for the low level and
                             moves  it to /.rhosts.bak for levels
                             medium and high.



  env Task
     aset checks critical environment  variables  for   root  and
     users  specified with the -u userlist_file option by parsing
     the /.profile, /.login, and /.cshrc files.  This task checks
     the  PATH variable to ensure that it does not contain `.' as
     a directory, which makes an easy  target  for  trojan  horse
     attacks.  It  also  checks  that the directories in the PATH
     variable are not world-writable. Furthermore, it checks  the
     UMASK  variable  to ensure files are not created as readable
     or writable by world. Any problems found by these checks are
     reported.

  eeprom Task
     Newer versions of the EEPROM allow specification of a secure
     parameter. See eeprom(1M). aset recommends that the adminis-
     trator sets the parameter to command for  the  medium  level
     and  to  full  for  the  high level. It gives warnings if it
     detects the parameter is not set adequately.

  firewall Task
     At the high security level, aset takes proper measures  such
     that  the  system can be safely used as a firewall in a net-
     work. This mainly involves disabling IP  packets  forwarding
     and  making  routing information invisible. Firewalling pro-
     vides protection against external access to the network.

ENVIRONMENT VARIABLES
     ASETDIR         Specify ASET's working  directory.  Defaults
                     to /usr/aset.



     ASETSECLEVEL    Specify ASET's security level.  Defaults  to
                     low.



     TASKS           Specify the tasks to be  executed  by  aset.
                     Defaults to all tasks.



FILES
     /usr/aset/reports       directory of ASET reports



ATTRIBUTES
     See attributes(5) for descriptions of the  following  attri-
     butes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWast                     |
    |_____________________________|_____________________________|


SEE ALSO

     crontab(1), ps(1),  tftp(1),  aset.restore(1M),  eeprom(1M),
     in.ftpd(1M), in.tftpd(1M), netstat(1M), asetenv(4), asetmas-
     ters(4), ftpusers(4), attributes(5)

     System Administration Guide: Basic Administration










Man pages from Solaris 10 Update 8. See docs.sun.com and www.oracle.com for further documentation and Solaris information.
Comments