

How ASET Tasks Work

This section describes what ASET does. You should understand each ASET task to interpret and use the reports effectively, including:

  The objective of the task
  Operations the task performs
  System components that are affected by the task

ASET report files contain messages that describe as specifically as possible any problems discovered by each ASET task. These messages can help you diagnose and correct these problems. Successful use of ASET assumes that you understand system administration and system components.

Reports are generated by the taskstat utility, which identifies the tasks that have been completed and the ones that are still running. Each completed task produces a report file. For a complete description of the taskstat utility, refer to the taskstat(1M) manual page.

You set up tasks and choose the files to be checked for each security level by setting environment variables in the User Configurable Parameters part of the /usr/aset/asetenv script:

###########################################
#                                         #
#      User Configurable Parameters       #
#                                         #
###########################################

CKLISTPATH_LOW=${ASETDIR}/tasks:${ASETDIR}/util:${ASETDIR}/masters:/etc
CKLISTPATH_MED=${CKLISTPATH_LOW}:/usr/bin:/usr/ucb
CKLISTPATH_HIGH=${CKLISTPATH_MED}:/usr/lib:/sbin:/usr/sbin:/usr/ucblib
YPCHECK=false
UID_ALIASES=${ASETDIR}/masters/uid_aliases
PERIODIC_SCHEDULE="0 0 * * *"
TASKS="firewall env sysconf usrgrp tune cklist eeprom"

For more information about ASET environment variables, see "ASET Environment File (asetenv)" on page 463.

System Files Permissions Verification

The tune task sets the permissions on system files to the security level you designate. It is run when the system is installed. If you decide later to alter the previously established levels, you must run this task again. At low security, the permissions are set to values that are appropriate for an open information-sharing environment. At medium security, the permissions are tightened to produce adequate security for most environments. At high security, they are tightened to severely restrict access.

Any modifications that this task makes to system files permissions or parameter settings are reported in the tune.rpt file.

System Files Checks

The cklist task examines system files and compares each one with a description of that file listed in a master file. The master file is created the first time ASET runs the task. The master file contains the system file settings enforced by cklist for the specified security level.

ASET defines a default list of directories whose files are to be checked for each security level. You can use the default list or you can modify it, specifying different directories for each level.

For each file, the following criteria are checked:

  Owner and group
  Permission bits
  Size and checksum
  Number of links
  Last modification time

Any discrepancies are reported in the cklist.rpt file. This file contains the results of comparing system file size, permission, and checksum values to the master file.
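
The comparison that cklist performs can be illustrated with the short Python sketch below. It is an example added here, not ASET's own code or master-file format: the function names, the non-recursive directory walk, and the use of SHA-256 as the checksum are assumptions, and the files are constructed in a temporary directory. It shows why the checksum is recorded alongside size and modification time: a file replaced with same-size content and a restored timestamp differs only in its checksum.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

FIELDS = ("uid", "gid", "mode", "size", "sha256", "nlink", "mtime")

def describe(path):
    """Record the attributes the cklist criteria name for one file."""
    st = os.lstat(path)
    digest = ""
    if stat.S_ISREG(st.st_mode):
        digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
    return dict(zip(FIELDS, (st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode),
                             st.st_size, digest, st.st_nlink, int(st.st_mtime))))

def snapshot(cklistpath):
    """Describe every non-directory entry in a colon-separated directory list."""
    master = {}
    for directory in cklistpath.split(":"):
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            if not os.path.isdir(path):
                master[path] = describe(path)
    return master

def compare(master, current):
    """Return (path, field) for each attribute that no longer matches the master."""
    findings = []
    for path in sorted(master.keys() | current.keys()):
        old, new = master.get(path), current.get(path)
        if old is None or new is None:
            findings.append((path, "added" if old is None else "removed"))
        else:
            findings.extend((path, f) for f in FIELDS if old[f] != new[f])
    return findings

def demo():
    # Constructed files: one is loosened, one is replaced with size and mtime kept.
    with tempfile.TemporaryDirectory() as root:
        cfg, tool = os.path.join(root, "hosts.equiv"), os.path.join(root, "tool")
        for path, data in ((cfg, b"trusted\n"), (tool, b"v1.0")):
            Path(path).write_bytes(data)
            os.chmod(path, 0o644)
            os.utime(path, (1_000_000, 1_000_000))
        master = snapshot(root)
        os.chmod(cfg, 0o666)                      # permission bits loosened
        Path(tool).write_bytes(b"v1.1")           # same size, different content
        os.utime(tool, (1_000_000, 1_000_000))    # modification time put back
        return [(os.path.basename(p), f) for p, f in compare(master, snapshot(root))]
```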

User/Group Checks

The usrgrp task checks the consistency and integrity of user accounts and groups as defined in the passwd and group files. It checks the local and NIS or NIS+ password files. NIS+ password file problems are reported but not corrected.

This task checks for the following violations:

  Duplicate names or IDs
  Entries in incorrect format
  Accounts without a password
  Invalid login directories
  The nobody account
  Null group password
  A plus sign (+) in the /etc/passwd file on an NIS or NIS+ server

Discrepancies are reported in the usrgrp.rpt file.
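
Several of the violations listed above can be detected with a single pass over the passwd file, as in the following Python sketch. It is an example added here, not ASET's implementation: the function name, the finding labels, and the home_exists parameter are hypothetical, the sample entries are constructed, and only the passwd file (not the group file) is covered.

```python
import os
from collections import Counter

# Constructed sample in name:passwd:uid:gid:gecos:home:shell format.
SAMPLE_PASSWD = """\
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
alice:x:1001:10:Alice:/export/home/alice:/bin/ksh
bob::1002:10:Bob:/export/home/bob:/bin/ksh
toor:x:0:0:Second root:/:/sbin/sh
alice:x:1003:10:Other Alice:/export/home/alice2:/bin/ksh
carol:x:1004:10:/export/home/carol:/bin/ksh
dave:x:10o5:10:Dave:/export/home/dave:/bin/ksh
+::0:0:::
"""

def check_passwd(text, home_exists=os.path.isdir):
    """Return (line number, finding) pairs for usrgrp-style violations."""
    findings, names, uids = [], Counter(), Counter()
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("+"):
            findings.append((lineno, "plus-entry"))
            continue
        fields = line.split(":")
        if (len(fields) != 7 or not fields[0]
                or not fields[2].isdigit() or not fields[3].isdigit()):
            findings.append((lineno, "bad-format"))
            continue
        name, passwd, uid, _gid, _gecos, home, _shell = fields
        names[name] += 1
        uids[uid] += 1
        if passwd == "":
            findings.append((lineno, "no-password"))
        if names[name] > 1:          # reported on the second and later entries
            findings.append((lineno, "duplicate-name"))
        if uids[uid] > 1:
            findings.append((lineno, "duplicate-uid"))
        if not home_exists(home):
            findings.append((lineno, "invalid-home"))
    return findings
```

Pass a custom home_exists callable to check login directories against a mounted image or an inventory instead of the local file system.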

System Configuration Files Check

The sysconf task checks various system tables, most of which are in the /etc directory:

  /etc/default/login
  /etc/hosts.equiv
  /etc/inetd.conf
  /etc/aliases
  /var/adm/utmp
  /var/adm/utmpx
  /.rhosts
  /etc/vfstab
  /etc/dfs/dfstab
  /etc/ftpusers

ASET performs various checks and modifications on these files and reports all problems in the sysconf.rpt file.

Environment Check

The env task checks how the PATH and UMASK environment variables are set for root and other users in the /.profile, /.login, and /.cshrc files.

The results of checking the environment for security are reported in the env.rpt file.

eeprom Check

The eeprom task checks the value of the eeprom security parameter to ensure that it is set to the appropriate security level. You can set the eeprom security parameter to:

  none
  command
  full

ASET does not change the eeprom setting, but reports its recommendations in the eeprom.rpt file.

Firewall Setup

The firewall task ensures that the system can be safely used as a network relay. It protects an internal network from external public networks by setting up a dedicated system as a firewall. The firewall system separates two networks, each of which approaches the other as untrusted. The firewall setup task disables the forwarding of Internet Protocol (IP) packets and hides routing information from the external network.

The firewall task runs at all security levels, but takes action only at the highest level. If you want to run ASET at high security, but find that your system does not require firewall protection, you can eliminate the firewall task; simply remove it from the list of tasks specified by the TASKS environment variable in the asetenv file.

Any changes made by this task are reported in the firewall.rpt file.

