Automated Security Enhancement Tool (ASET)
ASET allows you to monitor and restrict access to system files. It can be configured for three security levels: low, medium, and high.
- At the low level, ASET does not modify any system files; it only reports potential security weaknesses.
- At the medium level, some system files may be modified to restrict access. This should not affect system services. ASET reports both the security weaknesses found and the changes it performed.
- At the high level, further restrictions are applied to provide a secure system. System parameters are changed to provide minimal access. Most system applications should still work normally, but at this level security is considered more important than applications.
At the highest level the checks performed by ASET are:
- verify appropriate permissions for system files
- verify contents of system files
- check consistency and integrity of entries in passwd and group
- check contents of system configuration files
- check environment files: .profile, .cshrc, .login
- verify appropriate eeprom settings to restrict console login access
- disable IP packet forwarding so that the system can be used as a firewall or gateway machine
It checks files such as:
- /etc/hosts.equiv for "+" entries
- /etc/inetd.conf for tftp, ps, netstat, and rexd entries
- /etc/aliases for the decode alias
- /etc/default/login for root access via the CONSOLE= entry
- /etc/vfstab for world-readable/writable file systems
- /etc/dfs/dfstab for files shared without restrictions
- /etc/ftpusers: at the high security level, places root in this file to disallow access for root
- /var/adm/utmp: changes world-writable access at the high security level
- /var/adm/utmpx: as for /var/adm/utmp
- /.rhosts: removes this file at the medium and high security levels
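As an added example (not part of ASET or the Solaris distribution), the following portable sh script performs report-only versions of several of the checks listed above against a directory tree, in the spirit of the low security level. The function names, the root-directory parameter and the constructed sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Report-only audit modelled on a subset of the ASET checks above.
# $1 is the root of the tree to inspect, so it can be run on a sample tree.
# Returns 0 when nothing was flagged, 1 otherwise; modifies nothing.
aset_like_check() {
    root=$1; bad=0
    # /etc/hosts.equiv: a bare "+" trusts every host
    if [ -f "$root/etc/hosts.equiv" ] && grep -q '^+[[:space:]]*$' "$root/etc/hosts.equiv"; then
        echo "hosts.equiv: wildcard '+' entry"; bad=1
    fi
    # /etc/inetd.conf: risky services still enabled (service name is the first field;
    # commented-out lines start with # and therefore do not match)
    for svc in tftp ps netstat rexd; do
        if [ -f "$root/etc/inetd.conf" ] && grep -q "^[[:space:]]*$svc[[:space:]]" "$root/etc/inetd.conf"; then
            echo "inetd.conf: $svc enabled"; bad=1
        fi
    done
    # /etc/aliases: the decode alias pipes incoming mail into uudecode
    if [ -f "$root/etc/aliases" ] && grep -qi '^decode:' "$root/etc/aliases"; then
        echo "aliases: decode alias present"; bad=1
    fi
    # /etc/ftpusers: root should be listed, which denies root FTP logins
    if ! grep -qx root "$root/etc/ftpusers" 2>/dev/null; then
        echo "ftpusers: root not listed"; bad=1
    fi
    # /var/adm/utmp and utmpx: must not be world-writable (mode bit 002)
    for f in utmp utmpx; do
        p="$root/var/adm/$f"
        if [ -f "$p" ] && [ -n "$(find "$p" -perm -002 -print)" ]; then
            echo "$f: world-writable"; bad=1
        fi
    done
    # /.rhosts in root's home directory should not exist at all
    if [ -e "$root/.rhosts" ]; then
        echo ".rhosts: present in root's home"; bad=1
    fi
    return $bad
}

# Constructed sample tree (assumption, for demonstration) with several weaknesses.
build_sample_tree() {
    d=$(mktemp -d); mkdir -p "$d/etc" "$d/var/adm"
    echo '+' > "$d/etc/hosts.equiv"
    printf 'ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd\ntftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd\n#rexd/1-3 tli rpc/tcp wait root /usr/sbin/rpc.rexd rpc.rexd\n' > "$d/etc/inetd.conf"
    echo 'decode: "|/usr/bin/uudecode"' > "$d/etc/aliases"
    : > "$d/etc/ftpusers"                                   # root missing
    : > "$d/var/adm/utmp";  chmod 666 "$d/var/adm/utmp"     # world-writable
    : > "$d/var/adm/utmpx"; chmod 644 "$d/var/adm/utmpx"    # fine
    : > "$d/.rhosts"
    echo "$d"
}

sample=$(build_sample_tree)
aset_like_check "$sample" || echo "weaknesses flagged in $sample"
rm -rf "$sample"
```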
ASET uses the directory /usr/aset for its scripts and reports. Some of the scripts used to control ASET actions are tune.low, tune.medium, and tune.high in the /usr/aset/masters directory, which specify file ownership and permissions. ASET requires the package SUNWast to be installed on the system.