
28.10 Additional Security Features in SunOS 5.X

28.10.2 Automated Security Enhancement Tool

ASET allows you to monitor and restrict access to system files. It can be configured for three security levels: low, medium, and high.

At low level ASET doesn't modify any system files, but reports on potential security weaknesses.

At medium level some system files may be modified to restrict access. This should not affect system services. It will report on security weaknesses and changes performed.

At high level further restrictions are made to provide a secure system. System parameters are changed to provide minimal access. Most system applications should still work normally, but security is considered more important than applications at this level.

At the highest level the checks performed by ASET are:

It checks files such as:

/etc/hosts.equiv      for "+" entries
/etc/inetd.conf       for tftp, ps, netstat, and rexd entries
/etc/aliases          for the decode alias
/etc/default/login    for root access via the CONSOLE= entry
/etc/vfstab           for world-readable/writable file systems
/etc/dfs/dfstab       for files shared without restrictions
/etc/ftpusers         at high security, places root in this file to disallow access for root
/var/adm/utmp         changes world-writable access at high security level
/var/adm/utmpx        changes world-writable access at high security level
/.rhosts              removes this for medium and high security levels
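
The following report-only script is an added example, not part of ASET or of the original page. It runs checks modelled on several of the files listed above against a directory tree. The function names and the ROOT prefix argument are assumptions, and the sample files are constructed.

```sh
#!/bin/sh
# Added example, not ASET code: report-only versions of some of the file
# checks listed above. ROOT is a hypothetical prefix, so a copy of a
# system's files can be audited instead of the live ones.

# Print the non-comment, non-blank lines of file $1 (nothing if absent).
active_lines() {
    [ -f "$1" ] && sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
    return 0
}

# audit_files ROOT: print one "WARN <file>: <reason>" line per finding.
audit_files() {
    root=$1
    if active_lines "$root/etc/hosts.equiv" | grep -Eq '^[[:space:]]*\+([[:space:]]|$)'; then
        echo 'WARN /etc/hosts.equiv: "+" entry present'
    fi
    # Match the service name (field 1 without "/version") or the basename
    # of the server program (field 6): ps is typically run as "systat".
    active_lines "$root/etc/inetd.conf" | awk '
        BEGIN { n = split("tftp ps netstat rexd", want, " ") }
        { svc = $1; sub(/\/.*/, "", svc); prog = $6; sub(/.*\//, "", prog)
          for (i = 1; i <= n; i++)
              if (svc == want[i] || prog == want[i])
                  print "WARN /etc/inetd.conf: " want[i] " entry enabled" }'
    if active_lines "$root/etc/aliases" | grep -q '^decode[[:space:]]*:'; then
        echo 'WARN /etc/aliases: decode alias present'
    fi
    # With no active CONSOLE= line, root logins are not limited to the console.
    if ! active_lines "$root/etc/default/login" | grep -q '^CONSOLE='; then
        echo 'WARN /etc/default/login: no active CONSOLE= entry'
    fi
    if ! active_lines "$root/etc/ftpusers" | grep -q '^root[[:space:]]*$'; then
        echo 'WARN /etc/ftpusers: root not listed'
    fi
    if [ -f "$root/.rhosts" ]; then echo 'WARN /.rhosts: file exists'; fi
}

# Constructed sample tree (not from a real host) to exercise the checks.
make_sample() {
    mkdir -p "$1/etc/default"
    echo '+' > "$1/etc/hosts.equiv"
    printf '%s\n' '#tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd' \
        'systat stream tcp nowait root /usr/bin/ps ps -ef' > "$1/etc/inetd.conf"
    echo '#CONSOLE=/dev/console' > "$1/etc/default/login"
    echo 'root' > "$1/etc/ftpusers"
}
```

Calling audit_files with an empty argument checks the live files; on the constructed sample it reports the "+" entry, the enabled ps service, and the missing CONSOLE= entry.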

ASET uses the directory /usr/aset for its scripts and reports. Some of the scripts used to control ASET actions are tune.low, tune.medium, and tune.high in the /usr/aset/masters directory, which specify file ownership and permissions.

ASET requires that the package SUNWast be installed on the system.


Unix System Administration - 8 AUG 1996