SECURITY(8)             OpenBSD System Manager's Manual            SECURITY(8)

NAME
     security - periodic system security check

SYNOPSIS
     /etc/security

DESCRIPTION
     security is a command script that examines the system for some signs of
     security weaknesses.  It is only a security aid and does not offer com-
     plete protection.  security is run by daily(8), which mails any output to
     root on a daily basis.

     The security script carries out the following list of simple checks:

     o   Check the master.passwd(5) and group(5) files for syntax, empty pass-
         words, partially closed accounts, suspicious UIDs, suspicious GIDs,
         and duplicate entries.

     o   Check root's home directory and login environment for insecure per-
         missions, suspicious paths, and umask commands in the dotfiles.

     o   Check that root and uucp are in /etc/ftpusers.

     o   Check for suspicious commands in /etc/mail/aliases.

     o   Check for insecurities in various trust files such as
         /etc/hosts.equiv, /etc/shosts.equiv, and /etc/hosts.lpd.

     o   Check user .rhosts and .shosts files for open access.

     o   Check user home directory permissions.

     o   Check many user dotfile permissions.

     o   Check user mailbox permissions.

     o   Check NFS exports(5) file for global export entries.

     o   Check for changes in setuid/setgid files and devices.

     o   Check disk ownership and permissions.

     o   Check for changes in the device file list.

     o   Check for permission changes in special files and system binaries
         listed in /etc/mtree/special.  security also provides hooks for ad-
         ministrators to create their own lists.  These lists should be kept
         in /etc/mtree/ and filenames must have the suffix ``.secure''.  The
         following example shows how to create such a list, to protect the
         home directory of user ``bob'':

             # mtree -cx -p /home/bob -K md5digest,type >/etc/mtree/bob.secure
             # chown root:wheel /etc/mtree/bob.secure
             # chmod 600 /etc/mtree/bob.secure

         Note: These checks do not provide complete protection against Trojan
         horsed binaries, as the miscreant can modify the tree specification
         to match the replaced binary.  For details on really protecting your-
         self against modified binaries, see mtree(8).

     o   Check for changes in files listed in /etc/changelist.  Files being
         created or deleted, as well as content change in the files them-
         selves, are reported.  See changelist(5) for further details.

     o   Check for changes to the disklabels of mounted disks.

     o   Report on the installation or removal of any system package(5).

     o   Check hostname.if(5) file permissions.

     The intent of the security script is to point out some obvious holes to
     the system administrator.

ENVIRONMENT
     The following variables can be set in /etc/daily.local:

     SUIDSKIP  A whitespace-separated list of absolute paths to be skipped in
               setuid/setgid file checks and in device special file checks.
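
     The setuid/setgid change check and the SUIDSKIP variable described
     above, as an added example that is not the code of /etc/security. The
     function names and the setuid.current and setuid.backup file names are
     assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not the code of /etc/security): setuid/setgid change check.
# Function names and the setuid.current/setuid.backup names are assumptions.
# Assumes paths contain no whitespace or newlines.

# suid_snapshot ROOT
# Print "mode uid gid checksum path" for every setuid/setgid regular file
# under ROOT, pruning each absolute path listed in $SUIDSKIP.
suid_snapshot() {
    _root=$1
    set -f; set --               # no globbing while SUIDSKIP is split
    for _skip in ${SUIDSKIP:-}; do
        set -- "$@" -path "$_skip" -prune -o
    done
    set +f
    find "$_root" "$@" -type f \( -perm -4000 -o -perm -2000 \) -print |
    LC_ALL=C sort | while IFS= read -r _f; do
        _meta=$(ls -ldn "$_f" | awk '{print $1, $3, $4}')
        _sum=$(cksum <"$_f" | awk '{print $1}')
        printf '%s %s %s\n' "$_meta" "$_sum" "$_f"
    done
}

# suid_check ROOT STATEDIR
# Compare the current snapshot with STATEDIR/setuid.current. Prints "- line"
# for an entry that vanished or changed (old state) and "+ line" for a new or
# changed entry (new state), keeps the previous baseline as setuid.backup,
# and returns 1 if anything differed, 0 otherwise.
suid_check() {
    _cur=$2/setuid.current
    _new=$(mktemp "$2/setuid.XXXXXX") || return 2
    suid_snapshot "$1" >"$_new"
    if [ ! -f "$_cur" ]; then
        mv "$_new" "$_cur"       # first run: record the baseline only
        return 0
    fi
    _rc=0
    if ! cmp -s "$_cur" "$_new"; then
        diff "$_cur" "$_new" | sed -n 's/^< /- /p; s/^> /+ /p'
        cp -p "$_cur" "$2/setuid.backup"
        _rc=1
    fi
    mv "$_new" "$_cur"
    return $_rc
}
```

     Because the checksum is part of each line, a setuid file replaced with
     different content but identical mode and ownership is still reported.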

FILES
     /etc/changelist
     /etc/daily
     /etc/mtree
     /var/backups

SEE ALSO
     changelist(5), daily(8), mtree(8)

BUGS
     The name of this script may provide a false sense of security.

     There are perhaps an infinite number of ways the system can be compro-
     mised without this script noticing.

OpenBSD 4.5                      May 24, 2009                                2