MirOS Manual: security(8)

SECURITY(8)              BSD System Manager's Manual               SECURITY(8)


NAME
     security - periodic system security check




DESCRIPTION
     security is a command script that examines the system for some signs of
     security weaknesses. It is only a security aid and does not offer
     complete protection. The security script is normally run from the
     /etc/daily script (see daily(8) for further details), which sends mail
     to root on a daily basis.

     The security script carries out the following list of simple checks:

     •   Check the master.passwd(5) and group(5) files for syntax, empty pass-
         words, partially closed accounts, suspicious UIDs, suspicious GIDs,
         and duplicate entries.

     •   Check root's home directory and login environment for insecure per-
         missions, suspicious paths, and umask commands in the dotfiles.

     •   Check that root and uucp are in /etc/ftpusers.

     •   Check for suspicious commands in /etc/mail/aliases.

     •   Check for insecurities in various trust files such as
         /etc/hosts.equiv, /etc/shosts.equiv, and /etc/hosts.lpd.

     •   Check user .rhosts and .shosts files for open access.

     •   Check user home directory permissions.

     •   Check many user dotfile permissions.

     •   Check user mailbox permissions.

     •   Check NFS exports(5) file for global export entries.

     •   Check for changes in setuid/setgid files and devices.

     •   Check disk ownership and permissions.

     •   Check for changes in the device file list.

     •   Check for permission changes in special files and system binaries
         listed in /etc/mtree/special. security also provides hooks for ad-
         ministrators to create their own lists. These lists should be kept in
         /etc/mtree/ and filenames must have the suffix ".secure". The follow-
         ing example shows how to create such a list, to protect the home
         directory of user "bob":

             # mtree -cx -p /home/bob -K md5digest,type >/etc/mtree/bob.secure
             # chown root:wheel /etc/mtree/bob.secure
             # chmod 600 /etc/mtree/bob.secure

         Note: These checks do not provide complete protection against Trojan
         horsed binaries, as the miscreant can modify the tree specification
         to match the replaced binary. For details on really protecting your-
         self against modified binaries, see mtree(8).

     •   Check for content changes in those files specified by /etc/changelist
         and /etc/changelist.local. See changelist(5) for further details.

     •   Check for changes to the disklabels of mounted disks.

     The intent of the security script is to point out some obvious holes to
     the system administrator.
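
     The master.passwd(5) checks from the first item of the list above,
     sketched as an added example. This is not the MirOS security script;
     the function names, message wording and sample entries are constructed
     for illustration, and the "password disabled" test (a password field
     starting with "*") is a simplifying assumption.

```shell
#!/bin/sh
# Added example, not the MirOS script: simplified master.passwd(5) checks.

# Constructed sample data; the hash fields are placeholders, not real hashes.
sample_master_passwd() {
    cat <<'EOF'
root:$2a$08$CONSTRUCTEDHASH:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1::0:0:The devil himself:/root:/sbin/nologin
alice::1000:1000::0:0:Alice:/home/alice:/bin/ksh
bob:*:1001:1001::0:0:Bob:/home/bob:/bin/ksh
toor:$2a$08$CONSTRUCTEDHASH:0:0::0:0:Second UID 0:/root:/bin/sh
carol:$2a$08$CONSTRUCTEDHASH:1000:1000::0:0:Carol:/home/carol:/bin/ksh
bob:*:1002:1002::0:0:Second bob:/home/bob2:/sbin/nologin
broken:x:2000:2000:/home/broken:/bin/sh
EOF
}

# check_master_passwd [FILE]: print one finding per line, nothing if clean.
# Reads standard input when no file is given.
check_master_passwd() {
    awk -F: '
    /^#/ || /^ *$/ { next }                      # skip comments and blanks
    NF != 10 { printf "line %d: %d fields, expected 10\n", NR, NF; next }
    {
        if ($2 == "")                            # empty password
            printf "%s: empty password\n", $1
        else if ($2 ~ /^\*/ && $10 ~ /sh$/)      # partially closed account
            printf "%s: password disabled but login shell is %s\n", $1, $10
        if ($3 !~ /^[0-9]+$/)                    # negative or non-numeric UID
            printf "%s: suspicious UID %s\n", $1, $3
        else if ($3 == 0 && $1 != "root")        # extra superuser account
            printf "%s: UID 0 but not root\n", $1
        if ($4 !~ /^[0-9]+$/)                    # negative or non-numeric GID
            printf "%s: suspicious GID %s\n", $1, $4
        if ($1 in names)                         # duplicate login name
            printf "%s: duplicate login name (first on line %d)\n", $1, names[$1]
        else names[$1] = NR
        if ($3 in uids && uids[$3] != $1)        # UID shared by two logins
            printf "UID %s: shared by %s and %s\n", $3, uids[$3], $1
        else if (!($3 in uids)) uids[$3] = $1
    }' "$@"
}

# Demo: run the checks over the constructed sample.
sample_master_passwd | check_master_passwd
```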




SEE ALSO
     changelist(5), daily(8), mtree(8)


BUGS
     The name of this script may provide a false sense of security.

     There are perhaps an infinite number of ways the system can be comprom-
     ised without this script noticing.

MirOS BSD #10-current            July 1, 2000
