MirOS Manual: security(8)

SECURITY(8)              BSD System Manager's Manual               SECURITY(8)

NAME

     security - periodic system security check

SYNOPSIS

     /etc/security

DESCRIPTION

     security is a command script that examines the system for some signs of
     security weaknesses. It is only a security aid and does not offer
     complete protection. The security script is normally run from the
     /etc/daily script (see daily(8) for further details), which sends mail
     to root on a daily basis.

     The security script carries out the following list of simple checks:

     •   Check the master.passwd(5) and group(5) files for syntax, empty
         passwords, partially closed accounts, suspicious UIDs, suspicious
         GIDs, and duplicate entries.

     •   Check root's home directory and login environment for insecure
         permissions, suspicious paths, and umask commands in the dotfiles.

     •   Check that root and uucp are in /etc/ftpusers.

     •   Check for suspicious commands in /etc/mail/aliases.

     •   Check for insecurities in various trust files such as
         /etc/hosts.equiv, /etc/shosts.equiv, and /etc/hosts.lpd.

     •   Check user .rhosts and .shosts files for open access.

     •   Check user home directory permissions.

     •   Check many user dotfile permissions.

     •   Check user mailbox permissions.

     •   Check NFS exports(5) file for global export entries.

     •   Check for changes in setuid/setgid files and devices.

     •   Check disk ownership and permissions.

     •   Check for changes in the device file list.

     •   Check for permission changes in special files and system binaries
         listed in /etc/mtree/special. security also provides hooks for
         administrators to create their own lists. These lists should be kept
         in /etc/mtree/ and filenames must have the suffix ".secure". The
         following example shows how to create such a list, to protect the
         home directory of user "bob":

             # mtree -cx -p /home/bob -K md5digest,type >/etc/mtree/bob.secure
             # chown root:wheel /etc/mtree/bob.secure
             # chmod 600 /etc/mtree/bob.secure

         Note: These checks do not provide complete protection against Trojan
         horsed binaries, as the miscreant can modify the tree specification
         to match the replaced binary. For details on really protecting
         yourself against modified binaries, see mtree(8).

     •   Check for content changes in those files specified by /etc/changelist
         and /etc/changelist.local. See changelist(5) for further details.

     •   Check for changes to the disklabels of mounted disks.

     The intent of the security script is to point out some obvious holes to
     the system administrator.
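
     The first check in the list (syntax, empty passwords, suspicious UIDs
     and duplicate entries in master.passwd(5)) can be sketched as below.
     This is an added example, not the code of /etc/security; the function
     names, the constructed sample data, and the rule that UID 0 on any
     login other than root is suspicious are assumptions.

```shell
#!/bin/sh
# Added illustration; not the MirOS /etc/security script.
# check_passwd reads master.passwd(5)-format lines (10 colon-separated
# fields) on stdin and prints one finding per line on stdout.
check_passwd() {
    awk -F: '
    NF != 10 { printf "line %d: %d fields, expected 10\n", NR, NF; next }
    $1 == "" { printf "line %d: empty login name\n", NR; next }
    $2 == "" { printf "login %s has an empty password\n", $1 }
    $3 !~ /^[0-9]+$/ { printf "login %s has non-numeric uid %s\n", $1, $3; next }
    # Assumption: uid 0 on anything other than root is worth reporting.
    $3 == 0 && $1 != "root" { printf "login %s has uid 0\n", $1 }
    # Post-increment is 0 (false) on first sight, non-zero afterwards.
    seen_name[$1]++ { printf "login %s appears more than once\n", $1 }
    ($3 in uid_owner) && uid_owner[$3] != $1 {
        printf "uid %s shared by %s and %s\n", $3, uid_owner[$3], $1
    }
    !($3 in uid_owner) { uid_owner[$3] = $1 }
    '
}

# Constructed sample input; HASH stands in for a real password hash.
sample_passwd() {
    cat <<'EOF'
root:HASH:0:0:daemon:0:0:Charlie Root:/root:/bin/ksh
bob:HASH:1000:1000::0:0:Bob:/home/bob:/bin/ksh
guest::1001:1001::0:0:Guest:/home/guest:/bin/ksh
toor:HASH:0:0::0:0:Alt Root:/root:/bin/sh
alice:HASH:1000:1002::0:0:Alice:/home/alice:/bin/ksh
bob:HASH:1003:1003::0:0:Bob again:/home/bob2:/bin/ksh
carol:HASH:1004:1004:Carol:/home/carol:/bin/ksh
EOF
}

# Report findings for the constructed sample.
sample_passwd | check_passwd
```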

FILES

     /etc/changelist
     /etc/daily
     /etc/mtree
     /var/backups

SEE ALSO

     changelist(5), daily(8), mtree(8)

BUGS

     The name of this script may provide a false sense of security.

     There are perhaps an infinite number of ways the system can be
     compromised without this script noticing.

MirOS BSD #10-current            July 1, 2000                                1
