SECURITY(8) BSD System Manager's Manual SECURITY(8)
NAME
security - periodic system security check
SYNOPSIS
/etc/security
DESCRIPTION
security is a command script that examines the system for some signs of
security weaknesses. It is only a security aid and does not offer complete
protection. The security script is normally run from the /etc/daily
script (see daily(8) for further details), which sends mail to root on a
daily basis.
The security script carries out the following list of simple checks:
• Check the master.passwd(5) and group(5) files for syntax, empty
passwords, partially closed accounts, suspicious UIDs, suspicious GIDs,
and duplicate entries.
• Check root's home directory and login environment for insecure
permissions, suspicious paths, and umask commands in the dotfiles.
• Check that root and uucp are in /etc/ftpusers.
• Check for suspicious commands in /etc/mail/aliases.
• Check for insecurities in various trust files such as
/etc/hosts.equiv, /etc/shosts.equiv, and /etc/hosts.lpd.
• Check user .rhosts and .shosts files for open access.
• Check user home directory permissions.
• Check many user dotfile permissions.
• Check user mailbox permissions.
• Check NFS exports(5) file for global export entries.
• Check for changes in setuid/setgid files and devices.
• Check disk ownership and permissions.
• Check for changes in the device file list.
• Check for permission changes in special files and system binaries
listed in /etc/mtree/special. security also provides hooks for
administrators to create their own lists. These lists should be kept in
/etc/mtree/ and filenames must have the suffix ".secure". The following
example shows how to create such a list, to protect the home
directory of user "bob":
# mtree -cx -p /home/bob -K md5digest,type >/etc/mtree/bob.secure
# chown root:wheel /etc/mtree/bob.secure
# chmod 600 /etc/mtree/bob.secure
Note: These checks do not provide complete protection against Trojan
horsed binaries, as the miscreant can modify the tree specification
to match the replaced binary. For details on really protecting
yourself against modified binaries, see mtree(8).
• Check for content changes in those files specified by /etc/changelist
and /etc/changelist.local. See changelist(5) for further details.
• Check for changes to the disklabels of mounted disks.
The intent of the security script is to point out some obvious holes to
the system administrator.
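As an illustration of the first check in the list above (master.passwd syntax, empty passwords, suspicious UIDs, duplicate entries), the following is an added example and not the code of /etc/security itself. The function names, the message wording and the sample entries are constructed for the example, and it covers only a subset of what the script checks.

```sh
#!/bin/sh
# Added example: a simplified master.passwd(5) check, not the /etc/security code.
# Record layout: name:password:uid:gid:class:change:expire:gecos:home_dir:shell

# Reads master.passwd-format text on stdin and prints one finding per line.
check_master_passwd() {
    awk -F: '
    /^#/ || /^$/ { next }                  # skip comments and blank lines
    NF != 10 {                             # syntax: exactly 10 fields
        printf "line %d: wrong number of fields (%d)\n", NR, NF
        next
    }
    $2 == "" { printf "login %s has no password\n", $1 }
    $3 !~ /^[0-9]+$/ {
        printf "login %s has a non-numeric UID\n", $1
        next
    }
    $3 == 0 && $1 != "root" { printf "login %s has UID 0\n", $1 }
    seen_name[$1]++ { printf "login %s is duplicated\n", $1 }
    seen_uid[$3]++  { printf "UID %s is reused by login %s\n", $3, $1 }
    '
}

# Constructed sample input; no real accounts or password hashes.
sample_master_passwd() {
    cat <<'EOF'
root:HASHED:0:0:daemon:0:0:Charlie Root:/root:/bin/ksh
daemon:*:1:1::0:0:The devil himself:/root:/sbin/nologin
bob:HASHED:1000:1000:staff:0:0:Bob:/home/bob:/bin/ksh
guest::1001:1001::0:0:Guest:/home/guest:/bin/ksh
toor:HASHED:0:0::0:0:Alternate root:/root:/bin/sh
bob:HASHED:1002:1002::0:0:Bob again:/home/bob2:/bin/ksh
broken:HASHED:1003:1003:/home/broken:/bin/sh
EOF
}

# Run the check over the constructed sample.
sample_master_passwd | check_master_passwd
```

To run it against a live system, use `check_master_passwd < /etc/master.passwd` as root.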
FILES
/etc/changelist
/etc/daily
/etc/mtree
/var/backups
SEE ALSO
changelist(5), daily(8), mtree(8)
BUGS
The name of this script may provide a false sense of security.
There are perhaps an infinite number of ways the system can be
compromised without this script noticing.
MirOS BSD #10-current July 1, 2000