SECURITY(8) BSD System Manager's Manual SECURITY(8)
security - periodic system security check
security is a command script that examines the system for some signs of security weaknesses. It is only a security aid and does not offer com- plete protection. The security script is normally run from the /etc/daily script (see daily(8) for further details), which sends mails to root on a daily basis. The security script carries out the following list of simple checks: • Check the master.passwd(5) and group(5) files for syntax, empty pass- words, partially closed accounts, suspicious UIDs, suspicious GIDs, and duplicate entries. • Check root's home directory and login environment for insecure per- missions, suspicious paths, and umask commands in the dotfiles. • Check that root and uucp are in /etc/ftpusers. • Check for suspicious commands in /etc/mail/aliases. • Check for insecurities in various trust files such as /etc/hosts.equiv, /etc/shosts.equiv, and /etc/hosts.lpd. • Check user .rhosts and .shosts files for open access. • Check user home directory permissions. • Check many user dotfile permissions. • Check user mailbox permissions. • Check NFS exports(5) file for global export entries. • Check for changes in setuid/setgid files and devices. • Check disk ownership and permissions. • Check for changes in the device file list. • Check for permission changes in special files and system binaries listed in /etc/mtree/special. security also provides hooks for ad- ministrators to create their own lists. These lists should be kept in /etc/mtree/ and filenames must have the suffix ".secure". The follow- ing example shows how to create such a list, to protect the home directory of user "bob": # mtree -cx -p /home/bob -K md5digest,type >/etc/mtree/bob.secure # chown root:wheel /etc/mtree/bob.secure # chmod 600 /etc/mtree/bob.secure Note: These checks do not provide complete protection against Trojan horsed binaries, as the miscreant can modify the tree specification to match the replaced binary. For details on really protecting your- self against modified binaries, see mtree(8). • Check for content changes in those files specified by /etc/changelist and /etc/changelist.local. See changelist(5) for further details. • Check for changes to the disklabels of mounted disks. The intent of the security script is to point out some obvious holes to the system administrator.
/etc/changelist /etc/daily /etc/mtree /var/backups
changelist(5), daily(8), mtree(8)
The name of this script may provide a false sense of security. There are perhaps an infinite number of ways the system can be comprom- ised without this script noticing. MirOS BSD #10-current July 1, 2000 1
Generated on 2016-01-17 04:51:01 by $MirOS: src/scripts/roff2htm,v 1.82 2016/01/02 20:05:08 tg Exp $
These manual pages and other documentation are copyrighted by their respective writers;
their source is available at our CVSweb,
AnonCVS, and other mirrors. The rest is Copyright © 2002–2016 The MirOS Project, Germany.
This product includes material provided by mirabilos.
This manual page’s HTML representation is supposed to be valid XHTML/1.1; if not, please send a bug report – diffs preferred.