xref: /netbsd-src/share/man/man5/security.conf.5 (revision af2e7883caa7919039fabe48d01b559d16a288f1)

.\"	$NetBSD: security.conf.5,v 1.44 2024/11/14 19:57:41 plunky Exp $
.\"
.\" Copyright (c) 1996 Matthew R. Green
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
.\" AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
.\" OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd December 2, 2020
.Dt SECURITY.CONF 5
.Os
.Sh NAME
.Nm security.conf
.Nd daily security check configuration file
.Sh DESCRIPTION
The
.Nm
file specifies which of the standard
.Pa /etc/security
services are performed.
The
.Pa /etc/security
script is run, by default, every night from
.Pa /etc/daily ,
on a
.Nx
system, if configured do to so from
.Pa /etc/daily.conf .
.Pp
The variables described below can be set to "NO" to disable the test:
.Bl -tag -width check_pkg_vulnerabilities
.It Sy check_entropy
This checks whether the system has enough entropy
.Pq see Xr entropy 7 .
.It Sy check_passwd
This checks the
.Pa /etc/master.passwd
file for inconsistencies.
.It Sy check_group
This checks the
.Pa /etc/group
file for inconsistencies.
.It Sy check_rootdotfiles
This checks the root users startup files for sane settings of $PATH
and umask.
This test is not fail safe and any warning generated from
this should be checked for correctness.
.It Sy check_ftpusers
This checks that the correct users are in the
.Pa /etc/ftpusers
file.
.It Sy check_aliases
This checks for security problems in the
.Pa /etc/mail/aliases
file.
For backward compatibility,
.Pa /etc/aliases
will be checked as well if exists.
.It Sy check_rhosts
This checks for system and user rhosts files with "+" in them.
.It Sy check_homes
This checks that home directories are owned by the correct user,
and have appropriate permissions.
.It Sy check_varmail
This checks that the correct user owns mail in
.Pa /var/mail ,
and that the mail box has the right permissions.
.It Sy check_nfs
This checks that the
.Pa /etc/exports
file does not export filesystems to the world.
.It Sy check_devices
This checks for changes to devices and setuid files.
.It Sy check_mtree
This runs
.Xr mtree 8
to ensure that the system is installed correctly.
The following configuration files are checked:
.Bl -tag -width 4n
.It Pa /etc/mtree/special
Default files to check.
.It Pa /etc/mtree/special.local
Local site additions and overrides.
.It Pa /etc/mtree/DIR.secure
Specification for the directory
.Pa DIR .
.El
.It Sy check_disklabels
Backup text copies of the disklabels of available disk drives into
.Pa /var/backups/work/disklabel.XXX ,
and display any differences in those and the previous copies
as per
.Sy check_changelist
below.
If
.Xr fdisk 8
is available on the current platform, the output of
.Pa /sbin/fdisk
for each available disk drive is stored in
.Pa /var/backups/work/fdisk.XXX ,
and any differences displayed as per the disklabels.
.It Sy check_pkgs
This stores a list of all installed pkgs into
.Pa /var/backups/work/pkgs
and checks it for any changes.
.It Sy check_changelist
This determines a list of files from the contents of
.Pa /etc/changelist ,
and the output of
.Ic mtree -D
for
.Pa /etc/mtree/special
and
.Pa /etc/mtree/special.local .
For each file in the list it compares the files with their backups in
.Pa /var/backups/file.current
and
.Pa /var/backups/file.backup ,
and displays any differences found.
The following
.Xr mtree 8
.Sy tags
modify how files are determined from
.Pa /etc/mtree/special
and
.Pa /etc/mtree/special.local :
.Bl -tag -width exclude -offset indent
.It exclude
The entry is ignored; no backups are made and the differences are not
displayed.
This includes dynamic or binary files such as
.Pa /var/run/utmp .
.It nodiff
The entry is backed up but the differences are not displayed because
the contents of the file are sensitive.
This includes files such as
.Pa /etc/master.passwd .
.El
.It Sy check_pkg_vulnerabilities
Checks the currently installed packages against a database of known
vulnerabilities and reports those that are vulnerable.
Check the
.Sy fetch_pkg_vulnerabilities
setting in
.Xr daily.conf 5
to keep the database up to date.
.It Sy check_pkg_signatures
Checks the digital signature of all files installed by packages against
the expected values stored in the packages database.
.El
.Pp
The variables described below can be set to modify the tests:
.Bl -tag -width check_network
.It Sy check_homes_permit_usergroups
During the
.Sy check_homes
phase, allow the checked files to be group-writable if the group name is
the same as the username.
.It Sy check_homes_permit_other_owner
During the
.Sy check_homes
phase, allow the home directory and files of the listed users to be owned
by a different user.
.It Sy check_devices_ignore_fstypes
Lists filesystem types to ignore during the
.Sy check_devices
phase.
Prefixing the type with a
.Sq \&!
inverts the match.
For example,
.Ql procfs !local
will ignore
.Ql procfs
type filesystems and filesystems that are not
.Ql local .
.It Sy check_devices_ignore_paths
Lists pathnames to ignore during the
.Sy check_devices
phase.
Prefixing the path with a
.Sq \&!
inverts the match.
For example,
.Ql /tftp
will ignore paths under
.Pa /tftp
while
.Ql !/home
will ignore paths that are not under
.Pa /home .
.It Sy check_mtree_follow_symlinks
During the
.Sy check_mtree
phase, instruct mtree to follow symbolic links.
Please note, this may cause the
.Sy check_mtree
phase to report errors for entries for these symbolic links (i.e. of
type=link in the mtree specification) as they will always appear to be plain
files for the purposes of the check.
.Pa /etc/mtree/special.local
may be used to override the checks for the affected links.
.It Sy check_passwd_nowarn_shells
If
.Sy check_passwd
is enabled, most warnings will be suppressed for entries whose shells
are listed in this space-separated list.
This is of particular value when those shells are not in
.Pa /etc/shells .
.It Sy check_passwd_nowarn_users
If
.Sy check_passwd
is enabled, suppress warnings for these users.
.It Sy check_passwd_permit_dups
If
.Sy check_passwd
is enabled, do not warn about duplicate uids for the listed login names.
.It Sy check_passwd_permit_nonalpha
If
.Sy check_passwd
is enabled, do not warn about login names which use non-alphanumeric
characters.
.It Sy check_passwd_permit_star
If
.Sy check_passwd
is enabled, do not warn about password fields set to
.Dq * .
Note that the use of password fields such as
.Dq *ssh
is encouraged, instead.
.It Sy max_grouplen
If
.Sy check_group
is enabled, this determines the maximum permitted length of group names.
.It Sy max_loginlen
If
.Sy check_passwd
is enabled, this determines the maximum permitted length of login names.
.It Sy backup_dir
Change the backup directory from
.Pa /var/backups .
.It Sy diff_options
Specify the options passed to
.Xr diff 1
when it is invoked to show changes made to system files.
Defaults to
.Dq -u ,
for unified-format context-diffs.
.It Sy pkgdb_dir
.Em DEPRECATED .
Please set
.Dv PKGDB_DIR
in
.Xr pkg_install.conf 5
instead.
.Pp
If defined, points to the location of the packages database.
Defaults to
.Pa /usr/pkg/pkgdb .
.It Sy backup_uses_rcs
Use
.Xr rcs 1
for maintaining backup copies of files noted in
.Sy check_devices ,
.Sy check_disklabels ,
.Sy check_pkgs ,
and
.Sy check_changelist
instead of just keeping a current copy and a backup copy.
.It Sy random_file
Name of the entropy seed file used at boot.
Default is
.Pa /var/db/entropy-file
as used by
.Pa /etc/rc.d/random_seed .
Set
.Sy random_file
to empty to disable saving a seed every time
.Pa /etc/security
runs.
.El
.Sh FILES
.Bl -tag -width /etc/defaults/security.conf -compact
.It Pa /etc/defaults/security.conf
defaults for /etc/security.conf
.It Pa /etc/security
daily security check script
.It Pa /etc/security.conf
daily security check configuration
.It Pa /etc/security.local
local site additions to
.Pa /etc/security
.El
.Sh SEE ALSO
.Xr daily.conf 5
.Sh HISTORY
The
.Nm
file appeared in
.Nx 1.3 .
The
.Sy check_disklabels
functionality was added in
.Nx 1.4 .
The
.Sy backup_uses_rcs
and
.Sy check_pkgs
features were added in
.Nx 1.6 .
.Sy diff_options
appeared in
.Nx 2.0 ;
prior to that, traditional-format (context free) diffs were generated.