.\" $OpenBSD: security.8,v 1.17 2009/05/24 22:25:12 schwarze Exp $
.\"
.\" David Leonard, 2001. Public Domain.
.\"
.Dd $Mdocdate: May 24 2009 $
.Dt SECURITY 8
.Os
.Sh NAME
.Nm security
.Nd periodic system security check
.Sh SYNOPSIS
.Nm /etc/security
.Sh DESCRIPTION
.Nm
is a command script that examines the system for some signs of security
weaknesses.
It is only a security aid and does not offer complete protection.
.Nm
is run by
.Xr daily 8 ,
which mails any output to root on a daily basis.
.Pp
The
.Nm
script carries out the following list of simple checks:
.Bl -bullet
.It
Check the
.Xr master.passwd 5
and
.Xr group 5
files for
syntax, empty passwords, partially closed accounts,
suspicious UIDs, suspicious GIDs, and duplicate entries.
.It
Check root's home directory and login environment for
insecure permissions, suspicious paths, and umask commands in the
dotfiles.
.It
Check that root and uucp are in
.Pa /etc/ftpusers .
.It
Check for suspicious commands in
.Pa /etc/mail/aliases .
.It
Check for insecurities in various trust files such as
.Pa /etc/hosts.equiv , /etc/shosts.equiv ,
and
.Pa /etc/hosts.lpd .
.It
Check user
.Pa .rhosts
and
.Pa .shosts
files for open access.
.It
Check user home directory permissions.
.It
Check many user dotfile permissions.
.It
Check user mailbox permissions.
.It
Check NFS
.Xr exports 5
file for global export entries.
.It
Check for changes in setuid/setgid files and devices.
.It
Check disk ownership and permissions.
.It
Check for changes in the device file list.
.It
Check for permission changes in special files and system binaries listed in
.Pa /etc/mtree/special .
.Nm
also provides hooks for administrators to create their own lists.
These lists should be kept in
.Pa /etc/mtree/
and filenames must have the suffix
.Dq .secure .
The following example shows how to create such a list,
to protect the home directory of user
.Dq bob :
.Bd -literal -offset 4n
# mtree -cx -p /home/bob -K md5digest,type \*(Gt/etc/mtree/bob.secure
# chown root:wheel /etc/mtree/bob.secure
# chmod 600 /etc/mtree/bob.secure
.Ed
.Pp
.Sy Note:
These checks do not provide complete protection against
Trojan horsed binaries, as
the miscreant can modify the tree specification to match the replaced binary.
For details on really protecting yourself against modified binaries, see
.Xr mtree 8 .
.It
Check for changes in files listed in
.Pa /etc/changelist .
Files being created or deleted,
as well as content change in the files themselves,
are reported.
See
.Xr changelist 5
for further details.
.It
Check for changes to the disklabels of mounted disks.
.It
Report on the installation or removal of any system
.Xr package 5 .
.It
Check
.Xr hostname.if 5
file permissions.
.El
.Pp
The intent of the
.Nm
script is to point out some obvious holes to the system administrator.
.Sh ENVIRONMENT
The following variables can be set in
.Pa /etc/daily.local :
.Pp
.Bl -tag -width "SUIDSKIP" -compact
.It Ev SUIDSKIP
A whitespace-separated list of absolute paths to be skipped
in setuid/setgid file checks and in device special file checks.
.El
.Sh FILES
.Bl -tag -width /dev/changelist -compact
.It Pa /etc/changelist
.It Pa /etc/daily
.It Pa /etc/mtree
.It Pa /var/backups
.El
.Sh SEE ALSO
.Xr changelist 5 ,
.Xr daily 8 ,
.Xr mtree 8
.Sh BUGS
The name of this script may provide a false sense of
.Nm security .
.\" Well, I thought it was amusing.
.Pp
There are perhaps an infinite number of ways the system can be compromised
without this script noticing.
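The two checks above that compare a tree against a saved specification (the /etc/mtree/*.secure lists built with mtree(8) and the /etc/changelist file list) both rest on the same idea: record type, permission bits and a content digest once, store that record where an intruder cannot rewrite it, and diff against it every night. The script below is an added example, not part of security(8), mtree(8) or any OpenBSD script, that implements that baseline-and-compare step in portable POSIX sh so it can be run anywhere. It assumes find, ls, cksum, sort, comm, join, awk and mktemp are available and that paths contain no whitespace; cksum stands in for the md5digest keyword the man page passes to mtree, and the sample tree in demo() is constructed for the illustration.

```shell
#!/bin/sh
# Added example; not part of security(8), mtree(8) or any OpenBSD script.
# Baseline-and-compare check in the spirit of /etc/mtree/*.secure and
# /etc/changelist: record type, mode and a checksum for every entry under a
# directory, later report what was added, deleted or changed.
# Assumptions: POSIX sh with find, ls, cksum, sort, comm, join, awk, mktemp;
# paths without whitespace; cksum stands in for mtree's md5digest keyword.
LC_ALL=C
export LC_ALL

# snapshot DIR: one "path type mode checksum" line per entry, sorted by path.
# Directories get "-" as checksum; only their presence and mode are tracked.
snapshot() {
    ( cd "$1" && find . -print | sort | while IFS= read -r p; do
        mode=$(ls -ld "$p" | cut -c1-10)
        if [ -f "$p" ]; then
            printf '%s file %s %s\n' "$p" "$mode" "$(cksum < "$p" | cut -d' ' -f1)"
        elif [ -d "$p" ]; then
            printf '%s dir %s -\n' "$p" "$mode"
        fi
    done )
}

# build_baseline DIR SPEC: write the spec and make it unreadable to others,
# mirroring the chmod 600 step the man page applies to bob.secure.
build_baseline() {
    snapshot "$1" > "$2" && chmod 600 "$2"
}

# check_baseline DIR SPEC: print "A path" (added), "D path" (deleted) and
# "M path" (type, mode or checksum differs from the baseline).
check_baseline() {
    cur=$(mktemp) && oldp=$(mktemp) && newp=$(mktemp) || return 1
    snapshot "$1" > "$cur"
    cut -d' ' -f1 "$2" > "$oldp"
    cut -d' ' -f1 "$cur" > "$newp"
    comm -13 "$oldp" "$newp" | sed 's/^/A /'
    comm -23 "$oldp" "$newp" | sed 's/^/D /'
    # join on path: fields 2-4 are the baseline attributes, 5-7 the current ones
    join "$2" "$cur" | awk '$2 != $5 || $3 != $6 || $4 != $7 { print "M " $1 }'
    rm -f "$cur" "$oldp" "$newp"
}

# demo: constructed sample tree, baselined, then given the four kinds of
# change a nightly report should catch. Prints the report.
demo() {
    root=$(mktemp -d) || return 1
    spec="$root.spec"                          # baseline kept outside the tree
    mkdir "$root/bin"
    printf 'original\n' > "$root/bin/login"
    printf 'old\n' > "$root/old"
    printf 'trusted.example\n' > "$root/.rhosts"
    chmod 600 "$root/.rhosts"
    build_baseline "$root" "$spec"
    printf 'replaced\n' > "$root/bin/login"    # content changed, same name
    chmod 644 "$root/.rhosts"                  # permission change only
    printf 'x\n' > "$root/bin/evil"            # new file
    rm "$root/old"                             # deleted file
    report=$(check_baseline "$root" "$spec")
    rm -rf "$root" "$spec"
    printf '%s\n' "$report"
}

demo
```

Running the script prints one line per finding: an A line for the new file, a D line for the removed one, and M lines for the binary whose content changed and for the dotfile whose mode changed although its content did not. As the man page's note says, this is only as trustworthy as the spec file itself, which is why build_baseline restricts its mode and demo keeps it outside the tree being checked.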