.\"	$OpenBSD: security.8,v 1.7 2003/09/25 09:22:01 jmc Exp $
.\"
.\" David Leonard, 2001. Public Domain.
.\"
.Dd July 1, 2000
.Dt SECURITY 8
.Os
.Sh NAME
.Nm security
.Nd periodic system security check
.Sh SYNOPSIS
.Nm /etc/security
.Sh DESCRIPTION
.Nm
is a command script that examines the system for some signs of security
weaknesses.
It is only a security aid and does not offer complete protection.
The
.Nm
script is normally run from the
.Pa /etc/daily
script (see
.Xr daily 8
for further details), which sends mail to root on a daily basis.
.Pp
The
.Nm
script carries out the following list of simple checks:
.Bl -bullet
.It
Check the master
.Xr passwd 5
and
.Xr group 5
files for
syntax, empty passwords, partially closed accounts,
suspicious UIDs, suspicious GIDs, and duplicate entries.
.It
Check root's home directory and login environment for
insecure permissions, suspicious paths, and umask commands in the
dotfiles.
.It
Check that root and uucp are in
.Pa /etc/ftpusers .
.It
Check for suspicious commands in
.Pa /etc/mail/aliases .
.It
Check for insecurities in various trust files such as
.Pa /etc/hosts.equiv , /etc/shosts.equiv ,
and
.Pa /etc/hosts.lpd .
.It
Check user
.Pa .rhosts
and
.Pa .shosts
files for open access.
.It
Check user home directory permissions.
.It
Check many user dotfile permissions.
.It
Check user mailbox permissions.
.It
Check NFS
.Xr exports 5
file for global export entries.
.It
Check for changes in setuid/setgid files and devices.
.It
Check disk ownership and permissions.
.It
Check for changes in the device file list.
.It
Check for permission changes in special files and system binaries listed in
.Pa /etc/mtree/special
and
.Pa "/etc/mtree/*.secure" .
.Sy Note:
This is not complete protection against Trojan horsed binaries, as
the miscreant can modify the tree specification to match the replaced binary.
For details on really protecting yourself against modified binaries, see
.Xr mtree 8 .
.It
Check for content changes in those files specified by
.Pa /etc/changelist .
See
.Xr changelist 5
for further details.
.El
.Pp
The intent of the
.Nm
script is to point out some obvious holes to the system administrator.
.Sh FILES
.Bl -tag -width /dev/changelist -compact
.It Pa /etc/changelist
.It Pa /etc/daily
.It Pa /etc/mtree
.It Pa /var/backups
.El
.Sh SEE ALSO
.Xr changelist 5 ,
.Xr daily 8 ,
.Xr mtree 8
.Sh BUGS
The name of this script may provide a false sense of
.Nm security .
.\" Well, I thought it was amusing.
.Pp
There are perhaps an infinite number of ways the system can be compromised
without this script noticing.
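.Sh EXAMPLES
The first check in the DESCRIPTION list (syntax, empty passwords, suspicious UIDs and duplicate entries in the master password file) can be sketched as follows.
This is an added example, not the /etc/security script itself; the function names, the sample accounts and the choice of what counts as suspicious are assumptions of the example.

```shell
#!/bin/sh
# Added example, not the OpenBSD /etc/security script.
# Expected layout, one account per line (10 colon-separated fields):
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell

# check_master_passwd [FILE]: print one finding per line; reads stdin
# when FILE is omitted. What counts as "suspicious" here (UID 0 on a
# login other than root, non-numeric IDs) is an assumption of this example.
check_master_passwd() {
	awk -F: '
	/^#/ || /^$/ { next }
	NF != 10 {
		printf "line %d: expected 10 fields, got %d\n", NR, NF
		next
	}
	$2 == "" { printf "login %s has an empty password\n", $1 }
	$3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ {
		printf "login %s has a non-numeric UID or GID\n", $1
	}
	$3 ~ /^0+$/ && $1 != "root" { printf "login %s has UID 0\n", $1 }
	seen[$1]++ { printf "duplicate login %s\n", $1 }
	' "${1:--}"
}

# Constructed sample data; the password fields are placeholders.
sample_master_passwd() {
	cat <<'EOF'
root:CONSTRUCTED-HASH:0:0:daemon:0:0:Charlie Root:/root:/bin/ksh
daemon:*:1:1::0:0:The devil himself:/root:/sbin/nologin
alice::1000:1000::0:0:Alice:/home/alice:/bin/ksh
toor:*:0:0::0:0:Backup root:/root:/bin/sh
bob:*:1001:1001::0:0:Bob:/home/bob
alice:*:1002:1002::0:0:Second Alice:/home/alice2:/bin/ksh
EOF
}

# Run the check over the constructed sample.
sample_master_passwd | check_master_passwd
```

Like the script it imitates, this only flags obvious problems; an empty report does not show that the password file is sound.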