1.\" $OpenBSD: security.8,v 1.22 2014/03/23 22:08:59 sthen Exp $ 2.\" 3.\" David Leonard, 2001. Public Domain. 4.\" 5.Dd $Mdocdate: March 23 2014 $ 6.Dt SECURITY 8 7.Os 8.Sh NAME 9.Nm security 10.Nd periodic system security check 11.Sh SYNOPSIS 12.Nm /usr/libexec/security 13.Sh DESCRIPTION 14.Nm 15is a command script that examines the system for some signs of security 16weaknesses. 17It is only a security aid and does not offer complete protection. 18.Nm 19is run by 20.Xr daily 8 , 21which mails any output to root on a daily basis. 22.Pp 23The 24.Nm 25script carries out the following list of simple checks: 26.Bl -bullet 27.It 28Check the 29.Xr master.passwd 5 30and 31.Xr group 5 32files for 33syntax, empty passwords, partially closed accounts, 34suspicious UIDs, suspicious GIDs, and duplicate entries. 35.It 36Check root's home directory and login environment for 37insecure permissions, suspicious paths, and umask commands in the 38dotfiles. 39.It 40Check for suspicious commands in 41.Pa /etc/mail/aliases . 42.It 43Check for insecurities in various trust files such as 44.Pa /etc/hosts.equiv , /etc/shosts.equiv , 45and 46.Pa /etc/hosts.lpd . 47.It 48Check user 49.Pa .rhosts 50and 51.Pa .shosts 52files for open access. 53.It 54Check user home directory permissions. 55.It 56Check many user dotfile permissions. 57.It 58Check user mailbox permissions. 59.It 60Check NFS 61.Xr exports 5 62file for global export entries. 63.It 64Check for changes in setuid/setgid files and devices. 65.It 66Check disk ownership and permissions. 67.It 68Check for changes in the device file list. 69.It 70Check for permission changes in special files and system binaries listed in 71.Pa /etc/mtree/special . 72.Nm 73also provides hooks for administrators to create their own lists. 74These lists should be kept in 75.Pa /etc/mtree/ 76and filenames must have the suffix 77.Dq .secure . 
The following example shows how to create such a list,
to protect the programs in
.Pa /bin :
.Bd -literal -offset 4n
# mtree -cx -p /bin -K sha256digest,type > /etc/mtree/bin.secure
# chown root:wheel /etc/mtree/bin.secure
# chmod 600 /etc/mtree/bin.secure
.Ed
.Pp
.Sy Note:
These checks do not provide complete protection against
Trojan horsed binaries, as
the miscreant can modify the tree specification to match the replaced binary.
For details on really protecting yourself against modified binaries, see
.Xr mtree 8 .
.It
Check for changes in files listed in
.Pa /etc/changelist .
Files being created or deleted,
as well as content change in the files themselves,
are reported.
See
.Xr changelist 5
for further details.
.It
Check for changes to the disklabels of mounted disks.
.It
Report on the installation or removal of any system
.Xr package 5 .
.It
Check
.Xr hostname.if 5
file permissions.
.El
.Pp
The intent of the
.Nm
script is to point out some obvious holes to the system administrator.
.Sh ENVIRONMENT
The following variables can be set in
.Pa /etc/daily.local :
.Pp
.Bl -tag -width "SUIDSKIP" -compact
.It Ev SUIDSKIP
A whitespace-separated list of absolute paths to be skipped
in setuid/setgid file checks and in device special file checks.
Avoid trailing slashes.
.El
.Sh FILES
.Bl -tag -width /dev/changelist -compact
.It Pa /etc/changelist
.It Pa /etc/daily
.It Pa /etc/mtree
.It Pa /var/backups
.El
.Sh SEE ALSO
.Xr changelist 5 ,
.Xr daily 8 ,
.Xr mtree 8
.Sh HISTORY
A
.Nm
shell script appeared in
.Bx 4.3 Reno ,
but most functionality only came with
.Bx 4.4 .
.Sh AUTHORS
The present manual was written by David Leonard for
.Ox 2.9 .
Andrew Fresh and Ingo Schwarze rewrote
.Nm
from scratch in
.Xr perl 1
for
.Ox 5.0 .
.Sh BUGS
The name of this script may provide a false sense of
.Nm security .
.\" Well, I thought it was amusing.
.Pp
There are perhaps an infinite number of ways the system can be compromised
without this script noticing.
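The DESCRIPTION section shows how an administrator records a tree specification for /bin with mtree(8) and keeps it as an /etc/mtree/*.secure file for the daily check. The script below is an added example, not part of the OpenBSD security script or of this manual: it reproduces the two halves of that workflow (record a spec, later re-hash and report what was added, removed or changed) with sha256sum instead of mtree, so it runs on any POSIX system, and it exercises the report on a constructed directory. The function names make_spec, check_spec and hash_tree and the temporary paths are invented for the example. As the Note above says, a spec kept on the same host can be edited along with a replaced binary, which is why the manual points to mtree(8) for stronger protection.

```shell
#!/bin/sh
# Added example, not from security(8) or OpenBSD: a portable stand-in for the
# /etc/mtree/*.secure workflow using sha256sum instead of mtree(8).
# Function names and paths are invented for this example.
#
#   make_spec DIR SPEC   record "digest  ./path" for every regular file in DIR
#   check_spec DIR SPEC  re-hash DIR, print added/removed/changed files,
#                        return 1 if anything differs (0 when all match)

hash_tree() {
    # Deterministic listing: paths relative to DIR, sorted in the C locale.
    ( cd "$1" && find . -type f | LC_ALL=C sort |
        while read -r f; do sha256sum "$f"; done )
}

make_spec() {
    dir=$1; spec=$2
    hash_tree "$dir" > "$spec"
    # Same advice the manual gives for bin.secure: readable by root only.
    chmod 600 "$spec"
}

check_spec() {
    dir=$1; spec=$2
    new=$(mktemp)
    hash_tree "$dir" > "$new"
    # Join both listings on path: only in spec = removed, only in the new
    # listing = added, present in both with a different digest = changed.
    report=$(awk '
        NR == FNR { old[$2] = $1; next }
        {
            if (!($2 in old))       print "added:   " $2
            else if (old[$2] != $1) print "changed: " $2
            seen[$2] = 1
        }
        END { for (p in old) if (!(p in seen)) print "removed: " p }
    ' "$spec" "$new")
    rm -f "$new"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Demonstration on a constructed directory; it cleans up after itself.
demo_dir=$(mktemp -d); demo_spec=$(mktemp)
printf 'ls binary\n'  > "$demo_dir/ls"
printf 'cat binary\n' > "$demo_dir/cat"
make_spec "$demo_dir" "$demo_spec"
check_spec "$demo_dir" "$demo_spec" && echo "clean: no changes"
printf 'replaced ls\n' > "$demo_dir/ls"    # simulated replaced binary
rm "$demo_dir/cat"                         # simulated deleted binary
check_spec "$demo_dir" "$demo_spec" || echo "mismatch detected (exit $?)"
rm -rf "$demo_dir" "$demo_spec"
```

Run it as a script, or source it and call make_spec once to record a tree and check_spec from a periodic job; a non-zero return is what a daily mail should be built from. Only regular files are hashed here, whereas the manual's mtree invocation also records each entry's type, so directories, symlinks and device nodes are out of scope for this stand-in.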