.\" $OpenBSD: security.8,v 1.14 2008/04/17 19:49:16 sthen Exp $
.\"
.\" David Leonard, 2001. Public Domain.
.\"
.Dd $Mdocdate: April 17 2008 $
.Dt SECURITY 8
.Os
.Sh NAME
.Nm security
.Nd periodic system security check
.Sh SYNOPSIS
.Nm /etc/security
.Sh DESCRIPTION
.Nm
is a command script that examines the system for some signs of security
weaknesses.
It is only a security aid and does not offer complete protection.
The
.Nm
script is normally run from the
.Pa /etc/daily
script (see
.Xr daily 8
for further details), which sends mails to root on a daily basis.
.Pp
The
.Nm
script carries out the following list of simple checks:
.Bl -bullet
.It
Check the
.Xr master.passwd 5
and
.Xr group 5
files for
syntax, empty passwords, partially closed accounts,
suspicious UIDs, suspicious GIDs, and duplicate entries.
.It
Check root's home directory and login environment for
insecure permissions, suspicious paths, and umask commands in the
dotfiles.
.It
Check that root and uucp are in
.Pa /etc/ftpusers .
.It
Check for suspicious commands in
.Pa /etc/mail/aliases .
.It
Check for insecurities in various trust files such as
.Pa /etc/hosts.equiv , /etc/shosts.equiv ,
and
.Pa /etc/hosts.lpd .
.It
Check user
.Pa .rhosts
and
.Pa .shosts
files for open access.
.It
Check user home directory permissions.
.It
Check many user dotfile permissions.
.It
Check user mailbox permissions.
.It
Check NFS
.Xr exports 5
file for global export entries.
.It
Check for changes in setuid/setgid files and devices.
.It
Check disk ownership and permissions.
.It
Check for changes in the device file list.
.It
Check for permission changes in special files and system binaries listed in
.Pa /etc/mtree/special .
.Nm
also provides hooks for administrators to create their own lists.
These lists should be kept in
.Pa /etc/mtree/
and filenames must have the suffix
.Dq .secure .
The following example shows how to create such a list,
to protect the home directory of user
.Dq bob :
.Bd -literal -offset 4n
# mtree -cx -p /home/bob -K md5digest,type \*(Gt/etc/mtree/bob.secure
# chown root:wheel /etc/mtree/bob.secure
# chmod 600 /etc/mtree/bob.secure
.Ed
.Pp
.Sy Note:
These checks do not provide complete protection against
Trojan horsed binaries, as
the miscreant can modify the tree specification to match the replaced binary.
For details on really protecting yourself against modified binaries, see
.Xr mtree 8 .
.It
Check for changes in files listed in
.Pa /etc/changelist .
Files being created or deleted,
as well as content change in the files themselves,
are reported.
See
.Xr changelist 5
for further details.
.It
Check for changes to the disklabels of mounted disks.
.It
Report on the installation or removal of any system
.Xr package 5 .
.It
Check
.Xr hostname.if 5
file permissions.
.El
.Pp
The intent of the
.Nm
script is to point out some obvious holes to the system administrator.
.Sh FILES
.Bl -tag -width /dev/changelist -compact
.It Pa /etc/changelist
.It Pa /etc/daily
.It Pa /etc/mtree
.It Pa /var/backups
.El
.Sh SEE ALSO
.Xr changelist 5 ,
.Xr daily 8 ,
.Xr mtree 8
.Sh BUGS
The name of this script may provide a false sense of
.Nm security .
.\" Well, I thought it was amusing.
.Pp
There are perhaps an infinite number of ways the system can be compromised
without this script noticing.