1.\" $OpenBSD: security.8,v 1.3 2001/06/27 21:19:22 pvalchev Exp $ 2.Dd July 1, 2000 3.Dt SECURITY 8 4.Os 5.Sh NAME 6.Nm security 7.Nd periodic system security check 8.Sh SYNOPSIS 9.Nm /etc/security 10.Sh DESCRIPTION 11.Nm 12is a command script that examines the system for some signs of security 13weaknesses. 14It is only a security aid and does not offer complete protection. 15The 16.Nm 17script is normally run from the 18.Pa /etc/daily 19script, which sends mails to root on a daily basis. 20.Pp 21The 22.Nm 23script carries out the following list of simple checks: 24.Bl -bullet 25.It 26Check the master 27.Xr passwd 5 28and 29.Xr group 5 30files for 31syntax, empty passwords, partially closed accounts, 32suspicious UIDs, suspicious GIDs, and duplicate entries. 33.It 34Check root's home directory and login environment for 35insecure permissions, suspicious paths, and umask commands in the 36dotfiles. 37.It 38Check that root and uucp are in 39.Pa /etc/ftpusers . 40.It 41Check for suspicious commands in 42.Pa /etc/mail/aliases . 43.It 44Check for insecurities in various trust files such as 45.Pa /etc/hosts.equiv , /etc/shosts.equiv , 46and 47.Pa /etc/hosts.lpd . 48.It 49Check user 50.Pa .rhosts 51and 52.Pa .shosts 53files for open access. 54.It 55Check user home directory permissions. 56.It 57Check many user dotfile permissions. 58.It 59Check user mailbox permissions. 60.It 61Check NFS 62.Xr exports 5 63file for global export entries. 64.It 65Check for changes in setuid/setgid files and devices. 66.It 67Check disk ownership and permissions. 68.It 69Check for changes in the device file list. 70.It 71Check for permission changes in special files and system binaries listed in 72.Pa /etc/mtree/special 73and 74.Pa "/etc/mtree/*.secure" . 75.Sy Note: 76This is not complete protection against Trojan horsed binaries, as 77the miscreant can modify the tree specification to match the replaced binary. 
78For details on really protecting yourself against modified binaries, see 79.Xr mtree 8 . 80.It 81Check for content changes in those files specified by 82.Pa /etc/changelist . 83.El 84.Pp 85The intent of the 86.Nm 87script is to point out some obvious holes to the system administrator. 88.Sh FILES 89.Bl -tag -width /dev/changelist -compact 90.It Pa /etc/daily 91.It Pa /etc/mtree 92.It Pa /etc/changelist 93.It Pa /var/backups 94.El 95.Sh SEE ALSO 96.Xr mtree 8 97.Sh BUGS 98The name of this script may provide a false sense of 99.Nm security . 100.\" Well, I thought it was amusing. 101.Pp 102There are perhaps an infinite number of ways the system can be compromised 103without this script noticing. 104
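.Sh EXAMPLES
The following shell script is an added example; it is not part of the
.Nm
script or of OpenBSD.
It re-implements, in simplified form, the
.Xr passwd 5
checks listed under DESCRIPTION: field-count syntax, empty passwords,
non-root accounts holding UID 0, and duplicate login names and UIDs.
The passwd-format input is a constructed sample embedded in the script,
and the function names check_passwd and check_sample are this example's own.

```sh
#!/bin/sh
# Added example (not the OpenBSD security script): simplified passwd(5)
# sanity checks of the kind security(8) performs.  Reads a file with the
# seven colon-separated passwd fields
#   name:password:uid:gid:gecos:home:shell
# and prints one line per finding.

# Constructed sample input.  It is NOT a real system file; the names,
# UIDs and the deliberately broken last line are made up for this demo.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/ksh
alice::1000:1000:Alice:/home/alice:/bin/ksh
bob:*:1001:1001:Bob:/home/bob:/bin/ksh
bob:*:1002:1001:Bob again:/home/bob2:/bin/ksh
carol:*:1001:1001:Carol:/home/carol:/bin/ksh
mallory:*:0:0:Not root:/home/mallory:/bin/sh
broken:*:1003:1003:Missing shell field:/home/broken'

# check_passwd FILE
#   Print one line per finding on stdout.
#   Exit status: 0 when there is no finding, 1 when there is at least one.
check_passwd() {
    awk -F: '
    {
        # Syntax: every entry must have exactly seven fields.
        if (NF != 7) {
            printf("Line %d is invalid: %s\n", NR, $0); found++; next
        }
        # An empty password field lets anyone log in without a password.
        if ($2 == "") {
            printf("Login %s has no password.\n", $1); found++
        }
        # The UID must be numeric, and only root should hold UID 0.
        if ($3 !~ /^[0-9]+$/) {
            printf("Login %s has a non-numeric UID.\n", $1); found++
        } else if ($3 == 0 && $1 != "root") {
            printf("Login %s has UID 0 but is not root.\n", $1); found++
        }
        # Duplicate login names and duplicate UIDs.
        if ($1 in names) {
            printf("Duplicate login name %s.\n", $1); found++
        }
        names[$1] = 1
        if ($3 in uids) {
            printf("Duplicate UID %s: %s and %s.\n", $3, uids[$3], $1); found++
        } else {
            uids[$3] = $1
        }
    }
    END { exit (found > 0) }' "$1"
}

# check_sample
#   Write the constructed sample to a temporary file, run check_passwd on
#   it, and propagate its exit status.
check_sample() {
    tmp=$(mktemp) || return 2
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
    check_passwd "$tmp"
    status=$?
    rm -f "$tmp"
    return $status
}

# When run directly, report on the sample (six findings are expected).
if check_sample; then
    echo "no findings"
else
    echo "findings reported (exit status $?)"
fi
```

The check is read-only; pointing check_passwd at a real master passwd file
only requires read access to that file.
Like the
.Nm
script itself, a clean result here is no proof that the file is sound: the
"partially closed account" and "suspicious GID" checks are not reproduced.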