.\" $OpenBSD: security.8,v 1.6 2003/06/06 19:28:06 jmc Exp $
.\"
.\" David Leonard, 2001. Public Domain.
.\"
.Dd July 1, 2000
.Dt SECURITY 8
.Os
.Sh NAME
.Nm security
.Nd periodic system security check
.Sh SYNOPSIS
.Nm /etc/security
.Sh DESCRIPTION
.Nm
is a command script that examines the system for some signs of security
weaknesses.
It is only a security aid and does not offer complete protection.
The
.Nm
script is normally run from the
.Pa /etc/daily
script, which sends mail to root on a daily basis.
.Pp
The
.Nm
script carries out the following list of simple checks:
.Bl -bullet
.It
Check the master
.Xr passwd 5
and
.Xr group 5
files for
syntax, empty passwords, partially closed accounts,
suspicious UIDs, suspicious GIDs, and duplicate entries.
.It
Check root's home directory and login environment for
insecure permissions, suspicious paths, and umask commands in the
dotfiles.
.It
Check that root and uucp are in
.Pa /etc/ftpusers .
.It
Check for suspicious commands in
.Pa /etc/mail/aliases .
.It
Check for insecurities in various trust files such as
.Pa /etc/hosts.equiv , /etc/shosts.equiv ,
and
.Pa /etc/hosts.lpd .
.It
Check user
.Pa .rhosts
and
.Pa .shosts
files for open access.
.It
Check user home directory permissions.
.It
Check many user dotfile permissions.
.It
Check user mailbox permissions.
.It
Check NFS
.Xr exports 5
file for global export entries.
.It
Check for changes in setuid/setgid files and devices.
.It
Check disk ownership and permissions.
.It
Check for changes in the device file list.
.It
Check for permission changes in special files and system binaries listed in
.Pa /etc/mtree/special
and
.Pa "/etc/mtree/*.secure" .
.Sy Note:
This is not complete protection against Trojan horsed binaries, as
the miscreant can modify the tree specification to match the replaced binary.
For details on really protecting yourself against modified binaries, see
.Xr mtree 8 .
.It
Check for content changes in those files specified by
.Pa /etc/changelist .
.El
.Pp
The intent of the
.Nm
script is to point out some obvious holes to the system administrator.
.Sh FILES
.Bl -tag -width /dev/changelist -compact
.It Pa /etc/daily
.It Pa /etc/mtree
.It Pa /etc/changelist
.It Pa /var/backups
.El
.Sh SEE ALSO
.Xr mtree 8
.Sh BUGS
The name of this script may provide a false sense of
.Nm security .
.\" Well, I thought it was amusing.
.Pp
There are perhaps an infinite number of ways the system can be compromised
without this script noticing.