SECURITY(8) BSD System Manager's Manual SECURITY(8)
NAME
security - periodic system security check
SYNOPSIS
/etc/security
DESCRIPTION
security is a command script that examines the system for some signs of
security weaknesses. It is only a security aid and does not offer complete
protection. The security script is normally run from the /etc/daily
script (see daily(8) for further details), which sends mail to root on a
daily basis.
The security script carries out the following list of simple checks:
+ Check the master.passwd(5) and group(5) files for syntax, empty
passwords, partially closed accounts, suspicious UIDs, suspicious GIDs,
and duplicate entries.
+ Check root's home directory and login environment for insecure
permissions, suspicious paths, and umask commands in the dotfiles.
+ Check that root and uucp are in /etc/ftpusers.
+ Check for suspicious commands in /etc/mail/aliases.
+ Check for insecurities in various trust files such as
/etc/hosts.equiv, /etc/shosts.equiv, and /etc/hosts.lpd.
+ Check user .rhosts and .shosts files for open access.
+ Check user home directory permissions.
+ Check many user dotfile permissions.
+ Check user mailbox permissions.
+ Check NFS exports(5) file for global export entries.
+ Check for changes in setuid/setgid files and devices.
+ Check disk ownership and permissions.
+ Check for changes in the device file list.
+ Check for permission changes in special files and system binaries
listed in /etc/mtree/special. security also provides hooks for
administrators to create their own lists. These lists should be kept in
/etc/mtree/ and filenames must have the suffix ".secure". The following
example shows how to create such a list, to protect the home
directory of user "bob":
# mtree -cx -p /home/bob -K md5digest,type >/etc/mtree/bob.secure
# chown root:wheel /etc/mtree/bob.secure
# chmod 600 /etc/mtree/bob.secure
Note: These checks do not provide complete protection against Trojan
horsed binaries, as the miscreant can modify the tree specification
to match the replaced binary. For details on really protecting yourself
against modified binaries, see mtree(8).
+ Check for content changes in those files specified by /etc/changelist
and /etc/changelist.local. See changelist(5) for further details.
+ Check for changes to the disklabels of mounted disks.
The intent of the security script is to point out some obvious holes to
the system administrator.
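As an added illustration of the first check in the list above (not the /etc/security script itself), the following shell function applies a reduced set of the master.passwd(5) tests to constructed sample input: field count, empty passwords, UID 0 on a login other than root, and duplicate logins or UIDs. The function names, the sample accounts, and the choice of UID 0 as the "suspicious" UID are assumptions made for this example.

```sh
#!/bin/sh
# Added example: a reduced version of the master.passwd(5) checks, not the
# real /etc/security script. Reads master.passwd-format lines on stdin.
check_master_passwd() {
    awk -F: '
    /^#/ || /^$/ { next }                   # skip comments and blank lines
    NF != 10 {                              # master.passwd(5) has 10 fields
        printf "line %d: wrong number of fields (%d)\n", NR, NF
        next
    }
    $2 == "" { printf "login %s has no password\n", $1 }
    $3 !~ /^[0-9]+$/ { printf "login %s has a non-numeric UID\n", $1; next }
    $3 == 0 && $1 != "root" { printf "login %s has UID 0\n", $1 }
    seen_name[$1]++ { printf "login %s is listed more than once\n", $1 }
    seen_uid[$3]++  { printf "UID %s is shared (login %s)\n", $3, $1 }
    '
}

# Constructed sample input; the password hashes are placeholders.
sample_master_passwd() {
    cat <<'EOF'
root:$2a$placeholder:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
toor:$2a$placeholder:0:0:daemon:0:0:Spare root:/root:/bin/sh
bob::1000:1000::0:0:Bob:/home/bob:/bin/ksh
alice:$2a$placeholder:1001:1001::0:0:Alice:/home/alice:/bin/ksh
alice:$2a$placeholder:1002:1002::0:0:Alice again:/home/alice2:/bin/ksh
broken:x:1003:1003
EOF
}

# Run the checks over the sample; on a real system the input would be
# /etc/master.passwd, which only root can read.
sample_master_passwd | check_master_passwd
```

Each line of output is one finding, so an empty result means none of these particular tests fired; it says nothing about the checks this reduced version leaves out.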
FILES
/etc/changelist
/etc/daily
/etc/mtree
/var/backups
SEE ALSO
changelist(5), daily(8), mtree(8)
BUGS
The name of this script may provide a false sense of security.
There are perhaps an infinite number of ways the system can be
compromised without this script noticing.
MirOS BSD #10-current July 1, 2000