Man page or keyword search:   man All Sections 1 - General Commands 2 - System Calls 3 - Subroutines, Functions 4 - Special Files 5 - File Formats 6 - Games and Screensavers 7 - Macros and Conventions 8 - Maintenence Commands 9 - Kernel Interface New Commands Server 4.4BSD AIX Alpinelinux Archlinux Aros BSDOS BSDi Bifrost CentOS Cygwin Darwin Debian DigitalUNIX DragonFly ElementaryOS Fedora FreeBSD Gentoo GhostBSD HP-UX Haiku Hurd IRIX Inferno JazzOS Kali Knoppix LinuxMint MacOSX Mageia Mandriva Manjaro Minix MirBSD NeXTSTEP NetBSD OPENSTEP OSF1 OpenBSD OpenDarwin OpenIndiana OpenMandriva OpenServer OpenSuSE OpenVMS Oracle PC-BSD Peanut Pidora Plan9 QNX Raspbian RedHat Scientific Slackware SmartOS Solaris SuSE SunOS Syllable Tru64 UNIXv7 Ubuntu Ultrix UnixWare Xenix YellowDog aLinux   6113 pages apropos Keyword Search (all sections) Output format html ascii pdf view pdf save postscript

SECURITY(8)		 BSD System Manager's Manual		   SECURITY(8)

NAME
     security - periodic system security check

SYNOPSIS
     /etc/security

DESCRIPTION
     security is a command script that examines the system for some signs of
     security weaknesses. It is only a security aid and does not offer com-
     plete protection. The security script is normally run from the /etc/daily
     script (see daily(8) for further details), which sends mails to root on a
     daily basis.

     The security script carries out the following list of simple checks:

     +	 Check the master.passwd(5) and group(5) files for syntax, empty pass-
	 words, partially closed accounts, suspicious UIDs, suspicious GIDs,
	 and duplicate entries.

     +	 Check root's home directory and login environment for insecure per-
	 missions, suspicious paths, and umask commands in the dotfiles.

     +	 Check that root and uucp are in /etc/ftpusers.

     +	 Check for suspicious commands in /etc/mail/aliases.

     +	 Check for insecurities in various trust files such as
	 /etc/hosts.equiv, /etc/shosts.equiv, and /etc/hosts.lpd.

     +	 Check user .rhosts and .shosts files for open access.

     +	 Check user home directory permissions.

     +	 Check many user dotfile permissions.

     +	 Check user mailbox permissions.

     +	 Check NFS exports(5) file for global export entries.

     +	 Check for changes in setuid/setgid files and devices.

     +	 Check disk ownership and permissions.

     +	 Check for changes in the device file list.

     +	 Check for permission changes in special files and system binaries
	 listed in /etc/mtree/special. security also provides hooks for ad-
	 ministrators to create their own lists. These lists should be kept in
	 /etc/mtree/ and filenames must have the suffix ".secure". The follow-
	 ing example shows how to create such a list, to protect the home
	 directory of user "bob":

	     # mtree -cx -p /home/bob -K md5digest,type >/etc/mtree/bob.secure
	     # chown root:wheel /etc/mtree/bob.secure
	     # chmod 600 /etc/mtree/bob.secure

	 Note: These checks do not provide complete protection against Trojan
	 horsed binaries, as the miscreant can modify the tree specification
	 to match the replaced binary. For details on really protecting your-
	 self against modified binaries, see mtree(8).

     +	 Check for content changes in those files specified by /etc/changelist
	 and /etc/changelist.local. See changelist(5) for further details.

     +	 Check for changes to the disklabels of mounted disks.

     The intent of the security script is to point out some obvious holes to
     the system administrator.

FILES
     /etc/changelist
     /etc/daily
     /etc/mtree
     /var/backups

SEE ALSO
     changelist(5), daily(8), mtree(8)

BUGS
     The name of this script may provide a false sense of security.

     There are perhaps an infinite number of ways the system can be comprom-
     ised without this script noticing.

MirOS BSD #10-current		 July 1, 2000				     1

Vote for polarhome