NAME
     security.conf - daily security check configuration file

DESCRIPTION
     The security.conf file specifies which of the standard /etc/security
     services are performed.  The /etc/security script is run, by default,
     every night from /etc/daily on a NetBSD system, if configured to do so
     from /etc/daily.conf.

     The variables described below can be set to "NO" to disable the test:

     check_passwd
             This checks the /etc/master.passwd file for inconsistencies.

     check_group
             This checks the /etc/group file for inconsistencies.

     check_rootdotfiles
             This checks the root user's startup files for sane settings of
             $PATH and umask.  This test is not fail safe and any warning
             generated from this should be checked for correctness.

     check_ftpusers
             This checks that the correct users are in the /etc/ftpusers
             file.

     check_aliases
             This checks for security problems in the /etc/mail/aliases
             file.  For backward compatibility, /etc/aliases will be checked
             as well if it exists.

     check_rhosts
             This checks for system and user rhosts files with "+" in them.

     check_homes
             This checks that home directories are owned by the correct
             user, and have appropriate permissions.

     check_varmail
             This checks that the correct user owns mail in /var/mail, and
             that the mail box has the right permissions.

     check_nfs
             This checks that the /etc/exports file does not export
             filesystems to the world.

     check_devices
             This checks for changes to devices and setuid files.

     check_mtree
             This runs mtree(8) to ensure that the system is installed
             correctly.  The following configuration files are checked:

             /etc/mtree/special        Default files to check.
             /etc/mtree/special.local  Local site additions and overrides.
             /etc/mtree/DIR.secure     Specification for the directory DIR.

     check_disklabels
             Backup text copies of the disklabels of available disk drives
             into /var/backups/work/disklabel.XXX, and display any
             differences in those and the previous copies as per
             check_changelist below.  If fdisk(8) is available on the
             current platform, the output of /sbin/fdisk for each available
             disk drive is stored in /var/backups/work/fdisk.XXX, and any
             differences displayed as per the disklabels.

     check_pkgs
             This stores a list of all installed pkgs into
             /var/backups/work/pkgs and checks it for any changes.

     check_changelist
             This determines a list of files from the contents of
             /etc/changelist, and the output of mtree -D for
             /etc/mtree/special and /etc/mtree/special.local.  For each
             file in the list it compares the files with their backups in
             /var/backups/file.current and /var/backups/file.backup, and
             displays any differences found.

             The following mtree(8) tags modify how files are determined
             from /etc/mtree/special and /etc/mtree/special.local:

             exclude  The entry is ignored; no backups are made and the
                      differences are not displayed.  This includes dynamic
                      or binary files such as /var/run/utmp.

             nodiff   The entry is backed up but the differences are not
                      displayed because the contents of the file are
                      sensitive.  This includes files such as
                      /etc/master.passwd.

     The variables described below can be set to modify the tests:

     check_homes_permit_usergroups
             During the check_homes phase, allow the checked files to be
             group-writable if the group name is the same as the username.

     check_devices_ignore_fstypes
             Lists filesystem types to ignore during the check_devices
             phase.  Prefixing the type with a "!" inverts the match.  For
             example, "procfs !local" will ignore "procfs" type filesystems
             and filesystems that are not "local".

     check_devices_ignore_paths
             Lists pathnames to ignore during the check_devices phase.
             Prefixing the path with a "!" inverts the match.  For example,
             "/tftp" will ignore paths under /tftp while "!/home" will
             ignore paths that are not under /home.

     check_mtree_follow_symlinks
             During the check_mtree phase, instruct mtree to follow symbolic
             links.  Please note, this may cause the check_mtree phase to
             report errors for entries for these symbolic links (i.e. of
             type=link in the mtree specification) as they will always
             appear to be plain files for the purposes of the check.
             /etc/mtree/special.local may be used to override the checks for
             the affected links.

     check_passwd_nowarn_shells
             If check_passwd is enabled, most warnings will be suppressed
             for entries whose shells are listed in this space-separated
             list.  This is of particular value when those shells are not
             in /etc/shells.

     check_passwd_nowarn_users
             If check_passwd is enabled, suppress warnings for these users.

     check_passwd_permit_nonalpha
             If check_passwd is enabled, do not warn about login names which
             use non-alphanumeric characters.

     check_passwd_permit_star
             If check_passwd is enabled, do not warn about password fields
             set to "*".  Note that the use of password fields such as
             "*ssh" is encouraged, instead.

     max_grouplen
             If check_group is enabled, this determines the maximum
             permitted length of group names.

     max_loginlen
             If check_passwd is enabled, this determines the maximum
             permitted length of login names.

     backup_dir
             Change the backup directory from /var/backup.

     diff_options
             Specify the options passed to diff(1) when it is invoked to
             show changes made to system files.  Defaults to "-u", for
             unified-format context-diffs.

     pkgdb_dir
             Change the pkg database directory from /var/db/pkg when
             check_pkgs is enabled.

     backup_uses_rcs
             Use rcs(1) for maintaining backup copies of files noted in
             check_devices, check_disklabels, check_pkgs, and
             check_changelist instead of just keeping a current copy and a
             backup copy.
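
     The two ignore lists above, check_devices_ignore_fstypes and
     check_devices_ignore_paths, share the same "!" inversion rule.  The
     following POSIX sh functions are an added example, not code from
     NetBSD's /etc/security, that implement that rule so a candidate list
     can be dry-run against a filesystem type or a path before it goes into
     /etc/security.conf.  Assumptions: "local" is a pseudo-type matching any
     locally mounted filesystem (as find(1) -fstype does), a path entry
     covers the directory itself and everything below it, and a filesystem
     or path is ignored as soon as any item in the list matches.

```shell
#!/bin/sh
# Added example, not part of NetBSD's /etc/security: implements the matching
# rule that security.conf(5) describes for check_devices_ignore_fstypes and
# check_devices_ignore_paths.  Assumptions: "local" is a pseudo-type matching
# any locally mounted filesystem, a path entry covers the directory and all
# below it, and an item prefixed with "!" ignores whatever does NOT match.

# fs_ignored LIST TYPE LOCAL
#   Exit 0 if a filesystem of TYPE (LOCAL is "yes" or "no") is ignored by
#   LIST, e.g. "procfs !local".
fs_ignored() {
    _list=$1 _type=$2 _local=$3
    for _item in $_list; do
        case $_item in
        '!'*) _negate=yes; _name=${_item#!} ;;
        *)    _negate=no;  _name=$_item ;;
        esac
        if [ "$_name" = local ]; then
            _hit=$_local
        elif [ "$_name" = "$_type" ]; then
            _hit=yes
        else
            _hit=no
        fi
        # a plain item ignores on a hit, an inverted item ignores on a miss
        if [ "$_hit" != "$_negate" ]; then return 0; fi
    done
    return 1
}

# path_ignored LIST PATH
#   Exit 0 if PATH is ignored by LIST, e.g. "/tftp !/home".
path_ignored() {
    _list=$1 _path=$2
    for _item in $_list; do
        case $_item in
        '!'*) _negate=yes; _name=${_item#!} ;;
        *)    _negate=no;  _name=$_item ;;
        esac
        case $_path in
        "$_name" | "$_name"/*) _hit=yes ;;
        *)                     _hit=no ;;
        esac
        if [ "$_hit" != "$_negate" ]; then return 0; fi
    done
    return 1
}
```

     Note that a list mixing "/tftp" and "!/home" ignores everything outside
     /home, not only /tftp, because the inverted item matches on its own.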

FILES
     /etc/defaults/security.conf  defaults for /etc/security.conf
     /etc/security                daily security check script
     /etc/security.conf           daily security check configuration
     /etc/security.local          local site additions to /etc/security

SEE ALSO
     daily.conf(5)

HISTORY
     The security.conf file appeared in NetBSD 1.3.  The check_disklabels
     functionality was added in NetBSD 1.4.  The backup_uses_rcs and
     check_pkgs features were added in NetBSD 1.6.  diff_options appeared
     in NetBSD 2.0; prior to that, traditional-format (context free) diffs
     were generated.