SECURITY(8) OpenBSD System Manager's Manual SECURITY(8)
security - periodic system security check
security is a command script that examines the system for some signs of
security weaknesses. It is only a security aid and does not offer com-
plete protection. The security script is normally run from the
/etc/daily script (see daily(8) for further details), which sends mails
to root on a daily basis.
The security script carries out the following list of simple checks:
o Check the master passwd(5) and group(5) files for syntax, empty pass-
words, partially closed accounts, suspicious UIDs, suspicious GIDs,
and duplicate entries.
o Check root's home directory and login environment for insecure per-
missions, suspicious paths, and umask commands in the dotfiles.
o Check that root and uucp are in /etc/ftpusers.
o Check for suspicious commands in /etc/mail/aliases.
o Check for insecurities in various trust files such as
/etc/hosts.equiv, /etc/shosts.equiv, and /etc/hosts.lpd.
o Check user .rhosts and .shosts files for open access.
o Check user home directory permissions.
o Check many user dotfile permissions.
o Check user mailbox permissions.
o Check NFS exports(5) file for global export entries.
o Check for changes in setuid/setgid files and devices.
o Check disk ownership and permissions.
o Check for changes in the device file list.
o Check for permission changes in special files and system binaries
listed in /etc/mtree/special and /etc/mtree/*.secure. Note: This is
not complete protection against Trojan horsed binaries, as the mis-
creant can modify the tree specification to match the replaced bina-
ry. For details on really protecting yourself against modified bina-
ries, see mtree(8).
o Check for content changes in those files specified by
/etc/changelist. See changelist(5) for further details.
The intent of the security script is to point out some obvious holes to
the system administrator.
changelist(5), daily(8), mtree(8)
The name of this script may provide a false sense of security.
There are perhaps an infinite number of ways the system can be compro-
mised without this script noticing.
OpenBSD 3.6 July 1, 2000 2