Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (OpenBSD-3.6)
Apropos / Subsearch:
optional field

SECURITY(8)             OpenBSD System Manager's Manual            SECURITY(8)

     security - periodic system security check


     security is a command script that examines the system for some signs of
     security weaknesses.  It is only a security aid and does not offer com-
     plete protection.  The security script is normally run from the
     /etc/daily script (see daily(8) for further details), which sends mails
     to root on a daily basis.

     The security script carries out the following list of simple checks:

     o   Check the master passwd(5) and group(5) files for syntax, empty pass-
         words, partially closed accounts, suspicious UIDs, suspicious GIDs,
         and duplicate entries.

     o   Check root's home directory and login environment for insecure per-
         missions, suspicious paths, and umask commands in the dotfiles.

     o   Check that root and uucp are in /etc/ftpusers.

     o   Check for suspicious commands in /etc/mail/aliases.

     o   Check for insecurities in various trust files such as
         /etc/hosts.equiv, /etc/shosts.equiv, and /etc/hosts.lpd.

     o   Check user .rhosts and .shosts files for open access.

     o   Check user home directory permissions.

     o   Check many user dotfile permissions.

     o   Check user mailbox permissions.

     o   Check NFS exports(5) file for global export entries.

     o   Check for changes in setuid/setgid files and devices.

     o   Check disk ownership and permissions.

     o   Check for changes in the device file list.

     o   Check for permission changes in special files and system binaries
         listed in /etc/mtree/special and /etc/mtree/*.secure.  Note: This is
         not complete protection against Trojan horsed binaries, as the mis-
         creant can modify the tree specification to match the replaced bina-
         ry.  For details on really protecting yourself against modified bina-
         ries, see mtree(8).

     o   Check for content changes in those files specified by
         /etc/changelist.  See changelist(5) for further details.

     The intent of the security script is to point out some obvious holes to
     the system administrator.


     changelist(5), daily(8), mtree(8)

     The name of this script may provide a false sense of security.

     There are perhaps an infinite number of ways the system can be compro-
     mised without this script noticing.

OpenBSD 3.6                      July 1, 2000                                2