SECURITY(8)             OpenBSD System Manager's Manual            SECURITY(8)

NAME
     security - periodic system security check

SYNOPSIS
     /etc/security

DESCRIPTION
     security is a command script that examines the system for some signs of
     security weaknesses.  It is only a security aid and does not offer
     complete protection.  The security script is normally run from the
     /etc/daily script (see daily(8) for further details), which sends mail
     to root on a daily basis.

     The security script carries out the following list of simple checks:

     o   Check the master passwd(5) and group(5) files for syntax, empty
         passwords, partially closed accounts, suspicious UIDs, suspicious
         GIDs, and duplicate entries.

     o   Check root's home directory and login environment for insecure
         permissions, suspicious paths, and umask commands in the dotfiles.

     o   Check that root and uucp are in /etc/ftpusers.

     o   Check for suspicious commands in /etc/mail/aliases.

     o   Check for insecurities in various trust files such as
         /etc/hosts.equiv, /etc/shosts.equiv, and /etc/hosts.lpd.

     o   Check user .rhosts and .shosts files for open access.

     o   Check user home directory permissions.

     o   Check many user dotfile permissions.

     o   Check user mailbox permissions.

     o   Check NFS exports(5) file for global export entries.

     o   Check for changes in setuid/setgid files and devices.

     o   Check disk ownership and permissions.

     o   Check for changes in the device file list.

     o   Check for permission changes in special files and system binaries
         listed in /etc/mtree/special and /etc/mtree/*.secure.  Note: This is
         not complete protection against Trojan horsed binaries, as the
         miscreant can modify the tree specification to match the replaced
         binary.  For details on really protecting yourself against modified
         binaries, see mtree(8).

     o   Check for content changes in those files specified by
         /etc/changelist.  See changelist(5) for further details.

     The intent of the security script is to point out some obvious holes to
     the system administrator.
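
     As an added example (not the code of /etc/security itself), the
     following sh function shows how part of the first check in the list
     above can be done with awk(1): field count, empty passwords, UID 0 on
     a login other than root, and duplicate logins or UIDs.  The function
     names, the messages and the sample data are assumptions made for this
     example; lines starting with + or - (YP entries) are skipped.

```sh
#!/bin/sh
# Added example, not the OpenBSD /etc/security code.  Covers part of the
# first check only: syntax, empty passwords, UID 0 and duplicate entries.
# master.passwd(5) fields:
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell

check_master_passwd() {
    # Reads the files named as arguments, or stdin when none are given.
    awk -F: '
    /^[+-]/ { next }      # YP entries: not examined in this example
    NF != 10 {
        printf "line %d: expected 10 fields, found %d\n", NR, NF; next
    }
    $2 == "" { printf "login %s has an empty password\n", $1 }
    $3 !~ /^[0-9]+$/ {
        printf "login %s has a non-numeric UID\n", $1; next
    }
    $3 == 0 && $1 != "root" { printf "login %s has UID 0\n", $1 }
    ($1 in names) { printf "login %s appears more than once\n", $1 }
    { names[$1] = 1 }
    ($3 in uids) && uids[$3] != $1 {
        printf "UID %s is shared by %s and %s\n", $3, uids[$3], $1
    }
    !($3 in uids) { uids[$3] = $1 }
    ' "$@"
}

sample_master_passwd() {
    # Constructed sample data; HASH stands in for a real password hash.
    cat <<'EOF'
root:HASH:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1::0:0:The devil himself:/root:/sbin/nologin
guest::1000:1000::0:0:Guest:/home/guest:/bin/sh
admin2:HASH:0:0::0:0:Backup admin:/home/admin2:/bin/ksh
alice:HASH:1001:1001::0:0:Alice:/home/alice:/bin/ksh
bob:HASH:1001:1001::0:0:Bob:/home/bob:/bin/ksh
alice:HASH:1002:1002::0:0:Alice again:/home/alice:/bin/ksh
carol:HASH:1003:1003:/home/carol:/bin/ksh
EOF
}

# Run the check over the constructed sample.
sample_master_passwd | check_master_passwd
```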

FILES
     /etc/changelist
     /etc/daily
     /etc/mtree
     /var/backups

SEE ALSO
     changelist(5), daily(8), mtree(8)

BUGS
     The name of this script may provide a false sense of security.

     There are perhaps an infinite number of ways the system can be
     compromised without this script noticing.

OpenBSD 3.6                      July 1, 2000