NAME
     security.conf — daily security check configuration file

DESCRIPTION
     The security.conf file specifies which of the standard /etc/security
     services are performed. The /etc/security script is run, by default,
     every night from /etc/daily on a NetBSD system, if configured to do so
     from /etc/daily.conf.

     The variables described below can be set to "NO" to disable the test:

     check_passwd
             This checks the /etc/master.passwd file for inconsistencies.

     check_group
             This checks the /etc/group file for inconsistencies.

     check_rootdotfiles
             This checks the root user's startup files for sane settings of
             $PATH and umask. This test is not fail-safe, and any warning
             generated from it should be checked for correctness.

     check_ftpusers
             This checks that the correct users are in the /etc/ftpusers file.

     check_aliases
             This checks for security problems in the /etc/mail/aliases file.
             For backward compatibility, /etc/aliases will be checked as well
             if it exists.

     check_rhosts
             This checks for system and user rhosts files with "+" in them.

     check_homes
             This checks that home directories are owned by the correct user,
             and have appropriate permissions.

     check_varmail
             This checks that the correct user owns mail in /var/mail, and
             that the mail box has the right permissions.

     check_nfs
             This checks that the /etc/exports file does not export
             filesystems to the world.

     check_devices
             This checks for changes to devices and setuid files.

     check_mtree
             This runs mtree(8) to ensure that the system is installed
             correctly. The following configuration files are checked:

             /etc/mtree/special
                     Default files to check.

             /etc/mtree/special.local
                     Local site additions and overrides.

             /etc/mtree/DIR.secure
                     Specification for the directory DIR.

     check_disklabels
             Back up text copies of the disklabels of available disk drives
             into /var/backups/work/disklabel.XXX, and display any
             differences between those and the previous copies, as per
             check_changelist below. If fdisk(8) is available on the current
             platform, the output of /sbin/fdisk for each available disk
             drive is stored in /var/backups/work/fdisk.XXX, and any
             differences are displayed as for the disklabels.

     check_pkgs
             This stores a list of all installed packages into
             /var/backups/work/pkgs and checks it for any changes.

     check_changelist
             This determines a list of files from the contents of
             /etc/changelist, and from the output of mtree -D for
             /etc/mtree/special and /etc/mtree/special.local. For each file
             in the list it compares the file with its backups in
             /var/backups/file.current and /var/backups/file.backup, and
             displays any differences found. The following mtree(8) tags
             modify how files are determined from /etc/mtree/special and
             /etc/mtree/special.local:

             exclude
                     The entry is ignored; no backups are made and the
                     differences are not displayed. This includes dynamic or
                     binary files such as /var/run/utmp.

             nodiff
                     The entry is backed up but the differences are not
                     displayed because the contents of the file are
                     sensitive. This includes files such as
                     /etc/master.passwd.

     check_pkg_vulnerabilities
             Checks the currently installed packages against a database of
             known vulnerabilities and reports those that are vulnerable.
             Check the fetch_pkg_vulnerabilities setting in daily.conf(5) to
             keep the database up to date.

     check_pkg_signatures
             Checks the digital signature of all files installed by packages
             against the expected values stored in the packages database.

     The variables described below can be set to modify the tests:

     check_homes_permit_usergroups
             During the check_homes phase, allow the checked files to be
             group-writable if the group name is the same as the username.

     check_homes_permit_other_owner
             During the check_homes phase, allow the home directory and files
             of the listed users to be owned by a different user.

     check_devices_ignore_fstypes
             Lists filesystem types to ignore during the check_devices phase.
             Prefixing the type with a ‘!’ inverts the match. For example,
             ‘procfs !local’ will ignore ‘procfs’ type filesystems and
             filesystems that are not ‘local’.

     check_devices_ignore_paths
             Lists pathnames to ignore during the check_devices phase.
             Prefixing the path with a ‘!’ inverts the match. For example,
             ‘/tftp’ will ignore paths under /tftp, while ‘!/home’ will
             ignore paths that are not under /home.

     check_mtree_follow_symlinks
             During the check_mtree phase, instruct mtree to follow symbolic
             links. Please note, this may cause the check_mtree phase to
             report errors for entries for these symbolic links (i.e. of
             type=link in the mtree specification) as they will always
             appear to be plain files for the purposes of the check.
             /etc/mtree/special.local may be used to override the checks for
             the affected links.

     check_passwd_nowarn_shells
             If check_passwd is enabled, most warnings will be suppressed for
             entries whose shells are listed in this space-separated list.
             This is of particular value when those shells are not in
             /etc/shells.

     check_passwd_nowarn_users
             If check_passwd is enabled, suppress warnings for these users.

     check_passwd_permit_dups
             If check_passwd is enabled, do not warn about duplicate uids for
             the listed login names.

     check_passwd_permit_nonalpha
             If check_passwd is enabled, do not warn about login names which
             use non-alphanumeric characters.

     check_passwd_permit_star
             If check_passwd is enabled, do not warn about password fields
             set to “*”. Note that the use of password fields such as
             “*ssh” is encouraged instead.

     max_grouplen
             If check_group is enabled, this determines the maximum
             permitted length of group names.

     max_loginlen
             If check_passwd is enabled, this determines the maximum
             permitted length of login names.

     backup_dir
             Change the backup directory from /var/backup.

     diff_options
             Specify the options passed to diff(1) when it is invoked to
             show changes made to system files. Defaults to “-u”, for
             unified-format context diffs.

     pkgdb_dir
             DEPRECATED. Please set PKGDB_DIR in pkg_install.conf(5) instead.
             If defined, points to the location of the packages database.
             Defaults to /var/db/pkg.

     backup_uses_rcs
             Use rcs(1) for maintaining backup copies of files noted in
             check_devices, check_disklabels, check_pkgs, and
             check_changelist, instead of just keeping a current copy and a
             backup copy.

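     As an added illustration (not code from /etc/security itself), the
     POSIX sh functions below implement the ‘!’-inverted matching documented
     above for check_devices_ignore_fstypes and check_devices_ignore_paths;
     the "is local" flag is assumed to be passed in by the caller, and the
     sample settings and paths are constructed.

```shell
#!/bin/sh
# Added example of the "!"-inverted matching documented for
# check_devices_ignore_fstypes and check_devices_ignore_paths.
# Illustration only, not the code of /etc/security: the real script
# learns whether a filesystem is local from the mount table, here it
# is an explicit argument.

# fs_ignored LIST TYPE IS_LOCAL
#   LIST is the value of check_devices_ignore_fstypes, TYPE the
#   filesystem type (ffs, procfs, nfs, ...), IS_LOCAL is yes or no.
#   Returns 0 (true) when the filesystem is to be skipped.
fs_ignored() {
    for pat in $1; do
        inv=0
        case $pat in '!'*) inv=1; pat=${pat#!} ;; esac   # "!" inverts
        hit=0
        if [ "$pat" = local ]; then
            [ "$3" = yes ] && hit=1          # pseudo-type "local"
        else
            [ "$pat" = "$2" ] && hit=1
        fi
        # the entry applies when it matched XOR it was inverted
        [ "$hit" -ne "$inv" ] && return 0
    done
    return 1
}

# path_ignored LIST PATH
#   LIST is the value of check_devices_ignore_paths. An entry matches
#   PATH itself and everything below it; "!" inverts the match.
path_ignored() {
    for pat in $1; do
        inv=0
        case $pat in '!'*) inv=1; pat=${pat#!} ;; esac
        hit=0
        case $2 in "$pat"|"$pat"/*) hit=1 ;; esac
        [ "$hit" -ne "$inv" ] && return 0
    done
    return 1
}

# Constructed sample settings, as they would appear in /etc/security.conf.
check_devices_ignore_fstypes="procfs !local"
check_devices_ignore_paths="/tftp !/home"

for fs in "procfs yes" "nfs no" "ffs yes"; do
    set -- $fs
    fs_ignored "$check_devices_ignore_fstypes" "$1" "$2" && r=ignored || r=checked
    echo "fstype=$1 local=$2: $r"
done
for p in /tftp/boot/netbsd /home/alice/.profile /usr/bin/su; do
    path_ignored "$check_devices_ignore_paths" "$p" && r=ignored || r=checked
    echo "$p: $r"
done
```

     With the sample settings, procfs and the non-local nfs mount are
     skipped while ffs is checked; /usr/bin/su is skipped only because it is
     not under /home, which is the effect of the inverted ‘!/home’ entry.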
FILES
     /etc/defaults/security.conf
             defaults for /etc/security.conf
     /etc/security
             daily security check script
     /etc/security.conf
             daily security check configuration
     /etc/security.local
             local site additions to /etc/security

SEE ALSO
     daily.conf(5)

HISTORY
     The security.conf file appeared in NetBSD 1.3. The check_disklabels
     functionality was added in NetBSD 1.4. The backup_uses_rcs and
     check_pkgs features were added in NetBSD 1.6. diff_options appeared in
     NetBSD 2.0; prior to that, traditional-format (context-free) diffs were
     generated.