/etc/security services are performed. The /etc/security script is run, by default, every night from /etc/daily, on a NetBSD system, if configured to do so from /etc/daily.conf.
The variables described below can be set to "NO" to disable the test:

check_entropy
        This checks whether the system has enough entropy (see entropy(7)).

check_passwd
        This checks the /etc/master.passwd file for inconsistencies.

check_group
        This checks the /etc/group file for inconsistencies.

check_rootdotfiles
        This checks the root user's startup files for sane settings of $PATH and umask. This test is not fail-safe, and any warning generated from it should be checked for correctness.

check_ftpusers
        This checks that the correct users are in the /etc/ftpusers file.

check_aliases
        This checks for security problems in the /etc/mail/aliases file. For backward compatibility, /etc/aliases will be checked as well if it exists.

check_rhosts
        This checks for system and user rhosts files with "+" in them.

check_homes
        This checks that home directories are owned by the correct user, and have appropriate permissions.

check_varmail
        This checks that the correct user owns mail in /var/mail, and that the mail box has the right permissions.

check_nfs
        This checks that the /etc/exports file does not export filesystems to the world.

check_devices
        This checks for changes to devices and setuid files.

check_mtree
        This runs mtree(8) to ensure that the system is installed correctly. The following configuration files are checked:

        /etc/mtree/special          Default files to check.
        /etc/mtree/special.local    Local site additions and overrides.
        /etc/mtree/DIR.secure       Specification for the directory DIR.

check_disklabels
        Backup text copies of the disklabels of available disk drives into /var/backups/work/disklabel.XXX, and display any differences between those and the previous copies as per check_changelist below. If fdisk(8) is available on the current platform, the output of /sbin/fdisk for each available disk drive is stored in /var/backups/work/fdisk.XXX, and any differences displayed as per the disklabels.

check_pkgs
        This stores a list of all installed pkgs into /var/backups/work/pkgs and checks it for any changes.

check_changelist
        This determines a list of files from the contents of /etc/changelist, and the output of `mtree -D' for /etc/mtree/special.local. For each file in the list it compares the file with its backups in /var/backups/file.current and /var/backups/file.backup, and displays any differences found. The following mtree(8) tags modify how files are determined from /etc/mtree/special.local:

            exclude   The entry is ignored; no backups are made and the differences are not displayed. This includes dynamic or binary files such as /var/run/utmp.
            nodiff    The entry is backed up but the differences are not displayed because the contents of the file are sensitive. This includes files such as /etc/master.passwd.

check_pkg_vulnerabilities
        Checks the currently installed packages against a database of known vulnerabilities and reports those that are vulnerable. Check the fetch_pkg_vulnerabilities setting in daily.conf(5) to keep the database up to date.

check_pkg_signatures
        Checks the digital signature of all files installed by packages against the expected values stored in the packages database.
The variables described below can be set to modify the tests:

check_homes_permit_usergroups
        During the check_homes phase, allow the checked files to be group-writable if the group name is the same as the username.

check_homes_permit_other_owner
        During the check_homes phase, allow the home directory and files of the listed users to be owned by a different user.

check_devices_ignore_fstypes
        Lists filesystem types to ignore during the check_devices phase. Prefixing the type with a `!' inverts the match. For example, `procfs !local' will ignore procfs type filesystems and filesystems that are not local.

check_devices_ignore_paths
        Lists pathnames to ignore during the check_devices phase. Prefixing the path with a `!' inverts the match. For example, `/tftp' will ignore paths under /tftp, while `!/home' will ignore paths that are not under /home.

check_mtree_follow_symlinks
        During the check_mtree phase, instruct mtree to follow symbolic links. Please note, this may cause the check_mtree phase to report errors for entries for these symbolic links (i.e. of type=link in the mtree specification), as they will always appear to be plain files for the purposes of the check. /etc/mtree/special.local may be used to override the checks for the affected links.

check_passwd_nowarn_shells
        If check_passwd is enabled, most warnings will be suppressed for entries whose shells are listed in this space-separated list. This is of particular value when those shells are not in /etc/shells.

check_passwd_nowarn_users
        If check_passwd is enabled, suppress warnings for these users.

check_passwd_permit_dups
        If check_passwd is enabled, do not warn about duplicate uids for the listed login names.

check_passwd_permit_nonalpha
        If check_passwd is enabled, do not warn about login names which use non-alphanumeric characters.

check_passwd_permit_star
        If check_passwd is enabled, do not warn about password fields set to "*". Note that the use of password fields such as "*ssh" is encouraged instead.

max_grouplen
        If check_group is enabled, this determines the maximum permitted length of group names.

max_loginlen
        If check_passwd is enabled, this determines the maximum permitted length of login names.

backup_dir
        Change the backup directory from /var/backups.

diff_options
        Specify the options passed to diff(1) when it is invoked to show changes made to system files. Defaults to "-u", for unified-format context diffs.

pkgdb_dir
        DEPRECATED. Please set PKGDB_DIR in pkg_install.conf(5) instead.

        If defined, points to the location of the packages database. Defaults to /usr/pkg/pkgdb.

backup_uses_rcs
        Use rcs(1) for maintaining backup copies of files noted in check_devices, check_disklabels, check_pkgs, and check_changelist instead of just keeping a current copy and a backup copy.

random_file
        Name of the entropy seed file used at boot. Default is /var/db/entropy-file as used by /etc/rc.d/random_seed. Set random_file to empty to disable saving a seed every time /etc/security runs.

FILES
     /etc/defaults/security.conf   defaults for /etc/security.conf
     /etc/security                 daily security check script
     /etc/security.conf            daily security check configuration
     /etc/security.local           local site additions to /etc/security

SEE ALSO
     daily.conf(5)

HISTORY
     The security.conf file appeared in NetBSD 1.3. The check_disklabels functionality was added in NetBSD 1.4. The backup_uses_rcs and check_pkgs features were added in NetBSD 1.6. diff_options appeared in NetBSD 2.0; prior to that, traditional-format (context free) diffs were generated.
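The following is an added example of a site /etc/security.conf that uses the disable and modify variables described above; it is not part of the manual page and not NetBSD's shipped /etc/defaults/security.conf. The file is plain sh(1) variable assignments, since /etc/security sources it. The shell path, the user name, the host-specific path and the length limits are assumed values chosen for illustration.

```shell
# /etc/security.conf (example, not the NetBSD defaults file)
# Sourced by /etc/security; only variables that differ from
# /etc/defaults/security.conf need to appear here.

# Tests stay enabled unless explicitly set to NO. Disabling one
# removes a nightly check, so each NO is justified in a comment.
check_nfs=NO              # this host has no /etc/exports, nothing to check
check_rhosts=YES          # still worth catching a stray "+" in ~/.rhosts
check_pkg_vulnerabilities=YES   # needs fetch_pkg_vulnerabilities in daily.conf
check_pkg_signatures=YES

# check_devices: skip pseudo and non-local filesystems (prefix "!"
# inverts the match), and the world-readable tftp tree (assumed path).
check_devices_ignore_fstypes="procfs !local"
check_devices_ignore_paths="/tftp"

# check_passwd: suppress warnings for a third-party shell that is not
# listed in /etc/shells (assumed path) and for one service account
# (assumed name) whose entry is known to look unusual.
check_passwd_nowarn_shells="/usr/pkg/bin/zsh"
check_passwd_nowarn_users="svc-backup"
check_passwd_permit_star=NO      # keep warning about "*"; use "*ssh" style instead

# Length limits enforced by check_passwd / check_group (assumed values).
max_loginlen=16
max_grouplen=16

# Keep full history of changed files with rcs(1) instead of just
# .current/.backup copies, and show unified diffs in the nightly mail.
backup_uses_rcs=YES
diff_options="-u"

# Leave random_file at its default (/var/db/entropy-file) so a fresh
# seed is saved on every run; set it to "" only to disable that.
```

Each test variable is read by /etc/security as a shell variable, so any value other than NO leaves the test enabled; the defaults file supplies the rest, and /etc/security.local is the place for extra site checks rather than this file.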