Copyright (c) 1996 Matthew R. Green
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. The name of the author may not be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
.Dd October 15, 2001 .Dt SECURITY.CONF 5 .Os .Sh NAME .Nm security.conf .Nd daily security check configuration file .Sh DESCRIPTION The .Nm file specifies which of the standard
a /etc/security services are performed. The
a /etc/security script is run, by default, every night from
a /etc/daily , on a .Nx system, if configured do to so from
a /etc/daily.conf .
p The variables described below can be set to "NO" to disable the test: l -tag -width check_network t Sy check_passwd This checks the
a /etc/master.passwd file for inconsistancies. t Sy check_group This checks the
a /etc/group file for inconsistancies. t Sy check_rootdotfiles This checks the root users startup files for sane settings of $PATH and umask. This test is not fail safe and any warning generated from this should be checked for correctness. t Sy check_ftpusers This checks that the correct users are in the
a /etc/ftpusers file. t Sy check_aliases This checks for security problems in the
a /etc/mail/aliases file. For backward compatibility,
a /etc/aliases will be checked as well if exists. t Sy check_rhosts This checks for system and user rhosts files with "+" in them. t Sy check_homes This checks that home directories are owned by the correct user, and have appropriate permissions. t Sy check_varmail This checks that the correct user owns mail in
a /var/mail , and that the mail box has the right permissions. t Sy check_nfs This checks that the
a /etc/exports file does not export filesystems to the world. t Sy check_devices This checks for changes to devices and setuid files. t Sy check_mtree This runs .Xr mtree 8 to ensure that the system is installed correctly. The following configuration files are checked: l -tag -width 4n t Pa /etc/mtree/special Default files to check. t Pa /etc/mtree/special.local Local site additions. t Pa /etc/mtree/DIR.secure Specification for the directory
a DIR . .El t Sy check_disklabels Backup text copies of the disklabels of available disk drives into
a /var/backups/work/disklabel.XXX , and display any differences in those and the previous copies as per .Sy check_changelist below. If .Xr fdisk 8 is available on the current platform, the output of
a /sbin/fdisk for each available disk drive is stored in
a /var/backups/work/fdisk.XXX , and any differences displayed as per the disklabels. t Sy check_pkgs This stores a list of all installed pkgs into
a /var/backups/work/pkgs and checks it for any changes. t Sy check_changelist This determines a list of files from the contents of
a /etc/changelist , and the output of c mtree -D for
a /etc/mtree/special.local . For each file in the list it compares the files with their backups in
a /var/backups/file.current and
a /var/backups/file.backup , and displays any differences found. The following .Xr mtree 8 .Sy tags modify how files are determined from
a /etc/mtree/special.local : l -tag -width exclude -offset indent t exclude The entry is ignored; no backups are made and the differences are not displayed. This includes dynamic or binary files such as
a /var/run/utmp . t nodiff The entry is backed up but the differences are not displayed because the contents of the file are sensitive. This includes files such as
a /etc/master.passwd . .El .El
p The variables described below can be set to modify the tests: l -tag -width check_network t Sy max_grouplen If .Sy check_group is enabled, this determines the maximum permitted length of group names. t Sy max_loginlen If .Sy check_passwd is enabled, this determines the maximum permitted length of login names. t Sy backup_dir Change the backup directory from
a /var/backup . t Sy pkgdb_dir Change the pkg database directory from
a /var/db/pkg when .Sy check_pkgs is enabled. t Sy backup_uses_rcs Use .Xr rcs 1 for maintaining backup copies of files noted in .Sy check_devices , .Sy check_disklabels , .Sy check_pkgs , and .Sy check_changelist instead of just keeping a current copy and a backup copy. .El .Sh FILES l -tag -width /etc/security.local -compact t Pa /etc/security daily security check script t Pa /etc/security.conf daily security check configuration t Pa /etc/security.local local site additions to
a /etc/security .El .Sh SEE ALSO .Xr daily.conf 5 .Sh HISTORY The .Nm file appeared in .Nx 1.3 . The .Sy check_disklabels functionality was added in .Nx 1.4 . The .Sy backup_uses_rcs and .Sy check_pkgs features were added in .Nx 1.6 .
Indexes created Mon Oct 27 20:09:55 GMT 2025