SECURITY.CONF(5) NetBSD File Formats Manual SECURITY.CONF(5)
NAME
security.conf -- daily security check configuration file
DESCRIPTION
The security.conf file specifies which of the standard /etc/security
services are performed. The /etc/security script is run, by default, every
night from /etc/daily, on a NetBSD system, if configured to do so from
/etc/daily.conf.
The variables described below can be set to "NO" to disable the test:
check_passwd This checks the /etc/master.passwd file for inconsistencies.
check_group This checks the /etc/group file for inconsistencies.
check_rootdotfiles
This checks the root user's startup files for sane settings of $PATH and
umask. This test is not fail-safe, and any warning it generates should be
checked for correctness.
check_ftpusers
This checks that the correct users are in the
/etc/ftpusers file.
check_aliases This checks for security problems in the /etc/mail/aliases
file. For backward compatibility, /etc/aliases will be checked as well if it
exists.
check_rhosts This checks for system and user rhosts files with "+" in
them.
check_homes This checks that home directories are owned by the correct
user, and have appropriate permissions.
check_varmail This checks that the correct user owns mail in /var/mail,
and that the mail box has the right permissions.
check_nfs This checks that the /etc/exports file does not export
filesystems to the world.
check_devices This checks for changes to devices and setuid files.
check_mtree This runs mtree(8) to ensure that the system is installed
correctly. The following configuration files are checked:
/etc/mtree/special
Default files to check.
/etc/mtree/special.local
Local site additions and overrides.
/etc/mtree/DIR.secure
Specification for the directory DIR.
check_disklabels
Back up text copies of the disklabels of available disk
drives into /var/backups/work/disklabel.XXX, and display
any differences in those and the previous copies as per
check_changelist below. If fdisk(8) is available on the
current platform, the output of /sbin/fdisk for each
available disk drive is stored in
/var/backups/work/fdisk.XXX, and any differences displayed
as per the disklabels.
check_pkgs This stores a list of all installed pkgs into
/var/backups/work/pkgs and checks it for any changes.
check_changelist
This determines a list of files from the contents of
/etc/changelist, and the output of mtree -D for
/etc/mtree/special and /etc/mtree/special.local. For each
file in the list it compares the files with their backups
in /var/backups/file.current and /var/backups/file.backup,
and displays any differences found. The following
mtree(8) tags modify how files are determined from
/etc/mtree/special and /etc/mtree/special.local:
exclude The entry is ignored; no backups are made
and the differences are not displayed.
This includes dynamic or binary files such
as /var/run/utmp.
nodiff The entry is backed up but the differences
are not displayed because the contents of
the file are sensitive. This includes
files such as /etc/master.passwd.
The variables described below can be set to modify the tests:
check_homes_permit_usergroups
During the check_homes phase, allow the checked files to
be group-writable if the group name is the same as the
username.
check_devices_ignore_fstypes
Lists filesystem types to ignore during the check_devices
phase. Prefixing the type with a `!' inverts the match.
For example, `procfs !local' will ignore `procfs' type
filesystems and filesystems that are not `local'.
check_devices_ignore_paths
Lists pathnames to ignore during the check_devices phase.
Prefixing the path with a `!' inverts the match. For
example, `/tftp' will ignore paths under /tftp while
`!/home' will ignore paths that are not under /home.
check_mtree_follow_symlinks
During the check_mtree phase, instruct mtree to follow
symbolic links. Please note, this may cause the
check_mtree phase to report errors for entries for these
symbolic links (i.e. of type=link in the mtree specification)
as they will always appear to be plain files for the
purposes of the check. /etc/mtree/special.local may be
used to override the checks for the affected links.
check_passwd_nowarn_shells
If check_passwd is enabled, most warnings will be suppressed for entries
whose shells are listed in this space-separated list. This is of particular
value when those shells are not in /etc/shells.
check_passwd_nowarn_users
If check_passwd is enabled, suppress warnings for these
users.
check_passwd_permit_nonalpha
If check_passwd is enabled, do not warn about login names
which use non-alphanumeric characters.
check_passwd_permit_star
If check_passwd is enabled, do not warn about password
fields set to ``*''. Note that the use of password fields
such as ``*ssh'' is encouraged, instead.
max_grouplen If check_group is enabled, this determines the maximum
permitted length of group names.
max_loginlen If check_passwd is enabled, this determines the maximum
permitted length of login names.
backup_dir Change the backup directory from /var/backup.
diff_options Specify the options passed to diff(1) when it is invoked
to show changes made to system files. Defaults to ``-u'',
for unified-format context-diffs.
pkgdb_dir Change the pkg database directory from /var/db/pkg when
check_pkgs is enabled.
backup_uses_rcs
Use rcs(1) for maintaining backup copies of files noted in
check_devices, check_disklabels, check_pkgs, and
check_changelist instead of just keeping a current copy
and a backup copy.
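The match rules described above for check_devices_ignore_fstypes and
check_devices_ignore_paths, shown as an added example that is not code from
NetBSD's /etc/security: a plain word matches, a leading `!' inverts the match,
and for paths the match covers everything below the named directory. It assumes,
as with find(1) -fstype, that "local" is a pseudo-type carried by local mounts
next to their real type; the mount table is constructed for the demo.

```shell
#!/bin/sh
# Added example (not NetBSD's /etc/security): emulates the documented match
# rules of check_devices_ignore_fstypes and check_devices_ignore_paths. It
# assumes "local" is a pseudo-type carried by local mounts (cf. find -fstype).

# Constructed mount table (not real output): "mountpoint type [local]"
MOUNTS='/ ffs local
/usr ffs local
/proc procfs local
/home ffs local
/net nfs
/tftp ffs local'

# fstype_ignored "TOKENS" "PATTERNS": true if any pattern matches; WORD
# matches when it is among TOKENS, !WORD when it is not.
fstype_ignored() {
    for pat in $2; do
        case $pat in !*) want=0; word=${pat#!} ;; *) want=1; word=$pat ;; esac
        found=0
        for t in $1; do [ "$t" = "$word" ] && found=1; done
        [ "$found" -eq "$want" ] && return 0
    done
    return 1
}

# path_ignored "PATH" "PATTERNS": true if any pattern matches; /dir matches
# the path itself and anything below it, !/dir anything not below it.
path_ignored() {
    for pat in $2; do
        case $pat in !*) want=0; prefix=${pat#!} ;; *) want=1; prefix=$pat ;; esac
        case $1 in
            "$prefix"|"$prefix"/*) under=1 ;;
            *)                     under=0 ;;
        esac
        [ "$under" -eq "$want" ] && return 0
    done
    return 1
}

# devices_to_check "FSTYPE_PATTERNS" "PATH_PATTERNS": print the mount points
# the check_devices phase would still scan under those settings.
devices_to_check() {
    printf '%s\n' "$MOUNTS" | while read -r mnt tokens; do
        fstype_ignored "$tokens" "$1" && continue
        path_ignored "$mnt" "$2" && continue
        printf '%s\n' "$mnt"
    done
}
```

Running `devices_to_check 'procfs !local' '/tftp'` combines the manual's two examples and leaves only /, /usr and /home to be scanned.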
FILES
/etc/defaults/security.conf defaults for /etc/security.conf
/etc/security daily security check script
/etc/security.conf daily security check configuration
/etc/security.local local site additions to /etc/security
SEE ALSO
daily.conf(5)
HISTORY
The security.conf file appeared in NetBSD 1.3. The check_disklabels
functionality was added in NetBSD 1.4. The backup_uses_rcs and
check_pkgs features were added in NetBSD 1.6. diff_options appeared in
NetBSD 2.0; prior to that, traditional-format (context free) diffs were
generated.
NetBSD 5.1 May 29, 2006 NetBSD 5.1