SECURITY.CONF(5) NetBSD File Formats Manual SECURITY.CONF(5)
NAME
security.conf -- daily security check configuration file
DESCRIPTION
The security.conf file specifies which of the standard /etc/security ser- vices are performed. The /etc/security script is run, by default, every night from /etc/daily, on a NetBSD system, if configured do to so from /etc/daily.conf. The variables described below can be set to "NO" to disable the test: check_passwd This checks the /etc/master.passwd file for inconsisten- cies. check_group This checks the /etc/group file for inconsistencies. check_rootdotfiles This checks the root users startup files for sane settings of $PATH and umask. This test is not fail safe and any warning generated from this should be checked for correct- ness. check_ftpusers This checks that the correct users are in the /etc/ftpusers file. check_aliases This checks for security problems in the /etc/mail/aliases file. For backward compatibility, /etc/aliases will be checked as well if exists. check_rhosts This checks for system and user rhosts files with "+" in them. check_homes This checks that home directories are owned by the correct user, and have appropriate permissions. check_varmail This checks that the correct user owns mail in /var/mail, and that the mail box has the right permissions. check_nfs This checks that the /etc/exports file does not export filesystems to the world. check_devices This checks for changes to devices and setuid files. check_mtree This runs mtree(8) to ensure that the system is installed correctly. The following configuration files are checked: /etc/mtree/special Default files to check. /etc/mtree/special.local Local site additions and overrides. /etc/mtree/DIR.secure Specification for the directory DIR. check_disklabels Backup text copies of the disklabels of available disk drives into /var/backups/work/disklabel.XXX, and display any differences in those and the previous copies as per check_changelist below. If fdisk(8) is available on the current platform, the output of /sbin/fdisk for each available disk drive is stored in /var/backups/work/fdisk.XXX, and any differences displayed as per the disklabels. check_pkgs This stores a list of all installed pkgs into /var/backups/work/pkgs and checks it for any changes. check_changelist This determines a list of files from the contents of /etc/changelist, and the output of mtree -D for /etc/mtree/special and /etc/mtree/special.local. For each file in the list it compares the files with their backups in /var/backups/file.current and /var/backups/file.backup, and displays any differences found. The following mtree(8) tags modify how files are determined from /etc/mtree/special and /etc/mtree/special.local: exclude The entry is ignored; no backups are made and the differences are not displayed. This includes dynamic or binary files such as /var/run/utmp. nodiff The entry is backed up but the differences are not displayed because the contents of the file are sensitive. This includes files such as /etc/master.passwd. The variables described below can be set to modify the tests: check_homes_permit_usergroups During the check_homes phase, allow the checked files to be group-writable if the group name is the same as the username. check_devices_ignore_fstypes Lists filesystem types to ignore during the check_devices phase. Prefixing the type with a `!' inverts the match. For example, `procfs !local' will ignore `procfs' type filesystems and filesystems that are not `local'. check_devices_ignore_paths Lists pathnames to ignore during the check_devices phase. Prefixing the path with a `!' inverts the match. For example, `/tftp' will ignore paths under /tftp while `!/home' will ignore paths that are not under /home. check_mtree_follow_symlinks During the check_mtree phase, instruct mtree to follow symbolic links. Please note, this may cause the check_mtree phase to report errors for entries for these symbolic links (i.e. of type=link in the mtree specifica- tion) as they will always appear to be plain files for the purposes of the check. /etc/mtree/special.local may be used to override the checks for the affected links. check_passwd_nowarn_shells If check_passwd is enabled, most warnings will be sup- pressed for entries whose shells are listed in this space- separated list. This is of particular value when those shells are not in /etc/shells. check_passwd_nowarn_users If check_passwd is enabled, suppress warnings for these users. check_passwd_permit_nonalpha If check_passwd is enabled, do not warn about login names which use non-alphanumeric characters. check_passwd_permit_star If check_passwd is enabled, do not warn about password fields set to ``*''. Note that the use of password fields such as ``*ssh'' is encouraged, instead. max_grouplen If check_group is enabled, this determines the maximum permitted length of group names. max_loginlen If check_passwd is enabled, this determines the maximum permitted length of login names. backup_dir Change the backup directory from /var/backup. diff_options Specify the options passed to diff(1) when it is invoked to show changes made to system files. Defaults to ``-u'', for unified-format context-diffs. pkgdb_dir Change the pkg database directory from /var/db/pkg when check_pkgs is enabled. backup_uses_rcs Use rcs(1) for maintaining backup copies of files noted in check_devices, check_disklabels, check_pkgs, and check_changelist instead of just keeping a current copy and a backup copy.
FILES
/etc/defaults/security.conf defaults for /etc/security.conf /etc/security daily security check script /etc/security.conf daily security check configuration /etc/security.local local site additions to /etc/security
SEE ALSO
daily.conf(5)
HISTORY
The security.conf file appeared in NetBSD 1.3. The check_disklabels functionality was added in NetBSD 1.4. The backup_uses_rcs and check_pkgs features were added in NetBSD 1.6. diff_options appeared in NetBSD 2.0; prior to that, traditional-format (context free) diffs were generated. NetBSD 5.1.2 May 29, 2006 NetBSD 5.1.2
Powered by man-cgi (2024-08-26). Maintained for NetBSD by Kimmo Suominen. Based on man-cgi by Panagiotis Christias.