.\" $NetBSD: security.conf.5,v 1.16 2001/10/15 08:53:28 lukem Exp $
.\"
.\" Copyright (c) 1996 Matthew R. Green
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote products
.\"    derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
.\" AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
.\" OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd October 15, 2001
.Dt SECURITY.CONF 5
.Os
.Sh NAME
.Nm security.conf
.Nd daily security check configuration file
.Sh DESCRIPTION
The
.Nm
file specifies which of the standard
.Pa /etc/security
services are performed.
The
.Pa /etc/security
script is run, by default, every night from
.Pa /etc/daily ,
on a
.Nx
system, if configured to do so from
.Pa /etc/daily.conf .
.Pp
The variables described below can be set to "NO" to disable the test:
.Bl -tag -width check_network
.It Sy check_passwd
This checks the
.Pa /etc/master.passwd
file for inconsistencies.
.It Sy check_group
This checks the
.Pa /etc/group
file for inconsistencies.
.It Sy check_rootdotfiles
This checks the root user's startup files for sane settings of $PATH
and umask.
This test is not fail-safe, and any warning generated from
it should be checked for correctness.
.It Sy check_ftpusers
This checks that the correct users are in the
.Pa /etc/ftpusers
file.
.It Sy check_aliases
This checks for security problems in the
.Pa /etc/mail/aliases
file.
For backward compatibility,
.Pa /etc/aliases
will be checked as well if it exists.
.It Sy check_rhosts
This checks for system and user rhosts files with "+" in them.
.It Sy check_homes
This checks that home directories are owned by the correct user,
and have appropriate permissions.
.It Sy check_varmail
This checks that the correct user owns mail in
.Pa /var/mail ,
and that the mail box has the right permissions.
.It Sy check_nfs
This checks that the
.Pa /etc/exports
file does not export filesystems to the world.
.It Sy check_devices
This checks for changes to devices and setuid files.
.It Sy check_mtree
This runs
.Xr mtree 8
to ensure that the system is installed correctly.
The following configuration files are checked:
.Bl -tag -width 4n
.It Pa /etc/mtree/special
Default files to check.
.It Pa /etc/mtree/special.local
Local site additions.
.It Pa /etc/mtree/DIR.secure
Specification for the directory
.Pa DIR .
.El
.It Sy check_disklabels
Backup text copies of the disklabels of available disk drives into
.Pa /var/backups/work/disklabel.XXX ,
and display any differences in those and the previous copies
as per
.Sy check_changelist
below.
If
.Xr fdisk 8
is available on the current platform, the output of
.Pa /sbin/fdisk
for each available disk drive is stored in
.Pa /var/backups/work/fdisk.XXX ,
and any differences displayed as per the disklabels.
.It Sy check_pkgs
This stores a list of all installed pkgs into
.Pa /var/backups/work/pkgs
and checks it for any changes.
.It Sy check_changelist
This determines a list of files from the contents of
.Pa /etc/changelist ,
and the output of
.Ic mtree -D
for
.Pa /etc/mtree/special
and
.Pa /etc/mtree/special.local .
For each file in the list it compares the files with their backups in
.Pa /var/backups/file.current
and
.Pa /var/backups/file.backup ,
and displays any differences found.
The following
.Xr mtree 8
.Sy tags
modify how files are determined from
.Pa /etc/mtree/special
and
.Pa /etc/mtree/special.local :
.Bl -tag -width exclude -offset indent
.It exclude
The entry is ignored; no backups are made and the differences are not
displayed.
This includes dynamic or binary files such as
.Pa /var/run/utmp .
.It nodiff
The entry is backed up but the differences are not displayed because
the contents of the file are sensitive.
This includes files such as
.Pa /etc/master.passwd .
.El
.El
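.Pp
The
.Sy check_changelist
behaviour described above, as an added example that is not the
.Nx
.Pa /etc/security
script itself: a simplified sh model in which the backup layout under $backup_dir and the "path tag,tag" list format are assumptions.

```sh
#!/bin/sh
# Added example, not the NetBSD /etc/security script itself: a small model of
# the check_changelist behaviour described above. Each listed file gets a
# .current and a .backup copy under $backup_dir (layout assumed to match the
# /var/backups/file.current and file.backup paths in the manual), and the
# mtree tags are honoured: "exclude" skips the entry entirely, "nodiff" still
# backs the file up but never prints its contents (e.g. /etc/master.passwd).

backup_dir=${backup_dir:-/var/backups}

# has_tag TAGS NAME: true if NAME appears in the comma-separated TAGS list.
has_tag() {
    case ",$1," in *,"$2",*) return 0 ;; esac
    return 1
}

# changelist_entry FILE TAGS
# Last line printed is a status word: excluded, missing, unchanged,
# changed-nodiff or changed. For "changed" a unified diff precedes it.
changelist_entry() {
    file=$1 tags=$2
    cur="$backup_dir/$file.current"
    bak="$backup_dir/$file.backup"
    if has_tag "$tags" exclude; then echo excluded; return 0; fi
    if [ ! -f "$file" ]; then echo missing; return 0; fi
    mkdir -p "$(dirname "$cur")"
    if [ -f "$cur" ] && cmp -s "$cur" "$file"; then
        echo unchanged; return 0
    fi
    # Rotate: previous snapshot becomes .backup, the live file .current.
    [ -f "$cur" ] && mv "$cur" "$bak"
    cp -p "$file" "$cur"
    if has_tag "$tags" nodiff; then echo changed-nodiff; return 0; fi
    # On the first run there is no .backup yet, so nothing to diff against.
    [ -f "$bak" ] && { diff -u "$bak" "$cur" || true; }
    echo changed
}

# changelist_run LISTFILE: LISTFILE holds "path tag,tag" lines, standing in
# for the list built from /etc/changelist and mtree -D (format assumed here).
changelist_run() {
    while read -r path tags; do
        [ -n "$path" ] || continue
        printf '%s: ' "$path"
        changelist_entry "$path" "$tags" | tail -n 1
    done < "$1"
}
```

Run it with backup_dir pointed at a scratch directory first; a nodiff entry that reports changed-nodiff on a file nobody edited is the kind of finding the nightly report exists to surface.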
.Pp
The variables described below can be set to modify the tests:
.Bl -tag -width check_network
.It Sy max_grouplen
If
.Sy check_group
is enabled, this determines the maximum permitted length of group names.
.It Sy max_loginlen
If
.Sy check_passwd
is enabled, this determines the maximum permitted length of login names.
.It Sy backup_dir
Change the backup directory from
.Pa /var/backups .
.It Sy pkgdb_dir
Change the pkg database directory from
.Pa /var/db/pkg
when
.Sy check_pkgs
is enabled.
.It Sy backup_uses_rcs
Use
.Xr rcs 1
for maintaining backup copies of files noted in
.Sy check_devices ,
.Sy check_disklabels ,
.Sy check_pkgs ,
and
.Sy check_changelist
instead of just keeping a current copy and a backup copy.
.El
.Sh FILES
.Bl -tag -width /etc/security.local -compact
.It Pa /etc/security
daily security check script
.It Pa /etc/security.conf
daily security check configuration
.It Pa /etc/security.local
local site additions to
.Pa /etc/security
.El
.Sh SEE ALSO
.Xr daily.conf 5
.Sh HISTORY
The
.Nm
file appeared in
.Nx 1.3 .
The
.Sy check_disklabels
functionality was added in
.Nx 1.4 .
The
.Sy backup_uses_rcs
and
.Sy check_pkgs
features were added in
.Nx 1.6 .