1.\" $OpenBSD: security.8,v 1.25 2014/09/08 01:27:55 schwarze Exp $ 2.\" 3.\" David Leonard, 2001. Public Domain. 4.\" 5.Dd $Mdocdate: September 8 2014 $ 6.Dt SECURITY 8 7.Os 8.Sh NAME 9.Nm security 10.Nd periodic system security check 11.Sh SYNOPSIS 12.Nm /usr/libexec/security 13.Sh DESCRIPTION 14.Nm 15is a command script that examines the system for some signs of security 16weaknesses. 17It is only a security aid and does not offer complete protection. 18.Nm 19is run by 20.Xr daily 8 , 21which mails any output to root on a daily basis. 22.Pp 23The 24.Nm 25script carries out the following list of simple checks: 26.Bl -bullet 27.It 28Check the 29.Xr master.passwd 5 30and 31.Xr group 5 32files for 33syntax, empty passwords, partially closed accounts, 34suspicious UIDs, suspicious GIDs, and duplicate entries. 35.It 36Check root's home directory and login environment for 37insecure permissions, suspicious paths, and umask commands in the 38dotfiles. 39.It 40Check for suspicious commands in 41.Pa /etc/mail/aliases . 42.It 43Check for insecurities in 44.Pa /etc/hosts.lpd . 45.It 46Check user 47.Pa .rhosts 48and 49.Pa .shosts 50files for open access. 51.It 52Check user home directory permissions. 53.It 54Check many user dotfile permissions. 55.It 56Check user mailbox permissions. 57.It 58Check NFS 59.Xr exports 5 60file for global export entries. 61.It 62Check for changes in setuid/setgid files and devices. 63.It 64Check disk ownership and permissions. 65.It 66Check for changes in the device file list. 67.It 68Check for permission changes in special files and system binaries listed in 69.Pa /etc/mtree/special . 70.Nm 71also provides hooks for administrators to create their own lists. 72These lists should be kept in 73.Pa /etc/mtree/ 74and filenames must have the suffix 75.Dq .secure . 
76The following example shows how to create such a list, 77to protect the programs in 78.Pa /bin : 79.Bd -literal -offset 4n 80# mtree -cx -p /bin -K sha256digest,type > /etc/mtree/bin.secure 81# chown root:wheel /etc/mtree/bin.secure 82# chmod 600 /etc/mtree/bin.secure 83.Ed 84.Pp 85.Sy Note: 86These checks do not provide complete protection against 87Trojan horse binaries, as 88the miscreant can modify the tree specification to match the replaced binary. 89For details on really protecting yourself against modified binaries, see 90.Xr mtree 8 . 91.It 92Check for changes in files listed in 93.Pa /etc/changelist . 94Files being created or deleted, 95as well as content change in the files themselves, 96are reported. 97See 98.Xr changelist 5 99for further details. 100.It 101Check for changes to the disklabels of mounted disks. 102.It 103Report on the installation or removal of any system 104.Xr package 5 . 105.It 106Check 107.Xr hostname.if 5 108file permissions. 109.El 110.Pp 111The intent of the 112.Nm 113script is to point out some obvious holes to the system administrator. 114.Sh ENVIRONMENT 115The following variables can be set in 116.Pa /etc/daily.local : 117.Pp 118.Bl -tag -width "SUIDSKIP" -compact 119.It Ev SUIDSKIP 120A whitespace-separated list of absolute paths to be skipped 121in setuid/setgid file checks and in device special file checks. 122Avoid trailing slashes. 123.El 124.Sh FILES 125.Bl -tag -width /dev/changelist -compact 126.It Pa /etc/changelist 127.It Pa /etc/daily 128.It Pa /etc/mtree 129.It Pa /var/backups 130.El 131.Sh SEE ALSO 132.Xr changelist 5 , 133.Xr daily 8 , 134.Xr mtree 8 135.Sh HISTORY 136A 137.Nm 138shell script appeared in 139.Bx 4.3 Reno , 140but most functionality only came with 141.Bx 4.4 . 142.Sh AUTHORS 143.An -nosplit 144The present manual was written by 145.An David Leonard 146for 147.Ox 2.9 . 
148.An Andrew Fresh Aq Mt afresh1@openbsd.org 149and 150.An Ingo Schwarze Aq Mt schwarze@openbsd.org 151rewrote 152.Nm 153from scratch in 154.Xr perl 1 155for 156.Ox 5.0 . 157.Sh BUGS 158The name of this script may provide a false sense of 159.Nm security . 160.\" Well, I thought it was amusing. 161.Pp 162There are perhaps an infinite number of ways the system can be compromised 163without this script noticing. 164
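An added illustration, not code from OpenBSD's security(8) script or from mtree(8): a simplified mtree-style specification builder and comparator in Python, showing what the /etc/mtree/*.secure and /etc/changelist checks report to root (paths that went missing, paths that appeared, and keywords whose value changed). The keyword set (type, mode, sha256digest), the one-line-per-path text format, the hypothetical build_spec/compare_spec/demo names and the throwaway tree that demo() constructs are all assumptions of this example; real specifications are produced by mtree(8) as shown in the DESCRIPTION, and the stored file should stay root-owned and mode 600 because, as the note above says, whoever can rewrite the specification can make it match a replaced binary.

```python
"""Simplified mtree-style integrity check (added example, not OpenBSD code)."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def file_type(st):
    """Map an lstat() result to the mtree-like 'type' keyword (assumption: four kinds)."""
    if stat.S_ISDIR(st.st_mode):
        return "dir"
    if stat.S_ISLNK(st.st_mode):
        return "link"
    if stat.S_ISREG(st.st_mode):
        return "file"
    return "other"


def sha256_of(path):
    """Hash a regular file in chunks; corresponds to mtree's sha256digest keyword."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_spec(root):
    """Walk 'root' without following symlinks and record type, permission bits
    (including setuid/setgid, via S_IMODE) and a digest for regular files."""
    root = Path(root)
    spec = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        filenames.sort()
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            st = os.lstat(p)
            entry = {"type": file_type(st), "mode": stat.S_IMODE(st.st_mode)}
            if entry["type"] == "file":
                entry["sha256digest"] = sha256_of(p)
            spec[str(p.relative_to(root))] = entry
    return spec


def format_spec(spec):
    """Serialize as './path key=value ...' lines (simplification: paths with
    whitespace are not escaped the way mtree's vis(3) encoding does)."""
    lines = []
    for path in sorted(spec):
        kv = " ".join(f"{k}={v:04o}" if k == "mode" else f"{k}={v}"
                      for k, v in sorted(spec[path].items()))
        lines.append(f"./{path} {kv}")
    return "\n".join(lines) + "\n"


def parse_spec(text):
    """Inverse of format_spec(); blank lines and '#' comments are ignored."""
    spec = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        path, *pairs = line.split()
        entry = {}
        for pair in pairs:
            k, v = pair.split("=", 1)
            entry[k] = int(v, 8) if k == "mode" else v
        spec[path[2:] if path.startswith("./") else path] = entry
    return spec


def compare_spec(expected, current):
    """Return (missing, extra, changed): the three kinds of difference the
    daily report distinguishes. 'changed' holds (path, keyword, old, new)."""
    missing = sorted(set(expected) - set(current))
    extra = sorted(set(current) - set(expected))
    changed = []
    for path in sorted(set(expected) & set(current)):
        for key in sorted(set(expected[path]) | set(current[path])):
            old, new = expected[path].get(key), current[path].get(key)
            if old != new:
                changed.append((path, key, old, new))
    return missing, extra, changed


def demo():
    """Constructed scenario: take a baseline of a fake /bin, round-trip it
    through the text format as a stored .secure file would be, then tamper
    with the tree in four ways and return what the comparison reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in (("ls", b"#!/bin/sh\nexec /bin/ls \"$@\"\n"),
                           ("cat", b"original cat"), ("rm", b"original rm")):
            (root / name).write_bytes(body)
            os.chmod(root / name, 0o755)
        baseline = parse_spec(format_spec(build_spec(root)))
        (root / "ls").write_bytes(b"#!/bin/sh\nexec /bin/ls \"$@\"\n# modified\n")
        os.chmod(root / "cat", 0o4755)      # setuid bit added
        (root / "rm").unlink()              # binary removed
        (root / "rogue").write_bytes(b"new")  # unexpected file appeared
        missing, extra, changed = compare_spec(baseline, build_spec(root))
        return missing, extra, [(p, k) for p, k, _, _ in changed]


if __name__ == "__main__":
    print(demo())
```

demo() returns `([], ['rogue'], [('cat', 'mode'), ('ls', 'sha256digest')])` apart from the deleted entry, i.e. missing `['rm']`; in the real check the same three categories are what daily(8) mails to root, and SUIDSKIP-style exclusions would simply be dropped from both dictionaries before compare_spec().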