.\" $OpenBSD: security.8,v 1.26 2017/07/13 19:16:33 jmc Exp $
.\"
.\" David Leonard, 2001. Public Domain.
.\"
.Dd $Mdocdate: July 13 2017 $
.Dt SECURITY 8
.Os
.Sh NAME
.Nm security
.Nd periodic system security check
.Sh DESCRIPTION
.Nm
is a command script that examines the system for some signs of security
weaknesses.
It is only a security aid and does not offer complete protection.
.Nm
is run by
.Xr daily 8 ,
which mails any output to root on a daily basis.
.Pp
The
.Nm
script carries out the following list of simple checks:
.Bl -bullet
.It
Check the
.Xr master.passwd 5
and
.Xr group 5
files for
syntax, empty passwords, partially closed accounts,
suspicious UIDs, suspicious GIDs, and duplicate entries.
.It
Check root's home directory and login environment for
insecure permissions, suspicious paths, and umask commands in the
dotfiles.
.It
Check for suspicious commands in
.Pa /etc/mail/aliases .
.It
Check for insecurities in
.Pa /etc/hosts.lpd .
.It
Check user
.Pa .rhosts
and
.Pa .shosts
files for open access.
.It
Check user home directory permissions.
.It
Check many user dotfile permissions.
.It
Check user mailbox permissions.
.It
Check NFS
.Xr exports 5
file for global export entries.
.It
Check for changes in setuid/setgid files and devices.
.It
Check disk ownership and permissions.
.It
Check for changes in the device file list.
.It
Check for permission changes in special files and system binaries listed in
.Pa /etc/mtree/special .
.Nm
also provides hooks for administrators to create their own lists.
These lists should be kept in
.Pa /etc/mtree/
and filenames must have the suffix
.Dq .secure .
The following example shows how to create such a list,
to protect the programs in
.Pa /bin :
.Bd -literal -offset 4n
# mtree -cx -p /bin -K sha256digest,type > /etc/mtree/bin.secure
# chown root:wheel /etc/mtree/bin.secure
# chmod 600 /etc/mtree/bin.secure
.Ed
.Pp
.Sy Note:
These checks do not provide complete protection against
Trojan horse binaries, as
the miscreant can modify the tree specification to match the replaced binary.
For details on really protecting yourself against modified binaries, see
.Xr mtree 8 .
.It
Check for changes in files listed in
.Pa /etc/changelist .
Files being created or deleted,
as well as changes to the content of the files themselves,
are reported.
See
.Xr changelist 5
for further details.
.It
Check for changes to the disklabels of mounted disks.
.It
Report on the installation or removal of any system
.Xr package 5 .
.It
Check
.Xr hostname.if 5
file permissions.
.El
.Pp
The intent of the
.Nm
script is to point out some obvious holes to the system administrator.
.Sh ENVIRONMENT
The following variables can be set in
.Pa /etc/daily.local :
.Pp
.Bl -tag -width "SUIDSKIP" -compact
.It Ev SUIDSKIP
A whitespace-separated list of absolute paths to be skipped
in setuid/setgid file checks and in device special file checks.
Avoid trailing slashes.
.El
.Sh FILES
.Bl -tag -width /dev/changelist -compact
.It Pa /etc/changelist
.It Pa /etc/daily
.It Pa /etc/mtree
.It Pa /usr/libexec/security
.It Pa /var/backups
.El
.Sh SEE ALSO
.Xr changelist 5 ,
.Xr daily 8 ,
.Xr mtree 8
.Sh HISTORY
A
.Nm
shell script appeared in
.Bx 4.3 Reno ,
but most functionality only came with
.Bx 4.4 .
.Sh AUTHORS
.An -nosplit
The present manual was written by
.An David Leonard
for
.Ox 2.9 .
.An Andrew Fresh Aq Mt afresh1@openbsd.org
and
.An Ingo Schwarze Aq Mt schwarze@openbsd.org
rewrote
.Nm
from scratch in
.Xr perl 1
for
.Ox 5.0 .
.Sh BUGS
The name of this script may provide a false sense of
.Nm security .
.\" Well, I thought it was amusing.
.Pp
There are perhaps an infinite number of ways the system can be compromised
without this script noticing.
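The .secure hook described under DESCRIPTION, and the Note that follows it, as an added illustration (example code, not part of security(8) or of OpenBSD): the script below builds a digest specification of a scratch directory, verifies the directory against it, replaces one file, and shows that an attacker who also regenerates the specification silences the check, whereas a digest of the specification kept out of band still exposes the rewrite. It uses whatever SHA-256 tool the host has as a stand-in for mtree -K sha256digest so that it runs where mtree(8) is absent; the one-line-per-file spec format, the file names and the file contents are constructed for the example.

```sh
#!/bin/sh
# Added example, not part of security(8) or OpenBSD.  It reproduces the
# ".secure" workflow (build a specification of a directory, verify against
# it, see why a spec the attacker can rewrite is not enough) using a sha256
# tool in place of mtree(8), so it runs on systems without mtree.
# The spec format ("<relative path> <sha256>" per regular file) is assumed
# for this example; a real /etc/mtree/*.secure file is in mtree's own format.

# Print the hex SHA-256 of a file, whichever digest tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -- "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 -- "$1" | cut -d' ' -f1
    else
        sha256 -q -- "$1"            # OpenBSD and FreeBSD
    fi
}

# make_spec DIR: write one sorted "path digest" line per regular file under
# DIR to stdout (the role of "mtree -c -K sha256digest" in the text above).
make_spec() {
    ( cd "$1" && find . -type f | LC_ALL=C sort ) | while IFS= read -r f; do
        printf '%s %s\n' "$f" "$(sha256_of "$1/$f")"
    done
}

# check_spec DIR SPEC: print "changed:", "missing:" and "extra:" lines for
# every difference between DIR and SPEC; exit 0 only if there are none.
check_spec() {
    now=$(mktemp)
    make_spec "$1" > "$now"
    rc=0
    while IFS=' ' read -r path digest; do
        if [ ! -f "$1/$path" ]; then
            echo "missing: $path"; rc=1
        elif ! grep -qxF "$path $digest" "$now"; then
            echo "changed: $path"; rc=1
        fi
    done < "$2"
    while IFS=' ' read -r path digest; do
        cut -d' ' -f1 "$2" | grep -qxF "$path" || { echo "extra: $path"; rc=1; }
    done < "$now"
    rm -f "$now"
    return $rc
}

# Walk through the cycle in a scratch directory and return the four verdicts
# separated by ';'.
demo() {
    work=$(mktemp -d)
    mkdir "$work/bin"
    printf 'original ls\n' > "$work/bin/ls"      # constructed stand-ins for binaries
    printf 'original sh\n' > "$work/bin/sh"

    make_spec "$work/bin" > "$work/bin.secure"
    spec_digest=$(sha256_of "$work/bin.secure")  # keep this off-host or on read-only media

    # 1. untouched tree: nothing to report
    r1=$(check_spec "$work/bin" "$work/bin.secure" && echo clean)

    # 2. attacker replaces a binary: the daily check would report it
    printf 'trojaned ls\n' > "$work/bin/ls"
    r2=$(check_spec "$work/bin" "$work/bin.secure" || true)

    # 3. attacker also regenerates the spec: the check is silent again,
    #    which is the weakness the Note in security(8) describes
    make_spec "$work/bin" > "$work/bin.secure"
    r3=$(check_spec "$work/bin" "$work/bin.secure" && echo clean)

    # 4. a digest of the spec kept out of band still exposes the rewrite
    if [ "$(sha256_of "$work/bin.secure")" = "$spec_digest" ]; then
        r4=spec-intact
    else
        r4=spec-tampered
    fi

    rm -rf "$work"
    printf '%s;%s;%s;%s\n' "$r1" "$r2" "$r3" "$r4"
}

demo
```

With mtree(8) itself the verification step is `mtree -p /bin -f /etc/mtree/bin.secure`, run against each .secure list; the point of step 4 is that the specification, not only the tree, needs a copy the attacker cannot rewrite.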