security - periodic system security check

security is a command script that examines the system for some signs of security weaknesses. It is only a security aid and does not offer complete protection.

security is run by , which mails any output to root on a daily basis. The security script carries out the following list of simple checks:
- Check the group(5) files for syntax, empty passwords, partially closed accounts, suspicious UIDs, suspicious GIDs, and duplicate entries.
- Check root's home directory and login environment for insecure permissions, suspicious paths, and umask commands in the dotfiles.
- Check for suspicious commands in
- Check for insecurities in
- Check user .rhosts and .shosts files for open access.
- Check user home directory permissions.
- Check many user dotfile permissions.
- Check user mailbox permissions.
- Check NFS exports(5) file for global export entries.
- Check for changes in setuid/setgid files and devices.
- Check disk ownership and permissions.
- Check for changes in the device file list.
- Check for permission changes in special files and system binaries listed
security also provides hooks for administrators to create their own lists. These lists should be kept in /etc/mtree/ and filenames must have the suffix “.secure”. The following example shows how to create such a list, to protect the programs in /bin:

Note: These checks do not provide complete protection against Trojan horse binaries, as the miscreant can modify the tree specification to match the replaced binary. For details on really protecting yourself against modified binaries, see

    # mtree -cx -p /bin -K sha256digest,type > /etc/mtree/bin.secure
    # chown root:wheel /etc/mtree/bin.secure
    # chmod 600 /etc/mtree/bin.secure
- Check for changes in files listed in /etc/changelist. Files being created or deleted, as well as content change in the files themselves, are reported. See changelist(5) for
- Check for changes to the disklabels of mounted disks.
- Report on the installation or removal of any system
- Check hostname.if(5)
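The first check in the list above (syntax, empty passwords, suspicious UIDs and GIDs, duplicate entries in the password and group files) can be illustrated with a small standalone pass over passwd(5)- and group(5)-format text. This is an added example written for this page, not the security(8) script itself, and the sample lines are constructed. It assumes the usual 7-field passwd(5) layout (name:password:uid:gid:gecos:home:shell) and 4-field group(5) layout (name:password:gid:members); the "partially closed accounts" test is not reproduced here.

```python
# Added example, not the security(8) script: flag syntax errors, empty
# passwords, extra uid-0 accounts and duplicate entries in passwd(5)/group(5)
# text. Sample input below is constructed and deliberately seeded with problems.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1:The devil himself:/root:/sbin/nologin
alice:*:1000:1000:Alice:/home/alice:/bin/ksh
bob::1001:1001:Bob:/home/bob:/bin/ksh
toor:*:0:0:Second uid 0 account:/root:/bin/ksh
alice:*:1002:1000:Duplicate Alice:/home/alice2:/bin/ksh
broken:*:1003:1003:Missing shell field:/home/broken
"""

SAMPLE_GROUP = """\
wheel:*:0:root,alice
daemon:*:1:daemon
alice:*:1000:
users:*:1000:
"""


def check_passwd(text, allowed_uid0=("root",)):
    """Return a list of (line number, message) for problems found in
    passwd(5)-format text: name:password:uid:gid:gecos:home:shell."""
    findings = []
    seen = {}  # login name -> first line it appeared on
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, f"wrong number of fields ({len(fields)})"))
            continue
        name, password, uid, gid = fields[:4]
        if not name:
            findings.append((lineno, "empty login name"))
        if password == "":
            findings.append((lineno, f"user {name!r} has an empty password"))
        if not (uid.isdigit() and gid.isdigit()):
            findings.append((lineno, f"user {name!r} has a non-numeric uid or gid"))
            continue
        if int(uid) == 0 and name not in allowed_uid0:
            findings.append((lineno, f"user {name!r} has uid 0 (suspicious)"))
        if name in seen:
            findings.append((lineno, f"duplicate entry for {name!r} (first on line {seen[name]})"))
        else:
            seen[name] = lineno
    return findings


def check_group(text):
    """Return a list of (line number, message) for problems found in
    group(5)-format text: name:password:gid:members."""
    findings = []
    seen_names = {}  # group name -> first line
    seen_gids = {}   # gid string -> first group name using it
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 4:
            findings.append((lineno, f"wrong number of fields ({len(fields)})"))
            continue
        name, password, gid, _members = fields
        if password == "":
            findings.append((lineno, f"group {name!r} has an empty password"))
        if not gid.isdigit():
            findings.append((lineno, f"group {name!r} has a non-numeric gid"))
            continue
        if name in seen_names:
            findings.append((lineno, f"duplicate group {name!r} (first on line {seen_names[name]})"))
        else:
            seen_names[name] = lineno
        if gid in seen_gids:
            findings.append((lineno, f"gid {gid} already used by group {seen_gids[gid]!r}"))
        else:
            seen_gids[gid] = name
    return findings


if __name__ == "__main__":
    for label, result in (("passwd", check_passwd(SAMPLE_PASSWD)),
                          ("group", check_group(SAMPLE_GROUP))):
        for lineno, message in result:
            print(f"{label} line {lineno}: {message}")
```

Run against the constructed samples this reports bob's empty password, the second uid-0 account toor, the duplicate alice entry, the short line for broken, and the two groups sharing gid 1000; a clean file such as a single root line produces no findings.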
The intent of the security script is to point out some obvious holes to the system administrator.
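The mtree “.secure” lists and the /etc/changelist check described above both work the same way: record a baseline of selected file attributes, then report files that appear, disappear, or whose recorded attributes change. The following is an added example (written for this page, not OpenBSD's script or mtree itself) that implements that idea in Python over a constructed temporary directory tree, keying on type, mode and a SHA-256 digest much like the -K sha256digest,type keywords in the mtree command shown earlier. The tamper steps in demo() are constructed for illustration.

```python
# Added example, not the security(8) script or mtree(8): a minimal integrity
# baseline (type, mode, sha256) over a directory tree, and a comparison that
# reports added, removed and changed entries, in the spirit of the
# /etc/mtree/*.secure and /etc/changelist checks.
import hashlib
import os
import stat
import tempfile


def file_digest(path):
    """SHA-256 hex digest of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_spec(root):
    """Map each path (relative to root, '/'-separated) to its recorded
    attributes: type, permission bits, and sha256digest for regular files."""
    spec = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(dirnames + filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # do not follow symlinks
            if stat.S_ISDIR(st.st_mode):
                kind = "dir"
            elif stat.S_ISREG(st.st_mode):
                kind = "file"
            else:
                kind = "other"
            entry = {"type": kind, "mode": stat.S_IMODE(st.st_mode)}
            if kind == "file":
                entry["sha256digest"] = file_digest(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            spec[rel] = entry
    return spec


def compare_spec(baseline, current):
    """Return a sorted list of (path, change) where change is 'added',
    'removed', or 'changed <attribute>' for every attribute that differs."""
    report = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            report.append((path, "removed"))
        elif path not in baseline:
            report.append((path, "added"))
        else:
            keys = set(baseline[path]) | set(current[path])
            for key in sorted(keys):
                if baseline[path].get(key) != current[path].get(key):
                    report.append((path, f"changed {key}"))
    return report


def demo():
    """Build a baseline over a constructed tree, tamper with it, and return
    the comparison report (constructed scenario, not real system files)."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        for name, data in (("ls", b"ls binary"), ("sh", b"sh binary"), ("cat", b"cat binary")):
            path = os.path.join(bindir, name)
            with open(path, "wb") as f:
                f.write(data)
            os.chmod(path, 0o755)
        baseline = build_spec(root)

        # Tampering: replace the contents of ls, loosen sh to world-writable,
        # delete cat, and drop an unexpected new file into the directory.
        with open(os.path.join(bindir, "ls"), "wb") as f:
            f.write(b"replaced binary")
        os.chmod(os.path.join(bindir, "sh"), 0o777)
        os.remove(os.path.join(bindir, "cat"))
        with open(os.path.join(bindir, "new"), "wb") as f:
            f.write(b"unexpected")

        return compare_spec(baseline, build_spec(root))


if __name__ == "__main__":
    for path, change in demo():
        print(f"{change}: {path}")
```

The report from demo() lists bin/cat as removed, bin/ls with a changed sha256digest, bin/new as added and bin/sh with a changed mode. As with the real mtree lists, the baseline is only as trustworthy as its storage: it must be written and kept readable by root only, and the Note above applies unchanged, since anyone who can edit the baseline can make it match a replaced file.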
The following variables can be set in

- A whitespace-separated list of absolute paths to be skipped in setuid/setgid file checks and in device special file checks. Avoid
shell script appeared in , but most functionality only came with

The present manual was written by David for OpenBSD 2.9 and Ingo Schwarze from scratch in
The name of this script may provide a false sense of security. There are perhaps an infinite number of ways the system can be compromised without this script noticing.