periodic system security check

security is a command script that examines the system for some signs of security weaknesses. It is only a security aid and does not offer complete protection. security is run by daily(8), which mails any output to root on a daily basis.

The security script carries out the following list of simple checks:
- Check the
group(5) files for syntax,
empty passwords, partially closed accounts, suspicious UIDs, suspicious
GIDs, and duplicate entries.
- Check root's home directory and login environment for
insecure permissions, suspicious paths, and umask commands in the
- Check for suspicious commands in
- Check for insecurities in
- Check user .rhosts and
.shosts files for open access.
- Check user home directory permissions.
- Check many user dotfile permissions.
- Check user mailbox permissions.
- Check NFS
exports(5) file for global
- Check for changes in setuid/setgid files and
- Check disk ownership and permissions.
- Check for changes in the device file list.
- Check for permission changes in special files and system
binaries listed in /etc/mtree/special.
security also provides hooks for
administrators to create their own lists. These lists should be kept in
/etc/mtree/ and filenames must have the
suffix “.secure”. The following example shows how to create
such a list, to protect the programs in /bin:

    # mtree -cx -p /bin -K sha256digest,type > /etc/mtree/bin.secure
    # chown root:wheel /etc/mtree/bin.secure
    # chmod 600 /etc/mtree/bin.secure

Note: These checks do not provide complete
protection against Trojan horse binaries, as the miscreant can modify the
tree specification to match the replaced binary. For details on really
protecting yourself against modified binaries, see
- Check for changes in files listed in
/etc/changelist. Files being created or
deleted, as well as content change in the files themselves, are reported.
See changelist(5) for
- Check for changes to the disklabels of mounted
- Report on the installation or removal of any system
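
As an added example, not part of the security script or of this manual, the shell functions below build a baseline of mode, owner and SHA-256 digest for every regular file under a directory and report files added, removed or changed against it, which is the kind of finding the “.secure” and /etc/changelist checks above mail to root. It is a stand-in for the mtree(8) comparison on hosts without mtree and assumes GNU coreutils (sha256sum, stat -c) and paths without whitespace.

```shell
#!/bin/sh
# Added example, not OpenBSD's security script: a small stand-in for the
# mtree(8) ".secure" comparison on hosts without mtree, plus the
# created/deleted/changed reporting the changelist check does for files.
# Assumes GNU coreutils (sha256sum, stat -c) and paths without whitespace.

# make_spec DIR: print a baseline, one line per regular file under DIR:
#   path mode uid gid sha256   (sorted by path, like the mtree spec)
make_spec() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$f" "$(stat -c '%a %u %g' "$f")" \
            "$(sha256sum "$f" | cut -d' ' -f1)"
    done
}

# check_spec DIR SPECFILE: compare DIR against the stored baseline and
# print "added:", "removed:" or "changed:" lines; silent when all matches.
# A mode change (e.g. a new setuid bit), an owner change or a content
# change all show up as "changed", since each alters the baseline line.
check_spec() {
    base=$(mktemp) || return 2
    cur=$(mktemp) || { rm -f "$base"; return 2; }
    LC_ALL=C sort "$2" > "$base"
    make_spec "$1" | LC_ALL=C sort > "$cur"
    # comm -23: lines only in the baseline; comm -13: lines only in the
    # current scan.  A path seen on both sides changed; a path seen only
    # on the baseline side was removed, only on the current side was added.
    {
        LC_ALL=C comm -23 "$base" "$cur" | sed 's/^/B /'
        LC_ALL=C comm -13 "$base" "$cur" | sed 's/^/C /'
    } | awk '{ n[$2]++; side[$2] = $1 }
             END { for (p in n) {
                       if (n[p] == 2) print "changed: " p
                       else if (side[p] == "B") print "removed: " p
                       else print "added: " p
                   } }' | LC_ALL=C sort
    rm -f "$base" "$cur"
}
```

Run make_spec once to create the baseline (kept root-owned and mode 600, as the manual does for bin.secure), then schedule check_spec from the daily job and mail its output.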
The intent of the security
script is to point out
some obvious holes to the system administrator.
The following variables can be set in
- A whitespace-separated list of absolute paths to be skipped
in setuid/setgid file checks and in device special file checks. Avoid
shell script appeared in
, but most functionality only came with
The present manual was written by David
for OpenBSD 2.9
and Ingo Schwarze
from scratch in
The name of this script may provide a false sense of
There are perhaps an infinite number of ways the system can be compromised
without this script noticing.