SECURITY(8) | System Manager's Manual | SECURITY(8) |
security — periodic system security check
security is a command script that examines the system for some signs of security weaknesses. It is only a security aid and does not offer complete protection. security is run by daily(8), which mails any output to root on a daily basis.
The security script carries out the following list of simple checks:
security also provides hooks for administrators to create their own lists. These lists should be kept in /etc/mtree/ and filenames must have the suffix “.secure”. The following example shows how to create such a list, to protect the programs in /bin:
# mtree -cx -p /bin -K sha256digest,type > /etc/mtree/bin.secure
# chown root:wheel /etc/mtree/bin.secure
# chmod 600 /etc/mtree/bin.secure
Note: These checks do not provide complete protection against Trojan horse binaries, as the miscreant can modify the tree specification to match the replaced binary. For details on really protecting yourself against modified binaries, see mtree(8).
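The weakness described in the note can be narrowed by checking the “.secure” files themselves against digests recorded elsewhere. The following sh functions are an added example, not part of the security script or of this manual; the function names and the reference file format (one "digest  filename" line per list, kept on another machine or on read-only media) are assumptions.

```sh
#!/bin/sh
# Added example (not from security(8)): audit the *.secure mtree lists.
# Assumed reference file format: "<sha256 hex>  <basename>" per line,
# stored where an intruder on this host cannot rewrite it.

# Print the SHA-256 digest of a file as bare hex.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                      # OpenBSD sha256(1)
    else
        sha256sum "$1" | cut -d' ' -f1      # fallback on other systems
    fi
}

# check_secure_specs SPEC_DIR REFERENCE_FILE
# Reports lists whose mode is not 600, whose digest differs from the
# reference, or that have no reference entry. Returns 1 on any finding.
check_secure_specs() {
    dir=$1 ref=$2 rc=0
    for spec in "$dir"/*.secure; do
        [ -f "$spec" ] || continue
        name=${spec##*/}
        # First ten characters of ls -l output: file type and permissions.
        perms=$(ls -ld "$spec" | cut -c1-10)
        if [ "$perms" != "-rw-------" ]; then
            echo "MODE $name: $perms (expected -rw-------)"
            rc=1
        fi
        want=$(awk -v n="$name" '$2 == n { print $1 }' "$ref")
        have=$(sha256_of "$spec")
        if [ -z "$want" ]; then
            echo "UNTRACKED $name"
            rc=1
        elif [ "$want" != "$have" ]; then
            echo "CHANGED $name"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: sh thisfile /etc/mtree /path/to/reference
if [ $# -eq 2 ]; then
    check_secure_specs "$1" "$2"
fi
```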
The intent of the security script is to point out some obvious holes to the system administrator.
The following variables can be set in /etc/daily.local:
SUIDSKIP
A security shell script appeared in 4.3BSD-Reno, but most functionality only came with 4.4BSD.
The present manual was written by David Leonard for OpenBSD 2.9. Andrew Fresh <afresh1@openbsd.org> and Ingo Schwarze <schwarze@openbsd.org> rewrote security from scratch in perl(1) for OpenBSD 5.0.
The name of this script may provide a false sense of security.
There are perhaps an infinite number of ways the system can be compromised without this script noticing.
July 13, 2017 | OpenBSD-6.8 |