periodic system security
security is a command script that examines
the system for some signs of security weaknesses. It is only a security aid
and does not offer complete protection.
run by daily(8), which mails any output to root on a daily basis.
security script carries out the
following list of simple checks:
- Check the master.passwd(5) and group(5) files for syntax, empty passwords, partially closed accounts, suspicious UIDs, suspicious GIDs, and duplicate entries.
- Check root's home directory and login environment for insecure permissions, suspicious paths, and umask commands in the dotfiles.
- Check for suspicious commands in /etc/mail/aliases.
- Check for insecurities in /etc/hosts.lpd.
- Check user .rhosts and .shosts files for open access.
- Check user home directory permissions.
- Check many user dotfile permissions.
- Check user mailbox permissions.
- Check NFS exports(5) file for global export entries.
- Check for changes in setuid/setgid files and devices.
- Check disk ownership and permissions.
- Check for changes in the device file list.
- Check for permission changes in special files and system binaries listed
securityalso provides hooks for administrators to create their own lists. These lists should be kept in /etc/mtree/ and filenames must have the suffix “.secure”. The following example shows how to create such a list, to protect the programs in /bin:
# mtree -cx -p /bin -K sha256digest,type > /etc/mtree/bin.secure # chown root:wheel /etc/mtree/bin.secure # chmod 600 /etc/mtree/bin.secure
Note: These checks do not provide complete protection against Trojan horse binaries, as the miscreant can modify the tree specification to match the replaced binary. For details on really protecting yourself against modified binaries, see mtree(8).
- Check for changes in files listed in /etc/changelist. Files being created or deleted, as well as content change in the files themselves, are reported. See changelist(5) for further details.
- Check for changes to the disklabels of mounted disks.
- Report on the installation or removal of any system package(5).
- Check hostname.if(5) file permissions.
The intent of the
security script is to
point out some obvious holes to the system administrator.
The following variables can be set in /etc/daily.local:
- A whitespace-separated list of absolute paths to be skipped in setuid/setgid file checks and in device special file checks. Avoid trailing slashes.
changelist(5), daily(8), mtree(8)
security shell script appeared in
4.3BSD-Reno, but most functionality only came with
The present manual was written by David
Leonard for OpenBSD 2.9.
and Ingo Schwarze
security from scratch in
perl(1) for OpenBSD 5.0.
The name of this script may provide a false sense of
There are perhaps an infinite number of ways the system can be compromised without this script noticing.