SECURITY.CONF(5)          NetBSD Programmer's Manual          SECURITY.CONF(5)

NAME
     security.conf - daily security check configuration file

DESCRIPTION
     The security.conf file specifies which of the standard /etc/security ser-
     vices are performed.  The /etc/security script is run, by default, every
     night from /etc/daily, on a NetBSD system, if configured to do so from

     The variables described below can be set to "NO" to disable the test:

     check_passwd   This checks the /etc/master.passwd file for inconsistencies.

     check_group    This checks the /etc/group file for inconsistencies.

                    This checks the root user's startup files for sane settings
                    of $PATH and umask.  This test is not fail-safe, and any
                    warning generated from this should be checked for correctness.

                    This checks that the correct users are in the
                    /etc/ftpusers file.

     check_aliases  This checks for security problems in the /etc/mail/aliases
                    file.  For backward compatibility, /etc/aliases will be
                    checked as well if it exists.

     check_rhosts   This checks for system and user rhosts files with "+" in

     check_homes    This checks that home directories are owned by the correct
                    user, and have appropriate permissions.

     check_varmail  This checks that the correct user owns mail in /var/mail,
                    and that the mail box has the right permissions.

     check_nfs      This checks that the /etc/exports file does not export
                    filesystems to the world.

     check_devices  This checks for changes to devices and setuid files.

     check_mtree    This runs mtree(8) to ensure that the system is installed
                    correctly.  The following configuration files are checked:

                          /etc/mtree/special
                                   Default files to check.

                          /etc/mtree/special.local
                                   Local site additions.

                          Specification for the directory DIR.

     check_disklabels
                    Backup text copies of the disklabels of available disk
                    drives into /var/backups/work/disklabel.XXX, and display
                    any differences in those and the previous copies as per
                    check_changelist below.  If fdisk(8) is available on the
                    current platform, the output of /sbin/fdisk for each
                    available disk drive is stored in
                    /var/backups/work/fdisk.XXX, and any differences displayed
                    as per the disklabels.

     check_pkgs     This stores a list of all installed pkgs into
                    /var/backups/work/pkgs and checks it for any changes.

     check_changelist
                    This determines a list of files from the contents of
                    /etc/changelist, and the output of mtree -D for
                    /etc/mtree/special and /etc/mtree/special.local.  For each
                    file in the list it compares the files with their backups
                    in /var/backups/file.current and /var/backups/file.backup,
                    and displays any differences found.  The following
                    mtree(8) tags modify how files are determined from
                    /etc/mtree/special and /etc/mtree/special.local:

                          exclude  The entry is ignored; no backups are made
                                   and the differences are not displayed.
                                   This includes dynamic or binary files such
                                   as /var/run/utmp.

                          nodiff   The entry is backed up but the differences
                                   are not displayed because the contents of
                                   the file are sensitive.  This includes
                                   files such as /etc/master.passwd.
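     The check_nfs test above warns when /etc/exports hands a filesystem to
     the world.  The following shell function is an added example written for
     this page; it is not the code of the /etc/security script itself.  It
     reads an exports(5)-style file on standard input and treats a line as
     world-exported when, after removing the directory tokens (starting with
     "/") and the option tokens (starting with "-"), no host or netgroup
     remains and no -network restriction was given.  The sample exports text
     is constructed for the example and does not describe a real host.

```shell
# Added example (not /etc/security's own code): flag exports(5) lines that
# export a filesystem without naming hosts, netgroups or a -network range.
# Reads an exports file on stdin, prints each offending line, and returns 1
# if any were found, 0 otherwise.
find_world_exports() {
    awk '
        BEGIN { found = 0 }
        NF == 0 || $1 ~ /^#/ { next }              # blank line or comment
        {
            hosts = 0; restricted = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^\//) continue            # an exported directory
                if ($i ~ /^-network=/) { restricted = 1; continue }
                if ($i == "-network") { restricted = 1; i++; continue }
                if ($i == "-mask")    { i++; continue }   # skip the mask argument
                if ($i ~ /^-/) continue             # other option, e.g. -ro, -maproot=0
                hosts++                             # anything left is a host or netgroup
            }
            if (hosts == 0 && restricted == 0) { print; found = 1 }
        }
        END { exit found }
    '
}

# Constructed sample exports file for the demonstration, not a real /etc/exports.
# Lines 3 and 5 are exported to the world; lines 2 and 4 are restricted.
SAMPLE_EXPORTS='# constructed sample exports file
/export/home -maproot=nobody client1.example.net client2.example.net
/export/pub -ro
/export/src -network=192.168.10.0 -mask=255.255.255.0
/export/scratch -maproot=0 /export/tmp'

# Run with "demo" as the first argument to print the two world-exported lines.
if [ "${1-}" = demo ]; then
    printf '%s\n' "$SAMPLE_EXPORTS" | find_world_exports
fi
```

     A netgroup name or a host entry counts as a restriction here, exactly as
     it would for mountd; the function only reports the absence of any
     restriction, it does not judge whether the named hosts are trustworthy.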

     The variables described below can be set to modify the tests:

     max_grouplen   If check_group is enabled, this determines the maximum
                    permitted length of group names.

     max_loginlen   If check_passwd is enabled, this determines the maximum
                    permitted length of login names.

     backup_dir     Change the backup directory from /var/backup.

     pkgdb_dir      Change the pkg database directory from /var/db/pkg when
                    check_pkgs is enabled.

     backup_uses_rcs
                    Use rcs(1) for maintaining backup copies of files noted in
                    check_devices, check_disklabels, check_pkgs, and
                    check_changelist instead of just keeping a current copy
                    and a backup copy.
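     The current/backup rotation that check_changelist and backup_uses_rcs
     refer to above is small enough to show in full.  The shell function below
     is an added example for this page, not the code of /etc/security: it keeps
     a .current copy of each watched file under a backup directory, rotates the
     old copy to .backup when the file changes, and honours the exclude and
     nodiff tags described under check_changelist.  The backup file naming
     (slashes in the path replaced by underscores) and the return codes are
     assumptions made for this example; the group file content in the demo is
     constructed.

```shell
# Added example (not /etc/security's own code).
# Usage: changelist_check FILE TAG BACKUP_DIR
#   TAG is "" (plain entry), "exclude" or "nodiff".
# Returns 0 if the file is unchanged or excluded, 2 if it had no previous
# copy and was saved, 1 if it changed since the last run.
changelist_check() {
    file=$1; tag=$2; backup_dir=$3

    # exclude: no backup is made and nothing is reported
    [ "$tag" = exclude ] && return 0

    # assumed naming scheme: /etc/group -> _etc_group.current / .backup
    name=$(printf '%s' "$file" | sed 's,/,_,g')
    cur="$backup_dir/$name.current"
    bak="$backup_dir/$name.backup"
    mkdir -p "$backup_dir"

    if [ ! -f "$cur" ]; then
        cp -p "$file" "$cur"
        echo "$file: no previous copy, saved as $cur"
        return 2
    fi

    # unchanged: nothing to rotate or report
    if cmp -s "$file" "$cur"; then
        return 0
    fi

    # changed: rotate current -> backup and take a fresh current copy
    mv "$cur" "$bak"
    cp -p "$file" "$cur"
    if [ "$tag" = nodiff ]; then
        # nodiff: the change is reported but the sensitive contents are not shown
        echo "$file: changed (contents not shown)"
    else
        echo "$file: changed"
        diff -u "$bak" "$cur" || :
    fi
    return 1
}

# Demonstration on a constructed group file in a temporary directory.
changelist_demo() {
    work=$(mktemp -d)
    printf 'wheel:*:0:root\n' > "$work/group"           # constructed sample
    changelist_check "$work/group" "" "$work/backups"   # first run: saved
    printf 'wheel:*:0:root,alice\n' > "$work/group"     # someone joined wheel
    changelist_check "$work/group" "" "$work/backups"   # second run: diff shown
    changelist_check "$work/group" "" "$work/backups"   # third run: unchanged
    rm -rf "$work"
}

if [ "${1-}" = demo ]; then
    changelist_demo
fi
```

     With backup_uses_rcs set, /etc/security keeps the whole history under
     rcs(1) instead of this two-copy rotation; the reporting rules for exclude
     and nodiff are the same either way.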

FILES
     /etc/security        daily security check script
     /etc/security.conf   daily security check configuration
     /etc/security.local  local site additions to /etc/security


HISTORY
     The security.conf file appeared in NetBSD 1.3.  The check_disklabels
     functionality was added in NetBSD 1.4.  The backup_uses_rcs and
     check_pkgs features were added in NetBSD 1.6.

NetBSD 1.6                     October 15, 2001                              2
