SECURITY.CONF(5)          NetBSD File Formats Manual          SECURITY.CONF(5)

NAME
     security.conf -- daily security check configuration file

DESCRIPTION
     The security.conf file specifies which of the standard /etc/security
     services are performed.  The /etc/security script is run, by default,
     every night from /etc/daily on a NetBSD system, if configured to do so
     from /etc/daily.conf.

     The variables described below can be set to "NO" to disable the test:

     check_passwd   This checks the /etc/master.passwd file for
                    inconsistencies.

     check_group    This checks the /etc/group file for inconsistencies.

     check_rootdotfiles
                    This checks the root user's startup files for sane
                    settings of $PATH and umask.  This test is not fail-safe,
                    and any warning it generates should be checked for
                    correctness.

     check_ftpusers
                    This checks that the correct users are in the
                    /etc/ftpusers file.

     check_aliases  This checks for security problems in the /etc/mail/aliases
                    file.  For backward compatibility, /etc/aliases will be
                    checked as well if it exists.

     check_rhosts   This checks for system and user rhosts files with "+" in
                    them.

     check_homes    This checks that home directories are owned by the correct
                    user, and have appropriate permissions.

     check_varmail  This checks that the correct user owns mail in /var/mail,
                    and that the mail box has the right permissions.

     check_nfs      This checks that the /etc/exports file does not export
                    filesystems to the world.

     check_devices  This checks for changes to devices and setuid files.

     check_mtree    This runs mtree(8) to ensure that the system is installed
                    correctly.  The following configuration files are checked:

                    /etc/mtree/special
                          Default files to check.

                    /etc/mtree/special.local
                          Local site additions and overrides.

                    /etc/mtree/DIR.secure
                          Specification for the directory DIR.

     check_disklabels
                    Backup text copies of the disklabels of available disk
                    drives into /var/backups/work/disklabel.XXX, and display
                    any differences in those and the previous copies as per
                    check_changelist below.  If fdisk(8) is available on the
                    current platform, the output of /sbin/fdisk for each
                    available disk drive is stored in
                    /var/backups/work/fdisk.XXX, and any differences displayed
                    as per the disklabels.

     check_pkgs     This stores a list of all installed pkgs into
                    /var/backups/work/pkgs and checks it for any changes.

     check_changelist
                    This determines a list of files from the contents of
                    /etc/changelist, and the output of mtree -D for
                    /etc/mtree/special and /etc/mtree/special.local.  For each
                    file in the list it compares the files with their backups
                    in /var/backups/file.current and /var/backups/file.backup,
                    and displays any differences found.  The following
                    mtree(8) tags modify how files are determined from
                    /etc/mtree/special and /etc/mtree/special.local:

                          exclude  The entry is ignored; no backups are made
                                   and the differences are not displayed.
                                   This includes dynamic or binary files such
                                   as /var/run/utmp.

                          nodiff   The entry is backed up but the differences
                                   are not displayed because the contents of
                                   the file are sensitive.  This includes
                                   files such as /etc/master.passwd.

     The variables described below can be set to modify the tests:

     check_homes_permit_usergroups
                    During the check_homes phase, allow the checked files to
                    be group-writable if the group name is the same as the
                    username.

     check_devices_ignore_fstypes
                    Lists filesystem types to ignore during the check_devices
                    phase.  Prefixing the type with a `!' inverts the match.
                    For example, `procfs !local' will ignore `procfs' type
                    filesystems and filesystems that are not `local'.

     check_devices_ignore_paths
                    Lists pathnames to ignore during the check_devices phase.
                    Prefixing the path with a `!' inverts the match.  For
                    example, `/tftp' will ignore paths under /tftp while
                    `!/home' will ignore paths that are not under /home.
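
     The prefix and `!' inversion rules above, worked through in an added
     illustration that is not taken from /etc/security: ignored_path below
     is a hypothetical re-implementation of the documented matching, and
     assumes a path is ignored when any entry in the list matches it.

```sh
#!/bin/sh
# Hypothetical re-implementation of the check_devices_ignore_paths matching
# described in security.conf(5).  Added illustration, not code taken from
# /etc/security.  Assumption: a path is ignored when ANY entry in the
# space-separated list matches it; "/prefix" matches paths at or under that
# prefix, and "!/prefix" matches paths that are NOT under that prefix.

# path_under PATH PREFIX: true (0) if PATH equals PREFIX or lies beneath it.
# The "/" in the second pattern keeps /tftp from matching /tftpboot.
path_under() {
    case "$1" in
        "$2" | "$2"/*) return 0 ;;
        *)             return 1 ;;
    esac
}

# ignored_path PATH IGNORELIST: true (0) if check_devices should skip PATH.
ignored_path() {
    _p=$1
    for _entry in $2; do           # entries are plain prefixes, not globs
        case "$_entry" in
            !*)
                # Inverted entry: ignore everything outside this prefix.
                path_under "$_p" "${_entry#!}" || return 0
                ;;
            *)
                path_under "$_p" "$_entry" && return 0
                ;;
        esac
    done
    return 1
}

# Sample value taken from the manual page, applied to constructed paths.
check_devices_ignore_paths='/tftp !/home'

for _sample in /tftp/boot.img /usr/bin/su /home/alice/.profile; do
    if ignored_path "$_sample" "$check_devices_ignore_paths"; then
        echo "$_sample: ignored by check_devices"
    else
        echo "$_sample: checked by check_devices"
    fi
done
```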

     check_mtree_follow_symlinks
                    During the check_mtree phase, instruct mtree to follow
                    symbolic links.  Note that this may cause the check_mtree
                    phase to report errors for entries for these symbolic
                    links (i.e. of type=link in the mtree specification) as
                    they will always appear to be plain files for the purposes
                    of the check.  /etc/mtree/special.local may be used to
                    override the checks for the affected links.

     check_passwd_nowarn_shells
                    If check_passwd is enabled, most warnings will be
                    suppressed for entries whose shells are listed in this
                    space-separated list.  This is of particular value when
                    those shells are not in /etc/shells.

     check_passwd_nowarn_users
                    If check_passwd is enabled, suppress warnings for these
                    users.

     check_passwd_permit_nonalpha
                    If check_passwd is enabled, do not warn about login names
                    which use non-alphanumeric characters.

     check_passwd_permit_star
                    If check_passwd is enabled, do not warn about password
                    fields set to ``*''.  Note that the use of password fields
                    such as ``*ssh'' is encouraged, instead.

     max_grouplen   If check_group is enabled, this determines the maximum
                    permitted length of group names.

     max_loginlen   If check_passwd is enabled, this determines the maximum
                    permitted length of login names.

     backup_dir     Change the backup directory from /var/backup.

     diff_options   Specify the options passed to diff(1) when it is invoked
                    to show changes made to system files.  Defaults to ``-u'',
                    for unified-format context-diffs.

     pkgdb_dir      Change the pkg database directory from /var/db/pkg when
                    check_pkgs is enabled.

     backup_uses_rcs
                    Use rcs(1) for maintaining backup copies of files noted in
                    check_devices, check_disklabels, check_pkgs, and
                    check_changelist instead of just keeping a current copy
                    and a backup copy.

FILES
     /etc/defaults/security.conf  defaults for /etc/security.conf
     /etc/security                daily security check script
     /etc/security.conf           daily security check configuration
     /etc/security.local          local site additions to /etc/security

SEE ALSO
     daily.conf(5)

HISTORY
     The security.conf file appeared in NetBSD 1.3.  The check_disklabels
     functionality was added in NetBSD 1.4.  The backup_uses_rcs and
     check_pkgs features were added in NetBSD 1.6.  diff_options appeared in
     NetBSD 2.0; prior to that, traditional-format (context free) diffs were
     generated.

NetBSD 5.0.1                     May 29, 2006                     NetBSD 5.0.1
