SECURITY.CONF(5)          NetBSD File Formats Manual          SECURITY.CONF(5)

     security.conf -- daily security check configuration file

     The security.conf file specifies which of the standard /etc/security ser-
     vices are performed.  The /etc/security script is run, by default, every
     night from /etc/daily, on a NetBSD system, if configured do to so from

     The variables described below can be set to "NO" to disable the test:

     check_passwd   This checks the /etc/master.passwd file for inconsisten-

     check_group    This checks the /etc/group file for inconsistencies.

                    This checks the root users startup files for sane settings
                    of $PATH and umask.  This test is not fail safe and any
                    warning generated from this should be checked for correct-

                    This checks that the correct users are in the
                    /etc/ftpusers file.

     check_aliases  This checks for security problems in the /etc/mail/aliases
                    file.  For backward compatibility, /etc/aliases will be
                    checked as well if exists.

     check_rhosts   This checks for system and user rhosts files with "+" in

     check_homes    This checks that home directories are owned by the correct
                    user, and have appropriate permissions.

     check_varmail  This checks that the correct user owns mail in /var/mail,
                    and that the mail box has the right permissions.

     check_nfs      This checks that the /etc/exports file does not export
                    filesystems to the world.

     check_devices  This checks for changes to devices and setuid files.

     check_mtree    This runs mtree(8) to ensure that the system is installed
                    correctly.  The following configuration files are checked:

                          Default files to check.

                          Local site additions and overrides.

                          Specification for the directory DIR.

                    Backup text copies of the disklabels of available disk
                    drives into /var/backups/work/disklabel.XXX, and display
                    any differences in those and the previous copies as per
                    check_changelist below.  If fdisk(8) is available on the
                    current platform, the output of /sbin/fdisk for each
                    available disk drive is stored in
                    /var/backups/work/fdisk.XXX, and any differences displayed
                    as per the disklabels.

     check_pkgs     This stores a list of all installed pkgs into
                    /var/backups/work/pkgs and checks it for any changes.

                    This determines a list of files from the contents of
                    /etc/changelist, and the output of mtree -D for
                    /etc/mtree/special and /etc/mtree/special.local.  For each
                    file in the list it compares the files with their backups
                    in /var/backups/file.current and /var/backups/file.backup,
                    and displays any differences found.  The following
                    mtree(8) tags modify how files are determined from
                    /etc/mtree/special and /etc/mtree/special.local:

                          exclude  The entry is ignored; no backups are made
                                   and the differences are not displayed.
                                   This includes dynamic or binary files such
                                   as /var/run/utmp.

                          nodiff   The entry is backed up but the differences
                                   are not displayed because the contents of
                                   the file are sensitive.  This includes
                                   files such as /etc/master.passwd.

     The variables described below can be set to modify the tests:

                    During the check_homes phase, allow the checked files to
                    be group-writable if the group name is the same as the

                    Lists filesystem types to ignore during the check_devices
                    phase.  Prefixing the type with a `!' inverts the match.
                    For example, `procfs !local' will ignore `procfs' type
                    filesystems and filesystems that are not `local'.

                    Lists pathnames to ignore during the check_devices phase.
                    Prefixing the path with a `!' inverts the match.  For
                    example, `/tftp' will ignore paths under /tftp while
                    `!/home' will ignore paths that are not under /home.

                    During the check_mtree phase, instruct mtree to follow
                    symbolic links.  Please note, this may cause the
                    check_mtree phase to report errors for entries for these
                    symbolic links (i.e. of type=link in the mtree specifica-
                    tion) as they will always appear to be plain files for the
                    purposes of the check.  /etc/mtree/special.local may be
                    used to override the checks for the affected links.

                    If check_passwd is enabled, most warnings will be sup-
                    pressed for entries whose shells are listed in this space-
                    separated list.  This is of particular value when those
                    shells are not in /etc/shells.

                    If check_passwd is enabled, suppress warnings for these

                    If check_passwd is enabled, do not warn about login names
                    which use non-alphanumeric characters.

                    If check_passwd is enabled, do not warn about password
                    fields set to ``*''.  Note that the use of password fields
                    such as ``*ssh'' is encouraged, instead.

     max_grouplen   If check_group is enabled, this determines the maximum
                    permitted length of group names.

     max_loginlen   If check_passwd is enabled, this determines the maximum
                    permitted length of login names.

     backup_dir     Change the backup directory from /var/backup.

     diff_options   Specify the options passed to diff(1) when it is invoked
                    to show changes made to system files.  Defaults to ``-u'',
                    for unified-format context-diffs.

     pkgdb_dir      Change the pkg database directory from /var/db/pkg when
                    check_pkgs is enabled.

                    Use rcs(1) for maintaining backup copies of files noted in
                    check_devices, check_disklabels, check_pkgs, and
                    check_changelist instead of just keeping a current copy
                    and a backup copy.

     /etc/defaults/security.conf  defaults for /etc/security.conf
     /etc/security                daily security check script
     /etc/security.conf           daily security check configuration
     /etc/security.local          local site additions to /etc/security


     The security.conf file appeared in NetBSD 1.3.  The check_disklabels
     functionality was added in NetBSD 1.4.  The backup_uses_rcs and
     check_pkgs features were added in NetBSD 1.6.  diff_options appeared in
     NetBSD 2.0; prior to that, traditional-format (context free) diffs were

NetBSD 5.0.1                     May 29, 2006                     NetBSD 5.0.1

You can also request any man page by name and (optionally) by section:


Use the DEFAULT collection to view manual pages for third-party software.

©1994 Man-cgi 1.15, Panagiotis Christias
©1996-2018 Modified for NetBSD by Kimmo Suominen