summaryrefslogtreecommitdiff
path: root/static/netbsd/man5/security.conf.5
diff options
context:
space:
mode:
Diffstat (limited to 'static/netbsd/man5/security.conf.5')
-rw-r--r--static/netbsd/man5/security.conf.5332
1 files changed, 332 insertions, 0 deletions
diff --git a/static/netbsd/man5/security.conf.5 b/static/netbsd/man5/security.conf.5
new file mode 100644
index 00000000..9b392663
--- /dev/null
+++ b/static/netbsd/man5/security.conf.5
@@ -0,0 +1,332 @@
+.\" $NetBSD: security.conf.5,v 1.44 2024/11/14 19:57:41 plunky Exp $
+.\"
+.\" Copyright (c) 1996 Matthew R. Green
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+.\" AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+.\" OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.Dd December 2, 2020
+.Dt SECURITY.CONF 5
+.Os
+.Sh NAME
+.Nm security.conf
+.Nd daily security check configuration file
+.Sh DESCRIPTION
+The
+.Nm
+file specifies which of the standard
+.Pa /etc/security
+services are performed.
+The
+.Pa /etc/security
+script is run, by default, every night from
+.Pa /etc/daily ,
+on a
+.Nx
+system, if configured do to so from
+.Pa /etc/daily.conf .
+.Pp
+The variables described below can be set to "NO" to disable the test:
+.Bl -tag -width check_pkg_vulnerabilities
+.It Sy check_entropy
+This checks whether the system has enough entropy
+.Pq see Xr entropy 7 .
+.It Sy check_passwd
+This checks the
+.Pa /etc/master.passwd
+file for inconsistencies.
+.It Sy check_group
+This checks the
+.Pa /etc/group
+file for inconsistencies.
+.It Sy check_rootdotfiles
+This checks the root users startup files for sane settings of $PATH
+and umask.
+This test is not fail safe and any warning generated from
+this should be checked for correctness.
+.It Sy check_ftpusers
+This checks that the correct users are in the
+.Pa /etc/ftpusers
+file.
+.It Sy check_aliases
+This checks for security problems in the
+.Pa /etc/mail/aliases
+file.
+For backward compatibility,
+.Pa /etc/aliases
+will be checked as well if exists.
+.It Sy check_rhosts
+This checks for system and user rhosts files with "+" in them.
+.It Sy check_homes
+This checks that home directories are owned by the correct user,
+and have appropriate permissions.
+.It Sy check_varmail
+This checks that the correct user owns mail in
+.Pa /var/mail ,
+and that the mail box has the right permissions.
+.It Sy check_nfs
+This checks that the
+.Pa /etc/exports
+file does not export filesystems to the world.
+.It Sy check_devices
+This checks for changes to devices and setuid files.
+.It Sy check_mtree
+This runs
+.Xr mtree 8
+to ensure that the system is installed correctly.
+The following configuration files are checked:
+.Bl -tag -width 4n
+.It Pa /etc/mtree/special
+Default files to check.
+.It Pa /etc/mtree/special.local
+Local site additions and overrides.
+.It Pa /etc/mtree/DIR.secure
+Specification for the directory
+.Pa DIR .
+.El
+.It Sy check_disklabels
+Backup text copies of the disklabels of available disk drives into
+.Pa /var/backups/work/disklabel.XXX ,
+and display any differences in those and the previous copies
+as per
+.Sy check_changelist
+below.
+If
+.Xr fdisk 8
+is available on the current platform, the output of
+.Pa /sbin/fdisk
+for each available disk drive is stored in
+.Pa /var/backups/work/fdisk.XXX ,
+and any differences displayed as per the disklabels.
+.It Sy check_pkgs
+This stores a list of all installed pkgs into
+.Pa /var/backups/work/pkgs
+and checks it for any changes.
+.It Sy check_changelist
+This determines a list of files from the contents of
+.Pa /etc/changelist ,
+and the output of
+.Ic mtree -D
+for
+.Pa /etc/mtree/special
+and
+.Pa /etc/mtree/special.local .
+For each file in the list it compares the files with their backups in
+.Pa /var/backups/file.current
+and
+.Pa /var/backups/file.backup ,
+and displays any differences found.
+The following
+.Xr mtree 8
+.Sy tags
+modify how files are determined from
+.Pa /etc/mtree/special
+and
+.Pa /etc/mtree/special.local :
+.Bl -tag -width exclude -offset indent
+.It exclude
+The entry is ignored; no backups are made and the differences are not
+displayed.
+This includes dynamic or binary files such as
+.Pa /var/run/utmp .
+.It nodiff
+The entry is backed up but the differences are not displayed because
+the contents of the file are sensitive.
+This includes files such as
+.Pa /etc/master.passwd .
+.El
+.It Sy check_pkg_vulnerabilities
+Checks the currently installed packages against a database of known
+vulnerabilities and reports those that are vulnerable.
+Check the
+.Sy fetch_pkg_vulnerabilities
+setting in
+.Xr daily.conf 5
+to keep the database up to date.
+.It Sy check_pkg_signatures
+Checks the digital signature of all files installed by packages against
+the expected values stored in the packages database.
+.El
+.Pp
+The variables described below can be set to modify the tests:
+.Bl -tag -width check_network
+.It Sy check_homes_permit_usergroups
+During the
+.Sy check_homes
+phase, allow the checked files to be group-writable if the group name is
+the same as the username.
+.It Sy check_homes_permit_other_owner
+During the
+.Sy check_homes
+phase, allow the home directory and files of the listed users to be owned
+by a different user.
+.It Sy check_devices_ignore_fstypes
+Lists filesystem types to ignore during the
+.Sy check_devices
+phase.
+Prefixing the type with a
+.Sq \&!
+inverts the match.
+For example,
+.Ql procfs !local
+will ignore
+.Ql procfs
+type filesystems and filesystems that are not
+.Ql local .
+.It Sy check_devices_ignore_paths
+Lists pathnames to ignore during the
+.Sy check_devices
+phase.
+Prefixing the path with a
+.Sq \&!
+inverts the match.
+For example,
+.Ql /tftp
+will ignore paths under
+.Pa /tftp
+while
+.Ql !/home
+will ignore paths that are not under
+.Pa /home .
+.It Sy check_mtree_follow_symlinks
+During the
+.Sy check_mtree
+phase, instruct mtree to follow symbolic links.
+Please note, this may cause the
+.Sy check_mtree
+phase to report errors for entries for these symbolic links (i.e. of
+type=link in the mtree specification) as they will always appear to be plain
+files for the purposes of the check.
+.Pa /etc/mtree/special.local
+may be used to override the checks for the affected links.
+.It Sy check_passwd_nowarn_shells
+If
+.Sy check_passwd
+is enabled, most warnings will be suppressed for entries whose shells
+are listed in this space-separated list.
+This is of particular value when those shells are not in
+.Pa /etc/shells .
+.It Sy check_passwd_nowarn_users
+If
+.Sy check_passwd
+is enabled, suppress warnings for these users.
+.It Sy check_passwd_permit_dups
+If
+.Sy check_passwd
+is enabled, do not warn about duplicate uids for the listed login names.
+.It Sy check_passwd_permit_nonalpha
+If
+.Sy check_passwd
+is enabled, do not warn about login names which use non-alphanumeric
+characters.
+.It Sy check_passwd_permit_star
+If
+.Sy check_passwd
+is enabled, do not warn about password fields set to
+.Dq * .
+Note that the use of password fields such as
+.Dq *ssh
+is encouraged, instead.
+.It Sy max_grouplen
+If
+.Sy check_group
+is enabled, this determines the maximum permitted length of group names.
+.It Sy max_loginlen
+If
+.Sy check_passwd
+is enabled, this determines the maximum permitted length of login names.
+.It Sy backup_dir
+Change the backup directory from
+.Pa /var/backups .
+.It Sy diff_options
+Specify the options passed to
+.Xr diff 1
+when it is invoked to show changes made to system files.
+Defaults to
+.Dq -u ,
+for unified-format context-diffs.
+.It Sy pkgdb_dir
+.Em DEPRECATED .
+Please set
+.Dv PKGDB_DIR
+in
+.Xr pkg_install.conf 5
+instead.
+.Pp
+If defined, points to the location of the packages database.
+Defaults to
+.Pa /usr/pkg/pkgdb .
+.It Sy backup_uses_rcs
+Use
+.Xr rcs 1
+for maintaining backup copies of files noted in
+.Sy check_devices ,
+.Sy check_disklabels ,
+.Sy check_pkgs ,
+and
+.Sy check_changelist
+instead of just keeping a current copy and a backup copy.
+.It Sy random_file
+Name of the entropy seed file used at boot.
+Default is
+.Pa /var/db/entropy-file
+as used by
+.Pa /etc/rc.d/random_seed .
+Set
+.Sy random_file
+to empty to disable saving a seed every time
+.Pa /etc/security
+runs.
+.El
+.Sh FILES
+.Bl -tag -width /etc/defaults/security.conf -compact
+.It Pa /etc/defaults/security.conf
+defaults for /etc/security.conf
+.It Pa /etc/security
+daily security check script
+.It Pa /etc/security.conf
+daily security check configuration
+.It Pa /etc/security.local
+local site additions to
+.Pa /etc/security
+.El
+.Sh SEE ALSO
+.Xr daily.conf 5
+.Sh HISTORY
+The
+.Nm
+file appeared in
+.Nx 1.3 .
+The
+.Sy check_disklabels
+functionality was added in
+.Nx 1.4 .
+The
+.Sy backup_uses_rcs
+and
+.Sy check_pkgs
+features were added in
+.Nx 1.6 .
+.Sy diff_options
+appeared in
+.Nx 2.0 ;
+prior to that, traditional-format (context free) diffs were generated.
generated by cgit v1.2.3 (git 2.46.0) at 2026-05-15 13:00:58 +0000