diff options
Diffstat (limited to 'static/openbsd/man8/security.8')
| -rw-r--r-- | static/openbsd/man8/security.8 | 173 |
1 files changed, 173 insertions, 0 deletions
diff --git a/static/openbsd/man8/security.8 b/static/openbsd/man8/security.8 new file mode 100644 index 00000000..28c300c4 --- /dev/null +++ b/static/openbsd/man8/security.8 @@ -0,0 +1,173 @@ +.\" $OpenBSD: security.8,v 1.28 2025/03/31 17:35:28 schwarze Exp $ +.\" +.\" David Leonard, 2001. Public Domain. +.\" +.Dd $Mdocdate: March 31 2025 $ +.Dt SECURITY 8 +.Os +.Sh NAME +.Nm security +.Nd periodic system security check +.Sh DESCRIPTION +.Nm +is a command script that examines the system for some signs of security +weaknesses. +It is only a security aid and does not offer complete protection. +.Nm +is run by +.Xr daily 8 , +which mails any output to root on a daily basis. +.Pp +The +.Nm +script carries out the following list of simple checks: +.Bl -bullet +.It +Check the +.Xr master.passwd 5 +and +.Xr group 5 +files for +syntax, empty passwords, partially closed accounts, +suspicious UIDs, suspicious GIDs, and duplicate entries. +.It +Check root's home directory and login environment for +insecure permissions, suspicious paths, and umask commands in the +dotfiles. +.It +Check for suspicious commands in +.Pa /etc/mail/aliases . +.It +Check for insecurities in +.Pa /etc/hosts.lpd . +.It +Check user +.Pa .rhosts +and +.Pa .shosts +files for open access. +.It +Check user home directory permissions. +.It +Check many user dotfile permissions. +.It +Check user mailbox permissions. +.It +Check NFS +.Xr exports 5 +file for global export entries. +.It +Check for changes in setuid/setgid files and devices. +.It +Check disk ownership and permissions. +.It +Check for changes in the device file list. +.It +Check for permission changes in special files and system binaries listed in +.Pa /etc/mtree/special . +.Nm +also provides hooks for administrators to create their own lists. +These lists should be kept in +.Pa /etc/mtree/ +and filenames must have the suffix +.Dq .secure . +The following example shows how to create such a list, +to protect the programs in +.Pa /bin : +.Bd -literal -offset 4n +# mtree -cx -p /bin -K sha256digest,type > /etc/mtree/bin.secure +# chown root:wheel /etc/mtree/bin.secure +# chmod 600 /etc/mtree/bin.secure +.Ed +.Pp +.Sy Note: +These checks do not provide complete protection against +Trojan horse binaries, as +the miscreant can modify the tree specification to match the replaced binary. +For details on really protecting yourself against modified binaries, see +.Xr mtree 8 . +.It +Check for changes in files listed in +.Pa /etc/changelist . +Files being created or deleted, +as well as content change in the files themselves, +are reported. +See +.Xr changelist 5 +for further details. +.It +Check for changes to the disklabels and partition tables of mounted disks. +.It +Report on the installation or removal of any system +.Xr package 5 . +.It +Check +.Xr hostname.if 5 +file permissions. +.El +.Pp +The intent of the +.Nm +script is to point out some obvious holes to the system administrator. +.Sh ENVIRONMENT +The following variables can be set in +.Pa /etc/daily.local : +.Pp +.Bl -tag -width "PASSWDSKIP" -compact +.It Ev PASSWDSKIP +A whitespace-separated list of +.Ar name : Ns Ar shell +pairs allowed to have empty passwords. +For example, a machine running both CVS and gotd for anonymous access +might set: +.Bd -literal -offset indent +PASSWDSKIP="anoncvs:/usr/local/bin/anoncvssh + anonymous:/usr/local/bin/gotsh" +.Ed +.Pp +.It Ev SUIDSKIP +A whitespace-separated list of absolute paths to be skipped +in setuid/setgid file checks and in device special file checks. +Avoid trailing slashes. +.El +.Sh FILES +.Bl -tag -width /dev/changelist -compact +.It Pa /etc/changelist +.It Pa /etc/daily +.It Pa /etc/mtree +.It Pa /usr/libexec/security +.It Pa /var/backups +.El +.Sh SEE ALSO +.Xr changelist 5 , +.Xr daily 8 , +.Xr mtree 8 +.Sh HISTORY +A +.Nm +shell script appeared in +.Bx 4.3 Reno , +but most functionality only came with +.Bx 4.4 . +.Sh AUTHORS +.An -nosplit +The present manual was written by +.An David Leonard +for +.Ox 2.9 . +.An Andrew Fresh Aq Mt afresh1@openbsd.org +and +.An Ingo Schwarze Aq Mt schwarze@openbsd.org +rewrote +.Nm +from scratch in +.Xr perl 1 +for +.Ox 5.0 . +.Sh BUGS +The name of this script may provide a false sense of +.Nm security . +.\" Well, I thought it was amusing. +.Pp +There are perhaps an infinite number of ways the system can be compromised +without this script noticing. |