security.conf man page on NetBSD

SECURITY.CONF(5)	    BSD File Formats Manual	      SECURITY.CONF(5)

NAME
     security.conf — daily security check configuration file

DESCRIPTION
     The security.conf file specifies which of the standard /etc/security
     services are performed.  The /etc/security script is run, by default,
     every night from /etc/daily, on a NetBSD system, if configured to do so
     from /etc/daily.conf.

     The variables described below can be set to "NO" to disable the test:

     check_passwd		This checks the /etc/master.passwd file for
				inconsistencies.

     check_group		This checks the /etc/group file for inconsis‐
				tencies.

     check_rootdotfiles		This checks the root user's startup files for
				sane settings of $PATH and umask.  This test
				is not fail-safe, and any warning generated
				by it should be checked for correctness.

     check_ftpusers		This checks that the correct users are in the
				/etc/ftpusers file.

     check_aliases		This checks for security problems in the
				/etc/mail/aliases file.	 For backward compati‐
				bility, /etc/aliases will be checked as well
				if it exists.

     check_rhosts		This checks for system and user rhosts files
				with "+" in them.

     check_homes		This checks that home directories are owned by
				the correct user, and have appropriate permis‐
				sions.

     check_varmail		This checks that the correct user owns mail in
				/var/mail, and that the mail box has the right
				permissions.

     check_nfs			This checks that the /etc/exports file does
				not export filesystems to the world.

     check_devices		This checks for changes to devices and setuid
				files.

     check_mtree		This runs mtree(8) to ensure that the system
				is installed correctly.	 The following config‐
				uration files are checked:

				/etc/mtree/special
				      Default files to check.

				/etc/mtree/special.local
				      Local site additions and overrides.

				/etc/mtree/DIR.secure
				      Specification for the directory DIR.

     check_disklabels		Backup text copies of the disklabels of avail‐
				able disk drives into
				/var/backups/work/disklabel.XXX, and display
				any differences in those and the previous
				copies as per check_changelist below.  If
				fdisk(8) is available on the current platform,
				the output of /sbin/fdisk for each available
				disk drive is stored in
				/var/backups/work/fdisk.XXX, and any differ‐
				ences displayed as per the disklabels.

     check_pkgs			This stores a list of all installed pkgs into
				/var/backups/work/pkgs and checks it for any
				changes.

     check_changelist		This determines a list of files from the con‐
				tents of /etc/changelist, and the output of
				mtree -D for /etc/mtree/special and
				/etc/mtree/special.local.  For each file in
				the list it compares the files with their
				backups in /var/backups/file.current and
				/var/backups/file.backup, and displays any
				differences found.  The following mtree(8)
				tags modify how files are determined from
				/etc/mtree/special and
				/etc/mtree/special.local:

				      exclude  The entry is ignored; no back‐
					       ups are made and the differ‐
					       ences are not displayed.	 This
					       includes dynamic or binary
					       files such as /var/run/utmp.

				      nodiff   The entry is backed up but the
					       differences are not displayed
					       because the contents of the
					       file are sensitive.  This
					       includes files such as
					       /etc/master.passwd.

     check_pkg_vulnerabilities	Checks the currently installed packages
				against a database of known vulnerabilities
				and reports those that are vulnerable.	Check
				the fetch_pkg_vulnerabilities setting in
				daily.conf(5) to keep the database up to date.

     check_pkg_signatures	Checks the digital signature of all files
				installed by packages against the expected
				values stored in the packages database.
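
     The night-to-night comparison that check_changelist performs, written
     out as a small POSIX sh example.  This is an added illustration, not the
     NetBSD /etc/security script: it keeps a .current and a .backup copy of
     each file under $backup_dir, prints differences with diff(1) using
     $diff_options, and honours the "exclude" and "nodiff" tags described
     above.  backup_dir and diff_options are the security.conf variables of
     those names; the function names, the folding of "/" to "_" in backup
     file names, the scratch directory and the sample file contents are all
     constructed here.  The backup_uses_rcs mode is not implemented.

```sh
#!/bin/sh
# Added example, not the NetBSD /etc/security script: a minimal rendering of
# the check_changelist comparison. backup_dir and diff_options mirror the
# security.conf variables; everything else (function names, name mangling,
# scratch directory, sample data) is made up for the illustration.

backup_dir="${backup_dir:-$(mktemp -d)}"   # scratch dir for the demo, not /var/backups
diff_options="${diff_options:--u}"         # security.conf default is -u

# backup_name FILE: path prefix of the saved copies for FILE, with "/" folded
# to "_" so that /etc/exports is stored as $backup_dir/etc_exports.current
# (a simplification of the real layout under /var/backups).
backup_name() {
    printf '%s/%s\n' "$backup_dir" "$(printf '%s' "${1#/}" | tr / _)"
}

# check_file FILE [TAG]
# TAG is "exclude" (skip the file entirely, no copies made), "nodiff" (keep
# copies and report a change, but never print the contents) or empty.
# Returns 0 when nothing changed, 1 when FILE is new or differs from .current.
check_file() {
    file=$1 tag=${2:-}
    [ "$tag" = exclude ] && return 0
    mkdir -p "$backup_dir"
    base=$(backup_name "$file")
    cur="$base.current" bak="$base.backup"
    if [ ! -f "$cur" ]; then
        cp -p "$file" "$cur"                   # first sighting: seed .current
        printf '======\n%s added\n' "$file"
        return 1
    fi
    cmp -s "$cur" "$file" && return 0          # unchanged since last run
    printf '======\n%s diffs (OLD < > NEW)\n' "$file"
    if [ "$tag" = nodiff ]; then
        echo "(contents not shown: nodiff)"    # sensitive file, e.g. master.passwd
    else
        diff $diff_options "$cur" "$file" || : # diff exits 1 when files differ
    fi
    cp -p "$cur" "$bak"                        # rotate: current -> backup
    cp -p "$file" "$cur"                       #         file    -> current
    return 1
}

# demo_changelist: run the check twice over constructed files in a scratch
# tree, changing one of them in between, as two nightly runs would see it.
demo_changelist() {
    work=$(mktemp -d)
    backup_dir="$work/backups"
    printf 'root:*:0:0::0:0:Charlie &:/root:/bin/sh\n' > "$work/master.passwd"
    printf '/export -ro host1\n' > "$work/exports"
    echo "--- first run (everything is new) ---"
    check_file "$work/master.passwd" nodiff || :
    check_file "$work/exports" || :
    printf '/export -ro host1\n/export2\n' > "$work/exports"   # simulated edit
    echo "--- second run ---"
    check_file "$work/master.passwd" nodiff && echo "master.passwd unchanged"
    check_file "$work/exports" || :
}
```

     Source the file and call demo_changelist to see both runs; the second
     run reports only the exports change, in unified diff form, while the
     nodiff-tagged master.passwd would be reported without its contents had
     it changed.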

     The variables described below can be set to modify the tests:

     check_homes_permit_usergroups
		    During the check_homes phase, allow the checked files to
		    be group-writable if the group name is the same as the
		    username.

     check_devices_ignore_fstypes
		    Lists filesystem types to ignore during the check_devices
		    phase.  Prefixing the type with a ‘!’ inverts the match.
		    For example, ‘procfs !local’ will ignore ‘procfs’ type
		    filesystems and filesystems that are not ‘local’.

     check_devices_ignore_paths
		    Lists pathnames to ignore during the check_devices phase.
		    Prefixing the path with a ‘!’ inverts the match.  For
		    example, ‘/tftp’ will ignore paths under /tftp while
		    ‘!/home’ will ignore paths that are not under /home.

     check_mtree_follow_symlinks
		    During the check_mtree phase, instruct mtree to follow
		    symbolic links.  Please note, this may cause the
		    check_mtree phase to report errors for entries for these
		    symbolic links (i.e. of type=link in the mtree specifica‐
		    tion) as they will always appear to be plain files for the
		    purposes of the check.  /etc/mtree/special.local may be
		    used to override the checks for the affected links.

     check_passwd_nowarn_shells
		    If check_passwd is enabled, most warnings will be sup‐
		    pressed for entries whose shells are listed in this space-
		    separated list.  This is of particular value when those
		    shells are not in /etc/shells.

     check_passwd_nowarn_users
		    If check_passwd is enabled, suppress warnings for these
		    users.

     check_passwd_permit_nonalpha
		    If check_passwd is enabled, do not warn about login names
		    which use non-alphanumeric characters.

     check_passwd_permit_star
		    If check_passwd is enabled, do not warn about password
		    fields set to “*”.	Note that the use of password fields
		    such as “*ssh” is encouraged, instead.

     max_grouplen   If check_group is enabled, this determines the maximum
		    permitted length of group names.

     max_loginlen   If check_passwd is enabled, this determines the maximum
		    permitted length of login names.

     backup_dir	    Change the backup directory from /var/backup.

     diff_options   Specify the options passed to diff(1) when it is invoked
		    to show changes made to system files.  Defaults to “-u”,
		    for unified-format context-diffs.

     pkgdb_dir	    DEPRECATED.	 Please set PKGDB_DIR in pkg_install.conf(5)
		    instead.

		    If defined, points to the location of the packages data‐
		    base.  Defaults to /var/db/pkg.

     backup_uses_rcs
		    Use rcs(1) for maintaining backup copies of files noted in
		    check_devices, check_disklabels, check_pkgs, and
		    check_changelist instead of just keeping a current copy
		    and a backup copy.
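
     The "!" inversion rule of check_devices_ignore_fstypes and
     check_devices_ignore_paths, shown as an added example.  The assignments
     are written as they would appear in /etc/security.conf (which is sh
     syntax) and reuse the values given above; the matcher that follows is
     not part of the NetBSD script.  The function names are made up here,
     and treating a path as ignored as soon as any listed entry matches is an
     assumption, since the man page does not say how several entries combine.

```sh
#!/bin/sh
# Added example, not part of the NetBSD /etc/security script. The two
# assignments are security.conf settings as documented; under() and
# device_path_ignored() are illustrative helpers written for this example.

check_devices_ignore_fstypes="procfs !local"   # skip procfs and non-local mounts
check_devices_ignore_paths="/tftp"             # skip everything under /tftp

# under DIR PATH: succeeds if PATH is DIR itself or lies beneath it.
# The match is by path component, so /tftpboot is not "under" /tftp.
under() {
    case $2 in
        "$1"|"$1"/*) return 0 ;;
    esac
    return 1
}

# device_path_ignored PATH: succeeds if check_devices would skip PATH given
# the current check_devices_ignore_paths. A plain entry ignores paths under
# it; an entry prefixed with "!" ignores paths that are NOT under it.
# Assumption: the path is ignored when any entry in the list says so.
device_path_ignored() {
    for entry in $check_devices_ignore_paths; do
        case $entry in
            "!"*) under "${entry#!}" "$1" || return 0 ;;
            *)    under "$entry" "$1" && return 0 ;;
        esac
    done
    return 1
}
```

     Set check_devices_ignore_paths and call device_path_ignored with a
     pathname; exit status 0 means the path would be skipped.  With
     "!/home" only paths beneath /home are still examined.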

FILES
     /etc/defaults/security.conf  defaults for /etc/security.conf
     /etc/security		  daily security check script
     /etc/security.conf		  daily security check configuration
     /etc/security.local	  local site additions to /etc/security

SEE ALSO
     daily.conf(5)

HISTORY
     The security.conf file appeared in NetBSD 1.3.  The check_disklabels
     functionality was added in NetBSD 1.4.  The backup_uses_rcs and
     check_pkgs features were added in NetBSD 1.6.  diff_options appeared in
     NetBSD 2.0; prior to that, traditional-format (context free) diffs were
     generated.

BSD			       February 5, 2010				   BSD