
FreeBSD Manual Pages


SECURITY.CONF(5)            BSD File Formats Manual            SECURITY.CONF(5)

     security.conf -- daily security check configuration file

     The security.conf file specifies which of the standard /etc/security
     services are performed.  The /etc/security script is run, by default,
     every night from /etc/daily, on a NetBSD system, if configured to do so
     from

     The variables described below can be set to "NO" to disable the test:

     check_passwd               This checks the /etc/master.passwd file for

     check_group                This checks the /etc/group file for inconsis-

     check_rootdotfiles         This checks the root user's startup files for
                                sane settings of $PATH and umask.  This test
                                is not fail-safe and any warning generated
                                from this should be checked for correctness.

     check_ftpusers             This checks that the correct users are in the
                                /etc/ftpusers file.

     check_aliases              This checks for security problems in the
                                /etc/mail/aliases file.  For backward
                                compatibility, /etc/aliases will be checked as
                                well if it exists.

     check_rhosts               This checks for system and user rhosts files
                                with "+" in them.

     check_homes                This checks that home directories are owned by
                                the correct user, and have appropriate permis-

     check_varmail              This checks that the correct user owns mail in
                                /var/mail, and that the mail box has the right

     check_nfs                  This checks that the /etc/exports file does
                                not export filesystems to the world.

     check_devices              This checks for changes to devices and setuid

     check_mtree                This runs mtree(8) to ensure that the system
                                is installed correctly.  The following
                                configuration files are checked:

                                      Default files to check.

                                      Local site additions and overrides.

                                      Specification for the directory DIR.

     check_disklabels           Back up text copies of the disklabels of
                                available disk drives into
                                /var/backups/work/disklabel.XXX, and display
                                any differences in those and the previous
                                copies as per check_changelist below.  If
                                fdisk(8) is available on the current platform,
                                the output of /sbin/fdisk for each available
                                disk drive is stored in
                                /var/backups/work/fdisk.XXX, and any
                                differences displayed as per the disklabels.

     check_pkgs                 This stores a list of all installed pkgs into
                                /var/backups/work/pkgs and checks it for any

     check_changelist           This determines a list of files from the
                                contents of /etc/changelist, and the output of
                                mtree -D for /etc/mtree/special and
                                /etc/mtree/special.local.  For each file in
                                the list it compares the files with their
                                backups in /var/backups/file.current and
                                /var/backups/file.backup, and displays any
                                differences found.  The following mtree(8)
                                tags modify how files are determined from
                                /etc/mtree/special and

                                      exclude  The entry is ignored; no
                                               backups are made and the
                                               differences are not displayed.
                                               This includes dynamic or binary
                                               files such as /var/run/utmp.

                                      nodiff   The entry is backed up but the
                                               differences are not displayed
                                               because the contents of the
                                               file are sensitive.  This
                                               includes files such as
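
     The comparison and backup rotation that check_changelist describes, as an
     added POSIX sh example that is not NetBSD's /etc/security script: it reads
     a constructed, simplified spec (an absolute path followed by optional
     key=value words, not the real mtree(8) special format), honours the exclude
     and nodiff tags, diffs each file against backup_dir/file.current using
     diff_options, and rotates the current copy into file.backup.  The function
     name changelist_check, the spec layout and the message wording are
     assumptions.

```shell
# Added example (not NetBSD's /etc/security): a miniature check_changelist.
# Spec format is a simplification: one absolute path per line, optionally
# followed by key=value words such as "tags=exclude" or "tags=nodiff".
# Arguments: spec file, backup_dir, diff_options (defaults to "-u", as
# security.conf does).  Prints the report, then the count of changed files.
changelist_check() {
    spec=$1; bdir=$2; opts=${3:--u}
    changed=0
    while read -r path tags; do
        case $path in ''|'#'*) continue ;; esac          # blank or comment line
        case " $tags " in *" tags="*exclude*) continue ;; esac  # never backed up or diffed
        [ -f "$path" ] || continue
        cur="$bdir/file.current$path"
        bak="$bdir/file.backup$path"
        if [ -f "$cur" ] && ! cmp -s "$cur" "$path"; then
            changed=$((changed + 1))
            case " $tags " in
            *" tags="*nodiff*)
                # nodiff: record the change and keep the backup, but show nothing
                echo "$path: contents changed (sensitive file, diff not shown)" ;;
            *)
                echo "$path diffs (OLD < > NEW)"
                diff $opts "$cur" "$path" || true ;;    # diff exits 1 when files differ
            esac
            mkdir -p "$(dirname "$bak")"
            mv "$cur" "$bak"                             # current copy becomes the backup copy
        fi
        mkdir -p "$(dirname "$cur")"
        [ -f "$cur" ] || cp "$path" "$cur"               # first run, or refresh after a change
    done < "$spec"
    echo "$changed"
}
```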

     check_pkg_vulnerabilities  Checks the currently installed packages
                                against a database of known vulnerabilities
                                and reports those that are vulnerable.  Check
                                the fetch_pkg_vulnerabilities setting in
                                daily.conf(5) to keep the database up to date.

     check_pkg_signatures       Checks the digital signature of all files
                                installed by packages against the expected
                                values stored in the packages database.

     The variables described below can be set to modify the tests:

                    During the check_homes phase, allow the checked files to
                    be group-writable if the group name is the same as the

                    Lists filesystem types to ignore during the check_devices
                    phase.  Prefixing the type with a `!' inverts the match.
                    For example, `procfs !local' will ignore `procfs' type
                    filesystems and filesystems that are not `local'.

                    Lists pathnames to ignore during the check_devices phase.
                    Prefixing the path with a `!' inverts the match.  For
                    example, `/tftp' will ignore paths under /tftp while
                    `!/home' will ignore paths that are not under /home.

                    During the check_mtree phase, instruct mtree to follow
                    symbolic links.  Please note, this may cause the
                    check_mtree phase to report errors for entries for these
                    symbolic links (i.e. of type=link in the mtree
                    specification) as they will always appear to be plain
                    files for the purposes of the check.
                    /etc/mtree/special.local may be used to override the
                    checks for the affected links.

                    If check_passwd is enabled, most warnings will be
                    suppressed for entries whose shells are listed in this
                    space-separated list.  This is of particular value when
                    those shells are not in /etc/shells.

                    If check_passwd is enabled, suppress warnings for these

                    If check_passwd is enabled, do not warn about login names
                    which use non-alphanumeric characters.

                    If check_passwd is enabled, do not warn about password
                    fields set to "*".  Note that the use of password fields
                    such as "*ssh" is encouraged, instead.

     max_grouplen   If check_group is enabled, this determines the maximum
                    permitted length of group names.

     max_loginlen   If check_passwd is enabled, this determines the maximum
                    permitted length of login names.

     backup_dir     Change the backup directory from /var/backup.

     diff_options   Specify the options passed to diff(1) when it is invoked
                    to show changes made to system files.  Defaults to "-u",
                    for unified-format context-diffs.

     pkgdb_dir      DEPRECATED.  Please set PKGDB_DIR in pkg_install.conf(5)

                    If defined, points to the location of the packages
                    database.  Defaults to /var/db/pkg.

                    Use rcs(1) for maintaining backup copies of files noted in
                    check_devices, check_disklabels, check_pkgs, and
                    check_changelist instead of just keeping a current copy
                    and a backup copy.

     /etc/defaults/security.conf  defaults for /etc/security.conf
     /etc/security                daily security check script
     /etc/security.conf           daily security check configuration
     /etc/security.local          local site additions to /etc/security


     The security.conf file appeared in NetBSD 1.3.  The check_disklabels
     functionality was added in NetBSD 1.4.  The backup_uses_rcs and
     check_pkgs features were added in NetBSD 1.6.  diff_options appeared in
     NetBSD 2.0; prior to that, traditional-format (context free) diffs were

BSD                            February 5, 2010                            BSD

