SECURITY(8) FreeBSD System Manager's Manual SECURITY(8)
NAME
security - periodic system security check
DESCRIPTION
security is a command script that examines the system for some signs of
security weaknesses. It is only a security aid and does not offer
complete protection. security is run by daily(8), which mails any output
to root on a daily basis.
The security script carries out the following list of simple checks:
o Check the master.passwd(5) and group(5) files for syntax, empty
passwords, partially closed accounts, suspicious UIDs, suspicious
GIDs, and duplicate entries.
o Check root's home directory and login environment for insecure
permissions, suspicious paths, and umask commands in the dotfiles.
o Check for suspicious commands in /etc/mail/aliases.
o Check for insecurities in /etc/hosts.lpd.
o Check user .rhosts and .shosts files for open access.
o Check user home directory permissions.
o Check many user dotfile permissions.
o Check user mailbox permissions.
o Check NFS exports(5) file for global export entries.
o Check for changes in setuid/setgid files and devices.
o Check disk ownership and permissions.
o Check for changes in the device file list.
o Check for permission changes in special files and system binaries
listed in /etc/mtree/special. security also provides hooks for
administrators to create their own lists. These lists should be kept
in /etc/mtree/ and filenames must have the suffix ".secure". The
following example shows how to create such a list, to protect the
programs in /bin:
# mtree -cx -p /bin -K sha256digest,type > /etc/mtree/bin.secure
# chown root:wheel /etc/mtree/bin.secure
# chmod 600 /etc/mtree/bin.secure
Note: These checks do not provide complete protection against Trojan
horse binaries, as the miscreant can modify the tree specification to
match the replaced binary. For details on really protecting yourself
against modified binaries, see mtree(8).
o Check for changes in files listed in /etc/changelist. Files being
created or deleted, as well as content change in the files
themselves, are reported. See changelist(5) for further details.
o Check for changes to the disklabels and partition tables of mounted
disks.
o Report on the installation or removal of any system package(5).
o Check hostname.if(5) file permissions.
The intent of the security script is to point out some obvious holes to
the system administrator.
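As an added illustration of the setuid/special-file checks above (not the security(8) script or mtree(8) itself), the following Python models what a ".secure" list does: it records each path's type and sha256 digest (the keywords the manual passes to mtree -K), stores the baseline with mode 0600 as the manual's chmod 600 does, and on a later run reports additions, removals and changed content. The spec is a JSON dict rather than real mtree(8) syntax, the sample tree and the file name bin.secure are constructed, and the mount-point filter approximates mtree's -x.

```python
"""Toy integrity baseline in the spirit of the mtree(8) ".secure" lists that
security(8) compares: record each path's type and sha256 digest, store the
result readable only by its owner, and on a later run report files added,
removed, or changed.  Added illustration, not security(8) or mtree(8); the
spec is a JSON dict, not real mtree(8) syntax."""
import hashlib
import json
import os
import stat
import tempfile


def sha256_of(path):
    """Digest a regular file in chunks (the "sha256digest" keyword)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_spec(root):
    """Walk root without crossing mount points (like mtree's -x) and map each
    relative path to its type and, for regular files, its sha256 digest."""
    spec = {}
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                kind, digest = "link", os.readlink(full)
            elif stat.S_ISDIR(st.st_mode):
                kind, digest = "dir", None
            elif stat.S_ISREG(st.st_mode):
                kind, digest = "file", sha256_of(full)
            else:
                kind, digest = "special", None
            spec[os.path.relpath(full, root)] = {"type": kind, "sha256digest": digest}
    return spec


def write_spec(spec, path):
    """Create the baseline with mode 0600, as the manual's chmod 600 does."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(spec, f, indent=1, sort_keys=True)


def read_spec(path):
    with open(path) as f:
        return json.load(f)


def compare_spec(baseline, current):
    """What security(8) would mail to root: paths added, removed, or whose
    type/digest differs from the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in set(baseline) & set(current)
                          if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a small tree, then replace one file,
    add one and delete one, and return what the comparison reports."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as keep:
        os.mkdir(os.path.join(root, "sub"))
        for rel, data in (("ls", b"#!/bin/sh\necho ls\n"),
                          ("cat", b"#!/bin/sh\ncat\n"),
                          ("sub/tool", b"tool\n")):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        specfile = os.path.join(keep, "bin.secure")  # constructed name
        write_spec(build_spec(root), specfile)
        # Simulate a replaced binary, an unexpected new file and a deletion.
        with open(os.path.join(root, "ls"), "wb") as f:
            f.write(b"#!/bin/sh\necho replaced\n")
        with open(os.path.join(root, "unexpected"), "wb") as f:
            f.write(b"new\n")
        os.remove(os.path.join(root, "sub", "tool"))
        return compare_spec(read_spec(specfile), build_spec(root))


if __name__ == "__main__":
    print(demo())
```

The manual's Note applies unchanged to this model: whoever can rewrite the baseline can make a replaced file pass, so the value of the check depends on the spec being stored where the same change cannot reach it, and mtree(8) describes what that takes.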
ENVIRONMENT
The following variables can be set in /etc/daily.local:
PASSWDSKIP
        A whitespace-separated list of name:shell pairs allowed to
        have empty passwords. For example, a machine running both
        CVS and gotd for anonymous access might set:

            PASSWDSKIP="anoncvs:/usr/local/bin/anoncvssh
                        anonymous:/usr/local/bin/gotsh"

SUIDSKIP
        A whitespace-separated list of absolute paths to be skipped
        in setuid/setgid file checks and in device special file
        checks. Avoid trailing slashes.
FILES
/etc/changelist
/etc/daily
/etc/mtree
/usr/libexec/security
/var/backups
SEE ALSO
changelist(5), daily(8), mtree(8)
HISTORY
A security shell script appeared in 4.3BSD-Reno, but most functionality
only came with 4.4BSD.
AUTHORS
The present manual was written by David Leonard for OpenBSD 2.9. Andrew
Fresh <[email protected]> and Ingo Schwarze <[email protected]>
rewrote security from scratch in perl(1) for OpenBSD 5.0.
BUGS
The name of this script may provide a false sense of security.
There are perhaps an infinite number of ways the system can be
compromised without this script noticing.
FreeBSD 14.1-RELEASE-p8 March 31, 2025 FreeBSD 14.1-RELEASE-p8