The
security.conf file specifies which of the standard
/etc/security services are performed. The
/etc/security script is run, by default, every night from
/etc/daily, on a
NetBSD system, if configured do to so from
/etc/daily.conf.
The variables described below can be set to "NO" to disable the test:
check_passwd
This checks the /etc/master.passwd file for inconsistencies.
check_group
This checks the /etc/group file for inconsistencies.
check_rootdotfiles
This checks the root users startup files for sane settings of $PATH and umask. This test is not fail safe and any warning generated from this should be checked for correctness.
check_ftpusers
This checks that the correct users are in the /etc/ftpusers file.
check_aliases
This checks for security problems in the /etc/mail/aliases file. For backward compatibility, /etc/aliases will be checked as well if exists.
check_rhosts
This checks for system and user rhosts files with "+" in them.
check_homes
This checks that home directories are owned by the correct user, and have appropriate permissions.
check_varmail
This checks that the correct user owns mail in /var/mail, and that the mail box has the right permissions.
check_nfs
This checks that the /etc/exports file does not export filesystems to the world.
check_devices
This checks for changes to devices and setuid files.
check_mtree
This runs
mtree(8) to ensure that the system is installed correctly. The following configuration files are checked:
/etc/mtree/special
Default files to check.
/etc/mtree/special.local
Local site additions and overrides.
/etc/mtree/DIR.secure
Specification for the directory DIR.
check_disklabels
Backup text copies of the disklabels of available disk drives into
/var/backups/work/disklabel.XXX, and display any differences in those and the previous copies as per
check_changelist below. If
fdisk(8) is available on the current platform, the output of
/sbin/fdisk for each available disk drive is stored in
/var/backups/work/fdisk.XXX, and any differences displayed as per the disklabels.
check_pkgs
This stores a list of all installed pkgs into /var/backups/work/pkgs and checks it for any changes.
check_changelist
This determines a list of files from the contents of
/etc/changelist, and the output of
mtree -D for
/etc/mtree/special and
/etc/mtree/special.local. For each file in the list it compares the files with their backups in
/var/backups/file.current and
/var/backups/file.backup, and displays any differences found. The following
mtree(8) tags modify how files are determined from
/etc/mtree/special and
/etc/mtree/special.local:
exclude
The entry is ignored; no backups are made and the differences are not displayed. This includes dynamic or binary files such as /var/run/utmp.
nodiff
The entry is backed up but the differences are not displayed because the contents of the file are sensitive. This includes files such as /etc/master.passwd.
check_pkg_vulnerabilities
Checks the currently installed packages against a database of known vulnerabilities and reports those that are vulnerable. Check the
fetch_pkg_vulnerabilities setting in
daily.conf(5) to keep the database up to date.
check_pkg_signatures
Checks the digital signature of all files installed by packages against the expected values stored in the packages database.
The variables described below can be set to modify the tests:
check_homes_permit_usergroups
During the check_homes phase, allow the checked files to be group-writable if the group name is the same as the username.
check_devices_ignore_fstypes
Lists filesystem types to ignore during the check_devices phase. Prefixing the type with a ‘!' inverts the match. For example, ‘procfs !local' will ignore ‘procfs' type filesystems and filesystems that are not ‘local'.
check_devices_ignore_paths
Lists pathnames to ignore during the check_devices phase. Prefixing the path with a ‘!' inverts the match. For example, ‘/tftp' will ignore paths under /tftp while ‘!/home' will ignore paths that are not under /home.
check_mtree_follow_symlinks
During the check_mtree phase, instruct mtree to follow symbolic links. Please note, this may cause the check_mtree phase to report errors for entries for these symbolic links (i.e. of type=link in the mtree specification) as they will always appear to be plain files for the purposes of the check. /etc/mtree/special.local may be used to override the checks for the affected links.
check_passwd_nowarn_shells
If check_passwd is enabled, most warnings will be suppressed for entries whose shells are listed in this space-separated list. This is of particular value when those shells are not in /etc/shells.
check_passwd_nowarn_users
If check_passwd is enabled, suppress warnings for these users.
check_passwd_permit_nonalpha
If check_passwd is enabled, do not warn about login names which use non-alphanumeric characters.
check_passwd_permit_star
If check_passwd is enabled, do not warn about password fields set to “*”. Note that the use of password fields such as “*ssh” is encouraged, instead.
max_grouplen
If check_group is enabled, this determines the maximum permitted length of group names.
max_loginlen
If check_passwd is enabled, this determines the maximum permitted length of login names.
backup_dir
Change the backup directory from /var/backup.
diff_options
Specify the options passed to
diff(1) when it is invoked to show changes made to system files. Defaults to “-u”, for unified-format context-diffs.
pkgdb_dir
DEPRECATED. Please set
PKGDB_DIR in
pkg_install.conf(5) instead.
If defined, points to the location of the packages database. Defaults to
/var/db/pkg.
backup_uses_rcs
Use
rcs(1) for maintaining backup copies of files noted in
check_devices,
check_disklabels,
check_pkgs, and
check_changelist instead of just keeping a current copy and a backup copy.