Diffstat (limited to 'share/man/man8')
-rw-r--r-- share/man/man8/Makefile | 4
-rw-r--r-- share/man/man8/security.8 | 99
2 files changed, 101 insertions, 2 deletions
diff --git a/share/man/man8/Makefile b/share/man/man8/Makefile
index d947fc0d3ea..e2e71f418af 100644
--- a/share/man/man8/Makefile
+++ b/share/man/man8/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.31 2000/11/09 03:57:33 deraadt Exp $
+# $OpenBSD: Makefile,v 1.32 2001/01/28 03:52:43 d Exp $
# $NetBSD: Makefile,v 1.13 1996/03/28 21:36:40 mark Exp $
# @(#)Makefile 8.1 (Berkeley) 6/5/93
@@ -6,7 +6,7 @@ MAN= afterboot.8 compat_bsdos.8 compat_freebsd.8 compat_ibcs2.8 \
compat_linux.8 compat_sunos.8 \
compat_svr4.8 compat_ultrix.8 crash.8 dhcp.8 diskless.8 intro.8 rc.8 \
rc.conf.8 rc.shutdown.8 ssl.8 sticky.8 update.8 yp.8 boot_config.8 \
- vpn.8 release.8
+ vpn.8 release.8 security.8
SUBDIR= man8.alpha man8.amiga man8.hp300 man8.i386 man8.mac68k man8.mvme68k \
man8.powerpc man8.sparc man8.sun3 man8.vax
diff --git a/share/man/man8/security.8 b/share/man/man8/security.8
new file mode 100644
index 00000000000..156cc8b7ca7
--- /dev/null
+++ b/share/man/man8/security.8
@@ -0,0 +1,99 @@
+.\" $OpenBSD: security.8,v 1.1 2001/01/28 03:52:44 d Exp $
+.Dd July 1, 2000
+.Dt SECURITY 8
+.Os
+.Sh NAME
+.Nm security
+.Nd periodic system security check
+.Sh SYNOPSIS
+.Nm /etc/security
+.Sh DESCRIPTION
+.Nm security
+is a command script that examines the system for some signs of security
+weaknesses.
+It is only a security aid and does not offer complete protection.
+The
+.Nm security
+script is normally run from the
+.Pa /etc/daily
+script, which sends mails to root on a daily basis.
+.Pp
+The
+.Nm security
+script carries out the following list of simple checks:
+.Bl -bullet
+.It
+Check the master
+.Xr passwd 5
+and
+.Xr group 5
+files for
+syntax, empty passwords, partially closed accounts,
+suspicious UIDs, GIDs and duplicate entries
+.It
+Check root's home directory and login environment for
+insecure permissions, suspicious paths and umask commands in the
+dotfiles
+.It
+Check that root and uucp are in
+.Pa /etc/ftpusers
+.It
+Check for suspicious commands in
+.Pa /etc/mail/aliases
+.It
+Check for insecurities in various trust files such as
+.Pa /etc/hosts.equiv , /etc/shosts.equiv ,
+and
+.Pa /etc/hosts.lpd
+.It
+Check user
+.Pa .rhosts , .shosts
+files for open access
+.It
+Check user home directory permissions
+.It
+Check many user dotfile permissions
+.It
+Check user mailbox permissions
+.It
+Check NFS
+.Xr exports 5
+file for global export entries
+.It
+Check for changes in setuid/setgid files and devices
+.It
+Check disk ownership and permissions
+.It
+Check for changes in the device file list
+.It
+Check for permssion changes in special files and system binaries listed in
+.Pa /etc/mtree/special
+and
+.Pa "/etc/mtree/*.secure" .
+.Sy Note:
+This is not complete protection against Trojan horsed binaries, as
+the miscreant can modify the tree specification to match the replaced binary.
+For details on really protecting yourself against modified binaries, see
+.Xr mtree 8 .
+.It
+Check for content changes in those files specified by
+.Pa /etc/changelist
+.El
+.Pp
+The intent of the
+.Nm security
+script is to point out some obvious holes to the system administrator.
+.Sh BUGS
+The name of this script may provide a false sense of
+.Nm security .
+.\" Well, I thought it was amusing.
+.Pp
+There are perhaps an infinite number of ways the system can be compromised
+without this script noticing.
+.Sh FILES
+.Pa /etc/daily ,
+.Pa /etc/mtree ,
+.Pa /etc/changelist ,
+.Pa /var/backups
+.Sh SEE ALSO
+.Xr mtree 8
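Review bot: typo in the /etc/mtree/special list item: "permssion" should be "permission". Two further points on the same file. First, .Sh BUGS is placed before .Sh FILES and .Sh SEE ALSO; mdoc convention puts BUGS last, so move it after SEE ALSO. Second, FILES lists /var/backups, but DESCRIPTION never says what the script keeps there. The "Check for changes in setuid/setgid files and devices" and /etc/changelist items both imply a stored baseline, and the note on the mtree item already warns that a modified specification defeats the comparison. A sentence saying where the baselines live and who can write to them would let the reader judge how far to trust a clean report. Minor: the mtree item ends with a period while the other list items do not, and "Trojan horsed binaries" reads better as "trojaned binaries" or "Trojan horse binaries".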