DESCRIPTION
The security.conf file specifies which of the standard /etc/security services are performed. The /etc/security script is run, by default, every night from /etc/daily on a NetBSD system, if configured to do so from /etc/daily.conf.

The variables described below can be set to "NO" to disable the test:

check_passwd
    This checks the /etc/master.passwd file for inconsistencies.

check_group
    This checks the /etc/group file for inconsistencies.

check_rootdotfiles
    This checks the root user's startup files for sane settings of $PATH and umask. This test is not fail-safe, and any warning generated from it should be checked for correctness.

check_ftpusers
    This checks that the correct users are in the /etc/ftpusers file.

check_aliases
    This checks for security problems in the /etc/mail/aliases file. For backward compatibility, /etc/aliases will be checked as well if it exists.

check_rhosts
    This checks for system and user rhosts files with "+" in them.

check_homes
    This checks that home directories are owned by the correct user and have appropriate permissions.

check_varmail
    This checks that the correct user owns mail in /var/mail, and that the mailbox has the right permissions.

check_nfs
    This checks that the /etc/exports file does not export filesystems to the world.

check_devices
    This checks for changes to devices and setuid files.

check_mtree
    This runs mtree(8) to ensure that the system is installed correctly. The following configuration files are checked:

    /etc/mtree/special
        Default files to check.

    /etc/mtree/special.local
        Local site additions and overrides.

    /etc/mtree/DIR.secure
        Specification for the directory DIR.

check_disklabels
    Backup text copies of the disklabels of available disk drives into /var/backups/work/disklabel.XXX, and display any differences between those and the previous copies as per check_changelist below. If fdisk(8) is available on the current platform, the output of /sbin/fdisk for each available disk drive is stored in /var/backups/work/fdisk.XXX, and any differences are displayed as for the disklabels.

check_pkgs
    This stores a list of all installed packages into /var/backups/work/pkgs and checks it for any changes.

check_changelist
    This determines a list of files from the contents of /etc/changelist, and from the output of mtree -D for /etc/mtree/special and /etc/mtree/special.local. For each file in the list it compares the file with its backups in /var/backups/file.current and /var/backups/file.backup, and displays any differences found. The following mtree(8) tags modify how files are determined from /etc/mtree/special and /etc/mtree/special.local:

    exclude
        The entry is ignored; no backups are made and the differences are not displayed. This is intended for dynamic or binary files such as /var/run/utmp.

    nodiff
        The entry is backed up but the differences are not displayed, because the contents of the file are sensitive. This is intended for files such as /etc/master.passwd.

check_pkg_vulnerabilities
    Checks the currently installed packages against a database of known vulnerabilities and reports those that are vulnerable. Check the fetch_pkg_vulnerabilities setting in daily.conf(5) to keep the database up to date.

check_pkg_signatures
    Checks the digital signature of all files installed by packages against the expected values stored in the packages database.

The variables described below can be set to modify the tests:

check_homes_permit_usergroups
    During the check_homes phase, allow the checked files to be group-writable if the group name is the same as the username.

check_homes_permit_other_owner
    During the check_homes phase, allow the home directory and files of the listed users to be owned by a different user.

check_devices_ignore_fstypes
    Lists filesystem types to ignore during the check_devices phase. Prefixing the type with a '!' inverts the match. For example, 'procfs !local' will ignore 'procfs' type filesystems and filesystems that are not 'local'.

check_devices_ignore_paths
    Lists pathnames to ignore during the check_devices phase. Prefixing the path with a '!' inverts the match. For example, '/tftp' will ignore paths under /tftp, while '!/home' will ignore paths that are not under /home.

check_mtree_follow_symlinks
    During the check_mtree phase, instruct mtree to follow symbolic links. Please note that this may cause the check_mtree phase to report errors for entries for these symbolic links (i.e. of type=link in the mtree specification), as they will always appear to be plain files for the purposes of the check. /etc/mtree/special.local may be used to override the checks for the affected links.

check_passwd_nowarn_shells
    If check_passwd is enabled, most warnings will be suppressed for entries whose shells are listed in this space-separated list. This is of particular value when those shells are not in /etc/shells.

check_passwd_nowarn_users
    If check_passwd is enabled, suppress warnings for these users.

check_passwd_permit_dups
    If check_passwd is enabled, do not warn about duplicate uids for the listed login names.

check_passwd_permit_nonalpha
    If check_passwd is enabled, do not warn about login names which use non-alphanumeric characters.

check_passwd_permit_star
    If check_passwd is enabled, do not warn about password fields set to "*". Note that the use of password fields such as "*ssh" is encouraged instead.

max_grouplen
    If check_group is enabled, this determines the maximum permitted length of group names.

max_loginlen
    If check_passwd is enabled, this determines the maximum permitted length of login names.

backup_dir
    Change the backup directory from /var/backup.

diff_options
    Specify the options passed to diff(1) when it is invoked to show changes made to system files. Defaults to "-u", for unified-format context diffs.

pkgdb_dir
    DEPRECATED. Please set PKGDB_DIR in pkg_install.conf(5) instead.
    If defined, points to the location of the packages database. Defaults to /var/db/pkg.

backup_uses_rcs
    Use rcs(1) for maintaining backup copies of files noted in check_devices, check_disklabels, check_pkgs, and check_changelist, instead of just keeping a current copy and a backup copy.
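As an added example (not from the NetBSD manual or from /etc/security itself), a constructed security.conf fragment using the settings above, together with a small sh reimplementation of the documented '!'-inversion rule for the two check_devices ignore lists, so the effect of a setting can be tried before the nightly run. Treating 'local' as the mount flag rather than as a filesystem type, and the git-shell path, are assumptions.

```shell
#!/bin/sh
# Constructed /etc/security.conf fragment. The file is sourced by
# /etc/security as sh, so entries are plain variable assignments;
# only "NO" disables a test.
check_devices=YES
check_devices_ignore_fstypes="procfs kernfs !local"   # skip pseudo and non-local fs
check_devices_ignore_paths="/tftp"                    # skip the tftp tree
check_passwd_permit_star=NO                           # prefer "*ssh"-style fields
check_passwd_nowarn_shells="/usr/pkg/bin/git-shell"   # assumed path, not in /etc/shells

# devices_ignored FSTYPE LOCALFLAG
#   FSTYPE    filesystem type as shown by mount(8), e.g. ffs, nfs, procfs
#   LOCALFLAG "local" for a locally attached filesystem, "" otherwise
# Returns 0 if check_devices should skip the filesystem under
# $check_devices_ignore_fstypes, 1 if it should be scanned. A leading
# '!' inverts the match; 'local' is compared against LOCALFLAG (assumption).
devices_ignored() {
    fstype=$1 localflag=$2
    for pat in $check_devices_ignore_fstypes; do
        case $pat in
        '!local') [ "$localflag" != local ] && return 0 ;;
        '!'*)     [ "$fstype" != "${pat#!}" ] && return 0 ;;
        local)    [ "$localflag" = local ] && return 0 ;;
        *)        [ "$fstype" = "$pat" ] && return 0 ;;
        esac
    done
    return 1
}

# path_ignored PATH
# Same rule for $check_devices_ignore_paths: an entry matches the path
# itself and everything below it; a leading '!' ignores paths NOT below it.
path_ignored() {
    p=$1
    for pat in $check_devices_ignore_paths; do
        case $pat in
        '!'*) case $p in "${pat#!}"|"${pat#!}"/*) ;; *) return 0 ;; esac ;;
        *)    case $p in "$pat"|"$pat"/*) return 0 ;; esac ;;
        esac
    done
    return 1
}
```

With the fragment above, /proc (procfs) and an NFS mount are skipped while the root ffs filesystem is still scanned, and /tftp/boot is skipped while /home/alice is not.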