1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
|
#
# This is the check-setuid script configuration file contained
# in the checksecurity package.
#
# These configuration variables may be set:
#
# CHECKSECURITY_FILTER
# CHECKSECURITY_NOFINDERRORS
# CHECKSECURITY_NONFSAFS
# CHECKSECURITY_DEVICEFILTER
# CHECKSECURITY_PATHFILTER
# LOGDIR
#
# Each is described in its own section below -- search for ####
# as a section divider.
#
####
#
# The CHECKSECURITY_FILTER variable is used as an argument to
# "grep -vE" to filter lines from the output of the "mount" command.
#
# The default is not check the following file systems:
#
# type proc
# type bind
# type msdos
# type iso9660
# type ncpfs
# type smbfs
# type nfs
# type afs
# type auto (They'll typically be picked up on the nfs branch)
# type ntfs
# type coda (similar to afs)
# type usbdevfs
# type none (--bind mounts)
# type fuse
#
# floppies (i.e. /dev/fd<whatever>)
# anything on /mnt or /amd
#
# Note that behaviour for nfs/afs has changed as of release -45. We
# no longer run find across nfs/afs disks; instead we simply report
# afs/nfs disks that are mounted insecurely (without -onosuid|noexec,nodev).
# You can disable this report by going setting the CHECKSECURITY_NONFSAFS
# variable below.
#
# Use temp variables to build up CHECKSECURITY_FILTER, to make it
# a little more readable.
#
CS_NFSAFS='(type (nfs|afs|coda|mfs|nnpfs)|^(arla .* type xfs))'
# Uncomment the next line to get the old behaviour.
#CS_NFSAFS='(nfs|afs) \(.*(nosuid|noexec).*nodev.*\)'
#
CS_TYPES='( type (auto|proc|sysfs|bind|msdos|fat|vfat|iso9660|usbdevfs|ncpfs|smbfs|cifs|ntfs|devpts|binfmt_misc|shfs|lufs|none|fuse))|'$CS_NFSAFS
#
CS_OPTS='\(.*(nosuid|noexec).*\)'
#
CS_DEVS='^/dev/fd'
#
# Do not traverse /mnt (external mounts) or /vicep (AFS fileserver mounts)
#
CS_DIRS='on (/mnt|/vicep)'
#
CHECKSECURITY_FILTER="$CS_TYPES|$CS_OPTS|$CS_DEVS|$CS_DIRS"
#
# Note: You can also disable the check-setuid check entirely if
#
# CHECKSECURITY_PATHFILTER="-path /*"
#
# Clear the temporary variables.
#
unset CS_NFSAFS CS_TYPES CS_DIRS CS_OPTS
#
####
#
# The CHECKSECURITY_NOFINDERRORS, if set to "TRUE" (case sensitive),
# redirects any errors from the find command used in checksecurity
# to /dev/null.
#
CHECKSECURITY_NOFINDERRORS="FALSE"
####
#
# The CHECKSECURITY_NONFSAFS, if set to "TRUE" (case sensitive),
# disables the message about insecurely mounted nfs/afs disks.
#
CHECKSECURITY_NONFSAFS="FALSE"
####
#
# The CHECKSECURITY_DEVICEFILTER lets you tell find not to report
# devices in those directories (if you choose the daily Emails,
# devices like /dev/pts/?, /dev/tty?, or /dev/urandom will change
# often and clutter your mailbox) Note that these directories are
# still searched for suid executables. Also note that *something* must
# be defined, which is why the default is "-false".
# Examples:
#CHECKSECURITY_DEVICEFILTER="-path /dev/*"
#CHECKSECURITY_DEVICEFILTER="-path /dev/* -o -path /home/ftp/dev/*"
CHECKSECURITY_DEVICEFILTER="-false"
####
# The CHECKSECURITY_PATHFILTER variable lets you set a pattern of
# pathnames that you don't want to check at all. You hopefully know
# what you're doing if you do this :-).
# Example:
# CHECKSECURITY_PATHFILTER="-path /dev/rd* -o -path /var/home/ftp*"
CHECKSECURITY_PATHFILTER="-false"
####
#
# Location of setuid file databases.
#
LOGDIR=/var/log/setuid
|
