File: checksecurity.8 (Debian package cron 3.0pl1-57.3, suite potato)
.\" -*- nroff -*-
.TH CHECKSECURITY 8 "2 February 1997" "Debian Linux"
.SH NAME
checksecurity \- check for changes to setuid programs
.SH SYNOPSIS
.B checksecurity
.SH DESCRIPTION
The
.B checksecurity
command scans the mounted file systems (subject to the filter defined
in /etc/checksecurity.conf) and compares the list of setuid programs to the
list created on the previous run. Any changes are printed to standard
output. It also reports
.I nfs
and
.I afs
file systems that are mounted insecurely, i.e. that lack the
.I nodev
option, or that have neither the
.I noexec
nor the
.I nosuid
option.
.PP
.B checksecurity
is run by
.B cron
on a daily basis, and its output is stored in /var/log/setuid.changes.
.SH CONFIGURATION
The
.B checksecurity.conf
file defines four configuration variables:
.BR CHECKSECURITY_FILTER ,
.BR CHECKSECURITY_NOFINDERRORS ,
.BR CHECKSECURITY_DISABLE ,
and
.BR CHECKSECURITY_NONFSAFS .
.PP
The
.B CHECKSECURITY_FILTER
variable is passed as the pattern argument of 'grep -vE' applied to
the output of the
.B mount
command. In other words, the value of
.B CHECKSECURITY_FILTER
is an extended regular expression, and every mount line that matches it
is dropped from the list of file systems to be scanned. The default value
removes all file systems of type
.I proc, msdos, iso9660, ncpfs, nfs, afs,
and
.IR smbfs ,
anything mounted on /dev/fd*, and anything mounted
on /mnt or /amd.
.PP
The
.B checksecurity.conf
file is sourced by
.BR checksecurity ,
so you could do some fairly tricky things to define
.BR CHECKSECURITY_FILTER .
Note that this also means that everything in the file is executed with
the privileges of the daily cron job, so the file should be writable by
root only.
.PP
The
.B CHECKSECURITY_NOFINDERRORS
environment variable, if set to the literal "TRUE", suppresses the error
messages of the
.B find
command run by checksecurity (actually, it redirects them to
.BR /dev/null ).
.PP
The
.B CHECKSECURITY_DISABLE  
environment variable, if set to the literal "TRUE", disables
checksecurity entirely, as a sop to those who think it's safe to allow
random mounting of NFS and AFS disks without the nosuid or noexec flags.
.PP
The
.B CHECKSECURITY_NONFSAFS
environment variable, if set to the literal "TRUE", disables the message about
.I nfs
and
.I afs
file systems that are mounted without the
.I nodev
option, or with neither the
.I noexec
nor the
.I nosuid
option.
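.PP
The following shell script is an added example and is not the cron package's
own checksecurity script. It reproduces on constructed input the three steps
described above: it applies an assumed CHECKSECURITY_FILTER (modelled on the
documented default, not copied from the real configuration file) with
'grep -vE' to constructed mount output, flags nfs and afs mounts that lack
nodev or have neither noexec nor nosuid, and compares a setuid file list with
the one saved by the previous run.

```shell
#!/bin/sh
# Added example, not the cron package's checksecurity script itself.
# It reproduces on constructed input the three things the man page
# describes: applying CHECKSECURITY_FILTER with 'grep -vE' to mount(8)
# output, flagging nfs/afs mounts that lack nodev or have neither noexec
# nor nosuid, and comparing today's setuid list with the previous one.
# The mount lines and the filter regex are constructed/assumed for this
# example; they are not taken from a real system or from the package.

# Constructed mount(8) output ("device on mountpoint type fstype (options)").
MOUNT_OUTPUT='/dev/hda1 on / type ext2 (rw)
proc on /proc type proc (rw)
/dev/hda3 on /usr type ext2 (rw)
fileserver:/export/home on /home type nfs (rw,nodev,nosuid)
fileserver:/export/src on /usr/src type nfs (rw,nodev)
afs on /afs type afs (rw,noexec)
/dev/hdc on /mnt/cdrom type iso9660 (ro)
/dev/fd0 on /floppy type msdos (rw)'

# Assumed filter, modelled on the default described in the man page:
# drop the listed file system types, /dev/fd* devices and /mnt, /amd.
CHECKSECURITY_FILTER='type (proc|msdos|iso9660|ncpfs|nfs|afs|smbfs) |^/dev/fd|on /(mnt|amd)( |/)'

# Mount points that survive the filter, i.e. the ones that get scanned.
filtered_mounts() {
    printf '%s\n' "$MOUNT_OUTPUT" | grep -vE "$CHECKSECURITY_FILTER" \
        | awk '{ print $3 }'
}

# nfs/afs mount points whose options do not include nodev together
# with at least one of noexec or nosuid.
insecure_remote_mounts() {
    printf '%s\n' "$MOUNT_OUTPUT" | awk '
        $5 == "nfs" || $5 == "afs" {
            # strip the surrounding parentheses and pad with commas so
            # that ",opt," matches whole option names only
            opts = "," substr($6, 2, length($6) - 2) ","
            nodev  = index(opts, ",nodev,")  > 0
            noexec = index(opts, ",noexec,") > 0
            nosuid = index(opts, ",nosuid,") > 0
            if (!(nodev && (noexec || nosuid))) print $3
        }'
}

# Sorted list of setuid files below the given directories (the real
# script walks the filtered mount points instead of fixed arguments).
setuid_list() {
    find "$@" -type f -perm -4000 2>/dev/null | sort
}

# Lines added (>) to or removed (<) from the setuid list since the
# previous run, given the two saved list files (yesterday, today).
setuid_changes() {
    diff "$1" "$2" | grep -E '^[<>]' || true
}

# Stand-alone run: a setuid file appears in a temporary tree between runs.
demo() {
    tmp=$(mktemp -d) || exit 1
    mkdir "$tmp/bin"
    : > "$tmp/bin/passwd"; : > "$tmp/bin/backdoor"
    chmod 4755 "$tmp/bin/passwd"
    setuid_list "$tmp/bin" > "$tmp/setuid.yesterday"
    chmod 4755 "$tmp/bin/backdoor"      # a new setuid file shows up
    setuid_list "$tmp/bin" > "$tmp/setuid.today"
    echo "file systems scanned:"; filtered_mounts
    echo "insecure nfs/afs mounts:"; insecure_remote_mounts
    echo "setuid changes:"; setuid_changes "$tmp/setuid.yesterday" "$tmp/setuid.today"
    rm -rf "$tmp"
}

case "${1:-}" in
    --demo) demo ;;
esac
```

Run the script with --demo to see all three reports; on the constructed input
only / and /usr are scanned, /usr/src (nodev but neither noexec nor nosuid)
and /afs (no nodev) are flagged, and the newly setuid file is reported with a
leading '>' as diff prints it. The real script keeps its lists in
/var/log/setuid.today and /var/log/setuid.yesterday; here the two list files
are passed as arguments.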
.SH FILES
.TP
.I /etc/checksecurity.conf
checksecurity configuration file
.TP
.I /var/log/setuid.today
setuid files from the most recent run
.TP
.I /var/log/setuid.yesterday
setuid files from the previous run
.TP
.I /var/log/setuid.changes
output of the daily run started by cron