version 1, including all changes.
.
| Rev |
Author |
# |
Line |
| 1 |
perry |
1 |
CHECKSECURITY |
| |
|
2 |
!!!CHECKSECURITY |
| |
|
3 |
NAME |
| |
|
4 |
SYNOPSIS |
| |
|
5 |
DESCRIPTION |
| |
|
6 |
CONFIGURATION |
| |
|
7 |
FILES |
| |
|
8 |
---- |
| |
|
9 |
!!NAME |
| |
|
10 |
|
| |
|
11 |
|
| |
|
12 |
checksecurity - check for changes to setuid programs |
| |
|
13 |
!!SYNOPSIS |
| |
|
14 |
|
| |
|
15 |
|
| |
|
16 |
__checksecurity__ |
| |
|
17 |
!!DESCRIPTION |
| |
|
18 |
|
| |
|
19 |
|
| |
|
20 |
The __checksecurity__ command scans the mounted files |
| |
|
21 |
systems (subject to the filter defined in |
| |
|
22 |
/etc/checksecurity.conf) and compares the list of setuid |
| |
|
23 |
programs to the list created on the previous run. Any |
| |
|
24 |
changes are printed to standard output. Also, it generates a |
| |
|
25 |
list of ''nfs'' and ''afs'' filesystems that are |
| |
|
26 |
mounted insecurely (i.e. they are missing the ''nodev'' |
| |
|
27 |
and either the ''noexec'' or ''nosuid'' |
| |
|
28 |
flags). |
| |
|
29 |
|
| |
|
30 |
|
| |
|
31 |
__checksecurity__ is run by __cron__ on a daily basis, |
| |
|
32 |
and the output stored in |
| |
|
33 |
/var/log/setuid.changes. |
| |
|
34 |
!!CONFIGURATION |
| |
|
35 |
|
| |
|
36 |
|
| |
|
37 |
The __checksecurity.conf__ file defines several |
| |
|
38 |
configuration variables: __CHECKSECURITY_FILTER__, |
| |
|
39 |
__CHECKSECURITY_NOFINDERRORS__, |
| |
|
40 |
__CHECKSECURITY_DISABLE__, __CHECKSECURITY_NONFSAFS__, |
| |
|
41 |
__CHECKSECURITY_EMAIL__, |
| |
|
42 |
__CHECKSECURITY_DEVICEFILTER__, |
| |
|
43 |
__CHECKSECURITY_PATHFILTER__, and __LOGDIR__. Each is |
| |
|
44 |
described below. |
| |
|
45 |
|
| |
|
46 |
|
| |
|
47 |
The __CHECKSECURITY_FILTER__ environment variable which |
| |
|
48 |
is the argument of 'grep -vE' applied to the output of the |
| |
|
49 |
__mount__ command. In other words, the value of |
| |
|
50 |
__CHECKSECURITY_FILTER__ is a regular expression that |
| |
|
51 |
removes matching lines from those file systems that will be |
| |
|
52 |
scanned. The default value removes all file systems of type |
| |
|
53 |
''proc, msdos, iso9660, ncpfs, nfs, afs, smbfs, auto, ntfs, |
| |
|
54 |
coda'' file systems, anything mounted on /dev/fd*, |
| |
|
55 |
anything mounted on /mnt or /amd, and anything mounted with |
| |
|
56 |
option nosuid or noexec. |
| |
|
57 |
|
| |
|
58 |
|
| |
|
59 |
The __checksecurity.conf__ file is sourced from |
| |
|
60 |
__checksecurity,__ so you could do some fairly tricky |
| |
|
61 |
things to define __CHECKSECURITY_FILTER__. |
| |
|
62 |
|
| |
|
63 |
|
| |
|
64 |
The __CHECKSECURITY_NOFINDERRORS__ environment variable, |
| |
|
65 |
if set to the literal |
| |
|
66 |
__/dev/null__ ). |
| |
|
67 |
|
| |
|
68 |
|
| |
|
69 |
The __CHECKSECURITY_DISABLE__ environment variable, if |
| |
|
70 |
set to the literal |
| |
|
71 |
__ |
| |
|
72 |
|
| |
|
73 |
|
| |
|
74 |
The __CHECKSECURITY_NONFSAFS__ environment variable, if |
| |
|
75 |
set to the literal |
| |
|
76 |
__nfs'' and ''afs'' file systems that are |
| |
|
77 |
mounted without the ''nodev'' and either the |
| |
|
78 |
''noexec'' or ''nosuid'' options. |
| |
|
79 |
|
| |
|
80 |
|
| |
|
81 |
If set, the __CHECKSECURITY_EMAIL__ variable defines who |
| |
|
82 |
is sent a copy of the setuid.changes file. |
| |
|
83 |
|
| |
|
84 |
|
| |
|
85 |
The __CHECKSECURITY_DEVICEFILTER__ variable specifies a |
| |
|
86 |
__find__ clause for which matching block and character |
| |
|
87 |
device files will not be monitored for changing owners and |
| |
|
88 |
permissions. For example, if you didn't want to check for |
| |
|
89 |
permission changes on tty device files beneath /dev, you |
| |
|
90 |
could set the following: |
| |
|
91 |
|
| |
|
92 |
|
| |
|
93 |
CHECKSECURITY_DEVICEFILTER='-path /dev/tty*' |
| |
|
94 |
|
| |
|
95 |
|
| |
|
96 |
Note that any added or modified suid programs under that |
| |
|
97 |
path would still be detected. If you want to specify |
| |
|
98 |
multiple expressions, separate them with '-o', but there is |
| |
|
99 |
no need to surround the whole clause with parentheses. To |
| |
|
100 |
disable this filter, specify it as |
| |
|
101 |
|
| |
|
102 |
|
| |
|
103 |
The __CHECKSECURITY_PATHFILTER__ variable specifies a |
| |
|
104 |
__find__ clause which will be pruned from the search |
| |
|
105 |
path. __This means that the entire subtree will be |
| |
|
106 |
completely skipped.__ Thus, specifying |
| |
|
107 |
|
| |
|
108 |
|
| |
|
109 |
CHECKSECURITY_PATHFILTER='-path /var/ftp' |
| |
|
110 |
|
| |
|
111 |
|
| |
|
112 |
then the entire /var/ftp tree will be skipped. To disable |
| |
|
113 |
this filter, specify it as '-false' (which is the |
| |
|
114 |
default). |
| |
|
115 |
|
| |
|
116 |
|
| |
|
117 |
__LOGDIR__ sets the name of the directory which stores |
| |
|
118 |
the files which track the permission and ownership changes. |
| |
|
119 |
By default, they are in __/var/log__. |
| |
|
120 |
!!FILES |
| |
|
121 |
|
| |
|
122 |
|
| |
|
123 |
''/etc/checksecurity.conf'' |
| |
|
124 |
|
| |
|
125 |
|
| |
|
126 |
checksecurity configuration file |
| |
|
127 |
|
| |
|
128 |
|
| |
|
129 |
''/var/log/setuid.today'' |
| |
|
130 |
|
| |
|
131 |
|
| |
|
132 |
setuid files from the most recent run |
| |
|
133 |
|
| |
|
134 |
|
| |
|
135 |
''/var/log/setuid.yesterday'' |
| |
|
136 |
|
| |
|
137 |
|
| |
|
138 |
setuid files from the previous run |
| |
|
139 |
---- |
