CHECKSECURITY(8)

NAME

       checksecurity - check for changes to setuid programs

SYNOPSIS

       checksecurity

DESCRIPTION

       The checksecurity command scans the mounted file systems (subject to
       the filter defined in /etc/checksecurity.conf) and compares the list of
       setuid programs to the list created on the previous run. Any changes
       are printed to standard output. It also generates a list of nfs and
       afs file systems that are mounted insecurely (i.e. they are missing the
       nodev flag and either the noexec or nosuid flag).

       checksecurity is run by cron on a daily basis, and the output stored in
       /var/log/setuid.changes.

CONFIGURATION

       The checksecurity.conf file defines several configuration variables:
       CHECKSECURITY_FILTER, CHECKSECURITY_NOFINDERRORS, CHECKSECURITY_DISABLE,
       CHECKSECURITY_NONFSAFS, CHECKSECURITY_EMAIL, CHECKSECURITY_DEVICEFILTER,
       CHECKSECURITY_PATHFILTER, and LOGDIR. Each is described below.

       The CHECKSECURITY_FILTER environment variable is the argument of
       'grep -vE' applied to the output of the mount command. In other words,
       the value of CHECKSECURITY_FILTER is a regular expression that removes
       matching lines from the list of file systems that will be scanned. The
       default value removes all file systems of type proc, msdos, iso9660,
       ncpfs, nfs, afs, smbfs, auto, ntfs, and coda, anything mounted on
       /dev/fd*, anything mounted on /mnt or /amd, and anything mounted
       with option nosuid or noexec.

       The checksecurity.conf file is sourced by checksecurity, so you could
       do some fairly tricky things to define CHECKSECURITY_FILTER.

       The CHECKSECURITY_NOFINDERRORS environment variable, if set to the
       literal "TRUE", disables find errors from checksecurity (actually, it
       reroutes them to /dev/null).

       The  CHECKSECURITY_DISABLE  environment variable, if set to the literal
       "TRUE", disables checksecurity entirely, as a sop to  those  who  think
       it's  safe  to  allow  random mounting of NFS and AFS disks without the
       nosuid or noexec flags.

       The CHECKSECURITY_NONFSAFS environment variable, if set to the literal
       "TRUE", disables the message about nfs and afs file systems that are
       mounted without the nodev and either the noexec or nosuid options.
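The two mount-related steps described above (filtering mount output with CHECKSECURITY_FILTER as the argument of 'grep -vE', and deriving the insecure nfs/afs message that CHECKSECURITY_NONFSAFS silences) written out as POSIX sh functions. This is an added example, not the checksecurity script or its shipped configuration: the mount lines in SAMPLE_MOUNTS are constructed for the example, the regular expression is written in the spirit of the documented default rather than copied from /etc/checksecurity.conf, and the function names filter_mounts, scan_targets, insecure_netfs and report_netfs are this example's own.

```shell
#!/bin/sh
# Added example, not part of checksecurity: how CHECKSECURITY_FILTER is
# applied (as the argument of 'grep -vE' on mount output) and how the
# "insecurely mounted nfs/afs" message is derived from the mount options.

# Constructed sample of mount(8) output; not taken from any real system.
SAMPLE_MOUNTS='/dev/sda1 on / type ext4 (rw,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec)
/dev/sdb1 on /home type ext4 (rw,nosuid)
nas:/export/home on /mnt/nas type nfs (rw,nodev,nosuid)
nas:/export/pub on /srv/pub type nfs (rw)
afs on /afs type afs (rw,nodev)
/dev/cdrom on /media/cdrom type iso9660 (ro)'

# Written in the spirit of the documented default filter (assumption, not the
# shipped value): lines matching this ERE are NOT scanned for setuid files.
CHECKSECURITY_FILTER='type (proc|msdos|iso9660|ncpfs|nfs|afs|smbfs|auto|ntfs|coda) | on /dev/fd| on /(mnt|amd)[/ ]|nosuid|noexec'

# filter_mounts: read mount output on stdin, print the lines that survive.
filter_mounts() {
    grep -vE "$CHECKSECURITY_FILTER"
}

# scan_targets: the mount points that would be handed to find(1).
scan_targets() {
    printf '%s\n' "$SAMPLE_MOUNTS" | filter_mounts | awk '{ print $3 }'
}

# insecure_netfs: read mount output on stdin, print nfs/afs mounts that lack
# nodev, or lack both noexec and nosuid (the man page's definition).
insecure_netfs() {
    grep -E ' type (nfs|afs) ' | while IFS= read -r line; do
        # the option list is the text inside the trailing parentheses
        opts=$(printf '%s\n' "$line" | sed 's/.*(\(.*\))$/\1/')
        nodev=0; noexec_or_nosuid=0
        case ",$opts," in *,nodev,*) nodev=1 ;; esac
        case ",$opts," in *,noexec,*|*,nosuid,*) noexec_or_nosuid=1 ;; esac
        if [ "$nodev" -eq 0 ] || [ "$noexec_or_nosuid" -eq 0 ]; then
            printf '%s\n' "$line"
        fi
    done
}

# report_netfs: the daily message, silenced when CHECKSECURITY_NONFSAFS is
# the literal "TRUE".
report_netfs() {
    if [ "${CHECKSECURITY_NONFSAFS:-}" = TRUE ]; then
        return 0
    fi
    printf '%s\n' "$SAMPLE_MOUNTS" | insecure_netfs
}

echo 'File systems to scan:';        scan_targets
echo 'Insecurely mounted nfs/afs:';  report_netfs
```

With the sample data only the root file system survives the filter, and two of the three network mounts are reported: /srv/pub has neither nodev nor nosuid/noexec, and /afs has nodev but neither of the other two. The same logic applies to real mount output if SAMPLE_MOUNTS is replaced by `mount`.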

       If set, the CHECKSECURITY_EMAIL variable defines who is sent a copy  of
       the setuid.changes file.

       The CHECKSECURITY_DEVICEFILTER variable specifies a find clause for
       which matching block and character device files will not be monitored
       for changing owners and permissions. For example, if you didn't want to
       check for permission changes on tty device files beneath /dev, you
       could set the following:

              CHECKSECURITY_DEVICEFILTER='-path /dev/tty*'

       Note that any added or modified suid programs under that path would
       still be detected. If you want to specify multiple expressions, separate
       them with '-o', but there is no need to surround the whole clause
       with parentheses. To disable this filter, specify it as

       The CHECKSECURITY_PATHFILTER variable specifies a find clause which
       will be pruned from the search path. This means that the entire
       subtree will be completely skipped. Thus, if you specify

              CHECKSECURITY_PATHFILTER='-path /var/ftp'

       then the entire /var/ftp tree will be skipped. To disable this filter,
       specify it as '-false' (which is the default).

       LOGDIR sets the name of the directory which stores the files which
       track the permission and ownership changes. By default, they are in
       /var/log.
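The scan-and-compare cycle from the DESCRIPTION section, together with the CHECKSECURITY_PATHFILTER, CHECKSECURITY_NOFINDERRORS and LOGDIR settings described above, as a small POSIX sh model that can be run against a throwaway directory. This is an added example and not the checksecurity script itself: the record format (mode, owner, group, path per line), the function names scan_raw, scan_setuid, compare_lists, run_check and demo, and the constructed tree under a temporary directory are this example's own assumptions. The path filter is spliced into find(1) exactly as the page documents, by expanding the variable unquoted so that '-path /var/ftp' becomes separate find arguments and the matched subtree is pruned.

```shell
#!/bin/sh
# Added example; not the checksecurity script but a small POSIX sh model of
# what its man page describes: scan for setuid/setgid files, keep today's
# and yesterday's lists in LOGDIR, and print the differences.

: "${CHECKSECURITY_PATHFILTER:=-false}"   # documented default: prune nothing

# scan_raw DIR...: one line per setuid/setgid file (mode owner group path),
# sorted so that two runs can be compared line by line. The path filter is
# expanded unquoted on purpose, so '-path /var/ftp' becomes two find arguments.
scan_raw() {
    # shellcheck disable=SC2086
    find "$@" \( $CHECKSECURITY_PATHFILTER \) -prune -o \
        -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} + \
        | awk '{ print $1, $3, $4, $NF }' | LC_ALL=C sort
}

# scan_setuid DIR...: scan_raw, with error output rerouted to /dev/null when
# CHECKSECURITY_NOFINDERRORS is the literal "TRUE".
scan_setuid() {
    if [ "${CHECKSECURITY_NOFINDERRORS:-}" = TRUE ]; then
        scan_raw "$@" 2>/dev/null
    else
        scan_raw "$@"
    fi
}

# compare_lists YESTERDAY TODAY: "-" lines vanished, "+" lines are new; a
# file whose mode or owner changed shows up as one of each.
compare_lists() {
    diff "$1" "$2" | sed -n 's/^< /- /p; s/^> /+ /p'
}

# run_check DIR...: one daily run, as cron would do it: rotate the previous
# list to setuid.yesterday, write setuid.today, and print what changed.
run_check() {
    logdir=${LOGDIR:-/var/log}
    if [ -f "$logdir/setuid.today" ]; then
        mv "$logdir/setuid.today" "$logdir/setuid.yesterday"
    else
        : > "$logdir/setuid.yesterday"     # first run: everything found is "new"
    fi
    scan_setuid "$@" > "$logdir/setuid.today"
    compare_lists "$logdir/setuid.yesterday" "$logdir/setuid.today"
}

# demo: exercise the above on a constructed tree under a temporary directory;
# nothing outside that directory is read or written.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin" "$tmp/ftp/bin" "$tmp/log"
    LOGDIR=$tmp/log
    CHECKSECURITY_PATHFILTER="-path $tmp/ftp"      # skip the whole ftp subtree
    printf '#!/bin/sh\n' > "$tmp/bin/su";      chmod 4755 "$tmp/bin/su"
    printf '#!/bin/sh\n' > "$tmp/ftp/bin/ls";  chmod 4755 "$tmp/ftp/bin/ls"
    echo '--- first run (ftp/bin/ls is pruned, bin/su is new):'
    run_check "$tmp"
    chmod 4700 "$tmp/bin/su"                       # permission change on an existing setuid file
    printf '#!/bin/sh\n' > "$tmp/bin/passwd";  chmod 4755 "$tmp/bin/passwd"
    echo '--- second run (one changed, one added):'
    run_check "$tmp"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh checksecurity-model.sh demo` to see the two runs: the first reports bin/su as new and says nothing about ftp/bin/ls because that subtree was pruned; the second reports the mode change on bin/su as a removed line plus an added line, and bin/passwd as added. Pointing run_check at real mount points requires read access to the whole tree, which is why the real tool runs from cron as root.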

FILES

       /etc/checksecurity.conf
	      checksecurity configuration file

       /var/log/setuid.today
	      setuid files from the most recent run

       /var/log/setuid.yesterday
	      setuid files from the previous run



Debian Linux			2 February 1997 	      CHECKSECURITY(8)