checksecurity - check for changes to setuid programs
The checksecurity command scans the mounted file systems (subject to
the filter defined in /etc/checksecurity.conf) and compares the list of
setuid programs to the list created on the previous run. Any changes
are printed to standard output. It also generates a list of nfs and
afs file systems that are mounted insecurely (i.e. they are missing the
nodev flag and either the noexec or the nosuid flag).
checksecurity is run by cron on a daily basis, and the output stored in
The checksecurity.conf file defines several configuration variables:
CHECKSECURITY_FILTER, CHECKSECURITY_NOFINDERRORS, CHECKSECURITY_DISABLE,
CHECKSECURITY_NONFSAFS, CHECKSECURITY_EMAIL, CHECKSECURITY_DEVICEFILTER,
CHECKSECURITY_PATHFILTER, and LOGDIR. Each is
The CHECKSECURITY_FILTER environment variable is the argument of
'grep -vE' applied to the output of the mount command. In other words,
the value of CHECKSECURITY_FILTER is a regular expression that removes
matching lines from the list of file systems that will be scanned. The
default value removes all file systems of type proc, msdos, iso9660,
ncpfs, nfs, afs, smbfs, auto, ntfs and coda, anything mounted
on /dev/fd*, anything mounted on /mnt or /amd, and anything mounted
with the option nosuid or noexec.
The checksecurity.conf file is sourced from checksecurity, so you could
do some fairly tricky things to define CHECKSECURITY_FILTER.
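The two core steps described above (filter the mount list with a 'grep -vE' regular expression, then compare the current setuid listing against the previous run) as an added shell example; this is not the checksecurity script itself. The filter regex is a hypothetical one written in the spirit of the documented default, not the packaged value, and the mount lines and the file tree it scans are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the checksecurity script: mimic its two core steps.
#   1. drop mount lines matching a CHECKSECURITY_FILTER-style regex
#   2. list setuid files under the surviving mount points and diff the
#      listing against the one saved by the previous run

# Hypothetical filter in the spirit of the documented default: drop
# pseudo and network filesystem types, /dev/fd*, /mnt, /amd, and
# anything mounted nosuid or noexec. Not the packaged default value.
CHECKSECURITY_FILTER='type (proc|msdos|iso9660|ncpfs|nfs|afs|smbfs|auto|ntfs|coda) |on /dev/fd|on /mnt|on /amd|[(,](nosuid|noexec)[,)]'

# Constructed 'mount' output; not captured from a real host.
mount_lines() {
    cat <<'EOF'
/dev/sda1 on / type ext4 (rw,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec)
fileserver:/export on /mnt/data type nfs (rw,nosuid)
/dev/sdb1 on /srv type ext4 (rw,noexec)
/dev/sdc1 on /home type ext4 (rw)
EOF
}

# Mount points that survive the filter, i.e. the ones that get scanned.
scan_points() {
    mount_lines | grep -vE "$CHECKSECURITY_FILTER" | awk '{print $3}'
}

# Sorted setuid listing for one tree. -xdev keeps find on a single
# filesystem, and find's error stream is discarded here in the same way
# CHECKSECURITY_NOFINDERRORS=TRUE does.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | sort
}

# Throwaway tree: record a "previous" run, add one setuid file, report
# what is new compared with that run.
demo_setuid_changes() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin"
    : > "$tmp/bin/passwd";  chmod 4755 "$tmp/bin/passwd"
    list_setuid "$tmp" > "$tmp/setuid.yesterday"
    : > "$tmp/bin/newtool"; chmod 4755 "$tmp/bin/newtool"
    list_setuid "$tmp" > "$tmp/setuid.today"
    # diff exits 1 when the lists differ; keep only the added ('>') lines.
    diff "$tmp/setuid.yesterday" "$tmp/setuid.today" | grep '^>' | sed 's/^> //'
    rm -rf "$tmp"
}

scan_points
demo_setuid_changes
```

Run stand-alone it prints the two mount points that survive the filter (/ and /home) followed by the one setuid file that appeared since the saved run. Because a real scan walks every surviving mount point, the filter is what keeps the daily run from descending into removable media or network shares, which is also why the man page's default drops nfs and afs outright.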
The CHECKSECURITY_NOFINDERRORS environment variable, if set to the literal
"TRUE", disables find errors from checksecurity (actually, it reroutes
them to /dev/null).
The CHECKSECURITY_DISABLE environment variable, if set to the literal
"TRUE", disables checksecurity entirely, as a sop to those who think
it's safe to allow random mounting of NFS and AFS disks without the
nosuid or noexec flags.
The CHECKSECURITY_NONFSAFS environment variable, if set to the literal
"TRUE", disables the message about nfs and afs file systems that are
mounted without the nodev and either the noexec or nosuid options.
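The insecure-mount test that CHECKSECURITY_NONFSAFS switches off (an nfs or afs file system missing nodev, or missing both noexec and nosuid) as an added shell example; it is not checksecurity's own code, and the mount lines it reads are constructed. It parses the 'mount' output fields the way the filter passage above implies ("device on mountpoint type fstype (options)").

```shell
#!/bin/sh
# Added example, not the checksecurity script: flag nfs/afs mounts whose
# options lack nodev, or lack both noexec and nosuid.

# Reads 'mount'-style lines on stdin and prints "<mountpoint> <reason>"
# for every nfs or afs mount that fails the test. Only the two types the
# man page names are checked.
insecure_remote_mounts() {
    awk '
    $5 == "nfs" || $5 == "afs" {
        # "(rw,nosuid)" -> ",rw,nosuid," so each option can be matched whole
        opts = "," substr($6, 2, length($6) - 2) ","
        nodev  = index(opts, ",nodev,")  > 0
        noexec = index(opts, ",noexec,") > 0
        nosuid = index(opts, ",nosuid,") > 0
        reason = ""
        if (!nodev) reason = "missing nodev"
        if (!noexec && !nosuid)
            reason = reason (reason != "" ? "; " : "") "missing noexec and nosuid"
        if (reason != "") print $3, reason
    }'
}

# Constructed input: one mount per case, plus a local ext4 line that the
# check must ignore.
demo_insecure_mounts() {
    insecure_remote_mounts <<'EOF'
fileserver:/export on /mnt/data type nfs (rw,nosuid)
fileserver:/home on /home type nfs (rw,nodev)
fileserver:/ok on /srv/ok type nfs (rw,nodev,nosuid)
/dev/sda1 on / type ext4 (rw)
afs on /afs type afs (rw)
EOF
}

demo_insecure_mounts
```

Three of the five lines are reported: /mnt/data lacks nodev, /home has nodev but neither noexec nor nosuid, and /afs lacks all three; /srv/ok passes and the ext4 mount is not a remote file system. Matching options with surrounding commas avoids treating an option such as "nodev" as present when it is merely a substring of a longer value.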
If set, the CHECKSECURITY_EMAIL variable defines who is sent a copy of
the setuid.changes file.
The CHECKSECURITY_DEVICEFILTER variable specifies a find clause for
which matching block and character device files will not be monitored
for changing owners and permissions. For example, if you didn't want to
check for permission changes on tty device files beneath /dev, you
could set the following:
Note that any added or modified suid programs under that path would
still be detected. If you want to specify multiple expressions, separate
them with '-o', but there is no need to surround the whole clause
with parentheses. To disable this filter, specify it as
The CHECKSECURITY_PATHFILTER variable specifies a find clause which
will be pruned from the search path. This means that the entire subtree
will be completely skipped. Thus, specifying
then the entire /var/ftp tree will be skipped. To disable this filter,
specify it as '-false' (which is the default).
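How a CHECKSECURITY_PATHFILTER find clause prunes a whole subtree, and why '-false' disables it, as an added shell example that is not checksecurity's own code. The way the clause is spliced into the find command (wrapped in escaped parentheses so that '-o'-joined expressions need no surrounding parentheses in the config) is an assumption about the script, and the /var/ftp-style filter and the file tree are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the checksecurity script: prune subtrees from the
# setuid scan with a find clause taken from CHECKSECURITY_PATHFILTER.

# Scan $1 for setuid files, skipping every subtree the clause matches.
# The clause is word-split unquoted, as a value read from a sourced shell
# config would be, and wrapped in \( \) here so that a value such as
# "-path /a -o -path /b" needs no parentheses of its own (assumption).
# '-false' matches nothing, so with the documented default nothing is pruned.
scan_with_pathfilter() {
    root=$1
    filter=${CHECKSECURITY_PATHFILTER:--false}
    # shellcheck disable=SC2086  (word splitting of $filter is intended)
    find "$root" \( $filter \) -prune -o -type f -perm -4000 -print | sort
}

# Throwaway tree with one setuid file outside and one inside a var/ftp
# subtree, scanned once with the default and once with a filter that
# mirrors the man page's /var/ftp case.
demo_pathfilter() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin" "$tmp/var/ftp/bin"
    : > "$tmp/usr/bin/su";     chmod 4755 "$tmp/usr/bin/su"
    : > "$tmp/var/ftp/bin/ls"; chmod 4755 "$tmp/var/ftp/bin/ls"

    default_count=$(CHECKSECURITY_PATHFILTER='-false' \
        scan_with_pathfilter "$tmp" | grep -c .)
    filtered_count=$(CHECKSECURITY_PATHFILTER="-path $tmp/var/ftp" \
        scan_with_pathfilter "$tmp" | grep -c .)
    rm -rf "$tmp"
    echo "default=$default_count filtered=$filtered_count"
}

demo_pathfilter
```

With the default both setuid files are listed; with the filter the ftp subtree is pruned before find ever descends into it, so the setuid file inside it is neither listed nor compared on later runs. That is the trade-off the man page implies: a pruned path is not just quieter, it is unmonitored.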
LOGDIR sets the name of the directory which stores the files which
track the permission and ownership changes. By default, they are in
checksecurity configuration file
setuid files from the most recent run
setuid files from the previous run
Debian Linux 2 February 1997 CHECKSECURITY(8)