Updated: 2022/Sep/29

Please read Privacy Policy. It's for your privacy.

SECURITY.CONF(5)              File Formats Manual             SECURITY.CONF(5)

     security.conf - daily security check configuration file

     The security.conf file specifies which of the standard /etc/security
     services are performed.  The /etc/security script is run, by default,
     every night from /etc/daily, on a NetBSD system, if configured do to so
     from /etc/daily.conf.

     The variables described below can be set to "NO" to disable the test:

     check_entropy              This checks whether the system has enough
                                entropy (see entropy(7)).

     check_passwd               This checks the /etc/master.passwd file for

     check_group                This checks the /etc/group file for

     check_rootdotfiles         This checks the root users startup files for
                                sane settings of $PATH and umask.  This test
                                is not fail safe and any warning generated
                                from this should be checked for correctness.

     check_ftpusers             This checks that the correct users are in the
                                /etc/ftpusers file.

     check_aliases              This checks for security problems in the
                                /etc/mail/aliases file.  For backward
                                compatibility, /etc/aliases will be checked as
                                well if exists.

     check_rhosts               This checks for system and user rhosts files
                                with "+" in them.

     check_homes                This checks that home directories are owned by
                                the correct user, and have appropriate

     check_varmail              This checks that the correct user owns mail in
                                /var/mail, and that the mail box has the right

     check_nfs                  This checks that the /etc/exports file does
                                not export filesystems to the world.

     check_devices              This checks for changes to devices and setuid

     check_mtree                This runs mtree(8) to ensure that the system
                                is installed correctly.  The following
                                configuration files are checked:

                                      Default files to check.

                                      Local site additions and overrides.

                                      Specification for the directory DIR.

     check_disklabels           Backup text copies of the disklabels of
                                available disk drives into
                                /var/backups/work/disklabel.XXX, and display
                                any differences in those and the previous
                                copies as per check_changelist below.  If
                                fdisk(8) is available on the current platform,
                                the output of /sbin/fdisk for each available
                                disk drive is stored in
                                /var/backups/work/fdisk.XXX, and any
                                differences displayed as per the disklabels.

     check_pkgs                 This stores a list of all installed pkgs into
                                /var/backups/work/pkgs and checks it for any

     check_changelist           This determines a list of files from the
                                contents of /etc/changelist, and the output of
                                mtree -D for /etc/mtree/special and
                                /etc/mtree/special.local.  For each file in
                                the list it compares the files with their
                                backups in /var/backups/file.current and
                                /var/backups/file.backup, and displays any
                                differences found.  The following mtree(8)
                                tags modify how files are determined from
                                /etc/mtree/special and

                                      exclude  The entry is ignored; no
                                               backups are made and the
                                               differences are not displayed.
                                               This includes dynamic or binary
                                               files such as /var/run/utmp.

                                      nodiff   The entry is backed up but the
                                               differences are not displayed
                                               because the contents of the
                                               file are sensitive.  This
                                               includes files such as

     check_pkg_vulnerabilities  Checks the currently installed packages
                                against a database of known vulnerabilities
                                and reports those that are vulnerable.  Check
                                the fetch_pkg_vulnerabilities setting in
                                daily.conf(5) to keep the database up to date.

     check_pkg_signatures       Checks the digital signature of all files
                                installed by packages against the expected
                                values stored in the packages database.

     The variables described below can be set to modify the tests:

                    During the check_homes phase, allow the checked files to
                    be group-writable if the group name is the same as the

                    During the check_homes phase, allow the home directory and
                    files of the listed users to be owned by a different user.

                    Lists filesystem types to ignore during the check_devices
                    phase.  Prefixing the type with a `!' inverts the match.
                    For example, `procfs !local' will ignore `procfs' type
                    filesystems and filesystems that are not `local'.

                    Lists pathnames to ignore during the check_devices phase.
                    Prefixing the path with a `!' inverts the match.  For
                    example, `/tftp' will ignore paths under /tftp while
                    `!/home' will ignore paths that are not under /home.

                    During the check_mtree phase, instruct mtree to follow
                    symbolic links.  Please note, this may cause the
                    check_mtree phase to report errors for entries for these
                    symbolic links (i.e. of type=link in the mtree
                    specification) as they will always appear to be plain
                    files for the purposes of the check.
                    /etc/mtree/special.local may be used to override the
                    checks for the affected links.

                    If check_passwd is enabled, most warnings will be
                    suppressed for entries whose shells are listed in this
                    space-separated list.  This is of particular value when
                    those shells are not in /etc/shells.

                    If check_passwd is enabled, suppress warnings for these

                    If check_passwd is enabled, do not warn about duplicate
                    uids for the listed login names.

                    If check_passwd is enabled, do not warn about login names
                    which use non-alphanumeric characters.

                    If check_passwd is enabled, do not warn about password
                    fields set to "*".  Note that the use of password fields
                    such as "*ssh" is encouraged, instead.

     max_grouplen   If check_group is enabled, this determines the maximum
                    permitted length of group names.

     max_loginlen   If check_passwd is enabled, this determines the maximum
                    permitted length of login names.

     backup_dir     Change the backup directory from /var/backup.

     diff_options   Specify the options passed to diff(1) when it is invoked
                    to show changes made to system files.  Defaults to "-u",
                    for unified-format context-diffs.

     pkgdb_dir      DEPRECATED.  Please set PKGDB_DIR in pkg_install.conf(5)

                    If defined, points to the location of the packages
                    database.  Defaults to /usr/pkg/pkgdb.

                    Use rcs(1) for maintaining backup copies of files noted in
                    check_devices, check_disklabels, check_pkgs, and
                    check_changelist instead of just keeping a current copy
                    and a backup copy.

     random_file    Name of the entropy seed file used at boot.  Default is
                    /var/db/entropy-file as used by /etc/rc.d/random_seed.
                    Set random_file to empty to disable saving a seed every
                    time /etc/security runs.

     /etc/defaults/security.conf  defaults for /etc/security.conf
     /etc/security                daily security check script
     /etc/security.conf           daily security check configuration
     /etc/security.local          local site additions to /etc/security


     The security.conf file appeared in NetBSD 1.3.  The check_disklabels
     functionality was added in NetBSD 1.4.  The backup_uses_rcs and
     check_pkgs features were added in NetBSD 1.6.  diff_options appeared in
     NetBSD 2.0; prior to that, traditional-format (context free) diffs were

NetBSD 10.99                   December 2, 2020                   NetBSD 10.99