security.conf —
daily security check configuration file
The security.conf file specifies which of the standard
  /etc/security services are performed. The
  /etc/security script is run, by default, every night
  from /etc/daily, on a NetBSD
  system, if configured do to so from /etc/daily.conf.
The variables described below can be set to "NO" to
    disable the test:
  - check_passwd
- This checks the /etc/master.passwd file for
      inconsistencies.
- check_group
- This checks the /etc/group file for
      inconsistencies.
- check_rootdotfiles
- This checks the root users startup files for sane settings of $PATH and
      umask. This test is not fail safe and any warning generated from this
      should be checked for correctness.
- check_ftpusers
- This checks that the correct users are in the
      /etc/ftpusers file.
- check_aliases
- This checks for security problems in the
      /etc/mail/aliases file. For backward
      compatibility, /etc/aliases will be checked as
      well if exists.
- check_rhosts
- This checks for system and user rhosts files with "+" in
    them.
- check_homes
- This checks that home directories are owned by the correct user, and have
      appropriate permissions.
- check_varmail
- This checks that the correct user owns mail in
      /var/mail, and that the mail box has the right
      permissions.
- check_nfs
- This checks that the /etc/exports file does not
      export filesystems to the world.
- check_devices
- This checks for changes to devices and setuid files.
- check_mtree
- This runs mtree(8) to ensure
      that the system is installed correctly. The following configuration files
      are checked:
    
      - /etc/mtree/special
- Default files to check.
- /etc/mtree/special.local
- Local site additions and overrides.
- /etc/mtree/DIR.secure
- Specification for the directory DIR.
 
- check_disklabels
- Backup text copies of the disklabels of available disk drives into
      /var/backups/work/disklabel.XXX, and display any
      differences in those and the previous copies as per
      check_changelist below. If
      fdisk(8) is available on the
      current platform, the output of /sbin/fdisk for
      each available disk drive is stored in
      /var/backups/work/fdisk.XXX, and any differences
      displayed as per the disklabels.
- check_pkgs
- This stores a list of all installed pkgs into
      /var/backups/work/pkgs and checks it for any
      changes.
- check_changelist
- This determines a list of files from the contents of
      /etc/changelist, and the output of
      mtree -Dfor
      /etc/mtree/special and
      /etc/mtree/special.local. For each file in the
      list it compares the files with their backups in
      /var/backups/file.current and
      /var/backups/file.backup, and displays any
      differences found. The following
      mtree(8)
      tags modify how files are determined from
      /etc/mtree/special and
      /etc/mtree/special.local:
    
      - exclude
- The entry is ignored; no backups are made and the differences are not
          displayed. This includes dynamic or binary files such as
          /var/run/utmp.
- nodiff
- The entry is backed up but the differences are not displayed because
          the contents of the file are sensitive. This includes files such as
          /etc/master.passwd.
 
 
- check_pkg_vulnerabilities
- Checks the currently installed packages against a database of known
      vulnerabilities and reports those that are vulnerable. Check the
      fetch_pkg_vulnerabilities setting in
      daily.conf(5) to keep
      the database up to date.
- check_pkg_signatures
- Checks the digital signature of all files installed by packages against
      the expected values stored in the packages database.
The variables described below can be set to modify the tests:
  - check_homes_permit_usergroups
- During the check_homes phase, allow the checked files to
      be group-writable if the group name is the same as the username.
- check_homes_permit_other_owner
- During the check_homes phase, allow the home directory
      and files of the listed users to be owned by a different user.
- check_devices_ignore_fstypes
- Lists filesystem types to ignore during the
      check_devices phase. Prefixing the type with a
      ‘!’ inverts the match. For example,
      ‘procfs !local’ will ignore
      ‘procfs’ type filesystems and
      filesystems that are not
    ‘local’.
- check_devices_ignore_paths
- Lists pathnames to ignore during the check_devices
      phase. Prefixing the path with a ‘!’ inverts the match. For
      example, ‘/tftp’ will ignore paths
      under /tftp while
      ‘!/home’ will ignore paths that are
      not under /home.
- check_mtree_follow_symlinks
- During the check_mtree phase, instruct mtree to follow
      symbolic links. Please note, this may cause the
      check_mtree phase to report errors for entries for these
      symbolic links (i.e. of type=link in the mtree specification) as they will
      always appear to be plain files for the purposes of the check.
      /etc/mtree/special.local may be used to override
      the checks for the affected links.
- check_passwd_nowarn_shells
- If check_passwd is enabled, most warnings will be
      suppressed for entries whose shells are listed in this space-separated
      list. This is of particular value when those shells are not in
      /etc/shells.
- check_passwd_nowarn_users
- If check_passwd is enabled, suppress warnings for these
      users.
- check_passwd_permit_dups
- If check_passwd is enabled, do not warn about duplicate
      uids for the listed login names.
- check_passwd_permit_nonalpha
- If check_passwd is enabled, do not warn about login
      names which use non-alphanumeric characters.
- check_passwd_permit_star
- If check_passwd is enabled, do not warn about password
      fields set to “*”. Note that the use of password fields such
      as “*ssh” is encouraged, instead.
- max_grouplen
- If check_group is enabled, this determines the maximum
      permitted length of group names.
- max_loginlen
- If check_passwd is enabled, this determines the maximum
      permitted length of login names.
- backup_dir
- Change the backup directory from /var/backup.
- diff_options
- Specify the options passed to
      diff(1) when it is invoked to
      show changes made to system files. Defaults to “-u”, for
      unified-format context-diffs.
- pkgdb_dir
- DEPRECATED. Please set PKGDB_DIRin
      pkg_install.conf(5)
      instead.If defined, points to the location of the packages database.
        Defaults to /var/db/pkg. 
- backup_uses_rcs
- Use rcs(1) for maintaining
      backup copies of files noted in check_devices,
      check_disklabels, check_pkgs, and
      check_changelist instead of just keeping a current copy
      and a backup copy.
  - /etc/defaults/security.conf
- defaults for /etc/security.conf
- /etc/security
- daily security check script
- /etc/security.conf
- daily security check configuration
- /etc/security.local
- local site additions to /etc/security
Thesecurity.conf file appeared in
  NetBSD 1.3. The check_disklabels
  functionality was added in NetBSD 1.4. The
  backup_uses_rcs and check_pkgs features
  were added in NetBSD 1.6.
  diff_options appeared in NetBSD 2.0;
  prior to that, traditional-format (context free) diffs were generated.