       checksecurity - check for changes to setuid programs




       The  checksecurity  command scans the mounted file systems (subject to
       the filter defined in /etc/checksecurity.conf) and compares the list of
       setuid  programs  to  the list created on the previous run. Any changes
       are printed to standard output. Also, it generates a list  of  nfs  and
       afs  filesystems that are mounted insecurely (i.e. they are missing the
       nodev and either the noexec or nosuid flags).

       checksecurity is run by cron on a daily basis, and the output stored in


       The  checksecurity.conf  file  defines several configuration variables:
       CHECKSECURITY_NONFSAFS,                            CHECKSECURITY_EMAIL,
       is described below.

       The CHECKSECURITY_FILTER environment variable is the argument of
       'grep -vE' applied to the output of the mount command. In other words,
       the value of CHECKSECURITY_FILTER is a regular expression, and every
       file system whose mount line matches it is left out of the scan. The
       default  value  removes  all  file  systems  of type proc, bind, msdos,
       iso9660, ncpfs,  nfs,  afs,  smbfs,  auto,  ntfs,  coda  file  systems,
       anything  mounted  on  /dev/fd*,  anything mounted on /mnt or /amd, and
       anything mounted with option nosuid or noexec.

       The checksecurity.conf file is sourced from checksecurity, so you could
       do some fairly tricky things to define CHECKSECURITY_FILTER.

       The  CHECKSECURITY_NOFINDERRORS  environment  variable,  if  set to the
       literal "TRUE", suppresses find errors from checksecurity (actually, it
       redirects them to /dev/null).

       The  CHECKSECURITY_NONFSAFS environment variable, if set to the literal
       "TRUE", disables the message about nfs and afs file  systems  that  are
       mounted without the nodev and either the noexec or nosuid options.
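
       The following is an added example, not part of checksecurity or of
       this manual page. It runs two hypothetical CHECKSECURITY_FILTER
       values through 'grep -vE' over constructed mount output to show how
       an unanchored expression drops more file systems from the scan than
       intended, and it lists the nfs/afs mounts that lack nodev or lack
       both noexec and nosuid. All names and mount lines are assumptions.

```shell
#!/bin/sh
# Added example; not checksecurity's own code. The mount lines below are
# constructed sample data in the usual "dev on dir type fs (opts)" layout.
SAMPLE_MOUNTS='/dev/sda1 on / type ext4 (rw,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec)
/dev/sdb1 on /srv/nfs-export type ext4 (rw,relatime)
/dev/sdc1 on /home type ext4 (rw,nosuid,nodev)
fs1:/export on /data type nfs (rw,nodev,nosuid)
fs2:/pub on /pub type nfs (rw,relatime)
fs3:/x on /x type nfs (rw,nodev)'

# Hypothetical filter values. LOOSE matches "nfs" anywhere on the line,
# so a local ext4 file system mounted on /srv/nfs-export is skipped too.
LOOSE_FILTER='nfs|proc|nosuid|noexec'
# ANCHORED ties the type to the "type X" field and options to the list.
ANCHORED_FILTER=' type (nfs|proc) |[(,](nosuid|noexec)[,)]'

# scanned_mounts FILTER: mount points that survive 'grep -vE FILTER',
# i.e. the file systems that would still be scanned.
scanned_mounts() {
    printf '%s\n' "$SAMPLE_MOUNTS" | grep -vE "$1" |
        awk '{ print $3 }' | paste -s -d ' ' -
}

# insecure_netfs: nfs/afs mounts missing nodev, or missing both noexec
# and nosuid (this example's reading of the rule stated in the text).
insecure_netfs() {
    printf '%s\n' "$SAMPLE_MOUNTS" | awk '
        $5 == "nfs" || $5 == "afs" {
            opts  = "," substr($6, 2, length($6) - 2) ","
            nodev = index(opts, ",nodev,")
            nox   = index(opts, ",noexec,") || index(opts, ",nosuid,")
            if (!nodev || !nox) print $3
        }' | paste -s -d ' ' -
}

echo "scanned with loose filter:    $(scanned_mounts "$LOOSE_FILTER")"
echo "scanned with anchored filter: $(scanned_mounts "$ANCHORED_FILTER")"
echo "insecurely mounted nfs/afs:   $(insecure_netfs)"
```

       Running a candidate filter against the real output of mount in the
       same way shows which file systems a new value would silently exclude.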

       If  set, the CHECKSECURITY_EMAIL variable defines who is sent a copy of
       the setuid.changes file.

       The CHECKSECURITY_DEVICEFILTER variable specifies  a  find  clause  for
       which  matching  block and character device files will not be monitored
       for changing owners and permissions. For example, if you don’t want  to
       check  for  permission  changes  on  tty device files beneath /dev, you
       could set the following:

              CHECKSECURITY_DEVICEFILTER='-path /dev/tty*'

       Note that any added or modified suid programs  under  that  path  would
       still  be  detected.  If  you  want  to  specify  multiple expressions,
       separate them with '-o', but there is no need  to  surround  the  whole
       clause with parentheses. To disable this filter, specify it as '-false'
       (which is the default).

       Note that if the system gets restarted often, checksecurity will report
       a lot of changes in the /dev/ subdirectory due to timestamp changes. In
       this case you might want to change it to:

              CHECKSECURITY_DEVICEFILTER='-path /dev/*'

       The CHECKSECURITY_PATHFILTER variable specifies  a  find  clause  which
       will  be  pruned  from  the  search  path.   This means that the entire
       subtree will be completely skipped.  Thus, if you specify

              CHECKSECURITY_PATHFILTER='-path /var/ftp'

       then the entire /var/ftp tree will be skipped. To disable this  filter,
       specify it as '-false' (which is the default).

       LOGDIR  sets  the  name  of  the directory which stores the files which
       track the permission and ownership changes. By  default,  they  are  in


              checksecurity configuration file

              setuid files from the most recent run

              setuid files from the previous run