Linux 2.6 - man page for check-setuid (linux section 8)

       checksecurity - check for changes to setuid programs


       The checksecurity command scans the mounted file systems (subject to the filter defined
       in /etc/checksecurity.conf) and compares the list of setuid programs to the list created
       on the previous run. Any changes are printed to standard output. Also, it generates a list
       of nfs and afs file systems that are mounted insecurely (i.e. they are missing the nodev
       and either the noexec or nosuid flags).

       checksecurity   is   run   by   cron   on   a  daily  basis,  and  the  output  stored  in

       The checksecurity.conf file defines several configuration variables: CHECKSECURITY_FILTER,

       The CHECKSECURITY_FILTER environment variable is the argument of 'grep -vE' applied
       to the output of the mount command. In other words, the value of CHECKSECURITY_FILTER is a
       regular expression that removes matching lines from the list of file systems that will be
       scanned. The default value removes all file systems of type proc, bind, msdos, iso9660,
       ncpfs, nfs, afs, smbfs, auto, ntfs, coda, anything mounted on /dev/fd*, anything mounted
       on /mnt or /amd, and anything mounted with option nosuid or noexec.

       The checksecurity.conf file is sourced from checksecurity, so you could do some fairly
       tricky things to define CHECKSECURITY_FILTER. Because the file is executed as shell code
       by the cron job, it should be owned by and writable only by root.

       The CHECKSECURITY_NOFINDERRORS environment variable, if set to the literal "TRUE",
       disables find errors from checksecurity (actually, it re-routes them to /dev/null).

       The  CHECKSECURITY_NONFSAFS  environment  variable, if set to the literal "TRUE", disables
       the message about nfs and afs file systems that are mounted without the nodev  and  either
       the noexec or nosuid options.

       If  set, the CHECKSECURITY_EMAIL variable defines who is sent a copy of the setuid.changes

       The CHECKSECURITY_DEVICEFILTER variable specifies a find clause for which  matching  block
       and  character device files will not be monitored for changing owners and permissions. For
       example, if you don't want to check for permission changes on  tty  device  files  beneath
       /dev, you could set the following:

	      CHECKSECURITY_DEVICEFILTER='-path /dev/tty*'

       Note  that any added or modified suid programs under that path would still be detected. If
       you want to specify multiple expressions, separate them with '-o', but there is no need to
       surround the whole clause with parentheses. To disable this filter, specify it as '-false'
       (which is the default).

       Note that if the system gets restarted often, checksecurity will report a lot of changes
       in the /dev/ subdirectory due to timestamp changes. In this case you might want to change it


       The CHECKSECURITY_PATHFILTER variable specifies a find clause which will  be  pruned  from
       the  search  path.   This means that the entire subtree will be completely skipped.  Thus,

	      CHECKSECURITY_PATHFILTER='-path /var/ftp'

       then the entire /var/ftp tree will be skipped. To  disable  this  filter,  specify  it  as
       '-false' (which is the default).

       LOGDIR  sets  the  name of the directory which stores the files which track the permission
       and ownership changes. By default, they are in /var/log/setuid.
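       The following script is an added illustration, not the checksecurity script itself. It
       shows how the three filters described above shape one scan: CHECKSECURITY_FILTER is
       applied with 'grep -vE' to mount output, CHECKSECURITY_PATHFILTER is spliced into a find
       clause that prunes a subtree, and the resulting setuid list is compared with the previous
       run's list the way the daily job does. The variable names are the man page's; the sample
       mount output, the temporary directory tree, the default-like filter value, and the helper
       function names (mount_points_to_scan, make_sample_tree, scan_setuid, report_changes, demo)
       are constructed here and are not part of the package. Device files are not created because
       that needs root, so CHECKSECURITY_DEVICEFILTER is not exercised.

```shell
#!/bin/sh
# Added illustration of the checksecurity.conf filters (not the packaged script).
# Variable names follow checksecurity(8); everything else here is constructed.

# CHECKSECURITY_FILTER: regular expression handed to 'grep -vE' over 'mount' output.
# This value approximates the defaults the man page lists (assumption, not the
# packaged default verbatim).
CHECKSECURITY_FILTER='type (proc|bind|msdos|iso9660|ncpfs|nfs|afs|smbfs|auto|ntfs|coda) |on /dev/fd|on /mnt|on /amd|nosuid|noexec'

# Constructed sample of 'mount' output, one file system per line.
SAMPLE_MOUNTS='/dev/sda1 on / type ext4 (rw,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
/dev/sdb1 on /home type ext4 (rw,nosuid,nodev,relatime)
server:/export on /mnt/nfs type nfs (rw,relatime)
/dev/sdc1 on /srv type ext4 (rw,relatime)'

# Print the mount point (third field) of every line that survives the filter.
mount_points_to_scan() {
    printf '%s\n' "$SAMPLE_MOUNTS" | grep -vE "$CHECKSECURITY_FILTER" | awk '{print $3}'
}

# Build a throw-away tree standing in for a mounted file system: one legitimate
# setuid binary, one plain binary, and a setuid file inside a subtree to be pruned.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/var/ftp/bin"
    : > "$root/usr/bin/passwd";  chmod 4755 "$root/usr/bin/passwd"
    : > "$root/usr/bin/ls";      chmod 755  "$root/usr/bin/ls"
    : > "$root/var/ftp/bin/ls";  chmod 4755 "$root/var/ftp/bin/ls"
    printf '%s\n' "$root"
}

# One scan of a mount point: prune whatever CHECKSECURITY_PATHFILTER matches, then
# list setuid regular files, sorted so two runs can be compared line by line.
# The man page's default is '-false', which prunes nothing; the clause is
# deliberately left unquoted so it is word-split like a sourced shell variable.
scan_setuid() {
    mp=$1
    find "$mp" -xdev \( ${CHECKSECURITY_PATHFILTER:--false} \) -prune -o \
         -type f -perm -4000 -print | sort
}

# Compare the previous and the current list the way the daily run does:
# lines only in the new list were added, lines only in the old list disappeared.
report_changes() {
    prev=$1; cur=$2
    comm -13 "$prev" "$cur" | sed 's/^/ADDED:   /'
    comm -23 "$prev" "$cur" | sed 's/^/REMOVED: /'
}

# Run the pieces end to end: scan, add a setuid file, scan again, report the diff.
# Paths are printed relative to the temporary root so the output reads like a real run.
demo() {
    root=$(make_sample_tree)
    CHECKSECURITY_PATHFILTER="-path $root/var/ftp"   # man page example uses /var/ftp
    logdir=$(mktemp -d)                              # stands in for LOGDIR
    scan_setuid "$root" > "$logdir/setuid.yesterday"
    : > "$root/usr/bin/sneaky"; chmod 4755 "$root/usr/bin/sneaky"
    scan_setuid "$root" > "$logdir/setuid.today"
    report_changes "$logdir/setuid.yesterday" "$logdir/setuid.today" | sed "s#$root##"
    rm -rf "$root" "$logdir"
}

demo
```

       The pruned /var/ftp copy of ls never appears in either list, so the report contains only
       the file that gained the setuid bit between the two runs; a setuid file that lost the bit
       or was deleted would show up as REMOVED.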

	      checksecurity configuration file

	      setuid files from the most recent run

	      setuid files from the previous run

Debian Linux				 2 February 1997			 CHECKSECURITY(8)