 @@ -1,1098 +1,1105 @@
 #!/bin/sh -
+#
-#	$NetBSD: security,v 1.125 2019/09/18 22:27:55 uwe Exp $
+#	$NetBSD: security,v 1.126 2019/12/06 14:43:30 riastradh Exp $
 #	from: @(#)security	8.1 (Berkeley) 6/9/93
+#
 PATH=/sbin:/usr/sbin:/bin:/usr/bin
 rcvar_manpage='security.conf(5)'
 if [ -f /etc/rc.subr ]; then
 	. /etc/rc.subr
 else
 	echo "Can't read /etc/rc.subr; aborting."
 	exit 1;
 fi
 umask 077
 TZ=UTC; export TZ
 if [ -s /etc/security.conf ]; then
 	. /etc/security.conf
 fi
 if [ -s /etc/pkgpath.conf ]; then
 	. /etc/pkgpath.conf
 fi
 # Set reasonable defaults (if they're not set in security.conf)
+#
 backup_dir=${backup_dir:-/var/backups}
 max_loginlen=${max_loginlen:-8}
 max_grouplen=${max_grouplen:-8}
 pkg_admin=${pkg_admin:-/usr/sbin/pkg_admin}
 pkg_info=${pkg_info:-/usr/sbin/pkg_info}
 # Other configurable variables
+#
 special_files="/etc/mtree/special /etc/mtree/special.local"
 MP=/etc/master.passwd
 CHANGELIST=""
 work_dir=$backup_dir/work
 if [ ! -d "$work_dir" ]; then
 	mkdir -p "$work_dir"
 fi
 SECUREDIR=$(mktemp -d -t _securedir) || exit 1
 trap "/bin/rm -rf $SECUREDIR ; exit 0" EXIT INT QUIT PIPE
 if ! cd "$SECUREDIR"; then
 	echo "Can not cd to $SECUREDIR".
 	exit 1
 fi
 ERR=err.$$
 TMP1=tmp1.$$
 TMP2=tmp2.$$
 MPBYUID=mpbyuid.$$
 MPBYPATH=mpbypath.$$
 LIST=list.$$
 OUTPUT=output.$$
 LABELS=labels.$$
 LVM_LABELS=lvm.$$
 PKGS=pkgs.$$
 CHANGEFILES=changefiles.$$
 SPECIALSPEC=specialspec.$$
 if [ -n "${pkgdb_dir}" ]; then
 	echo "WARNING: Setting pkgdb_dir in security.conf(5) is deprecated"
 	echo "WARNING: Please define PKG_DBDIR in pkg_install.conf(5) instead"
 	_compat_K_flag="-K ${pkgdb_dir}"
 fi
 have_pkgs() {
 	$pkg_info ${_compat_K_flag} -q -E '*'
+}
 # migrate_file old new
 #	Determine if the "${old}" path name needs to be migrated to the
 #	"${new}" path. Also checks if "${old}.current" needs migrating,
 #	and if so, migrate it and possibly "${old}.current,v" and
 #	"${old}.backup".
+#
 migrate_file()
+{
 	_old=$1
 	_new=$2
 	if [ -z "$_old" ] || [ -z "$_new" ]; then
 		err 3 "USAGE: migrate_file old new"
 	fi
 	if [ ! -d "${_new%/*}" ]; then
 		mkdir -p "${_new%/*}"
 	fi
 	if [ -f "${_old}" ] && ! [ -f "${_new}" ]; then
 		echo "==> migrating ${_old}"
 		echo "           to ${_new}"
 		mv "${_old}" "${_new}"
 	fi
 	if [ -f "${_old}.current" ] && ! [ -f "${_new}.current" ]; then
 		echo "==> migrating ${_old}.current"
 		echo "           to ${_new}.current"
 		mv "${_old}.current" "${_new}.current"
 		if [ -f "${_old}.current,v" ] &&
 		 ! [ -f "${_new}.current,v" ]; then
 			echo "==> migrating ${_old}.current,v"
 			echo "           to ${_new}.current,v"
 			mv "${_old}.current,v" "${_new}.current,v"
 		fi
 		if [ -f "${_old}.backup" ] && ! [ -f "${_new}.backup" ]; then
 			echo "==> migrating ${_old}.backup"
 			echo "           to ${_new}.backup"
 			mv "${_old}.backup" "${_new}.backup"
 		fi
 	fi
+}
 # backup_and_diff file printdiff
 #	Determine if file needs backing up, and if so, do it.
 #	If printdiff is yes, display the diffs, otherwise
 #	just print a message saying "[changes omitted]".
+#
 backup_and_diff()
+{
 	_file=$1
 	_printdiff=$2
 	if [ -z "$_file" ] || [ -z "$_printdiff" ]; then
 		err 3 "USAGE: backup_and_diff file printdiff"
 	fi
 	! checkyesno _printdiff
 	_printdiff=$?
 	_old=$backup_dir/${_file##*/}
 	case "$_file" in
 	$work_dir/*)
 		_new=$_file
 		migrate_file "$backup_dir/$_old" "$_new"
 		migrate_file "$_old" "$_new"
 		;;
 	*)
 		_new=$backup_dir/$_file
 		migrate_file "$_old" "$_new"
 		;;
 	esac
 	CUR=${_new}.current
 	BACK=${_new}.backup
 	if [ -f $_file ]; then
 		if [ -f $CUR ] ; then
 			if [ "$_printdiff" -ne 0 ]; then
 				diff ${diff_options} $CUR $_file > $OUTPUT
 			else
 				if ! cmp -s $CUR $_file; then
 					echo "[changes omitted]"
 				fi > $OUTPUT
 			fi
 			if [ -s $OUTPUT ] ; then
 				printf \
 			"\n======\n%s diffs (OLD < > NEW)\n======\n" $_file
 				cat $OUTPUT
 				backup_file update $_file $CUR $BACK
 			fi
 		else
 			printf "\n======\n%s added\n======\n" $_file
 			if [ "$_printdiff" -ne 0 ]; then
 				diff ${diff_options} /dev/null $_file
 			else
 				echo "[changes omitted]"
 			fi
 			backup_file add $_file $CUR $BACK
 		fi
 	else
 		if [ -f $CUR ]; then
 			printf "\n======\n%s removed\n======\n" $_file
 			if [ "$_printdiff" -ne 0 ]; then
 				diff ${diff_options} $CUR /dev/null
 			else
 				echo "[changes omitted]"
 			fi
 			backup_file remove $_file $CUR $BACK
 		fi
 	fi
+}
 # These are used several times.
+#
 awk -F: '!/^\+/ { print $1 " " $3 }' $MP | sort -k2n > $MPBYUID
 awk -F: '{ print $1 " " $9 }' $MP | sort -k2 > $MPBYPATH
 for file in $special_files; do
 	[ -s $file ] && cat $file
 done | mtree -CM -k all > $SPECIALSPEC || exit 1
 # Check the master password file syntax.
+#
 if checkyesno check_passwd; then
 	# XXX: the sense of permit_star is reversed; the code works as
 	# implemented, but usage needs to be negated.
 	checkyesno check_passwd_permit_star && permit_star=0 || permit_star=1
 	checkyesno check_passwd_permit_nonalpha \
 		 && permit_nonalpha=1 || permit_nonalpha=0
 	awk -v "len=$max_loginlen" \
 	    -v "nowarn_shells_list=$check_passwd_nowarn_shells" \
 	    -v "nowarn_users_list=$check_passwd_nowarn_users" \
 	    -v "permit_star=$permit_star" \
 	    -v "permit_nonalpha=$permit_nonalpha" \
+	'
 	BEGIN {
 		while ( getline < "/etc/shells" > 0 ) {
 			if ($0 ~ /^\#/ || $0 ~ /^$/ )
 				continue;
 			shells[$1]++;
+		}
 		split(nowarn_shells_list, a);
 		for (i in a) nowarn_shells[a[i]]++;
 		split(nowarn_users_list, a);
 		for (i in a) nowarn_users[a[i]]++;
 		uid0_users_list="root toor"
 		split(uid0_users_list, a);
 		for (i in a) uid0_users[a[i]]++;
 		FS=":";
+	}
+	{
 		if ($0 ~ /^[	 ]*$/) {
 			printf "Line %d is a blank line.\n", NR;
 			next;
+		}
 		# NIS compat entry?
 		compatline = $1 ~ "^[\\+-]";
 		if (compatline) {
 			if ($1 == "+" && NF == 1) {
 				next;
+			}
 			sub("^.", "", $1);
+		}
 		if (NF != 10)
 			printf "Line %d has the wrong number of fields.\n", NR;
 		if (compatline)  {
 			if ($3 == 0)
 			    printf "Line %d includes entries with uid 0.\n",
 			        NR;
 			if ($1 == "")
 			    next;
+		}
 		if (!permit_nonalpha &&
 		    $1 !~ /^[_A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])*$/)
 			printf "Login %s has non-alphanumeric characters.\n",
 			    $1;
 		if (length($1) > len)
 			printf "Login %s has more than "len" characters.\n",
 			    $1;
 		if ($2 == "" && !compatline && !nowarn_users[$1])
 			    printf "Login %s has no password.\n", $1;
 		if (!nowarn_shells[$10] && !nowarn_users[$1]) {
 		    if (length($2) != 13 &&
 		    	length($2) != 20 &&
 		    	$2 !~ /^\$1/ &&
 		    	$2 !~ /^\$2/ &&
 			$2 !~ /^\$sha1/ &&
 		    	$2 != "" &&
 			(permit_star || $2 != "*") &&
 		    	$2 !~ /^\*[A-z-]+$/ &&
 			$1 != "toor") {
 		    	    if ($10 == "" || shells[$10])
 				printf "Login %s is off but still has "\
 				  "a valid shell (%s)\n", $1, $10;
 		    } else if (compatline && $10 == "") {
 			    # nothing
 		    } else if (! shells[$10])
 		    	    printf "Login %s does not have a valid "\
 			    "shell (%s)\n", $1, $10;
+		}
 		if ($3 == 0 && !uid0_users[$1] && !nowarn_users[$1])
 			printf "Login %s has a user id of 0.\n", $1;
 		if ($3 != "" && $3 < 0)
 			printf "Login %s has a negative user id.\n", $1;
 		if ($4 != "" && $4 < 0)
 			printf "Login %s has a negative group id.\n", $1;
 	}' < $MP > $OUTPUT
 	if [ -s $OUTPUT ] ; then
 		printf "\nChecking the $MP file:\n"
 		cat $OUTPUT
 	fi
 	awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT
 	if [ -s $OUTPUT ] ; then
 		printf "\n$MP has duplicate user names.\n"
 		column $OUTPUT
 	fi
 	awk -v "permit_dups_list=$check_passwd_permit_dups" \
+	'
 	BEGIN {
 		split(permit_dups_list, a);
 		for (i in a) permit_dups[a[i]]++;
+	}
+	{
 		if (!permit_dups[$1])
 			print $2;
 	}' < $MPBYUID | uniq -d > $TMP2
 	if [ -s $TMP2 ] ; then
 		printf "\n$MP has duplicate user ids.\n"
 		while read uid; do
 			grep -w $uid $MPBYUID
 		done < $TMP2 | column
 	fi
 fi
 # Check the group file syntax.
+#
 if checkyesno check_group; then
 	GRP=/etc/group
 	awk -F: -v "len=$max_grouplen" '{
 		if ($0 ~ /^[	 ]*$/) {
 			printf "Line %d is a blank line.\n", NR;
 			next;
+		}
 		if (NF != 4 && ($1 != "+" || NF != 1))
 			printf "Line %d has the wrong number of fields.\n", NR;
 		if ($1 == "+" )  {
 			next;
+		}
 		if ($1 !~ /^[_A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])*$/)
 			printf "Group %s has non-alphanumeric characters.\n",
 			    $1;
 		if (length($1) > len)
 			printf "Group %s has more than "len" characters.\n", $1;
 		if ($3 !~ /[0-9]*/)
 			printf "Login %s has a negative group id.\n", $1;
 	}' < $GRP > $OUTPUT
 	if [ -s $OUTPUT ] ; then
 		printf "\nChecking the $GRP file:\n"
 		cat $OUTPUT
 	fi
 	awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT
 	dupgroups=""
 	for group in $(cat $OUTPUT) ; do
 		gcount=$(awk -F: "/$group/ { print \$1,\$3 }" $GRP |
 			sort -u | wc -l)
 		if [ $gcount -gt 1 ]; then
 			dupgroups="$dupgroups $group"
 		fi
 	done
 	if [ ! -z $dupgroups ] ; then
 		printf "\n$GRP has duplicate group names.\n"
 		printf "$dupgroups\n"
 	fi
 fi
 # Check for root paths, umask values in startup files.
 # The check for the root paths is problematical -- it's likely to fail
 # in other environments.  Once the shells have been modified to warn
 # of '.' in the path, the path tests should go away.
+#
 if checkyesno check_rootdotfiles; then
 	rhome=~root
 	umaskset=no
 	list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login"
 	for i in $list ; do
 		if [ -f $i ] ; then
 			if egrep '^[ \t]*umask[ \t]+[0-7]+' $i > /dev/null ;
 			then
 				umaskset=yes
 			fi
 			# Double check the umask value itself; ensure that
 			# both the group and other write bits are set.
+			#
 			egrep '^[ \t]*umask[ \t]+[0-7]+' $i |
 			awk '{
 				if ($2 ~ /^.$/ || $2 ~! /[^2367].$/) {
 					print "\tRoot umask is group writable"
+				}
 				if ($2 ~ /[^2367]$/) {
 					print "\tRoot umask is other writable"
+			    	}
 			    }' | sort -u
 			SAVE_PATH=$PATH
 			unset PATH
 			/bin/csh -f -s << end-of-csh > /dev/null 2>&1
 				source $i
 				/bin/ls -ldgT \$path > $TMP1
 end-of-csh
 			export PATH=$SAVE_PATH
 			awk '{
 				if ($10 ~ /^\.$/) {
 					print "\tThe root path includes .";
 					next;
+				}
+			     }
 			     $1 ~ /^d....w/ \
 		{ print "\tRoot path directory " $10 " is group writable." } \
 			     $1 ~ /^d.......w/ \
 		{ print "\tRoot path directory " $10 " is other writable." }' \
 			< $TMP1
 		fi
 	done > $OUTPUT
 	if [ $umaskset = no ] || [ -s $OUTPUT ] ; then
 		printf "\nChecking root csh paths, umask values:\n$list\n\n"
 		if [ -s $OUTPUT ]; then
 			cat $OUTPUT
 		fi
 		if [ $umaskset = no ] ; then
 		    printf "\tRoot csh startup files do not set the umask.\n"
 		fi
 	fi
 	umaskset=no
 	list="/etc/profile ${rhome}/.profile"
 	for i in $list; do
 		if [ -f $i ] ; then
 			if egrep umask $i > /dev/null ; then
 				umaskset=yes
 			fi
 			egrep umask $i |
 			awk '$2 ~ /^.$/ || $2 ~ /[^2367].$/ \
 				{ print "\tRoot umask is group writable" } \
 			     $2 ~ /[^2367]$/ \
 				{ print "\tRoot umask is other writable" }'
 			SAVE_PATH=$PATH
 			unset PATH
 			/bin/sh << end-of-sh > /dev/null 2>&1
 				. $i
 				list=\$(echo \$PATH | /usr/bin/sed -e \
 				    's/^:/.:/;s/:$/:./;s/::/:.:/g;s/:/ /g')
 				/bin/ls -ldgT \$list > $TMP1
 end-of-sh
 			export PATH=$SAVE_PATH
 			awk '{
 				if ($10 ~ /^\.$/) {
 					print "\tThe root path includes .";
 					next;
+				}
+			     }
 			     $1 ~ /^d....w/ \
 		{ print "\tRoot path directory " $10 " is group writable." } \
 			     $1 ~ /^d.......w/ \
 		{ print "\tRoot path directory " $10 " is other writable." }' \
 			< $TMP1
 		fi
 	done > $OUTPUT
 	if [ $umaskset = no ] || [ -s $OUTPUT ] ; then
 		printf "\nChecking root sh paths, umask values:\n$list\n"
 		if [ -s $OUTPUT ]; then
 			cat $OUTPUT
 		fi
 		if [ $umaskset = no ] ; then
 			printf "\tRoot sh startup files do not set the umask.\n"
 		fi
 	fi
 fi
 # Root and uucp should both be in /etc/ftpusers.
+#
 if checkyesno check_ftpusers; then
 	list="uucp "$(awk '$2 == 0 { print $1 }' $MPBYUID)
 	for i in $list; do
 		if /usr/libexec/ftpd -C $i ; then
 			printf "\t$i is not denied\n"
 		fi
 	done > $OUTPUT
 	if [ -s $OUTPUT ]; then
 		printf "\nChecking the /etc/ftpusers configuration:\n"
 		cat $OUTPUT
 	fi
 fi
 # Uudecode should not be in the /etc/mail/aliases file.
+#
 if checkyesno check_aliases; then
 	for f in /etc/mail/aliases /etc/aliases; do
 		if [ -f $f ] && egrep '^[^#]*(uudecode|decode).*\|' $f; then
 			printf "\nEntry for uudecode in $f file.\n"
 		fi
 	done
 fi
 # Files that should not have + signs.
+#
 if checkyesno check_rhosts; then
 	list="/etc/hosts.equiv /etc/hosts.lpd"
 	for f in $list ; do
 		if [ -f $f ] && egrep '\+' $f > /dev/null ; then
 			printf "\nPlus sign in $f file.\n"
 		fi
 	done
 	# Check for special users with .rhosts files.  Only root and toor should
 	# have .rhosts files.  Also, .rhosts files should not have plus signs.
 	awk -F: '$1 != "root" && $1 != "toor" && \
 		($3 < 100 || $1 == "ftp" || $1 == "uucp") \
 			{ print $1 " " $9 }' $MP |
 	sort -k2 |
 	while read uid homedir; do
 		if [ -f ${homedir}/.rhosts ] ; then
 			rhost=$(ls -ldgT ${homedir}/.rhosts)
 			printf -- "$uid: $rhost\n"
 		fi
 	done > $OUTPUT
 	if [ -s $OUTPUT ] ; then
 		printf "\nChecking for special users with .rhosts files.\n"
 		cat $OUTPUT
 	fi
 	while read uid homedir; do
 		if [ -f ${homedir}/.rhosts ] &&
 		   [ -r ${homedir}/.rhosts ] &&
 		   cat -f ${homedir}/.rhosts | egrep '\+' > /dev/null
 		then
 			printf -- "$uid: + in .rhosts file.\n"
 		fi
 	done < $MPBYPATH > $OUTPUT
 	if [ -s $OUTPUT ] ; then
 		printf "\nChecking .rhosts files syntax.\n"
 		cat $OUTPUT
 	fi
 fi
 # Check home directories.  Directories should not be owned by someone else
 # or writable.
+#
 if checkyesno check_homes; then
 	checkyesno check_homes_permit_usergroups && \
 		permit_usergroups=1 || permit_usergroups=0
 	while read uid homedir; do
 		if [ -d ${homedir}/ ] ; then
 			file=$(ls -ldgT ${homedir})
 			printf -- "$uid $file\n"
 		fi
 	done < $MPBYPATH |
 	awk -v "usergroups=$permit_usergroups" \
 	    -v "permit_owners_list=$check_homes_permit_other_owner"  '
 	     BEGIN {
 		split(permit_owners_list, a);
 		for (i in a) permit_owners[a[i]]++;
+	     }
 	     $1 != $4 && $4 != "root" && !permit_owners[$1] \
 		{ print "user " $1 " home directory is owned by " $4 }
 	     $2 ~ /^d....w/ && (!usergroups || $5 != $1) \
 		{ print "user " $1 " home directory is group writable" }
 	     $2 ~ /^d.......w/ \
 		{ print "user " $1 " home directory is other writable" }' \
 	    > $OUTPUT
 	if [ -s $OUTPUT ] ; then
 		printf "\nChecking home directories.\n"
 		cat $OUTPUT
 	fi
 	# Files that should not be owned by someone else or readable.
 	list=".Xauthority .netrc .ssh/id_dsa .ssh/id_rsa .ssh/identity"
 	while read uid homedir; do
 		for f in $list ; do
 			file=${homedir}/${f}
 			if [ -f $file ] ; then
 				printf -- "$uid $f $(ls -ldgT $file)\n"
 			fi
 		done
 	done < $MPBYPATH |
 	awk -v "usergroups=$permit_usergroups" \
 	    -v "permit_owners_list=$check_homes_permit_other_owner"  '
 	     BEGIN {
 		split(permit_owners_list, a);
 		for (i in a) permit_owners[a[i]]++;
+	     }
 	     $1 != $5 && $5 != "root" && !permit_owners[$1] \
 		{ print "user " $1 " " $2 " file is owned by " $5 }
 	     $3 ~ /^-...r/ && (!usergroups || $6 != $1) \
 		{ print "user " $1 " " $2 " file is group readable" }
 	     $3 ~ /^-......r/ \
 		{ print "user " $1 " " $2 " file is other readable" }
 	     $3 ~ /^-....w/ && (!usergroups || $6 != $1) \
 		{ print "user " $1 " " $2 " file is group writable" }
 	     $3 ~ /^-.......w/ \
 		{ print "user " $1 " " $2 " file is other writable" }' \
 	    > $OUTPUT
 	# Files that should not be owned by someone else or writable.
 	list=".bash_history .bash_login .bash_logout .bash_profile .bashrc \
 	      .cshrc .emacs .exrc .forward .history .k5login .klogin .login \
 	      .logout .profile .qmail .rc_history .rhosts .shosts ssh .tcshrc \
 	      .twmrc .xinitrc .xsession .ssh/authorized_keys \
 	      .ssh/authorized_keys2 .ssh/config .ssh/id_dsa.pub \
 	      .ssh/id_rsa.pub .ssh/identity.pub .ssh/known_hosts \
 	      .ssh/known_hosts2"
 	while read uid homedir; do
 		for f in $list ; do
 			file=${homedir}/${f}
 			if [ -f $file ] ; then
 				printf -- "$uid $f $(ls -ldgT $file)\n"
 			fi
 		done
 	done < $MPBYPATH |
 	awk -v "usergroups=$permit_usergroups" \
 	    -v "permit_owners_list=$check_homes_permit_other_owner"  '
 	     BEGIN {
 		split(permit_owners_list, a);
 		for (i in a) permit_owners[a[i]]++;
+	     }
 	     $1 != $5 && $5 != "root" && !permit_owners[$1] \
 		{ print "user " $1 " " $2 " file is owned by " $5 }
 	     $3 ~ /^-....w/ && (!usergroups || $6 != $1) \
 		{ print "user " $1 " " $2 " file is group writable" }
 	     $3 ~ /^-.......w/ \
 		{ print "user " $1 " " $2 " file is other writable" }' \
 	    >> $OUTPUT
 	if [ -s $OUTPUT ] ; then
 		printf "\nChecking dot files.\n"
 		cat $OUTPUT
 	fi
 fi
 # Mailboxes should be owned by user and unreadable.
+#
 if checkyesno check_varmail; then
 	ls -lA /var/mail | \
 	awk '	NR == 1 { next; }
 		$9 ~ /^\./ {next; }
 	    	$3 != $9 {
 			print "user " $9 " mailbox is owned by " $3
+		}
 		$1 != "-rw-------" {
 			print "user " $9 " mailbox is " $1 ", group " $4
 		}' > $OUTPUT
 	if [ -s $OUTPUT ] ; then
 		printf "\nChecking mailbox ownership.\n"
 		cat $OUTPUT
 	fi
 fi
 # NFS exports shouldn't be globally exported
+#
 if checkyesno check_nfs && [ -f /etc/exports ]; then
 	awk '{
 		# ignore comments and blank lines
 		if ($0 ~ /^\#/ || $0 ~ /^$/ )
 			next;
 		# manage line continuation
 		while ($NF ~ /^\\$/) {
 			$NF = "";
 			line = $0 "";
 			getline;
 			$0 = line $0 "";
+		}
 		delete dir;
 		readonly = ndir = 0;
 		for (i = 1; i <= NF; ++i) {
 			if ($i ~ /^\//) dir[ndir++] = $i;
 			else if ($i ~ /^-/) {
 				if ($i ~ /^-(ro|o)$/) readonly = 1;
 				if ($i ~ /^-network/) next;
+			}
 			else next;
+		}
 		if (readonly)
 			for (item in dir)
 				rodir[nrodir++] = dir[item];
 		else
 			for (item in dir)
 				rwdir[nrwdir++] = dir[item];
+	}
 	END {
 		if (nrodir) {
 			printf("Globally exported file system%s, read-only:\n",
 				nrodir > 1 ? "s" : "");
 			for (item in rodir)
 				printf("\t%s\n", rodir[item]);
+		}
 		if (nrwdir) {
 			printf("Globally exported file system%s, read-write:\n",
 				nrwdir > 1 ? "s" : "");
 			for (item in rwdir)
 				printf("\t%s\n", rwdir[item]);
+		}
 	}' < /etc/exports > $OUTPUT
 	if [ -s $OUTPUT ] ; then
 		printf "\nChecking for globally exported file systems.\n"
 		cat $OUTPUT
 	fi
 fi
 # Display any changes in setuid files and devices.
+#
 if checkyesno check_devices; then
 	> $ERR
+	(
 	# Convert check_devices_ignore_fstypes="foo !bar bax"
 	#    into "-fstype foo -o ! -fstype bar -o -fstype bax"
 	# and check_devices_ignore_paths="/foo !/bar /bax"
 	#    into " -path /foo -o ! -path /bar -o -path /bax"
+	#
 	ignexpr=$(\
 	    echo $check_devices_ignore_fstypes | \
 		sed -e's/\(!*\)\([^[:space:]]\{1,\}\)/-o \1 -fstype \2/g' ; \
 	    echo $check_devices_ignore_paths | \
 		sed -e's/\(!*\)\([^[:space:]]\{1,\}\)/-o \1 -path \2/g' \
+	)
 	# Massage the expression into ( $ignexpr ) -a -prune -o
 	if [ -n "${ignexpr}" ]; then
 		ignexpr=$(\
 			echo $ignexpr | \
 			    sed -e 's/^-o /( /' \
 				-e 's/$/ ) -a -prune -o/' \
+		)
 	fi
 	find / $ignexpr \
 	    \( \( -perm -u+s -a ! -type d \) -o \
 	       \( -perm -g+s -a ! -type d \) -o \
 	       -type b -o -type c \) -print0 | \
 	xargs -0 ls -ldgTq | sort +9 > $LIST
 	) 2> $OUTPUT
 	# Display any errors that occurred during system file walk.
 	if [ -s $OUTPUT ] ; then
 		printf "Setuid/device find errors:\n" >> $ERR
 		cat $OUTPUT >> $ERR
 		printf "\n" >> $ERR
 	fi
 	# Display any changes in the setuid file list.
 	egrep -v '^[bc]' $LIST > $TMP1
 	if [ -s $TMP1 ] ; then
 		# Check to make sure uudecode isn't setuid.
 		if grep -w uudecode $TMP1 > /dev/null ; then
 			printf "\nUudecode is setuid.\n" >> $ERR
 		fi
 		file=$work_dir/setuid
 		migrate_file "$backup_dir/setuid" "$file"
 		CUR=${file}.current
 		BACK=${file}.backup
 		if [ -s $CUR ] ; then
 			if cmp -s $CUR $TMP1 ; then
+				:
 			else
 				> $TMP2
 				join -110 -210 -v2 $CUR $TMP1 > $OUTPUT
 				if [ -s $OUTPUT ] ; then
 					printf "Setuid additions:\n" >> $ERR
 					tee -a $TMP2 < $OUTPUT >> $ERR
 					printf "\n" >> $ERR
 				fi
 				join -110 -210 -v1 $CUR $TMP1 > $OUTPUT
 				if [ -s $OUTPUT ] ; then
 					printf "Setuid deletions:\n" >> $ERR
 					tee -a $TMP2 < $OUTPUT >> $ERR
 					printf "\n" >> $ERR
 				fi
 				sort -k10 $TMP2 $CUR $TMP1 | \
 				    sed -e 's/[	 ][	 ]*/ /g' | \
 				    uniq -u > $OUTPUT
 				if [ -s $OUTPUT ] ; then
 					printf "Setuid changes:\n" >> $ERR
 					column -t $OUTPUT >> $ERR
 					printf "\n" >> $ERR
 				fi
 				backup_file update $TMP1 $CUR $BACK
 			fi
 		else
 			printf "Setuid additions:\n" >> $ERR
 			column -t $TMP1 >> $ERR
 			printf "\n" >> $ERR
 			backup_file add $TMP1 $CUR $BACK
 		fi
 	fi
 	# Check for block and character disk devices that are readable or
 	# writable or not owned by root.operator.
 	>$TMP1
 	DISKLIST="ccd ch hk hp ld md ra raid rb rd rl rx \
 	    sd se ss uk up vnd wd xd xy"
 #	DISKLIST="$DISKLIST ct mt st wt"
 	for i in $DISKLIST; do
 		egrep "^b.*/${i}[0-9][0-9]*[a-p]$"  $LIST >> $TMP1
 		egrep "^c.*/r${i}[0-9][0-9]*[a-p]$"  $LIST >> $TMP1
 	done
 	awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \
 		{ printf "Disk %s is user %s, group %s, permissions %s.\n", \
 		    $11, $3, $4, $1; }' < $TMP1 > $OUTPUT
 	if [ -s $OUTPUT ] ; then
 		printf "\nChecking disk ownership and permissions.\n" >> $ERR
 		cat $OUTPUT >> $ERR
 		printf "\n" >> $ERR
 	fi
 	# Display any changes in the device file list.
 	egrep '^[bc]' $LIST | sort -k11 > $TMP1
 	if [ -s $TMP1 ] ; then
 		file=$work_dir/device
 		migrate_file "$backup_dir/device" "$file"
 		CUR=${file}.current
 		BACK=${file}.backup
 		if [ -s $CUR ] ; then
 			if cmp -s $CUR $TMP1 ; then
+				:
 			else
 				> $TMP2
 				join -111 -211 -v2 $CUR $TMP1 > $OUTPUT
 				if [ -s $OUTPUT ] ; then
 					printf "Device additions:\n" >> $ERR
 					tee -a $TMP2 < $OUTPUT >> $ERR
 					printf "\n" >> $ERR
 				fi
 				join -111 -211 -v1 $CUR $TMP1 > $OUTPUT
 				if [ -s $OUTPUT ] ; then
 					printf "Device deletions:\n" >> $ERR
 					tee -a $TMP2 < $OUTPUT >> $ERR
 					printf "\n" >> $ERR
 				fi
 				# Report any block device change. Ignore
 				# character devices, only the name is
 				# significant.
 				cat $TMP2 $CUR $TMP1 | \
 				    sed -e '/^c/d' | \
 				    sort -k11 | \
 				    sed -e 's/[	 ][	 ]*/ /g' | \
 				    uniq -u > $OUTPUT
 				if [ -s $OUTPUT ] ; then
 					printf "Block device changes:\n" >> $ERR
 					column -t $OUTPUT >> $ERR
 					printf "\n" >> $ERR
 				fi
 				backup_file update $TMP1 $CUR $BACK
 			fi
 		else
 			printf "Device additions:\n" >> $ERR
 			column -t $TMP1 >> $ERR
 			printf "\n" >> $ERR
 			backup_file add $TMP1 $CUR $BACK >> $ERR
 		fi
 	fi
 	if [ -s $ERR ] ; then
 		printf "\nChecking setuid files and devices:\n"
 		cat $ERR
 		printf "\n"
 	fi
 fi
 # Check special files.
 # Check system binaries.
+#
 # Create the mtree tree specifications using:
 #	mtree -cx -pDIR -kmd5,uid,gid,mode,nlink,size,link,time > DIR.secure
 #	chown root:wheel DIR.secure
 #	chmod u+r,go= DIR.secure
+#
 # Note, this is not complete protection against Trojan horsed binaries, as
 # the hacker can modify the tree specification to match the replaced binary.
 # For details on really protecting yourself against modified binaries, see
 # the mtree(8) manual page.
+#
 if checkyesno check_mtree; then
 	if checkyesno check_mtree_follow_symlinks; then
 		check_mtree_flags="-L"
 	else
 		check_mtree_flags=""
 	fi
 	mtree -e -l -p / $check_mtree_flags -f $SPECIALSPEC 3>&1 >$OUTPUT 2>&3 |
 		grep -v '^mtree: dev/tty: Device not configured$' >&2
 	if [ -s $OUTPUT ]; then
 		printf "\nChecking special files and directories.\n"
 		cat $OUTPUT
 	fi
 	for file in /etc/mtree/*.secure; do
 		[ $file = '/etc/mtree/*.secure' ] && continue
 		tree=$(sed -n -e '3s/.* //p' -e 3q $file)
 		mtree $check_mtree_flags -f $file -p $tree > $TMP1
 		if [ -s $TMP1 ]; then
 			printf "\nChecking $tree:\n"
 			cat $TMP1
 		fi
 	done > $OUTPUT
 	if [ -s $OUTPUT ]; then
 		printf "\nChecking system binaries:\n"
 		cat $OUTPUT
 	fi
 fi
 # Backup disklabels of available disks
+#
 if checkyesno check_disklabels; then
 		# migrate old disklabels
 	for file in $(ls -1d $backup_dir/$backup_dir/disklabel.* \
 	    $backup_dir/disklabel.* 2>/dev/null); do
 		migrate_file "$file" "$work_dir/${file##*/}"
 	done
 		# generate list of old disklabels, fdisks & wedges,
 		# and remove them
 	ls -1d $work_dir/disklabel.* $work_dir/fdisk.* $work_dir/wedges.* \
 >/dev/null |
 	    egrep -v '\.(backup|current)(,v)?$' > $LABELS
 	xargs rm < $LABELS
 	disks="$(/sbin/sysctl -n hw.iostatnames)"
 		# generate disklabels of all disks excluding:	cd fd md dk st
 		# nfs and "device" (the header of iostat)
 	for i in $disks; do
 		case $i in
 		[cfm]d[0-9]*|dk[0-9]*|st[0-9]*|nfs[0-9]*)
 			;;
 		*)
 			if disklabel $i > /dev/null 2>&1; then
 				disklabel $i > "$work_dir/disklabel.$i"
 			fi
 			;;
 		esac
 	done
 		# if fdisk is available, generate fdisks for:	ed ld sd wd
 	if [ -x /sbin/fdisk ]; then
 		for i in $disks; do
 			case $i in
 			[elsw]d[0-9]*)
 				/sbin/fdisk $i > "$work_dir/fdisk.$i" \
 >/dev/null
 				;;
 			esac
 		done
 	fi
 		# if dkctl is available, generate dkctl listwedges
 		# for:	ed ld sd wd cgd ofdisk ra rl raid
 	if [ -x /sbin/dkctl ]; then
 		for i in $disks; do
 			case $i in
 			[elsw]d[0-9]*|cgd[0-9]*|ofdisk[0-9]*|r[al][0-9]*|raid[0-9]*)
 				if /sbin/dkctl $i listwedges |
 				     grep -qe '[0-9] wedges:'; then
 					/sbin/dkctl $i listwedges \
 					    > "$work_dir/wedges.$i" 2>/dev/null
 				fi
 				;;
 			esac
 		done
 	fi
 		# if raidctl is available, generate raidctls for:	raid
 	if [ -x /sbin/raidctl ]; then
 		disks=$(iostat -x | awk 'NR > 1 && $1 ~ /^raid/ { print $1; }')
 		for i in $disks; do
 			/sbin/raidctl -G $i > "$work_dir/raidconf.$i" \
 >/dev/null
 		done
 	fi
 		# append list of new disklabels, fdisks and wedges
 	ls -1d $work_dir/disklabel.* $work_dir/fdisk.* $work_dir/wedges.* \
 	    $work_dir/raidconf.* 2>/dev/null |
 	    egrep -v '\.(backup|current)(,v)?$' >> $LABELS
 	CHANGELIST="$LABELS $CHANGELIST"
 fi
 if checkyesno check_lvm; then
 		# generate list of existing LVM elements Physical Volumes,
 		# Volume Groups and Logical Volumes.
 	if [ -x /sbin/lvm ]; then
 		lvm pvdisplay -m >"$work_dir/lvm.pv" 2>/dev/null
 		lvm vgdisplay -m >"$work_dir/lvm.vg" 2>/dev/null
 		lvm lvdisplay -m >"$work_dir/lvm.lv" 2>/dev/null
 	fi
 	ls -1d $work_dir/lvm.* 2>/dev/null |
 	    egrep -v '\.(backup|current)(,v)?$'>> $LVM_LABELS
 	CHANGELIST="$CHANGELIST $LVM_LABELS"
 fi
 # Check for changes in the list of installed pkgs
+#
 if checkyesno check_pkgs && have_pkgs; then
 	pkgs=$work_dir/pkgs
 	migrate_file "$backup_dir/pkgs" "$pkgs"
 	pkg_dbdir=$(${pkg_admin} config-var PKG_DBDIR)
 	: ${pkg_dbdir:=/var/db/pkg}
 	(	cd $pkg_dbdir
 		$pkg_info | sort
 		echo ""
 		find . \( -name +REQUIRED_BY -o -name +CONTENTS \) -print0 |
 			xargs -0 ls -ldgTq | sort -t. +1 | sed -e 's, \./, ,'
 	 ) > $pkgs
 	echo "$pkgs" > $PKGS
 	CHANGELIST="$PKGS $CHANGELIST"
 fi
 # List of files that get backed up and checked for any modifications.
 # Any changes cause the files to rotate.
+#
 if checkyesno check_changelist ; then
 	mtree -D -k type -f $SPECIALSPEC -E exclude |
 	    sed '/^type=file/!d ; s/type=file \.//' | unvis > $CHANGEFILES
+	(
 		# Add other files which might dynamically exist:
 		#	/etc/ifconfig.*
 		#	/etc/raid*.conf
 		#	/etc/rc.d/*
 		#	/etc/rc.conf.d/*
+		#
 		echo "/etc/ifconfig.*"
 		echo "/etc/raid*.conf"
 		echo "/etc/rc.d/*"
 		echo "/etc/rc.conf.d/*"
 		echo "/etc/lvm/backup/*"
 		echo "/etc/lvm/archive/*"
 		# Add /etc/changelist
+		#
 		if [ -s /etc/changelist ]; then
 			grep -v '^#' /etc/changelist
 		fi
 	) | while read file; do
 		case "$file" in
 		*[\*\?\[]*)	# If changelist line is a glob ...
 				# ... expand possible backup files
+				#
 			ls -1d $backup_dir/${file}.current 2>/dev/null \
 			    | sed "s,^$backup_dir/,, ; s,\.current$,,"
 				# ... expand possible files
+				#
 			ls -1d $file 2>/dev/null
 			;;
 		*)
 				# Otherwise, just print the filename
 			echo $file
 			;;
 		esac
 	done >> $CHANGEFILES
 	CHANGELIST="$CHANGEFILES $CHANGELIST"
 fi
 # Save entropy to ${random_file} if defined, like
 # /etc/rc.d/random_seed.
+#
 if [ -n "${random_file:-}" ]; then
 	rndctl -S "$random_file"
 fi
 # Special case backups, including the master password file and
 # ssh private host keys. The normal backup mechanisms for
 # $check_changelist (see below) also print out the actual file
 # differences and we don't want to do that for these files
+#
 echo $MP > $TMP1			# always add /etc/master.passwd
 mtree -D -k type -f $SPECIALSPEC -I nodiff |
     sed '/^type=file/!d ; s/type=file \.//' | unvis >> $TMP1
 grep -v '^$' $TMP1 | sort -u > $TMP2
 while read file; do
 	backup_and_diff "$file" no
 done < $TMP2
 if [ -n "$CHANGELIST" ]; then
 	grep -h -v '^$' $CHANGELIST | sort -u > $TMP1
 	comm -23 $TMP1 $TMP2 | while read file; do
 		backup_and_diff "$file" yes
 	done
 fi
 if have_pkgs; then
 	if checkyesno check_pkg_vulnerabilities; then
 		${pkg_admin} ${_compat_K_flag} audit >${OUTPUT} 2>&1
 		if [ -s ${OUTPUT} ]; then
 			printf "\nInstalled vulnerable packages:\n"
 			cat ${OUTPUT}
 		fi
 	fi
 	if checkyesno check_pkg_signatures; then
 		${pkg_admin} ${_compat_K_flag} check >${OUTPUT} 2>&1
 		if [ $? -ne 0 ]; then
 			printf "\nFiles with invalid signatures:\n"
 			cat ${OUTPUT}
 		fi
 	fi
 fi
 if [ -f /etc/security.local ]; then
 	. /etc/security.local > $OUTPUT 2>&1
 	if [ -s $OUTPUT ] ; then
 		printf "\nRunning /etc/security.local:\n"
 		cat $OUTPUT
 	fi
 fi

 @@ -1,48 +1,50 @@
-#	$NetBSD: security.conf,v 1.26 2013/11/06 19:37:05 spz Exp $
+#	$NetBSD: security.conf,v 1.27 2019/12/06 14:43:29 riastradh Exp $
+#
 # /etc/defaults/security.conf --
 #	default configuration of /etc/security.conf
+#
 # see security.conf(5) for more information.
+#
 # DO NOT EDIT THIS FILE DIRECTLY; IT MAY BE REPLACED DURING A SYSTEM UPGRADE.
 # EDIT /etc/security.conf INSTEAD.
+#
 check_passwd=YES
 check_group=YES
 check_rootdotfiles=YES
 check_ftpusers=YES
 check_aliases=YES
 check_rhosts=YES
 check_homes=YES
 check_varmail=YES
 check_nfs=YES
 check_devices=YES
 check_mtree=YES
 check_disklabels=YES
 check_pkgs=YES
 check_changelist=YES
 check_lvm=NO
 check_pkg_vulnerabilities=YES
 check_pkg_signatures=YES
 backup_dir=/var/backups
 backup_uses_rcs=YES
 diff_options=-u
 check_homes_permit_usergroups=NO
 check_homes_permit_other_owner=""
 check_devices_ignore_fstypes="!local fdesc kernfs null procfs ptyfs ntfs msdos"
 check_devices_ignore_paths=""
 check_mtree_follow_symlinks=NO
 check_passwd_nowarn_shells="/sbin/nologin"
 check_passwd_nowarn_users=""
 check_passwd_permit_dups="toor"
 check_passwd_permit_star=NO
 check_passwd_permit_nonalpha=NO
 max_loginlen=16
 max_grouplen=16
 random_file=/var/db/entropy-file

 @@ -1,318 +1,329 @@
-.\"	$NetBSD: security.conf.5,v 1.40 2013/11/06 19:37:06 spz Exp $
+.\"	$NetBSD: security.conf.5,v 1.41 2019/12/06 14:43:30 riastradh Exp $
 .\"
 .\" Copyright (c) 1996 Matthew R. Green
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\" 1. Redistributions of source code must retain the above copyright
 .\"    notice, this list of conditions and the following disclaimer.
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
 .\"
 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 .\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 .\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
 .\" AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 .\" OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
 .Dd April 5, 2012
 .Dt SECURITY.CONF 5
 .Os
 .Sh NAME
 .Nm security.conf
 .Nd daily security check configuration file
 .Sh DESCRIPTION
 The
 .Nm
 file specifies which of the standard
 .Pa /etc/security
 services are performed.
 The
 .Pa /etc/security
 script is run, by default, every night from
 .Pa /etc/daily ,
 on a
 .Nx
 system, if configured do to so from
 .Pa /etc/daily.conf .
 .Pp
 The variables described below can be set to "NO" to disable the test:
 .Bl -tag -width check_pkg_vulnerabilities
 .It Sy check_passwd
 This checks the
 .Pa /etc/master.passwd
 file for inconsistencies.
 .It Sy check_group
 This checks the
 .Pa /etc/group
 file for inconsistencies.
 .It Sy check_rootdotfiles
 This checks the root users startup files for sane settings of $PATH
 and umask.
 This test is not fail safe and any warning generated from
 this should be checked for correctness.
 .It Sy check_ftpusers
 This checks that the correct users are in the
 .Pa /etc/ftpusers
 file.
 .It Sy check_aliases
 This checks for security problems in the
 .Pa /etc/mail/aliases
 file.
 For backward compatibility,
 .Pa /etc/aliases
 will be checked as well if exists.
 .It Sy check_rhosts
 This checks for system and user rhosts files with "+" in them.
 .It Sy check_homes
 This checks that home directories are owned by the correct user,
 and have appropriate permissions.
 .It Sy check_varmail
 This checks that the correct user owns mail in
 .Pa /var/mail ,
 and that the mail box has the right permissions.
 .It Sy check_nfs
 This checks that the
 .Pa /etc/exports
 file does not export filesystems to the world.
 .It Sy check_devices
 This checks for changes to devices and setuid files.
 .It Sy check_mtree
 This runs
 .Xr mtree 8
 to ensure that the system is installed correctly.
 The following configuration files are checked:
 .Bl -tag -width 4n
 .It Pa /etc/mtree/special
 Default files to check.
 .It Pa /etc/mtree/special.local
 Local site additions and overrides.
 .It Pa /etc/mtree/DIR.secure
 Specification for the directory
 .Pa DIR .
 .El
 .It Sy check_disklabels
 Backup text copies of the disklabels of available disk drives into
 .Pa /var/backups/work/disklabel.XXX ,
 and display any differences in those and the previous copies
 as per
 .Sy check_changelist
 below.
 If
 .Xr fdisk 8
 is available on the current platform, the output of
 .Pa /sbin/fdisk
 for each available disk drive is stored in
 .Pa /var/backups/work/fdisk.XXX ,
 and any differences displayed as per the disklabels.
 .It Sy check_pkgs
 This stores a list of all installed pkgs into
 .Pa /var/backups/work/pkgs
 and checks it for any changes.
 .It Sy check_changelist
 This determines a list of files from the contents of
 .Pa /etc/changelist ,
 and the output of
 .Ic mtree -D
 for
 .Pa /etc/mtree/special
 and
 .Pa /etc/mtree/special.local .
 For each file in the list it compares the files with their backups in
 .Pa /var/backups/file.current
 and
 .Pa /var/backups/file.backup ,
 and displays any differences found.
 The following
 .Xr mtree 8
 .Sy tags
 modify how files are determined from
 .Pa /etc/mtree/special
 and
 .Pa /etc/mtree/special.local :
 .Bl -tag -width exclude -offset indent
 .It exclude
 The entry is ignored; no backups are made and the differences are not
 displayed.
 This includes dynamic or binary files such as
 .Pa /var/run/utmp .
 .It nodiff
 The entry is backed up but the differences are not displayed because
 the contents of the file are sensitive.
 This includes files such as
 .Pa /etc/master.passwd .
 .El
 .It Sy check_pkg_vulnerabilities
 Checks the currently installed packages against a database of known
 vulnerabilities and reports those that are vulnerable.
 Check the
 .Sy fetch_pkg_vulnerabilities
 setting in
 .Xr daily.conf 5
 to keep the database up to date.
 .It Sy check_pkg_signatures
 Checks the digital signature of all files installed by packages against
 the expected values stored in the packages database.
 .El
 .Pp
 The variables described below can be set to modify the tests:
 .Bl -tag -width check_network
 .It Sy check_homes_permit_usergroups
 During the
 .Sy check_homes
 phase, allow the checked files to be group-writable if the group name is
 the same as the username.
 .It Sy check_homes_permit_other_owner
 During the
 .Sy check_homes
 phase, allow the home directory and files of the listed users to be owned
 by a different user.
 .It Sy check_devices_ignore_fstypes
 Lists filesystem types to ignore during the
 .Sy check_devices
 phase.
 Prefixing the type with a
 .Sq \&!
 inverts the match.
 For example,
 .Ql procfs !local
 will ignore
 .Ql procfs
 type filesystems and filesystems that are not
 .Ql local .
 .It Sy check_devices_ignore_paths
 Lists pathnames to ignore during the
 .Sy check_devices
 phase.
 Prefixing the path with a
 .Sq \&!
 inverts the match.
 For example,
 .Ql /tftp
 will ignore paths under
 .Pa /tftp
 while
 .Ql !/home
 will ignore paths that are not under
 .Pa /home .
 .It Sy check_mtree_follow_symlinks
 During the
 .Sy check_mtree
 phase, instruct mtree to follow symbolic links.
 Please note, this may cause the
 .Sy check_mtree
 phase to report errors for entries for these symbolic links (i.e. of
 type=link in the mtree specification) as they will always appear to be plain
 files for the purposes of the check.
 .Pa /etc/mtree/special.local
 may be used to override the checks for the affected links.
 .It Sy check_passwd_nowarn_shells
 If
 .Sy check_passwd
 is enabled, most warnings will be suppressed for entries whose shells
 are listed in this space-separated list.
 This is of particular value when those shells are not in
 .Pa /etc/shells .
 .It Sy check_passwd_nowarn_users
 If
 .Sy check_passwd
 is enabled, suppress warnings for these users.
 .It Sy check_passwd_permit_dups
 If
 .Sy check_passwd
 is enabled, do not warn about duplicate uids for the listed login names.
 .It Sy check_passwd_permit_nonalpha
 If
 .Sy check_passwd
 is enabled, do not warn about login names which use non-alphanumeric
 characters.
 .It Sy check_passwd_permit_star
 If
 .Sy check_passwd
 is enabled, do not warn about password fields set to
 .Dq * .
 Note that the use of password fields such as
 .Dq *ssh
 is encouraged, instead.
 .It Sy max_grouplen
 If
 .Sy check_group
 is enabled, this determines the maximum permitted length of group names.
 .It Sy max_loginlen
 If
 .Sy check_passwd
 is enabled, this determines the maximum permitted length of login names.
 .It Sy backup_dir
 Change the backup directory from
 .Pa /var/backup .
 .It Sy diff_options
 Specify the options passed to
 .Xr diff 1
 when it is invoked to show changes made to system files.
 Defaults to
 .Dq -u ,
 for unified-format context-diffs.
 .It Sy pkgdb_dir
 .Em DEPRECATED .
 Please set
 .Dv PKGDB_DIR
 in
 .Xr pkg_install.conf 5
 instead.
 .Pp
 If defined, points to the location of the packages database.
 Defaults to
 .Pa /var/db/pkg .
 .It Sy backup_uses_rcs
 Use
 .Xr rcs 1
 for maintaining backup copies of files noted in
 .Sy check_devices ,
 .Sy check_disklabels ,
 .Sy check_pkgs ,
 and
 .Sy check_changelist
 instead of just keeping a current copy and a backup copy.
 .It Sy random_file
 Name of the entropy seed file used at boot.
 Default is
 .Pa /var/db/entropy-file
 as used by
 .Pa /etc/rc.d/random_seed .
 Set
 .Sy random_file
 to empty to disable saving a seed every time
 .Pa /etc/security
 runs.
 .El
 .Sh FILES
 .Bl -tag -width /etc/defaults/security.conf -compact
 .It Pa /etc/defaults/security.conf
 defaults for /etc/security.conf
 .It Pa /etc/security
 daily security check script
 .It Pa /etc/security.conf
 daily security check configuration
 .It Pa /etc/security.local
 local site additions to
 .Pa /etc/security
 .El
 .Sh SEE ALSO
 .Xr daily.conf 5
 .Sh HISTORY
 The
 .Nm
 file appeared in
 .Nx 1.3 .
 The
 .Sy check_disklabels
 functionality was added in
 .Nx 1.4 .
 The
 .Sy backup_uses_rcs
 and
 .Sy check_pkgs
 features were added in
 .Nx 1.6 .
 .Sy diff_options
 appeared in
 .Nx 2.0 ;
 prior to that, traditional-format (context free) diffs were generated.