# # This is the checksecurity script configuration file # # These configuration variables mabye set: # # CHECKSECURITY_FILTER # CHECKSECURITY_NOFINDERRORS # CHECKSECURITY_DISABLE # CHECKSECURITY_NONFSAFS # # Each is described in it's own section below -- search for #### # as a section divider. # #### # # The CHECKSECURITY_FILTER variable is used as an argument to # "grep -vE" to filter lines from the output of the "mount" # command. # # The default is not check the following file systems: # # type proc # type msdos # type iso9660 # type ncpfs # type smbfs # type nfs # type afs # type auto (They'll typically be picked up on the nfs branch) # type ntfs # type coda (similar to afs) # # floppies (i.e. /dev/fd) # anything on /mnt # # Note that behaviour for nfs/afs has changed as of release -45. We # no longer run find across nfs/afs disks; instead we simply report # afs/nfs disks that are mounted insecurely (without -onosuid|noexec,nodev). # You can disable this report by going setting the CHECKSECURITY_NONFSAFS # variable below. # # Use temp variables to build up CHECKSECURITY_FILTER, to make it # a little more readable. # CS_NFSAFS='(nfs|afs|xfs|coda)' # Uncomment the next line to get the old behaviour. #CS_NFSAFS='(nfs|afs) \(.*(nosuid|noexec).*nodev.*\)' # CS_TYPES=' type (auto|proc|msdos|fat|vfat|iso9660|ncpfs|smbfs|ntfs|'$CS_NFSAFS')' # CS_DEVS='^/dev/fd' # CS_DIRS='on /mnt' # CHECKSECURITY_FILTER="$CS_TYPES|$CS_DEVS|$CS_DIRS" # # Clear the temporary variables # unset CS_NFSAFS CS_TYPES CS_DIRS # #### # # The CHECKSECURITY_NOFINDERRORS, if set to "TRUE" (case sensitive), # redirects any errors from the find command used in checksecurity # to /dev/null. # CHECKSECURITY_NOFINDERRORS="FALSE" #### # # The CHECKSECURITY_DISABLE, if set to "TRUE" (case sensitive), # disables the running of checksecurity # CHECKSECURITY_DISABLE="FALSE" #### # # The CHECKSECURITY_NONFSAFS, if set to "TRUE" (case sensitive), # disables the message about insecurely mounted nfs/afs disks # CHECKSECURITY_NONFSAFS="FALSE" #### # # Location of setuid file databases. Probably should # be in /var/lib/cron, but I don't want to move them now. After # the release, maybe. # LOGDIR=/var/log