NAME

       jk_check - a utility that will check a jail for security problems

SYNOPSIS

       jk_check jail

       jk_check -v -c configfile jail

DESCRIPTION

       jk_check will run several tests on all files and directories in a jail. The tests are:

       -test for setuid (set user id) or setgid (set group id) files

       -test  for  file modifications, using an MD5 checksum on the file in the jail and the same
       file in the real root

       -test for group writable or world writable directories

       -test for matching user information in the jail and on the real system

       It will test directories based on the config file /etc/jailkit/jk_check.ini but also based
       on jail patterns (dir/./dir) found in the home directories in /etc/passwd

EXAMPLE

   Minimal configfile
       The most minimal configuration looks like:

       [/home/testchroot]

       This will include all the files and directories in /home/testchroot for testing.

   More extended configfile
       Often  you  want  to ignore some tests on some directories, the following configfile shows
       some examples:

       [/home/testchroot]
       ignorepatheverywhere =
       ignorepathoncompare = /home/testchroot/home, /home/testchroot/etc
       ignorewritableforgroup = /home/testchroot/home
       ignorewritableforothers = /home/testchroot/home/tmp
       ignoresetuidexecuteforuser = /home/testchroot/usr/bin/smbmnt
       ignoresetuidexecuteforgroup = /home/testchroot/usr/bin/smbmnt
       ignoresetuidexecuteforothers =

       ignorepatheverywhere
              no single test is performed in these directories. You should not  use  this  option
              unless you what you are doing.
       ignorepathoncompare
              files  in  listed  directories  are  not compared with their non-jail counterparts.
              Useful for directories like /etc/ and /home/ where you know you'll  have  different
              files inside the jail and outside the jail
       ignorewritableforgroup
              listed directories that are writable for the group are not reported
       ignorewritableforothers
              listed directories that are writable for others are not reported
       ignoresetuidexecuteforuser
              ignore  the  setuid  bit  on  a  file  that  is  executable for a user, a file with
              -rws------ permissions that is. Use with care! Remember that user  root  can  break
              out  of a jail, therefore any program running with root privileges is theoretically
              capable of breaking out of the jail!
       ignoresetuidexecuteforgroup
              ignore the setuid bit for a file that is executable for  the  group,  a  file  with
              -rws--x--- permissions that is.
       ignoresetuidexecuteforothers
              ignore  the  setuid  bit  for  a  file  that  is executable for others, a file with
              -rws--x--x permissions that is

OPTIONS

       -v     Will give verbose output

       -c configfile
              Use alternative configfile

       -h     The help screen

FILES

       /etc/jailkit/jk_check.ini

SEE ALSO

       jailkit(8) jk_chrootlaunch(8) jk_chrootsh(8) jk_cp(8) jk_init(8) jk_jailuser(8) jk_list(8)
       jk_lsh(8) jk_procmailwrapper(8) jk_socketd(8) jk_uchroot(8) jk_update(8) chroot(2)

COPYRIGHT

       Copyright (C) 2003, 2004, 2005, 2006, 2007, Olivier Sessink

       Copying  and distribution of this file, with or without modification, are permitted in any
       medium without royalty provided the copyright notice and this notice are preserved.