I have a couple of questions about the daily insecurity output. I have an anoncvs server, and as detailed in the docs, I set it up without a password. Every day, I get an email telling me:

Checking the /etc/master.passwd file:
Login anoncvs has no password.

This is of course correct operation, and I appreciate the strong and valid argument that it is a good thing that I am told this. Certainly I would want to know if there were any other accounts with no password. However, as this is the only output from the security checks, it means that if I could block the output for the null-password check, for just this one account, then I would not normally get an insecurity report. This would mean that when I *did* get an insecurity report, it would mean that some other issue had arisen, and I should pay attention.

As such, I ask is there a correct way to tell the system, for this one account, yes, I know, I'm okay with that, so that it will only email me if some other issue arises. If not, I will prefer to just keep having to read the same email every day, rather than reduce safety in some way.

My other question is very similar. On a different server, every day I get a similar message:

Checking the /etc/master.passwd file:
Login si1entdave is off but still has a valid shell and alternate access files in home directory are still readable.

Again, this is correct operation, and the system is as I would wish it. I have used vipw to stick a ! in my password hash field, so that the only ssh-enabled account can only be accessed using an ssh key, for better security. Once again, I would like to be able to specify in some way that yes, I know, only bother me when something I actually care about happens. As a workaround, is there a string I can put in the hash field that looks like a password hash, but cannot match any password?

In both these things, I am looking to improve the Signal-to-Noise ratio of these emails, but I would rather keep the Noise than risk losing some Signal :-)

Ta all,
Si1entDave