sectool

Section: Linux System Administration (8)
Updated: 15 November 2007
Page Index
 

NAME

sectool - a security checking tool  

SYNOPSIS

sectool [OPTION] ACTION [ARGUMENTS]  

DESCRIPTION

sectool is a utility that can scan your system for various security flaws or misconfigurations. sectool contains a collection of individual tests, each of which is able to check for a specific vulnerability.

 

OPTIONS

-d, --debug
turn on debug mode
-n, --hint
if available, show hints for warnings, errors and failures
-c, --config CONFIG
specify a different config file. By default, sectool reads /etc/sectool/sectool.conf
-m, --mail ADDRESS
send a report with results of this run to ADDRESS. See the documentation on sectool.conf for more details.
-f, --diff
if a result of a previous run exists, print only a diff against that run
--include [TESTS]
This option is only valid together with -L/--level. All tests that are specified will be run in addition to the tests in that level even thought they might not be defined in that level. These tests will run with default settings.
--exclude [TESTS]
Exclude tests from running in a level. This option is only valid together with -L/--level.
--use-dbus
This option enables using DBus. DBus is useful with installed PolicyKit and improves authorization process.

 

ACTIONS

-v, --version
print version info
-h, --help
print help message and exit
-l, --list [TEST]
list all known tests
-i, --info TEST
print info about a specific test(s)
-L --level [LEVEL]
run all known tests on a certain level.
-r, --run TEST
run a specific test(s). This option can be used together with --level to specify the level at which the test run.
-a, --auto
run tests or level as specified in the config file
--clean
remove any records of the last run
--refresh-test
removes any data owned by a test and runs it just to recreate them

 

GLOBING AND PATHS

Some actions (namely --run , --refresh-test , --info and --list) support shell-like globbing. An asterisk (*) can be substituted for a series of characters. For example, to list all tests that contain "home", you can run

# sectool --list \*home\*

The tests are loaded from a directory specified in the config files. Alternatively, if the argument contains a path separator (/), sectool treats the argument as a path to a test.

 

LEVELS

sectool has a concept of levels that define how strict the checks should be. The levels range from 1 (low security) to 5 (paranoid). The default level is 3 (a typical computer connected directly to the Internet). The levels could be either specified by integer or the level name. The name for different levels are as follows:
level name
----- -----
1 Naive
2 Desktop
3 Network
4 Server
5 Paranoid

 

CONFIGURATION

The configuration file is stored in /etc/sectool/sectool.conf.

 

EXAMPLES


 list all tests 


        sectool --list


 list tests that contain a certain string 


        sectool --list tring


 print information about a test named path 


        sectool --info path


 check your system on level 4 


        sectool --level 4


 run all tests in level 3, but not path 


        sectool --level 3 --exclude path


 run all tests in level 1, and also suid and netserv with default settings


        sectool --level 1 --include suid netserv


 run all tests that start with home 


        sectool --run home\*


 run all tests that start with home at level 3


        sectool --run home\* --level 3


 run a test located by path rather that in the shared repository 


        sectool --run ../my_tests/test.dsc


 see if there has been any changes since last time a test was run


        sectool --run suid --diff


 send an email report about a run


        sectool --level 5 --mail admin@mydomain.com

 

FILES

/etc/sectool/sectool.conf
Configuration file
/etc/sectool/tests
Test directory with description files ( .dsc files )
/etc/share/sectool/tests
Test directory with source files
/var/log/sectool.log
Log file, where sectool stores output from tests
 

BUGS

Of course there are no bugs. If you still believe you have found one, please include a session with debug information turned on (option --debug).

 

AUTHORS

Maros Barabas, Jakub Hrozek, Dan Kopecek, Michel Samia, Peter Vrabec


 

Index

NAME
SYNOPSIS
DESCRIPTION
OPTIONS
ACTIONS
GLOBING AND PATHS
LEVELS
CONFIGURATION
EXAMPLES
FILES
BUGS
AUTHORS
LinuxReviews : manual page archive : man8