sectool

Section: Linux System Administration (8)
Updated: 15 November 2007

NAME

sectool - a security checking tool  

SYNOPSIS

sectool [OPTION] ACTION [ARGUMENTS]  

DESCRIPTION

sectool is a utility that can scan your system for various security flaws or misconfigurations. sectool contains a collection of individual tests, each of which is able to check for a specific vulnerability.

OPTIONS

-d, --debug
turn on debug mode
-n, --hint
if available, show hints for warnings, errors and failures
-c, --config CONFIG
specify a different config file. By default, sectool reads /etc/sectool/sectool.conf
-m, --mail ADDRESS
send a report with the results of this run to ADDRESS. See the documentation on sectool.conf for more details.
-f, --diff
if a result of a previous run exists, print only a diff against that run
--include [TESTS]
This option is only valid together with -L/--level. All tests that are specified will be run in addition to the tests in that level, even though they might not be defined in that level. These tests will run with default settings.
--exclude [TESTS]
Exclude the specified tests from running in a level. This option is only valid together with -L/--level.
--use-dbus
This option enables using DBus. DBus is useful when PolicyKit is installed and improves the authorization process.

ACTIONS

-v, --version
print version info
-h, --help
print help message and exit
-l, --list [TEST]
list all known tests, or only those matching TEST
-i, --info TEST
print info about the specified test(s)
-L, --level [LEVEL]
run all known tests at a certain level
-r, --run TEST
run the specified test(s). This option can be used together with --level to specify the level at which the tests run.
-a, --auto
run the tests or the level specified in the config file
--clean
remove any records of the last run
--refresh-test
remove any data owned by a test and run it again just to recreate that data

GLOBBING AND PATHS

Some actions (namely --run, --refresh-test, --info and --list) support shell-like globbing. An asterisk (*) matches any sequence of characters. For example, to list all tests whose name contains "home", you can run

# sectool --list \*home\*

The backslashes keep the shell from expanding the asterisks against files in the current directory before sectool sees the pattern.

The tests are loaded from a directory specified in the config file. Alternatively, if the argument contains a path separator (/), sectool treats the argument as a path to a test.
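The two resolution rules above (a path separator means "this is a path to a test"; anything else is a glob matched against the names in the shared test directory), written out as an added POSIX shell illustration. This is not sectool's own code: the function name resolve_tests is hypothetical, and a constructed temporary directory of empty .dsc files stands in for the shared test repository.

```shell
#!/bin/sh
# Added illustration of sectool's test-resolution rules; not sectool's code.

# Build a constructed, throwaway test directory so the script runs offline.
# The test names are made up for the example.
make_test_dir() {
    dir=$(mktemp -d)
    for t in home_dirs home_perms suid netserv path; do
        : > "$dir/$t.dsc"
    done
    printf '%s\n' "$dir"
}

# resolve_tests TESTDIR PATTERN...
# Prints one resolved test per line.
# Rule 1: an argument containing "/" is taken as a path to a test file.
# Rule 2: any other argument is a glob, where "*" matches any sequence of
#         characters, matched against the test names in TESTDIR.
resolve_tests() {
    testdir=$1
    shift
    for pat in "$@"; do
        case $pat in
            */*)
                # Rule 1: path to a test description file.
                if [ -f "$pat" ]; then
                    printf '%s\n' "$pat"
                fi
                ;;
            *)
                # Rule 2: glob against names in the test directory.
                for f in "$testdir"/*.dsc; do
                    name=${f##*/}
                    name=${name%.dsc}
                    # An unquoted $pat in a case label is matched as a
                    # shell pattern, which gives exactly the "*" semantics
                    # the manual describes.
                    case $name in
                        $pat) printf '%s\n' "$name" ;;
                    esac
                done
                ;;
        esac
    done
}

# Stand-alone demonstration.
main() {
    d=$(make_test_dir)
    echo "tests containing 'home':"
    resolve_tests "$d" '*home*'
    echo "test by path:"
    resolve_tests "$d" "$d/suid.dsc"
    rm -rf "$d"
}

# Run the demo only when executed directly, not when sourced.
case $0 in
    *sh) ;;
    *) main ;;
esac
```

Note that the pattern is single-quoted inside a script for the same reason the manual escapes it with backslashes at an interactive prompt: an unquoted `*home*` would be expanded by the calling shell against the current directory, and sectool would never see the glob.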

LEVELS

sectool has a concept of levels that define how strict the checks should be. The levels range from 1 (low security) to 5 (paranoid). The default level is 3 (a typical computer connected directly to the Internet). A level can be specified either by its number or by its name. The level names are as follows:

level  name
-----  --------
1      Naive
2      Desktop
3      Network
4      Server
5      Paranoid

CONFIGURATION

The configuration file is stored in /etc/sectool/sectool.conf.

EXAMPLES

list all tests

        sectool --list

list tests whose name contains a certain string

        sectool --list \*tring\*

print information about a test named path

        sectool --info path

check your system at level 4

        sectool --level 4

run all tests in level 3, but not path

        sectool --level 3 --exclude path

run all tests in level 1, and also suid and netserv with default settings

        sectool --level 1 --include suid netserv

run all tests whose name starts with home

        sectool --run home\*

run all tests whose name starts with home at level 3

        sectool --run home\* --level 3

run a test located by path rather than in the shared repository

        sectool --run ../my_tests/test.dsc

see whether there have been any changes since the last time a test was run

        sectool --run suid --diff

send an email report about a run

        sectool --level 5 --mail admin@mydomain.com

FILES

/etc/sectool/sectool.conf
Configuration file
/etc/sectool/tests
Test directory with description files (.dsc files)
/etc/share/sectool/tests
Test directory with source files
/var/log/sectool.log
Log file, where sectool stores output from tests
BUGS

Of course there are no bugs. If you still believe you have found one, please include a session with debug information turned on (option --debug).

AUTHORS

Maros Barabas, Jakub Hrozek, Dan Kopecek, Michel Samia, Peter Vrabec