sectool(8)                Linux System Administration               sectool(8)



NAME
       sectool - a security checking tool

SYNOPSIS
       sectool [OPTION] ACTION [ARGUMENTS]

DESCRIPTION
       sectool is a utility that can scan your system for various security
       flaws or misconfigurations. sectool contains a collection of individual
       tests, each of which is able to check for a specific vulnerability.


OPTIONS
       -d, --debug
              turn on debug mode

       -n, --hint
              if available, show hints for warnings, errors and failures

       -c, --config CONFIG
              specify a different config file. By default, sectool reads
              /etc/sectool/sectool.conf

       -m, --mail ADDRESS
              send a report with the results of this run to ADDRESS. See the
              documentation on sectool.conf for more details.

       -f, --diff
              if a result of a previous run exists, print only a diff against
              that run

       --include [TESTS]
              This option is only valid together with -L/--level. All tests
              that are specified will be run in addition to the tests in that
              level, even though they might not be defined in that level.
              These tests will run with default settings.

       --exclude [TESTS]
              Exclude tests from running in a level. This option is only valid
              together with -L/--level.

       --use-dbus
              This option enables using DBus. DBus is useful when PolicyKit is
              installed and improves the authorization process.


ACTIONS
       -v, --version
              print version info

       -h, --help
              print help message and exit

       -l, --list [TEST]
              list all known tests (or only those matching TEST)

       -i, --info TEST
              print info about a specific test(s)

       -L, --level [LEVEL]
              run all known tests on a certain level.

       -r, --run TEST
              run a specific test(s). This option can be used together with
              --level to specify the level at which the tests run.

       -a, --auto
              run tests or level as specified in the config file

       --clean
              remove any records of the last run

       --refresh-test
              removes any data owned by a test and runs it just to recreate
              that data


GLOBBING AND PATHS
       Some actions (namely --run, --refresh-test, --info and --list) support
       shell-like globbing. An asterisk (*) can be substituted for a series of
       characters. For example, to list all tests that contain "home", you
       can run

              # sectool --list \*home\*

       The asterisks are escaped so that the shell passes them to sectool
       unchanged instead of expanding them against the current directory.

       The tests are loaded from a directory specified in the config files.
       Alternatively, if the argument contains a path separator (/), sectool
       treats the argument as a path to a test.


LEVELS
       sectool has a concept of levels that define how strict the checks
       should be. The levels range from 1 (low security) to 5 (paranoid). The
       default level is 3 (a typical computer connected directly to the
       Internet). A level can be specified either by its integer or by its
       name. The names of the levels are as follows:

              level   name
              -----   -----
              1       Naive
              2       Desktop
              3       Network
              4       Server
              5       Paranoid


CONFIGURATION
       The configuration file is stored in /etc/sectool/sectool.conf.


EXAMPLES
       list all tests

              sectool --list

       list tests that contain a certain string

              sectool --list \*tring\*

       print information about a test named path

              sectool --info path

       check your system on level 4

              sectool --level 4

       run all tests in level 3, but not path

              sectool --level 3 --exclude path

       run all tests in level 1, and also suid and netserv with default
       settings

              sectool --level 1 --include suid netserv

       run all tests that start with home

              sectool --run home\*

       run all tests that start with home at level 3

              sectool --run home\* --level 3

       run a test located by path rather than in the shared repository

              sectool --run ../my_tests/test.dsc

       see if there have been any changes since the last time a test was run

              sectool --run suid --diff

       send an email report about a run

              sectool --level 5 --mail admin@mydomain.com


FILES
       /etc/sectool/sectool.conf
              Configuration file

       /etc/sectool/tests
              Test directory with description files (.dsc files)

       /etc/share/sectool/tests
              Test directory with source files

       /var/log/sectool.log
              Log file, where sectool stores output from tests

BUGS
       Of course there are no bugs. If you still believe you have found one,
       please include a session with debug information turned on (option
       --debug).


AUTHORS
       Maros Barabas, Jakub Hrozek, Dan Kopecek, Michel Samia, Peter Vrabec



Version 0.8.6                  15 November 2007                     sectool(8)