Last modified 9 years ago Last modified on 08/21/08 13:47:55


As we already mentioned, sectool is security tool that can be used both as a security audit as well as part of an intrusion detection system. It consist of the set of tests that perform host audit. The tests are sorted into 5 security levels, each level targeting different type of system and security awareness.

Security levels:

  1. Naive - pretty basic and short set of tests
  2. Desktop - set of tests prepared to run on box not connected to internet
  3. Network - standard client machine connected to internet
  4. Server - network server
  5. Paranoid - bunch of tests for paranoid admins

The tests print several type of messages during their execution. "Warning" and "Error" messages are used to inform about discovered security risks.

  • warning - something that admin should know about
  • error - issues that should be fixed

Then there are another two messages: "Hint" and "Info". These two are not print by default, so they need to be turned on.

  • hint - helps to find a way how to resolve discovered issue
  • info - provides information what does the test do at the moment

Every test run is finished with one of these results:

  • PASS - Everything went OK, no security risks were discovered
  • WARNING - only warning messages were print
  • ERROR - at least one security issue was discovered
  • FAIL - internal test problem appears, test can't be run


selinux ->
    Warning: Selinux is in Permissive mode.
    Info: Starting booleans change test
    selinux: WARNING

Sectool provides two user friendly front-ends:

  • sectool - text user interface
  • sectool-gui - graphical user interface

Command line usage


Get the help at the beginning.

# sectool --help

You want to list tests and security levels in which they run by default.

# sectool --list

Detailed test description.

# sectool --info home_dirs

Run security level "1" set of test.

# sectool --level 1

Run security level "1" set + "netserv" - "home_files" and "path"

# sectool --level 1 --include netserv --exclude home_files path

You can run just some specific tests in their default setting.

# sectool --run firewall home_files

If you combine "--run" and "--level" option, only selected tests will be run in their specific security level setting.

# sectool --level 3 --run disc_usage


There are tests that watch changes in your configuration. The first time they run only the current state is saved and following the warning is printed: "This is a first run of the test. Some parts of audit are skipped". Next time they run the new state is compared with the old one and differences are reported. Example: routing - check changes in routing table; selinux - check changes in selinux booleans setting. If you consider new state OK, you can refresh the test date by calling:

# sectool --refresh-test selinux


Some tests also provide hint messages to certain errors and warning they have reported.

# sectool --run home_dirs --hint


The results of the audit can be emailed.

# sectool --level 1 --mail


If you have already run some tests before and you only want to be informed about changes in results next time, use "-diff" option.

# sectool --run selinux --diff

Erase the results stored in the last run.

# sectool --clean


If you run sectool regularly(cron), you can configure it in /etc/sectool.conf and run only

# sectool --auto

Configuration file

There is a sectool.conf configuration file, which consist of five section: action, paths, results, environment and mail.


This section specifies, which tests should be performed upon #sectool --auto. You can use:

LEVEL="number of the security level"


Specify default paths to the tests and place for their persistant and temporary data.

DSC_DIR=/etc/sectool/tests #paths to desciption files
TESTS_DIRS=/usr/share/sectool/tests #paths to tests
TDATA_DIR=/var/lib/sectool #place for persistant data
TEMP_DIR=/tmp #place for temporary data


The name of the xml file in which the results are stored. This file is usually used to generate diffs against previous run.



Pass environment variables to all tests.



Setting the email support. What is in the body, what is in the attachement, which smtp to use.

# SEND_BODY=(full | diff | none)
# SEND_ATTACHMENT =  (full | diff | none)
# TARGET=(local | smtp)
# username or None for no authentication
# SMTP_USER = (username | None)
# password or None for no authentication
# SMTP_PASSWD = ( password | None )

# smtp server to send emails via
# SMTP_SERVER = localhost