UserDocumentation
Last modified on 08/21/08 13:47:55

Introduction

As already mentioned, sectool is a security tool that can be used both for security audits and as part of an intrusion detection system. It consists of a set of tests that perform a host audit. The tests are sorted into 5 security levels, each level targeting a different type of system and degree of security awareness.

Security levels:

  1. Naive - a pretty basic and short set of tests
  2. Desktop - a set of tests prepared to run on a box not connected to the internet
  3. Network - a standard client machine connected to the internet
  4. Server - a network server
  5. Paranoid - a bunch of tests for paranoid admins

The tests print several types of messages during their execution. "Warning" and "Error" messages are used to report discovered security risks.

  • warning - something that the admin should know about
  • error - issues that should be fixed

Then there are two more message types: "Hint" and "Info". These are not printed by default, so they need to be turned on.

  • hint - helps to find a way to resolve the discovered issue
  • info - reports what the test is doing at the moment

Every test run finishes with one of these results:

  • PASS - everything went OK, no security risks were discovered
  • WARNING - only warning messages were printed
  • ERROR - at least one security issue was discovered
  • FAIL - an internal test problem appeared, so the test could not be run

Example:

selinux ->
    Warning: Selinux is in Permissive mode.
    Info: Starting booleans change test
    selinux: WARNING

Sectool provides two user-friendly front-ends:

  • sectool - text user interface
  • sectool-gui - graphical user interface

Command line usage

Basics

Start by getting the help text.

# sectool --help

List the tests and the security levels in which they run by default.

# sectool --list

Show a detailed description of a test.

# sectool --info home_dirs

Run the set of tests for security level "1".

# sectool --level 1

Run the security level "1" set plus "netserv", minus "home_files" and "path".

# sectool --level 1 --include netserv --exclude home_files path

You can also run just some specific tests with their default settings.

# sectool --run firewall home_files

If you combine the "--run" and "--level" options, only the selected tests are run, with the settings for that security level.

# sectool --level 3 --run disc_usage
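The message and result semantics described in the Introduction, and the command-line runs shown above, are easiest to use from cron or a monitoring job if the output is reduced to one result per test and an exit status. The following function is an added example and not part of sectool; it assumes the output layout shown in the Introduction (a "name ->" header, indented message lines, and a closing "name: RESULT" line) and works on a constructed sample, but it can equally be fed a real run with `sectool --level 1 | sectool_summary`.

```shell
#!/bin/sh
# Constructed sample of sectool-style output, following the layout shown on
# this page (not captured from a real run).
SAMPLE_OUTPUT='selinux ->
    Warning: Selinux is in Permissive mode.
    Info: Starting booleans change test
    selinux: WARNING
firewall ->
    Error: No firewall rules are loaded.
    Hint: Enable the firewall service.
    firewall: ERROR
home_dirs ->
    home_dirs: PASS
routing ->
    Warning: This is a first run of the test. Some parts of audit are skipped
    routing: WARNING'

# sectool_summary: read sectool output on stdin, print one "TEST RESULT" line
# per test plus a count line, and return a cron-friendly status:
#   0 = every test PASSed, 1 = worst result is WARNING,
#   2 = at least one ERROR or FAIL.
sectool_summary() {
    pass=0; warn=0; err=0; fail=0; worst=0
    while IFS= read -r line; do
        # Strip leading blanks; message and result lines are indented.
        trimmed=${line#"${line%%[! ]*}"}
        case "$trimmed" in
            *" ->") continue ;;                                       # test header
            "Warning: "*|"Error: "*|"Hint: "*|"Info: "*) continue ;;  # message lines
        esac
        # What is left should be the closing "name: RESULT" line.
        name=${trimmed%%:*}
        result=${trimmed#*: }
        case "$result" in
            PASS)    pass=$((pass + 1)) ;;
            WARNING) warn=$((warn + 1))
                     if [ "$worst" -lt 1 ]; then worst=1; fi ;;
            ERROR)   err=$((err + 1));   worst=2 ;;
            FAIL)    fail=$((fail + 1)); worst=2 ;;
            *)       continue ;;                                      # unknown line, ignore
        esac
        printf '%s %s\n' "$name" "$result"
    done
    printf 'pass=%d warning=%d error=%d fail=%d\n' "$pass" "$warn" "$err" "$fail"
    return "$worst"
}
```

Run it as `printf '%s\n' "$SAMPLE_OUTPUT" | sectool_summary; echo "status $?"`, which for the sample prints one line per test, the counts `pass=1 warning=2 error=1 fail=0`, and status 2 because of the firewall error. FAIL is mapped to the same status as ERROR on purpose: a test that could not run tells you nothing about the host, so a job scheduler should treat it as needing attention rather than as a pass.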

Changes

Some tests watch for changes in your configuration. The first time they run, only the current state is saved and the following warning is printed: "This is a first run of the test. Some parts of audit are skipped". On subsequent runs the new state is compared with the saved one and the differences are reported. Examples: routing - checks for changes in the routing table; selinux - checks for changes in the selinux boolean settings. If you consider the new state OK, you can refresh the saved test data by calling:

# sectool --refresh-test selinux
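The save-then-compare behaviour described above is a small pattern worth seeing end to end: first run stores a baseline and warns, later runs diff against it, and a refresh accepts the current state as the new baseline. The functions below are an added example written for this page, not sectool's own implementation; the data directory, the state-file naming and the constructed routing-table text are all assumptions (sectool keeps its persistent data under /var/lib/sectool, as the PATHS section states, but its file layout is not documented here).

```shell
#!/bin/sh
# Where baselines are kept; override with TDATA_DIR=... in the environment.
# (sectool uses /var/lib/sectool; this default is an assumption for the example.)
TDATA_DIR=${TDATA_DIR:-/tmp/sectool-example-state}

# Constructed routing-table text standing in for real "ip route" output.
ROUTES='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 scope link'
sample_routes() { printf '%s\n' "$ROUTES"; }

# check_changes NAME COMMAND...: capture the current state of NAME by running
# COMMAND, then behave like the change-watching tests described above.
#   first run      -> save baseline, print first-run warning, return 1 (WARNING)
#   unchanged      -> return 0 (PASS)
#   changed        -> print the diff, return 1 (WARNING)
#   COMMAND failed -> return 3 (FAIL)
check_changes() {
    name=$1; shift
    mkdir -p "$TDATA_DIR"
    saved="$TDATA_DIR/$name.state"
    current="$TDATA_DIR/$name.current"
    difffile="$TDATA_DIR/$name.diff"
    if ! "$@" > "$current"; then
        echo "$name: FAIL"
        return 3
    fi
    if [ ! -f "$saved" ]; then
        mv "$current" "$saved"
        echo "    Warning: This is a first run of the test. Some parts of audit are skipped"
        echo "$name: WARNING"
        return 1
    fi
    if diff -u "$saved" "$current" > "$difffile"; then
        rm -f "$current" "$difffile"
        echo "$name: PASS"
        return 0
    fi
    echo "    Warning: state of $name changed since the last run:"
    sed 's/^/        /' "$difffile"      # indent the diff like a message body
    rm -f "$current" "$difffile"
    echo "$name: WARNING"
    return 1
}

# refresh_test NAME COMMAND...: accept the current state as the new baseline,
# the equivalent of "sectool --refresh-test NAME" in this example.
refresh_test() {
    name=$1; shift
    mkdir -p "$TDATA_DIR"
    "$@" > "$TDATA_DIR/$name.state"
}
```

Calling `check_changes routing sample_routes` twice gives a first-run warning and then PASS; appending a route to `ROUTES` and calling it again prints the unified diff and returns 1, and `refresh_test routing sample_routes` followed by another check returns 0. Note that the baseline directory is itself an integrity-relevant asset: anyone who can write to it can make a changed system look unchanged, which is why a real deployment keeps it root-owned and not world-writable.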

Hints

Some tests also provide hint messages for certain errors and warnings they have reported.

# sectool --run home_dirs --hint

Email

The results of the audit can be emailed.

# sectool --level 1 --mail some.body@redhat.com

Diff

If you have already run some tests before and next time only want to be informed about changes in the results, use the "--diff" option.

# sectool --run selinux --diff

Erase the results stored from the last run.

# sectool --clean

Auto

If you run sectool regularly (e.g. from cron), you can configure it in /etc/sectool.conf and run only:

# sectool --auto

Configuration file

The sectool.conf configuration file consists of five sections: action, paths, results, environment and mail.

ACTION

This section specifies which tests should be performed by "sectool --auto". You can use:

LEVEL="number of the security level"

PATHS

Specify the default paths to the tests and the places for their persistent and temporary data.

DSC_DIR=/etc/sectool/tests #paths to description files
TESTS_DIRS=/usr/share/sectool/tests #paths to tests
TDATA_DIR=/var/lib/sectool #place for persistent data
TEMP_DIR=/tmp #place for temporary data

RESULTS

The name of the XML file in which the results are stored. This file is usually used to generate diffs against the previous run.

RESULT_FILE=results.xml

ENVIRONMENT

Pass environment variables to all tests.

PATH=/sbin:/bin:/usr/sbin:/usr/bin

MAIL

Settings for email support: what goes in the body, what goes in the attachment, and which SMTP server to use.

# SEND_BODY=(full | diff | none)
SEND_BODY=diff
# SEND_ATTACHMENT =  (full | diff | none)
SEND_ATTACHMENT = full
# TARGET=(local | smtp)
TARGET=local
# username or None for no authentication
# SMTP_USER = (username | None)
# password or None for no authentication
# SMTP_PASSWD = ( password | None )

# smtp server to send emails via
# SMTP_SERVER = localhost
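The configuration excerpts above mix three things a reader of the file has to handle: commented-out defaults (such as "# SMTP_SERVER = localhost", which is not a setting), optional whitespace around "=" (as in "SEND_ATTACHMENT = full"), and trailing "#..." comments on value lines. The following is an added example, not part of sectool, that reads such a file and checks the documented choices for the MAIL keys; the sample file content is constructed from the keys on this page, and the world-readability check reflects the fact that SMTP_PASSWD is stored in clear text in this file.

```shell
#!/bin/sh
# Constructed sectool.conf-style sample built from the keys documented above.
SAMPLE_CONF='# SEND_BODY=(full | diff | none)
SEND_BODY=diff
# SEND_ATTACHMENT =  (full | diff | none)
SEND_ATTACHMENT = full
# TARGET=(local | smtp)
TARGET=local
# SMTP_SERVER = localhost
LEVEL="3"
TDATA_DIR=/var/lib/sectool #place for persistent data
'

# conf_get FILE KEY: print the value of KEY from FILE. Comment lines are
# ignored (so commented-out defaults do not count), whitespace around "=",
# a trailing " #comment" and surrounding double quotes are stripped, and the
# last definition wins if a key appears more than once.
conf_get() {
    file=$1; key=$2
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$file" |
        sed -e 's/[[:space:]]\{1,\}#.*$//' \
            -e 's/[[:space:]]*$//' \
            -e 's/^"\(.*\)"$/\1/' |
        tail -n 1
}

# conf_check FILE: validate the MAIL keys against the choices documented on
# this page and warn when clear-text SMTP credentials sit in a file other
# users can read. Prints one problem per line; returns 1 if any were found.
conf_check() {
    file=$1; problems=0
    for spec in 'SEND_BODY:full diff none' \
                'SEND_ATTACHMENT:full diff none' \
                'TARGET:local smtp'; do
        key=${spec%%:*}; allowed=${spec#*:}
        value=$(conf_get "$file" "$key")
        if [ -z "$value" ]; then continue; fi        # key not set, defaults apply
        ok=0
        for a in $allowed; do
            if [ "$value" = "$a" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then
            echo "$key=$value is not one of: $allowed"
            problems=$((problems + 1))
        fi
    done
    # SMTP_PASSWD is stored in clear text; if SMTP delivery with a password
    # is configured, the file must not be readable by everyone.
    if [ "$(conf_get "$file" TARGET)" = smtp ] && [ -n "$(conf_get "$file" SMTP_PASSWD)" ]; then
        if [ -n "$(find "$file" -perm -004 -print)" ]; then
            echo "$file holds SMTP_PASSWD but is world-readable"
            problems=$((problems + 1))
        fi
    fi
    [ "$problems" -eq 0 ]
}
```

Write the sample to a file and run `conf_get sectool.conf SEND_ATTACHMENT` to get `full`, `conf_get sectool.conf SMTP_SERVER` to get nothing (the line is commented out), and `conf_check sectool.conf` to validate the MAIL section. The trailing-comment rule deliberately requires whitespace before the "#", so a password containing "#" survives intact.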