As already mentioned, sectool is a security tool that can be used both for security audits and as part of an intrusion detection system. It consists of a set of tests that audit the host. The tests are sorted into five security levels, numbered 1 to 5 in the order listed below, each targeting a different type of system and a different degree of security awareness.
- Naive - a basic, short set of tests
- Desktop - tests for a machine that is not connected to the internet
- Network - a standard client machine connected to the internet
- Server - a network server
- Paranoid - a large set of tests for paranoid admins
The tests print several types of messages during their execution. "Warning" and "Error" messages report discovered security risks:
- warning - something the admin should know about
- error - an issue that should be fixed
There are two further message types, "Hint" and "Info". These are not printed by default and must be turned on explicitly:
- hint - helps you find a way to resolve the discovered issue
- info - reports what the test is doing at the moment
Every test run finishes with one of these results:
- PASS - everything went OK, no security risks were discovered
- WARNING - only warning messages were printed
- ERROR - at least one security issue was discovered
- FAIL - an internal test problem occurred; the test could not be run
Example output of the selinux test (with info messages turned on):
selinux -> Warning: Selinux is in Permissive mode.
Info: Starting booleans change test
selinux: WARNING
Sectool provides two user-friendly front-ends:
- sectool - text user interface
- sectool-gui - graphical user interface
Command line usage
Start by printing the help.
# sectool --help
List the tests and the security levels in which they run by default.
# sectool --list
Print a detailed description of a test.
# sectool --info home_dirs
Run the set of tests for security level 1.
# sectool --level 1
Run the level 1 set plus the "netserv" test, but without "home_files" and "path".
# sectool --level 1 --include netserv --exclude home_files path
You can also run specific tests in their default settings.
# sectool --run firewall home_files
If you combine the "--run" and "--level" options, only the selected tests are run, using their settings for that security level.
# sectool --level 3 --run disc_usage
Some tests watch for changes in your configuration. The first time such a test runs it only saves the current state and prints the warning "This is a first run of the test. Some parts of audit are skipped". On later runs the new state is compared with the saved one and any differences are reported. Examples: routing - checks for changes in the routing table; selinux - checks for changes in the SELinux boolean settings. If you consider the new state OK, refresh the saved test data with:
# sectool --refresh-test selinux
Some tests also provide hint messages for certain errors and warnings they report.
# sectool --run home_dirs --hint
The results of the audit can be emailed.
# sectool --level 1 --mail email@example.com
If you have already run some tests and only want to be told about changes in the results next time, use the "--diff" option.
# sectool --run selinux --diff
Erase the results stored from the last run.
# sectool --clean
If you run sectool regularly (e.g. from cron), configure it in /etc/sectool.conf and run only
# sectool --auto
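Running "sectool --auto" from cron still leaves you with a block of text to read. The wrapper below is an added example, not part of sectool: it runs the audit, saves the output, and reduces the per-test result lines to counts and a single exit code that cron or a monitoring job can act on. It assumes (from the "selinux: WARNING" line shown above) that every test ends with a line of the form "<test_name>: <RESULT>"; that line format, the exit code mapping and the log path are choices made here, not documented sectool behaviour.

```shell
#!/bin/sh
# Added example wrapper for a cron-driven sectool run (not sectool's own code).
# Assumption: each test ends with a line "<test_name>: PASS|WARNING|ERROR|FAIL",
# as in the "selinux: WARNING" line quoted earlier on this page.

SECTOOL="${SECTOOL:-sectool}"                   # path to the sectool CLI
LOG="${LOG:-/var/log/sectool-last.txt}"         # assumed log location

# Print only the per-test result lines from a saved sectool output file.
result_lines() {   # $1 = output file
    grep -E '^[A-Za-z0-9_]+: (PASS|WARNING|ERROR|FAIL)$' "$1"
}

# Count the tests that finished with the given result.
count_result() {   # $1 = output file, $2 = PASS|WARNING|ERROR|FAIL
    # "|| true" keeps a zero count from being treated as a failure under set -e
    result_lines "$1" | grep -c ": $2\$" || true
}

# One-line summary, usable as a log line or a mail subject.
summary() {        # $1 = output file
    printf 'sectool: %s pass, %s warning, %s error, %s fail\n' \
        "$(count_result "$1" PASS)" "$(count_result "$1" WARNING)" \
        "$(count_result "$1" ERROR)" "$(count_result "$1" FAIL)"
}

# Exit code chosen by this script (the page does not document sectool's own):
#   0 = every test PASSed, 1 = warnings only, 2 = at least one ERROR or FAIL.
run_status() {     # $1 = output file
    if [ "$(count_result "$1" ERROR)" -gt 0 ] || [ "$(count_result "$1" FAIL)" -gt 0 ]; then
        return 2
    elif [ "$(count_result "$1" WARNING)" -gt 0 ]; then
        return 1
    fi
    return 0
}

# Full run, only when invoked as "sectool-cron.sh run" (hypothetical script name).
if [ "${1:-}" = run ]; then
    "$SECTOOL" --auto > "$LOG" 2>&1 || true     # status is derived from the log below
    summary "$LOG"
    run_status "$LOG"
    exit $?
fi
```

A crontab line such as `0 3 * * * /usr/local/sbin/sectool-cron.sh run` (hypothetical path) then gives a non-zero exit only when a test reported an ERROR or could not run, while warnings are kept in the saved log for review.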
The sectool.conf configuration file consists of five sections: action, paths, results, environment and mail.
The action section specifies which tests are performed by "sectool --auto". You can use:
LEVEL="number of the security level"
The paths section sets the default paths to the tests and the locations for their persistent and temporary data.
DSC_DIR=/etc/sectool/tests #paths to description files
TESTS_DIRS=/usr/share/sectool/tests #paths to tests
TDATA_DIR=/var/lib/sectool #place for persistent data
TEMP_DIR=/tmp #place for temporary data
The results section gives the name of the XML file in which the results are stored. This file is used to generate diffs against the previous run.
The environment section passes environment variables to all tests.
The mail section configures email support: what goes in the body, what goes in the attachment, and whether mail is delivered locally or via an SMTP server.
# SEND_BODY=(full | diff | none)
SEND_BODY=diff
# SEND_ATTACHMENT = (full | diff | none)
SEND_ATTACHMENT = full
# TARGET=(local | smtp)
TARGET=local
# username or None for no authentication
# SMTP_USER = (username | None)
# password or None for no authentication
# SMTP_PASSWD = ( password | None )
# smtp server to send emails via
# SMTP_SERVER = localhost