Language: en


Version: 15 November 2007 (fedora - 01/12/10)

Section: 8 (Administrator commands)


NAME
sectool - a security checking tool

DESCRIPTION
sectool is a utility that can scan your system for various security flaws or misconfigurations. sectool contains a collection of individual tests, each of which checks for a specific vulnerability or weak setting.


OPTIONS
-d, --debug
turn on debug mode
-n, --hint
if available, show hints for warnings, errors and failures
-c, --config CONFIG
specify a different config file. By default, sectool reads /etc/sectool/sectool.conf
-m, --mail ADDRESS
send a report with the results of this run to ADDRESS. See the documentation on sectool.conf for more details.
-f, --diff
if a result of a previous run exists, print only a diff against that run
--include [TESTS]
This option is only valid together with -L/--level. All tests specified are run in addition to the tests of that level, even though they might not be defined in that level. These tests run with their default settings.
--exclude [TESTS]
Exclude tests from running in a level. This option is only valid together with -L/--level.

This option enables the use of D-Bus. With PolicyKit installed, D-Bus improves the authorization process.


-v, --version
print version info
-h, --help
print help message and exit
-l, --list [TEST]
list all known tests, or only those matching TEST
-i, --info TEST
print info about the specified test(s)
-L, --level [LEVEL]
run all known tests at a certain level
-r, --run TEST
run the specified test(s). This option can be used together with --level to specify the level at which the tests run.
-a, --auto
run the tests or level specified in the config file

remove any records of the last run
remove any data owned by a test and run it again just to recreate them


GLOBBING
Some actions (namely --run, --refresh-test, --info and --list) support shell-like globbing: an asterisk (*) matches any sequence of characters. For example, to list all tests whose name contains "home", run
# sectool --list \*home\*
The backslashes keep the shell from expanding the pattern against file names in the current directory; quoting it ('*home*') works as well.

Tests are loaded from the directory specified in the config file. Alternatively, if the argument contains a path separator (/), sectool treats the argument as a path to a test.


LEVELS
sectool has a concept of levels that define how strict the checks are. Levels range from 1 (low security) to 5 (paranoid). The default level is 3, intended for a typical computer connected directly to the Internet. A level can be specified either by its number or by its name:
level  name
-----  --------
1      Naive
2      Desktop
3      Network
4      Server
5      Paranoid


CONFIGURATION
The configuration file is stored in /etc/sectool/sectool.conf.


EXAMPLES
list all tests

        sectool --list

list tests whose name contains a certain string

        sectool --list \*tring\*

print information about a test named path

        sectool --info path

check your system at level 4

        sectool --level 4

run all tests in level 3, but not path

        sectool --level 3 --exclude path

run all tests in level 1, and also suid and netserv with default settings

        sectool --level 1 --include suid netserv

run all tests whose name starts with home

        sectool --run home\*

run all tests whose name starts with home, at level 3

        sectool --run home\* --level 3

run a test located by path rather than in the shared repository

        sectool --run ../my_tests/test.dsc

see whether anything has changed since the last time a test was run

        sectool --run suid --diff

send an email report about a run to ADDRESS

        sectool --level 5 --mail ADDRESS
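The selection rules documented above (a level given by number or by name, glob and path arguments for --run and --list, and the requirement that --include/--exclude be combined with --level), as an added Python model. This is example code written for this page, not sectool's own implementation; the test names and the levels each test belongs to are constructed for illustration, whereas sectool itself loads tests from .dsc files in the directory named in sectool.conf.

```python
# Added example, not sectool's own code: a model of how the options documented
# on this page pick the tests for one run.
import fnmatch

LEVEL_NAMES = {1: "Naive", 2: "Desktop", 3: "Network", 4: "Server", 5: "Paranoid"}
DEFAULT_LEVEL = 3  # "Network": a typical computer connected directly to the Internet

# Constructed repository (assumption): test name -> levels in which the test is defined.
SAMPLE_TESTS = {
    "suid":      {3, 4, 5},
    "netserv":   {3, 4, 5},
    "home":      {2, 3, 4, 5},
    "home_dirs": {4, 5},
    "path":      {1, 2, 3, 4, 5},
    "umask":     {1, 2, 3, 4, 5},
}


def parse_level(arg=None):
    """Resolve a --level argument given as a number (1-5) or a level name.
    No argument means the default level."""
    if arg is None:
        return DEFAULT_LEVEL
    text = str(arg).strip()
    if text.isdigit():
        number = int(text)
        if number not in LEVEL_NAMES:
            raise ValueError(f"level must be between 1 and 5, got {text!r}")
        return number
    for number, name in LEVEL_NAMES.items():
        if name.lower() == text.lower():
            return number
    raise ValueError(f"unknown level name {text!r}")


def expand_patterns(patterns, repo=SAMPLE_TESTS):
    """Expand arguments of the globbing actions (--run, --list, ...):
    an argument containing '/' is a path to a test outside the repository,
    anything else is a shell-like pattern matched against repository names."""
    selected = []
    for pattern in patterns:
        if "/" in pattern:
            selected.append(pattern)
            continue
        matches = sorted(fnmatch.filter(repo, pattern))
        if not matches:
            raise LookupError(f"no test matches {pattern!r}")
        for name in matches:
            if name not in selected:
                selected.append(name)
    return selected


def select_tests(level=None, run=(), include=(), exclude=(), repo=SAMPLE_TESTS):
    """Return (level, tests) for one invocation.

    --include/--exclude are only valid together with --level.  With --run the
    named tests are run, at the given level or the default one; otherwise every
    test defined for the level runs, plus the included and minus the excluded
    tests.  Include/exclude use exact names: the page lists globbing only for
    --run, --refresh-test, --info and --list."""
    if (include or exclude) and level is None:
        raise ValueError("--include and --exclude require -L/--level")
    chosen_level = parse_level(level)
    if run:
        return chosen_level, expand_patterns(run, repo)
    tests = {name for name, levels in repo.items() if chosen_level in levels}
    for name in include:
        if name not in repo:
            raise LookupError(f"unknown test {name!r}")
        tests.add(name)  # runs with default settings even if not in this level
    tests.difference_update(exclude)
    return chosen_level, sorted(tests)


if __name__ == "__main__":
    # Mirrors two of the examples above.
    print(select_tests(level=1, include=["suid", "netserv"]))
    print(select_tests(run=["home*"], level="Network"))
```

Note that a pattern typed as `\*home\*` at the shell prompt reaches the program as `*home*`, which is what `expand_patterns` receives; an argument such as `../my_tests/test.dsc` passes through untouched because of the slash, exactly as the path rule above describes.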


FILES
Configuration file: /etc/sectool/sectool.conf
Test directory with description files (.dsc files)
Test directory with source files
Log file, where sectool stores the output from tests


BUGS
Of course there are no bugs. If you still believe you have found one, please include a session with debug information turned on (option --debug).


AUTHORS
Maros Barabas, Jakub Hrozek, Dan Kopecek, Michel Samia, Peter Vrabec