SECCHECK

Introduction

On reviewing the excellent security benchmarks available over at CI Security, I wanted to automate the security checks of my Solaris 10 servers and produce a highly detailed report listing all security warnings, together with recommendations for their resolution. The result was seccheck, a modular host-security scanning utility that is easily expandable and feature rich, although at the moment it is only available for Solaris 10.

This doesn't cover 100% of the checks recommended by CI Security, but it covers 99% of them - the ones that I consider important. For example, I don't check the X configuration because I always ensure my servers don't run X.

Installation

The source distribution should be unpacked to a suitable location. I suggest doing something like the following:

    # mkdir /usr/local/seccheck
    # chown root:root /usr/local/seccheck
    # chmod 700 /usr/local/seccheck
    # cd /usr/local/seccheck
    # mkdir bin output
    # cd /wherever/you/downloaded/seccheck
    # gzip -dc ./seccheck-0.7.6.tar.gz | tar xf -
    # cd seccheck-0.7.6
    # mv modules.d seccheck.sh /usr/local/seccheck/bin

Everything is implemented as bash shell scripts, so there are no really strict installation guidelines: place the files wherever you wish. You can specify an alternate location for the modules directory with the -m option anyway.

Using seccheck

By default, seccheck.sh will search for a modules.d directory in the same directory in which the seccheck.sh script is located. If your modules are not located there, you can use the -m option to specify an alternate module location, for example:

    # ./seccheck.sh -m /security/seccheck/mymodules

seccheck will then scan through modules.d for valid seccheck modules (determined by filename). A seccheck module filename should be of the following format:

seccheck_nn_somename.sh

Here nn is a two digit integer that determines the order in which modules are executed. For example, included with the current seccheck distribution you'll find the following files in modules.d:

    # ls -1 modules.d
    seccheck_00_services.sh
    seccheck_01_users.sh
    seccheck_03_kernelcheck.sh
    seccheck_05_logging.sh
    seccheck_10_accessauth.sh
    seccheck_99_perms.sh
    seccheck_NN_template.sh.NOT

You can see that seccheck_00_services.sh will be processed before seccheck_01_users.sh, and so on. You can disable a module by renaming it so that it no longer matches the convention, for example by appending a .NOT suffix to the module filename.

A template is provided so that you can write your own seccheck modules.

By default, seccheck writes everything to STDOUT and STDERR. If you want to redirect the output to a file instead, use the -o option and specify an output directory. After running the script, you'll be left with a file such as:

${OUTPUT_DIR}/seccheck-<hostname>-YYYYMMDD-hhmm.log

containing the output of your modules.
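The module discovery and output naming rules above, as an added example driver (not seccheck.sh's own code): it lists only filenames matching seccheck_nn_name.sh in prefix order, skips anything renamed with a .NOT suffix, and writes the log under the seccheck-<hostname>-YYYYMMDD-hhmm.log name. The modules directory, output directory and the two sample modules are constructed in make_fixture; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the seccheck distribution.

# List valid modules in execution order. The glob requires a two-digit
# prefix and a trailing .sh, so seccheck_NN_template.sh.NOT and any
# module disabled with a .NOT suffix are never selected. Glob expansion
# is sorted, and a two-digit prefix sorts in numeric order.
list_modules() {
    dir="$1"
    for f in "$dir"/seccheck_[0-9][0-9]_*.sh; do
        [ -f "$f" ] || continue        # unmatched glob stays literal
        basename "$f"
    done
}

# Run each module in order, capturing stdout and stderr into one log
# file in the output directory (the role of -m and -o respectively).
# Prints the log path so a caller can pick it up.
run_modules() {
    dir="$1"
    out="$2"
    log="$out/seccheck-$(uname -n)-$(date +%Y%m%d-%H%M).log"
    for m in $(list_modules "$dir"); do
        printf '=== %s ===\n' "$m"
        sh "$dir/$m"
    done > "$log" 2>&1
    printf '%s\n' "$log"
}

# Constructed fixture: a modules.d with two live modules, one disabled
# module and the template, plus an empty output directory.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir "$tmp/modules.d" "$tmp/output"
    printf '#!/bin/sh\necho "WARNING: telnet service is enabled"\n' \
        > "$tmp/modules.d/seccheck_00_services.sh"
    printf '#!/bin/sh\necho "OK: no accounts with empty passwords"\n' \
        > "$tmp/modules.d/seccheck_01_users.sh"
    printf '#!/bin/sh\necho "disabled"\n' \
        > "$tmp/modules.d/seccheck_05_logging.sh.NOT"
    printf '#!/bin/sh\necho "template"\n' \
        > "$tmp/modules.d/seccheck_NN_template.sh.NOT"
    printf '%s\n' "$tmp"
}

# Demo on the constructed fixture.
FIXTURE=$(make_fixture)
list_modules "$FIXTURE/modules.d"
run_modules "$FIXTURE/modules.d" "$FIXTURE/output"
```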

Download

You can download the latest seccheck distribution, including all current modules, below:

seccheck-0.7.6.tar.gz

User Contributed Modules

Please feel free to submit your own seccheck modules - send them through to kevin@zazzybob.com. Bear in mind that any scripts submitted will be distributed freely under the terms of the GPL. Also please note that these are user contributed modules, and as such are unsupported by me!

Module Name                Author          Date Added   Description
seccheck_80_audits.sh      Scott Everard   26/05/07     Check Solaris Audit Daemon configuration
seccheck_89_zones.sh       Scott Everard   26/05/07     Check Solaris Zones configuration
