sysechk - assess your computer security
System Security Checker is a bundle of small shell scripts to assess your computer security.
All scripts run in read-only mode and will never modify any file on your system. They rather print actions that should be done to improve system security. You always have the last word (see DISCLAIMER below).
Test scripts come from various sources:
files named CCE-<ID>.sh (<ID> is the official CCE's ID)
files named NSA-<ID>.sh (<ID> is the section number in the PDF)
files named SSC-<ID>.sh (<ID> is an incremental counter)
Do not attempt to implement any of the recommendations without first testing in a non-production environment.
This software containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore this software does not address site-specific configuration concerns.
Skip all tests where root privileges are required (overrides
Skipped tests will be printed on stderr.
The default behaviour is to ask interactively for each test if the user wants to execute it.
Execute all tests where root privileges are required.
Force the program to run even with root privileges.
This implies the
Without this flag, sysechk will refuse to run under the root user.
Test to exclude.
test is the name of the test file without its extension, e.g.
This option can be repeated to exclude several tests.
If given, the list of failed tests will be outputted into file. This can be useful to be used with other scripts.
Minimal severity to report.
Severity levels are
By default, this is set to
trivial and thus will report all detected problems.
Be verbose. sysechk will output more informational messages.
Display a short usage message and exit.
Show sysechk version and exit.
Run sysechk interactively:
Run sysechk excluding tests which require root privileges:
$ sysechk --skip-root
Run sysechk excluding the specified two tests:
$ sysechk -x CCE-3561-8 -x NSA-2-1-2-3-1
Run sysechk as
root outputing failing tests into
$ sysechk -f -e -o list
Run sysechk reporting only critical tests failing:
$ sysechk -m critical
The primarily targeted Linux distributions are Fedora, CentOS & Debian. Other distributions might have fewer tests. Since CentOS is fully compatible, RHEL should be too (not tested though). Tests should be applicable to all variants (Desktop & Server) of each distribution.
sysechk is written in pure Bash and has no dependencies but the standard utilities that are available on most platforms. Every script does one test but does it well - UNIX way ;).
Any issue or improvement should be reported to https://github.com/infertux/sysechk/issues. Thanks!
sysechk is copyright (C) 2011-2012. It is distributed under the terms of the AGPLv3 license http://www.gnu.org/licenses/agpl.html.