sysechk - assess your computer security
sysechk [OPTION]...
System Security Checker is a bundle of small shell scripts to assess your computer security.
All scripts run in read-only mode and will never modify any file on your system. Instead, they print the actions that should be taken to improve system security. You always have the last word (see DISCLAIMER below).
Test scripts come from various sources:
files named CCE-<ID>.sh (<ID> is the official CCE's ID)
files named NSA-<ID>.sh (<ID> is the section number in the PDF)
files named SSC-<ID>.sh (<ID> is an incremental counter)
Do not attempt to implement any of the recommendations without first testing in a non-production environment.
This software contains recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore, this software does not address site-specific configuration concerns.
-s, --skip-root
Skip all tests where root privileges are required (overrides --execute-root).
Skipped tests will be printed on stderr.
The default behaviour is to ask interactively for each test if the user wants to execute it.
Opposite of --execute-root.
-e, --execute-root
Execute all tests where root privileges are required.
Opposite of --skip-root.
-f, --force-root
Force the program to run even with root privileges.
This implies the -e flag.
Without this flag, sysechk will refuse to run under the root user.
-x=test, --exclude=test
Test to exclude.
test is the name of the test file without its extension, e.g. CCE-3561-8 or NSA-2-1-2-3-1.
This option can be repeated to exclude several tests.
-o=file, --output-file=file
If given, the list of failed tests is written to file. This is useful for passing the results to other scripts.
-m=minimal severity, --minimal-severity=minimal severity
Minimal severity to report.
Severity levels are trivial, minor, major and critical.
By default, this is set to trivial and thus will report all detected problems.
-v, --verbose
Be verbose. sysechk will output more informational messages.
-h, --help
Display a short usage message and exit.
--version
Show sysechk version and exit.
Run sysechk interactively:
$ sysechk
Run sysechk excluding tests which require root privileges:
$ sysechk --skip-root
Run sysechk excluding the specified two tests:
$ sysechk -x CCE-3561-8 -x NSA-2-1-2-3-1
Run sysechk as root, outputting failing tests into list:
$ sysechk -f -e -o list
Run sysechk reporting only critical tests failing:
$ sysechk -m critical
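Using the -o list from another script, as the -o description suggests. This is an added example, not part of sysechk. It assumes the output file holds one failed test name per line; the helper functions and the file arguments are hypothetical.

```bash
#!/bin/sh
# Added example (not part of sysechk). Assumption: the file written by -o
# holds one failed test name per line, e.g. CCE-3561-8.

# Turn a file of accepted findings into repeated "-x NAME" flags.
# Blank lines and "#" comments are ignored. Anything that is not a plain
# test name is rejected, so a line can never be passed on as an option.
exclude_flags() {
    flags=
    while IFS= read -r line || [ -n "$line" ]; do
        name=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
        [ -z "$name" ] && continue
        case $name in
            -*|*[!A-Za-z0-9-]*) echo "bad test name: $name" >&2; return 1 ;;
        esac
        flags="$flags -x $name"
    done < "$1"
    printf '%s\n' "${flags# }"
}

# Print tests that are in the current failed list ($2) but were not in the
# previous one ($1): the regressions worth alerting on.
new_failures() {
    # grep exits 1 when nothing is new; that is not an error here.
    sort -u "$2" | grep -vxF -f "$1" || [ $? -eq 1 ]
}

# Unattended run as an unprivileged user: --skip-root avoids the per-test
# prompt, -m major drops trivial and minor findings.
# Usage: run_audit ACCEPTED_FILE PREVIOUS_LIST CURRENT_LIST
run_audit() {
    flags=$(exclude_flags "$1") || return 1
    # $flags is deliberately unquoted: names were validated above.
    sysechk --skip-root -m major -o "$3" $flags
    new_failures "$2" "$3"
}
```

Keeping the accepted-findings file under version control gives each exclusion a reviewable history.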
The primarily targeted Linux distributions are Fedora, CentOS & Debian. Other distributions might have fewer tests. Since CentOS is fully compatible, RHEL should be too (not tested though). Tests should be applicable to all variants (Desktop & Server) of each distribution.
sysechk is written in pure Bash and has no dependencies but the standard utilities that are available on most platforms. Every script does one test but does it well - UNIX way ;).
Any issue or improvement should be reported to https://github.com/infertux/sysechk/issues. Thanks!
sysechk is copyright (C) 2011-2012. It is distributed under the terms of the AGPLv3 license http://www.gnu.org/licenses/agpl.html.