0.7.5 GPL (GNU General Public License)    
  not rated
Seccheck is a feature rich, modular, host-level security checker for Solaris 10.




Seccheck is a feature rich, modular, host-level security checker for Solaris 10.

On reviewing the excellent security benchmarks available over at CI Security, I wanted to automate the security checks of my Solaris 10 servers and produce a highly detailed report listing all security warnings, together with recommendations for their resolution. The solution was seccheck - a modular host-security scanning utility. Easily expandable and feature rich, although at the moment only available for Solaris 10.

This doesn't cover 100% of the checks recommended by CI Security, but has 99% of them - the ones that I consider important. For example, I don't check X configuration because I always ensure my servers don't run X.


The source distribution should be unpacked to a suitable location. I suggest doing something like the following:

# mkdir /usr/local/seccheck
# chown root:root /usr/local/seccheck
# chmod 700 /usr/local/seccheck
# cd /usr/local/seccheck
# mkdir bin output
# cd /wherever/you/downloaded/seccheck
# gzip -dc ./seccheck-0.7.1.tar.gz | tar xf -
# cd seccheck-0.7.1
# mv modules.d /usr/local/seccheck/bin

Everything is implemented as bash shell scripts, so there are no really strict installation guidelines, place the files wherever you wish. You can specify an alternate location for the modules directory with the -m option anyway.
Using seccheck

By default, will search for a modules.d directory in the same directory in which the script is located. If your modules are not located there, you can use the -m option to specify an alternate module location, for example:

# ./ -m /security/seccheck/mymodules

seccheck will then scan through the modules.d for valid seccheck modules (determined by filename). A seccheck module filename should be of the following format:

Where nn is a two digit integer that determines the order in which modules should be executed. For example, included with the current seccheck distribution you'll find the following files in modules.d:

# ls -1 modules.d

You can see that will be processed before, and so on. You can disable a module by renaming it something other than the convention, for example, by appending a .NOT suffix to the module filename.

A template is provided so that you can write your own seccheck modules.

By default, seccheck will write everything out to STDOUT and STDERR. If you want to redirect to an output file, just use the -o option and specify an output directory. After running the script, you'll be left with a file such as:

${OUTPUT_DIR}/seccheck-< hostname >-YYYYMMDD-hhmm.log

containing the output of your modules.

What's New in This Release:

Bugfixes were made in shell detection logic, for a typo in SAMBA recommendations, and in the use of "printf" instead of "echo" in the authlog recommendation.
Last updated on May 22nd, 2007

0 User reviews so far.