From Fedora Project Wiki

Revision as of 12:25, 24 August 2009

Sectool

Summary

A security audit tool that can also serve as part of an intrusion detection system.

Owner

Current status

  • Targeted release: Fedora 12
  • Last updated: (Aug 24 2009)
  • Percentage of completion: 99,9%

Detailed Description

A security tool that can be used both for security audits and as part of an intrusion detection system. It consists of a set of tests, a library and textual/graphical frontends. Tests are sorted into groups and security levels. Administrators can run selected tests, groups or whole security levels.

Benefit to Fedora

Lower the attack surface by finding possible vulnerabilities, audit the system to find common problems, and improve the security and performance of system scanning. Encourage users to use Fedora on servers and support other distributions based on Fedora, such as Red Hat Enterprise Linux or CentOS.

Scope

Already done:

  • Split the current program into a backend mechanism and frontend pieces to separate the user part and the administrator part of the application.
  • D-Bus communication interface for the backend
  • Option for not using D-Bus
  • Switch communication between backend and frontend to D-Bus and Unix sockets
  • PolicyKit integration
  • Define policies for PolicyKit

Further plans:

  • Improve GUI
  • Better user authentication system

How To Test

There is no need for special hardware to test this feature.

Install sectool and sectool-gui:

$ yum install sectool*


Sanity testing

Test the most basic functions to make sure sectool is able to start, etc.

  sectool --help

This should show the help for the command line user interface.

  sectool --version

Shows the version of the package. Make sure that the version string is correct.

  sectool --list

Check that the level numbers are sane. Test globbing:

  sectool --list \*home\* 

Show information about a test:

  sectool --info <test> 


Running the tests

Test that sectool is able to run tests.

  • Test running a single test in default level:
  sectool --run bootloader
  • Test running a single test in non-default level:
  sectool --level 5 --run bootloader

Bootloader is a good candidate since it should stay silent in the default level and report an ERROR in level 5.

  • Test running multiple tests in the default and a non-default level:
  sectool --run bootloader home_files
  sectool --level 5 --run bootloader home_files
  • Test globbing:
  sectool --run \*home\* 


Running a level

  • Run a level:
  sectool --level 5

Level 5 might be good if you have enough time, level 1 is probably OK for quick smoke testing.

  • Run a level via its nickname:
  sectool --level Desktop

The valid levels are: Naive, Desktop, Network, Server, Paranoid.

  • Exclude a test from its level:
  sectool --level 1 --exclude integrity

Check that all the tests in level 1 except for integrity ran.

  • Include a test into another level:
  sectool --level 1 --include path

Check that all the tests in level 1 and 'path' ran.

Display filters

  • Check that sectool displays additional info when run with --debug. A good candidate is home_files:
  sectool --run home_files --debug
  • Check that sectool displays hints when run with --hint. A good candidate is mountopt:
  sectool --run mountopt --hint


Test auto action

  • Running a whole level via the auto action. Set the [ACTION] section of /etc/sectool/sectool.conf as follows:
         [ACTION]
         LEVEL=1

Run sectool --auto, whole level 1 should run.

  • Running some tests on a specific level. Set the [ACTION] section of /etc/sectool/sectool.conf as follows:
         [ACTION]
         LEVEL=5
         RUN=path bootloader

Run sectool --auto, tests path and bootloader should run on level 5.

  • Running some tests on a default level. Set the [ACTION] section of /etc/sectool/sectool.conf as follows:
         [ACTION]
         RUN=path bootloader

Run sectool --auto, tests path and bootloader should run in the default level.

  • Including and excluding tests from a level in the auto action. Set the [ACTION] section of /etc/sectool/sectool.conf as follows:
         [ACTION]
         LEVEL=1
         RUN=+bootloader -integrity

Run sectool --auto, level 1 should run excluding integrity and including bootloader.
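The [ACTION] semantics above (LEVEL, a plain RUN list, +include and -exclude tokens) together with the --level/--run/--include/--exclude and globbing checks from the earlier sections can be expressed as one selection function. The following is an added example written for this page, not sectool's own code: the level membership table, the default level of 3 and the nickname-to-number mapping are constructed assumptions, and the real sectool parser may differ in detail.

```python
import configparser
from fnmatch import fnmatch

# Constructed level membership for the example: test name -> set of security
# levels (1..5) the test belongs to. Sample data, not sectool's real catalogue;
# the page only says bootloader is silent in the default level and reports in
# level 5.
TEST_LEVELS = {
    "bootloader": {5},
    "home_files": {1, 2, 3, 4, 5},
    "integrity": {1, 2, 3, 4, 5},
    "path": {2, 3, 4, 5},
    "suid": {3, 4, 5},
    "mountopt": {4, 5},
}

DEFAULT_LEVEL = 3  # assumption: the page does not state the default level

# Assumption: nicknames map onto levels 1..5 in the order the page lists them.
LEVEL_NICKNAMES = {"Naive": 1, "Desktop": 2, "Network": 3, "Server": 4, "Paranoid": 5}


def parse_level(value):
    """Accept a level number or nickname; None/empty means the default level."""
    if value is None or str(value).strip() == "":
        return DEFAULT_LEVEL
    value = str(value).strip()
    if value in LEVEL_NICKNAMES:
        return LEVEL_NICKNAMES[value]
    try:
        level = int(value)
    except ValueError:
        raise ValueError(f"unknown level {value!r}") from None
    if not 1 <= level <= 5:
        raise ValueError(f"level {level} out of range 1..5")
    return level


def expand_patterns(patterns, names):
    """Expand --run style globs (e.g. '*home*') against the known test names."""
    selected = set()
    for pattern in patterns:
        matches = {n for n in names if fnmatch(n, pattern)}
        if not matches:
            raise KeyError(f"no test matches {pattern!r}")
        selected |= matches
    return selected


def select_tests(level=None, run=(), include=(), exclude=(), test_levels=TEST_LEVELS):
    """Return (level, sorted test names) for a command line or [ACTION] request.

    run non-empty: only those tests (globs allowed) at the chosen level;
    run empty: every test that belongs to the chosen level;
    include adds tests from other levels, exclude removes tests afterwards.
    """
    chosen = parse_level(level)
    if run:
        selected = expand_patterns(run, test_levels)
    else:
        selected = {t for t, levels in test_levels.items() if chosen in levels}
    selected |= expand_patterns(include, test_levels)
    selected -= expand_patterns(exclude, test_levels)
    return chosen, sorted(selected)


def selection_from_action(conf_text, test_levels=TEST_LEVELS):
    """Interpret an [ACTION] section the way the page describes 'sectool --auto'.

    RUN tokens: plain name = run only these, +name = include, -name = exclude.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if "ACTION" not in cp:
        raise ValueError("no [ACTION] section in config")
    action = cp["ACTION"]
    run, include, exclude = [], [], []
    for token in action.get("RUN", "").split():
        if token.startswith("+"):
            include.append(token[1:])
        elif token.startswith("-"):
            exclude.append(token[1:])
        else:
            run.append(token)
    return select_tests(action.get("LEVEL"), run, include, exclude, test_levels)


if __name__ == "__main__":
    conf = "[ACTION]\nLEVEL=1\nRUN=+bootloader -integrity\n"
    print(selection_from_action(conf))  # (1, ['bootloader', 'home_files'])
```

Each of the four [ACTION] cases on this page can be fed to selection_from_action as a small string, and the expected test list is what the corresponding "Run sectool --auto" line says should run; an unknown test name or a level outside 1..5 raises instead of silently running nothing.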


Diff and sending a mail

  • Check that sectool is able to produce a meaningful diff (use a scratch test machine; the final chmod a-s restores /bin/cp):
  sectool --run suid; chmod a+s /bin/cp; sectool --run suid --diff; chmod a-s /bin/cp
  • Sending email - vanilla config

That is SEND_BODY=diff and SEND_ATTACHMENT=full. Make sure your sendmail is running and properly configured.

  sectool --run home_files --mail jhrozek@redhat.com
  • Sending email - full output in body, diff in attachment.
  Set SEND_ATTACHMENT=diff and SEND_BODY=full in /etc/sectool/sectool.conf
  • Sending email via SMTP server

The default is via sendmail. Configure your server, username and password in /etc/sectool/sectool.conf and change TARGET=smtp.

  • Check the --clean action

Run a test and make sure that results.xml exists; then run

  sectool --clean

which should remove it.


Overriding levels

  • Check that a test's levels can be added/removed via the config file:
  echo "path 1 2" > ~/.sectoolrc
  Then run a level that is not included in the test's dsc and check that the test runs.
  • Check that disabling all levels works:
  echo "path" > ~/.sectoolrc


Logging

  • See that /var/log/sectool.log is created, filled and properly formatted
  • Check that logrotate handles sectool.log


User Experience

Users will have the option to audit their system to improve security and performance. Users can choose between command line testing through D-Bus (or without D-Bus) and the GUI testing tool. The whole system will be less vulnerable to attack.

Dependencies

  • sectool-gui

Contingency Plan

This feature is not critical. Revert to the previous release in case it cannot be completed by the final feature freeze.

Documentation

Filed Bugs

Release Notes

  • Sectool is a security tool that can be used both for security audits and as part of an intrusion detection system. It consists of a set of tests, a library and textual/graphical frontends. Tests are sorted into groups and security levels. Administrators can run selected tests, groups or whole security levels.
  • Sectool now uses PolicyKit and D-Bus for better security in authentication actions.

Comments and Discussion