Softpanorama
(slightly skeptical) Open Source Software Educational Society

Seccheck

Seccheck is a very simple security checker for SUSE and Red Hat. It consists of three monolithic bash scripts and one driver script. When Seccheck is installed, it automatically adds a crontab, /etc/cron.d/seccheck, to run daily, weekly and monthly security checks.

# rpm -ql seccheck
/etc/cron.d/seccheck
/usr/lib/secchk
/usr/lib/secchk/checkneverlogin
/usr/lib/secchk/security-control.sh
/usr/lib/secchk/security-daily.sh
/usr/lib/secchk/security-monthly.sh
/usr/lib/secchk/security-weekly.sh
/usr/share/doc/packages/seccheck
/usr/share/doc/packages/seccheck/CHANGES
/usr/share/doc/packages/seccheck/LICENCE
/usr/share/doc/packages/seccheck/README
/usr/share/doc/packages/seccheck/TODO
/var/adm/fillup-templates/sysconfig.seccheck
/var/lib/secchk
/var/lib/secchk/data

The daily Seccheck run, at midnight, checks for user security vulnerabilities, system abnormalities, module changes and port changes. It also checks for changes in user and group information and for common weaknesses that may indicate an intrusion. Only the changes since the last daily Seccheck run are mailed to root.

Check               Explanation
/etc/passwd check   Length/number/contents of fields; accounts with the same uid; accounts with uid/gid of 0 or 1 besides root and bin
/etc/shadow check   Length/number/contents of fields; accounts with no password
/etc/group check    Length/number/contents of fields
User root checks    Secure umask and PATH
/etc/ftpusers       Checks if important system users are listed there
/etc/aliases        Checks for mail aliases which execute programs
.rhosts check       Checks if users' .rhosts files contain + signs
Home directory      Checks if home directories are writable or owned by someone else
dot-files check     Checks many dot-files in the home directories for being writable or owned by someone else
Mailbox check       Checks if user mailboxes are owned by the user and not readable by others
NFS export check    Exports should not be exported globally
NFS import check    NFS mounts should have the "nosuid" option set
Promisc check       Checks if network cards are in promiscuous mode
list modules        Lists loaded modules
list sockets        Lists open ports

The weekly security check is a more exhaustive user and file system check: checks that are important but too intensive to run daily. The weekly scripts are run every Monday at 1:00am. They include checks for weak passwords, changes in the system files, files and executables that are group or world writable, and all system devices. Again, only the differences from the previous weekly security scan are mailed to root. See Table 3 for a list of checks in the weekly scan.

Check               Explanation
Password check      Runs john to crack the password file; the user gets an email notice to change his password
rpm md5 check       Checks for changed files via rpm's md5 checksum feature
suid/sgid check     Lists all suid and sgid files
exec group write    Lists all executables which are group/world writable
Writable check      Lists all files which are world writable (incl. the above)
Device check        Lists all devices

The monthly security check is run on the first day of every month at 4:00am, and it sends a complete set of information from both the daily and weekly checks to root. One pitfall of using Seccheck is that one has to pay attention to when changes are reported. Since only changes to the system since the last Seccheck analysis are e-mailed, anomalies appear only once. If you miss a change, you may not catch suspicious activity for a week or even a month.
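The daily /etc/passwd checks from the first table, together with the "only changes since the last run are mailed" behaviour and its pitfall, can be shown in a few lines of POSIX sh. This is an added example, not seccheck's own code: the passwd records are constructed sample data, the findings format and the state-directory layout are assumptions, and a per-run history file is added so that a change reported once is not lost.

```shell
#!/bin/sh
# Seccheck-style /etc/passwd audit with "report only the changes" semantics.
# Constructed sample data standing in for /etc/passwd (not a real system's file).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:1000:100:Alice:/home/alice:/bin/bash
backdoor:x:0:0:oops:/tmp:/bin/sh
bob::1001:100:Bob:/home/bob:/bin/bash
carol:x:1000:100:Carol:/home/carol:/bin/bash'

# Read passwd lines on stdin and print one sorted finding per line:
# malformed records, uid 0 accounts other than root, empty password fields,
# and uids shared by several accounts (the checks named in the daily table).
passwd_findings() {
  awk -F: '
    NF != 7                 { print "malformed: line " NR " has " NF " fields"; next }
    $3 == 0 && $1 != "root" { print "uid0: " $1 }
    $2 == ""                { print "nopass: " $1 }
    { names[$3] = names[$3] ? names[$3] "," $1 : $1; count[$3]++ }
    END { for (u in count) if (count[u] > 1) print "dupuid: " u " " names[u] }
  ' | LC_ALL=C sort
}

# Print only the findings that were absent from the previous run. $1 is the
# state directory (the role /var/lib/secchk/data plays for seccheck; the
# file names inside it are an assumption). Every run is also appended to
# $1/history, so a notice that was mailed once and missed can be recovered.
report_new() {
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/current"
  [ -f "$dir/previous" ] || : > "$dir/previous"
  LC_ALL=C comm -13 "$dir/previous" "$dir/current"
  { echo "== run $(date -u +%Y-%m-%dT%H:%M:%SZ) =="; cat "$dir/current"; } >> "$dir/history"
  mv "$dir/current" "$dir/previous"
}
```

Running `printf '%s\n' "$SAMPLE_PASSWD" | passwd_findings | report_new /var/tmp/secchk-demo` twice prints every finding the first time and nothing the second time, which is exactly the pitfall described above; `history` in the state directory keeps what each run saw.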

Seccheck is a good set of security auditing tools that monitors many of the user-related vulnerabilities. It is surprising that it is not enabled by default.

Even though Seccheck has a filesystem integrity check, it is always better to install a separate system integrity checker with control of the file signature database.

Copyright © 1996-2009 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License (OPL). Original materials copyright belongs to the respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Last modified: February 19, 2009