Features/Sectool

= Sectool =

Summary
The security audit tool and part of an intrusion detection system.

Owner

 * Name: Peter Vrabec, Maros Barabas
 * email: pvrabec AT redhat DOT com, mbarabas AT redhat DOT com

Current status

 * Targeted release: Fedora 12
 * Last updated: (Aug 24 2009)
 * Percentage of completion: 99.9%

Detailed Description
A security tool that can be used both for security audits and as a part of an intrusion detection system. It consists of a set of tests, a library and textual/graphical frontends. Tests are sorted into groups and security levels. Administrators can run selected tests, groups or whole security levels.

Benefit to Fedora
Lowers the attack surface by finding possible vulnerabilities, audits the system to find common problems, and improves the security and performance of scanning the system. Encourages users to run Fedora on servers and supports other distributions based on Fedora such as Red Hat Enterprise Linux or CentOS.

Scope
Already done:
 * Split the current program into a backend mechanism and frontend pieces to separate the user part and the administrator part of the application.
 * D-Bus communication interface for the backend
 * Option for not using D-Bus
 * Switch communication between backend and frontend to D-Bus and Unix sockets
 * PolicyKit integration
 * Define policies for PolicyKit

Further plans:
 * Improve GUI
 * Better user authentication system

How To Test
There is no need for special hardware to test this feature.

install sectool and sectool-gui
$ yum install sectool*

Sanity testing
Test the most basic functions to make sure sectool is able to start, etc.

 * sectool --help: shows the help for the command line user interface.
 * sectool --version: shows the version of the package. Make sure that the version string is correct.
 * sectool --list: check that the level numbers are sane.
 * Test globbing: sectool --list \*home\*
 * Show information on some tests: sectool --info

Running the tests
Test that sectool is able to run tests.

 * Test running a single test in the default level:
   sectool --run bootloader
 * Test running a single test in a non-default level:
   sectool --level 5 --run bootloader
   Bootloader is a good candidate since it should stay silent in the default level and report ERROR in level 5.
 * Test running multiple tests in the default/non-default level:
   sectool --run bootloader home_files
   sectool --level 5 --run bootloader home_files
 * Test globbing:
   sectool --run \*home\*

Running a level

 * Run a level:
   sectool --level 5
   Level 5 might be good if you have enough time; level 1 is probably OK for quick smoke testing.
 * Run a level via its nickname:
   sectool --level Desktop
   The valid levels are: Naive, Desktop, Network, Server, Paranoid.
 * Exclude a test from its level:
   sectool --level 1 --exclude integrity
   Check that all the tests in level 1 except for integrity ran.
 * Include a test into another level:
   sectool --level 1 --include path
   Check that all the tests in level 1 and 'path' ran.

Display filters

 * Check that sectool displays additional info when run with --debug. A good candidate is home_files:
   sectool --run home_files --debug
 * Check that sectool displays hints when run with --hint. A good candidate is mountopt:
   sectool --run mountopt --hint

Test auto action

 * Running a whole level via --auto. Set the [ACTION] section of /etc/sectool/sectool.conf as follows:
   [ACTION]
   LEVEL=1
   Run sectool --auto; the whole of level 1 should run.
 * Running some tests on a specific level. Set the [ACTION] section of /etc/sectool/sectool.conf as follows:
   [ACTION]
   LEVEL=5
   RUN=path bootloader
   Run sectool --auto; the tests path and bootloader should run on level 5.
 * Running some tests on the default level. Set the [ACTION] section of /etc/sectool/sectool.conf as follows:
   [ACTION]
   RUN=path bootloader
   Run sectool --auto; the tests path and bootloader should run on the default level.
 * Including and excluding tests from a level in the auto action. Set the [ACTION] section of /etc/sectool/sectool.conf as follows:
   [ACTION]
   LEVEL=1
   RUN=+bootloader -integrity
   Run sectool --auto; level 1 should run, excluding integrity and including bootloader.

Diff and sending a mail

 * Check that sectool is able to produce a meaningful diff:
   sectool --run suid; chmod a+s /bin/cp; sectool --run suid --diff; chmod a-s /bin/cp
 * Sending email - vanilla config, that is SEND_BODY=diff and SEND_ATTACHMENT=full. Make sure your sendmail is running and properly configured:
   sectool --run home_files --mail jhrozek@redhat.com
 * Sending email - full output in body, diff in attachment. Set SEND_ATTACHMENT=diff and SEND_BODY=full in /etc/sectool/sectool.conf.
 * Sending email via SMTP server. The default is via sendmail; configure your server, username and password in /etc/sectool/sectool.conf and change TARGET=smtp.
 * Check the --clean action: run a test and make sure that results.xml exists; sectool --clean should remove it.

Overriding levels

 * Check that a level can be added/removed via the config file (test a level that is not included in the dsc):
   echo "path 1 2" > ~/.sectoolrc
 * Check that disabling all levels works:
   echo "path" > ~/.sectoolrc
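As an added example (not sectool's own code), the following Python models the test-selection rules this plan exercises: the [ACTION] LEVEL= and RUN= directives from the auto action section, --include/--exclude, and the ~/.sectoolrc level overrides. The test catalogue, the default level and the RUN= parsing rules are assumptions reconstructed from the expected results stated above.

```python
# Added example, not sectool's own code: a model of how sectool picks the
# tests to run, reconstructed from this test plan. The catalogue, the
# default level and the RUN= parsing rules are assumptions.
from configparser import ConfigParser

# Constructed catalogue: test name -> levels it belongs to (as the .dsc
# files would define). bootloader is in level 5 only, as the plan implies.
CATALOGUE = {
    "bootloader": {5},
    "integrity": {1, 2, 3, 4, 5},
    "path": {2, 3},
    "home_files": {1, 2, 3, 4, 5},
}
DEFAULT_LEVEL = 2  # assumption: the plan only says it is not level 5


def apply_sectoolrc(catalogue, rc_text):
    """Apply ~/.sectoolrc overrides: 'path 1 2' puts the test into
    levels 1 and 2, a bare 'path' removes it from every level."""
    levels = {t: set(ls) for t, ls in catalogue.items()}
    for line in rc_text.splitlines():
        parts = line.split()
        if parts:
            levels[parts[0]] = {int(p) for p in parts[1:]}
    return levels


def select_tests(levels, level=None, run="", include=(), exclude=()):
    """Tests that would run for the given --level/--run (or LEVEL=/RUN=)
    plus --include/--exclude; '+test'/'-test' in RUN adjust the level."""
    tokens = run.split()
    if tokens and not any(t[0] in "+-" for t in tokens):
        return set(tokens)  # explicit test list: run exactly these
    lvl = DEFAULT_LEVEL if level is None else level
    selected = {t for t, ls in levels.items() if lvl in ls}
    for t in tokens:
        (selected.add if t[0] == "+" else selected.discard)(t[1:])
    return (selected | set(include)) - set(exclude)


def select_from_action(levels, conf_text):
    """Read the [ACTION] section the way 'sectool --auto' is tested above."""
    cp = ConfigParser()
    cp.read_string(conf_text)
    level = cp.getint("ACTION", "LEVEL", fallback=None)
    run = cp.get("ACTION", "RUN", fallback="")
    return select_tests(levels, level=level, run=run)
```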

Logging

 * See that /var/log/sectool.log is created, filled and properly formatted
 * Check that logrotate handles sectool.log

DBus testing

 * Test non-dbus communication by running sectool, e.g.:
   sectool -r vsftpd
 * Test dbus sectool by running with option --use-dbus:
   sectool --use-dbus -r vsftpd
   Should end with no authorization message.
   sectool --use-dbus --list
   Should show the list of tests.

GUI testing
The GUI tool should react swiftly without delay; stopping tests should take approximately 2 s, as all threads are stopped.

 * Test PolicyKit authentication by running sectool-gui
 * Test the sectool-gui tool by:
   * running tests
   * running a level
   * clearing cache data
   * stopping running tests

User Experience
Users will have the option to audit their system to improve security and performance. Users can choose between command line testing through D-Bus (or without D-Bus) and the GUI testing tool. The whole system will be less vulnerable to attack.

Dependencies

 * sectool-gui

Contingency Plan
This feature is not critical. Revert to the previous release in case it cannot be completed by the final feature freeze.

Documentation


Filed Bugs

 * Switch to using PolicyKit https://bugzilla.redhat.com/show_bug.cgi?id=502733
 * Sectool and file capabilities https://bugzilla.redhat.com/show_bug.cgi?id=449990
 * Arch dependent files in /usr/share https://bugzilla.redhat.com/show_bug.cgi?id=501825
 * Bug in netserv test https://bugzilla.redhat.com/show_bug.cgi?id=503207
 * Spurious warnings in filesystem test in mock chroots https://bugzilla.redhat.com/show_bug.cgi?id=503209
 * FTBFS sectool-0.9.3-1.fc12 https://bugzilla.redhat.com/show_bug.cgi?id=511473

Release Notes

 * Sectool is a security tool that can be used both for security audits and as a part of an intrusion detection system. It consists of a set of tests, a library and textual/graphical frontends. Tests are sorted into groups and security levels. Administrators can run selected tests, groups or whole security levels.
 * Sectool is now using PolicyKit and dbus for better security in authentication actions.

Comments and Discussion

 * See Talk:Features/Sectool
 * Sectool Homepage:
 * Testing New Release of Sectool: