Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
openSUSE Leap Documentation › Security and Hardening Guide › Local Security › Automatic Security Checks with seccheck
ContentsContents
Security and Hardening Guide
  1. About This Guide
  2. 1 Security and Confidentiality
  3. 2 Common Criteria
  4. I Authentication
    1. 3 Authentication with PAM
    2. 4 Using NIS
    3. 5 Setting Up Authentication Clients Using YaST
    4. 6 LDAP—A Directory Service
    5. 7 Network Authentication with Kerberos
    6. 8 Active Directory Support
    7. 9 Setting Up a FreeRADIUS Server
  5. II Local Security
    1. 10 Physical Security
    2. 11 Automatic Security Checks with seccheck
    3. 12 Software Management
    4. 13 File Management
    5. 14 Encrypting Partitions and Files
    6. 15 Storage Encryption for Hosted Applications with cryptctl
    7. 16 User Management
    8. 17 Spectre/Meltdown Checker
    9. 18 Configuring Security Settings with YaST
    10. 19 Authorization with PolKit
    11. 20 Access Control Lists in Linux
    12. 21 Certificate Store
    13. 22 Intrusion Detection with AIDE
  6. III Network Security
    1. 23 X Window System and X Authentication
    2. 24 SSH: Secure Network Operations
    3. 25 Masquerading and Firewalls
    4. 26 Configuring a VPN Server
  7. IV Confining Privileges with AppArmor
    1. 27 Introducing AppArmor
    2. 28 Getting Started
    3. 29 Immunizing Programs
    4. 30 Profile Components and Syntax
    5. 31 AppArmor Profile Repositories
    6. 32 Building and Managing Profiles with YaST
    7. 33 Building Profiles from the Command Line
    8. 34 Profiling Your Web Applications Using ChangeHat
    9. 35 Confining Users with pam_apparmor
    10. 36 Managing Profiled Applications
    11. 37 Support
    12. 38 AppArmor Glossary
  8. V SELinux
    1. 39 Configuring SELinux
  9. VI The Linux Audit Framework
    1. 40 Understanding Linux Audit
    2. 41 Setting Up the Linux Audit Framework
    3. 42 Introducing an Audit Rule Set
    4. 43 Useful Resources
  10. A GNU Licenses
Navigation
openSUSE Leap Documentation › Security and Hardening Guide › Local Security › Automatic Security Checks with seccheck
Top
Applies to openSUSE Leap 15.2

11 Automatic Security Checks with seccheck Edit source

11.1 Seccheck Timers
11.2 Enabling Seccheck Timers
11.3 Daily, Weekly, and Monthly Checks
11.4 Automatic Logout

The seccheck SUSE Security Checker is a set of shell scripts designed to automatically check the local security of a system on a regular schedule, and emails reports to the root user, or any user as configured by the administrator.

If seccheck is not installed on your system, install it with sudo zypper in seccheck. These scripts are controlled by systemd timers, which are not enabled by default, but must be enabled by the administrator.

11.1 Seccheck Timers Edit source

There are four seccheck timers:

  • /usr/lib/systemd/system/seccheck-daily.timer

  • /usr/lib/systemd/system/seccheck-monthly.timer

  • /usr/lib/systemd/system/seccheck-weekly.timer

  • /usr/lib/systemd/system/seccheck-autologout.timer

seccheck-daily.timer, seccheck-monthly.timer, and seccheck-weekly.timer run multiple checks as described in Section 11.3, “Daily, Weekly, and Monthly Checks”. seccheck-autologout.timer logs out inactive users, see Section 11.4, “Automatic Logout”.

You can change the recipient of the seccheck mails from root to any user in /etc/sysconfig/seccheck. The following example changes it to an admin user named firewall: 

SECCHK_USER="firewall"

11.2 Enabling Seccheck Timers Edit source

Manage your timers with systemctl, just like any other systemd timer. The following example enables and starts seccheck-daily.timer: 

tux > sudo systemctl enable --now seccheck-daily.timer

List all active timers: 

tux > sudo systemctl list-timers

List all enabled timers, active and inactive: 

tux > sudo systemctl list-timers --all

11.3 Daily, Weekly, and Monthly Checks Edit source

seccheck performs the following daily checks:

/etc/passwd check

length/number/contents of fields, accounts with same UID accounts with UID/GID of 0 or 1 beside root and bin

/etc/shadow check

length/number/contents of fields, accounts with no password

/etc/group check

length/number/contents of fields

user root checks

secure umask and PATH

/etc/ftpusers

checks if important system users are put there

/etc/aliases

checks for mail aliases which execute programs

.rhosts check

checks if users' .rhosts file contain + signs

home directory

checks if home directories are writable or owned by someone else

dot-files check

checks many dot-files in the home directories if they are writable or owned by someone else

mailbox check

checks if user mailboxes are owned by user and are readable

NFS export check

exports should not be exported globally

NFS import check

NFS mounts should have the nosuid option set

promisc check

checks if network cards are in promiscuous mode

list modules

lists loaded modules

list sockets

lists open ports

The following table lists the weekly checks:

password check

runs john to crack the password file, user will receive an e-mail notice to change their password

RPM md5 check

checks for changed files via RPM's MD5 checksum feature

suid/sgid check

lists all suid and sgid files

exec group write

lists all executables which are group/world-writable

writable check

lists all files which are world-writable (including executables)

device check

lists all devices

Important
Important: Auditing Passwords with john

To enable password auditing, it is necessary to first install the package john, the John the Ripper fast password cracker. The package is available on the openSUSE Build Service at https://build.opensuse.org/package/show/security/john.

The monthly check prints a complete report, and the daily and weekly checks print diffs.

11.4 Automatic Logout Edit source

The seccheck-autologout.timer timer runs every 10 minutes, checks both remote and local terminal sessions for inactivity, and terminates them if an idle time is exceeded.

Configure your desired timeouts in /etc/security/autologout.conf file. Parameters include default idle and logout delay times, and the configuration for limiting maximum idle times specific to users, groups, TTY devices and SSH sessions. /etc/security/autologout.conf includes several configuration examples.

Chapter 12 Software ManagementChapter 10 Physical Security
Print this page

© 2020 SUSE