$ #### sectool sample run on my home Fedora 14 system (on VirtualBox): ###
$ man sectool
...output omitted...
$ su
Password:
# yum -y update
...output omitted...
# sectool --hint --auto
integrity ->
integrity: PASS
bootloader ->
bootloader: PASS
disc_usage ->
disc_usage: PASS
group ->
group: PASS
passwd ->
Error: /etc/passwd: Line 55: User vboxadd has GID 1, but his login is not 'bin'!
Hint: If there are more users with GID 1 in /etc/passwd (you should see them on next lines), delete all but the first. Then set his name to 'bin'.
Error: /etc/passwd: Line 55: User vboxadd has strange shell /bin/false
Hint: Set last field on this line to /bin/bash, or add the shell to /etc/shells
passwd: ERROR
shadow ->
shadow: PASS
home_dirs ->
Warning: This is a first run of the test. Some parts of audit are skipped.
Error: Home directory of user "mysql" is world-readable.
Error: Home directory of user "mysql" is world-accessible.
Error: Home directory of user "amandabackup" is world-readable.
Error: Home directory of user "amandabackup" is world-accessible.
Error: Home directory of user "tomcat" has wrong uid: 0. Expected uid is 91.
Warning: Home directory of user "tomcat" has wrong gid: 0. Expected gid is 91.
Error: Home directory of user "tomcat" is world-readable.
Error: Home directory of user "tomcat" is world-accessible.
Error: Home directory of user "jetty" has wrong uid: 0. Expected uid is 491.
Warning: Home directory of user "jetty" has wrong gid: 0. Expected gid is 485.
Error: Home directory of user "jetty" is world-readable.
Error: Home directory of user "jetty" is world-accessible.
Error: Home directory of user "vboxadd" has wrong uid: 0. Expected uid is 492.
Warning: Home directory of user "vboxadd" has wrong gid: 0. Expected gid is 1.
Error: Home directory of user "vboxadd" is world-readable.
Error: Home directory of user "vboxadd" is world-accessible.
Error: Home directory of user "wpollock" is world-readable.
Error: Home directory of user "wpollock" is world-accessible.
home_dirs: ERROR
home_files ->
home_files: PASS
root_dirs ->
Error: There should not be a "/.config" directory under "/"
Error: There should not be a "/.dbus" directory under "/"
Error: There should not be a "/.kde" directory under "/"
Error: There should not be a "/.smolt" directory under "/"
Error: There should not be a "/.automount" directory under "/"
root_dirs: ERROR
filesystem ->
Warning: Symbolic link "/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-sparc64" points to a non-existent file "RPM-GPG-KEY-fedora-14-SPARC".
Warning: Symbolic link "/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-sparc" points to a non-existent file "RPM-GPG-KEY-fedora-14-SPARC".
Warning: Mislabeled regular file '/etc/aliases' found. Labeled as 'system_u:object_r:etc_t:s0', should be 'system_u:object_r:etc_aliases_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: File "/etc/mock/fedora-14-x86_64.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-rawhide-ppc64.cfg" is executable and group writable.
Warning: File "/etc/mock/epel-6-i386.cfg" is executable and group writable.
Warning: File "/etc/mock/epel-4-i386.cfg" is executable and group writable.
Warning: File "/etc/mock/epel-4-x86_64.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-16-arm.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-15-sparc.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-16-x86_64.cfg" is executable and group writable.
Warning: File "/etc/mock/epel-4-ppc.cfg" is executable and group writable.
Warning: File "/etc/mock/epel-5-ppc.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-16-sparc64.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-15-s390x.cfg" is executable and group writable.
Warning: File "/etc/mock/site-defaults.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-15-arm.cfg" is executable and group writable.
Warning: File "/etc/mock/epel-5-x86_64.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-15-ppc.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-15-i386.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-rawhide-sparc.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-rawhide-arm.cfg" is executable and group writable.
Warning: File "/etc/mock/epel-5-i386.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-16-ppc64.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-15-x86_64.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-16-i386.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-rawhide-sparc64.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-16-ppc.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-rawhide-x86_64.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-14-sparc64.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-16-s390x.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-rawhide-i386.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-15-s390.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-rawhide-ppc.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-14-sparc.cfg" is executable and group writable.
Warning: File "/etc/mock/epel-6-ppc64.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-14-i386.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-15-ppc64.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-16-s390.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-14-ppc64.cfg" is executable and group writable.
Warning: File "/etc/mock/epel-6-x86_64.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-15-sparc64.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-16-sparc.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-14-ppc.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-14-s390x.cfg" is executable and group writable.
Warning: File "/etc/mock/fedora-rawhide-s390x.cfg" is executable and group writable.
Warning: Symbolic link "/etc/extlinux.conf" points to a non-existent file "../boot/extlinux/extlinux.conf".
Warning: Mislabeled regular file '/etc/rc.d/init.d/vboxadd' found. Labeled as 'unconfined_u:object_r:etc_t:s0', should be 'system_u:object_r:initrc_exec_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled regular file '/etc/rc.d/init.d/vboxadd-x11' found. Labeled as 'unconfined_u:object_r:etc_t:s0', should be 'system_u:object_r:initrc_exec_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled regular file '/etc/rc.d/init.d/gpsd' found. Labeled as 'system_u:object_r:initrc_exec_t:s0', should be 'system_u:object_r:gpsd_initrc_exec_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled regular file '/etc/rc.d/init.d/vboxadd-service' found. Labeled as 'unconfined_u:object_r:etc_t:s0', should be 'system_u:object_r:initrc_exec_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled regular file '/etc/xinetd.d/telnet' found. Labeled as 'system_u:object_r:etc_runtime_t:s0', should be 'system_u:object_r:etc_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled regular file '/etc/X11/xorg.conf.d/00-system-setup-keyboard.conf' found. Labeled as 'system_u:object_r:etc_runtime_t:s0', should be 'system_u:object_r:etc_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled regular file '/etc/mtab.fuselock' found. Labeled as 'unconfined_u:object_r:etc_t:s0', should be 'system_u:object_r:etc_runtime_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled regular file '/etc/mtab~7583' found. Labeled as 'unconfined_u:object_r:etc_runtime_t:s0', should be 'system_u:object_r:etc_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Symbolic link "/var/lib/gdm/.pulse/97aa0cc7dab37c84e81f180000000012-runtime" points to a non-existent file "/tmp/pulse-RdEJSHuvzmXu".
Warning: Mislabeled directory '/var/spool/uucp' found. Labeled as 'unconfined_u:object_r:var_spool_t:s0', should be 'system_u:object_r:uucpd_spool_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled directory '/var/www/wiki/config' found. Labeled as 'system_u:object_r:usr_t:s0', should be 'system_u:object_r:httpd_sys_content_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled regular file '/var/www/wiki/config/index.php' found. Labeled as 'system_u:object_r:usr_t:s0', should be 'system_u:object_r:httpd_sys_content_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled regular file '/var/www/wiki/config/index.php5' found. Labeled as 'system_u:object_r:usr_t:s0', should be 'system_u:object_r:httpd_sys_content_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled regular file '/var/www/wiki/config/Installer.php' found. Labeled as 'system_u:object_r:usr_t:s0', should be 'system_u:object_r:httpd_sys_content_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Symbolic link "/lib/udev/devices/MAKEDEV" points to a non-existent file "/sbin/MAKEDEV".
Warning: File "/usr/bin/jwhois" is executable and group writable.
Warning: Symbolic link "/usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/bin/appletviewer" points to a non-existent file "../../../../bin/gappletviewer".
Warning: File "/usr/lib/nagios/cgi-bin/summary.cgi" is executable and group writable.
Warning: File "/usr/lib/nagios/cgi-bin/history.cgi" is executable and group writable.
Warning: File "/usr/lib/nagios/cgi-bin/statuswml.cgi" is executable and group writable.
Warning: File "/usr/lib/nagios/cgi-bin/config.cgi" is executable and group writable.
Warning: File "/usr/lib/nagios/cgi-bin/statusmap.cgi" is executable and group writable.
Warning: File "/usr/lib/nagios/cgi-bin/outages.cgi" is executable and group writable.
Warning: File "/usr/lib/nagios/cgi-bin/showlog.cgi" is executable and group writable.
Warning: File "/usr/lib/nagios/cgi-bin/extinfo.cgi" is executable and group writable.
Warning: File "/usr/lib/nagios/cgi-bin/cmd.cgi" is executable and group writable.
Warning: File "/usr/lib/nagios/cgi-bin/tac.cgi" is executable and group writable.
Warning: File "/usr/lib/nagios/cgi-bin/status.cgi" is executable and group writable.
Warning: File "/usr/lib/nagios/cgi-bin/trends.cgi" is executable and group writable.
Warning: File "/usr/lib/nagios/cgi-bin/statuswrl.cgi" is executable and group writable.
Warning: File "/usr/lib/nagios/cgi-bin/notifications.cgi" is executable and group writable.
Warning: File "/usr/lib/nagios/cgi-bin/histogram.cgi" is executable and group writable.
Warning: File "/usr/lib/nagios/cgi-bin/avail.cgi" is executable and group writable.
Warning: Mislabeled directory '/opt/VBoxGuestAdditions-4.0.12/lib' found. Labeled as 'unconfined_u:object_r:usr_t:s0', should be 'system_u:object_r:lib_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled regular file '/opt/VBoxGuestAdditions-4.0.12/lib/VBoxOGLpackspu.so' found. Labeled as 'unconfined_u:object_r:usr_t:s0', should be 'system_u:object_r:textrel_shlib_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled regular file '/opt/VBoxGuestAdditions-4.0.12/lib/VBoxOGLpassthroughspu.so' found. Labeled as 'unconfined_u:object_r:usr_t:s0', should be 'system_u:object_r:textrel_shlib_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled regular file '/opt/VBoxGuestAdditions-4.0.12/lib/VBoxOGLarrayspu.so' found. Labeled as 'unconfined_u:object_r:usr_t:s0', should be 'system_u:object_r:textrel_shlib_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled directory '/opt/VBoxGuestAdditions-4.0.12/lib/VBoxGuestAdditions' found. Labeled as 'unconfined_u:object_r:usr_t:s0', should be 'system_u:object_r:lib_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled regular file '/opt/VBoxGuestAdditions-4.0.12/lib/VBoxGuestAdditions/vboxvideo_drv_19.so' found. Labeled as 'unconfined_u:object_r:usr_t:s0', should be 'system_u:object_r:textrel_shlib_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled regular file '/opt/VBoxGuestAdditions-4.0.12/lib/VBoxGuestAdditions/vboxmouse_drv.o' found. Labeled as 'unconfined_u:object_r:usr_t:s0', should be 'system_u:object_r:lib_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled regular file '/opt/VBoxGuestAdditions-4.0.12/lib/VBoxGuestAdditions/vboxmouse_drv_71.so' found. Labeled as 'unconfined_u:object_r:usr_t:s0', should be 'system_u:object_r:textrel_shlib_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled regular file '/opt/VBoxGuestAdditions-4.0.12/lib/VBoxGuestAdditions/x11config.sh' found. Labeled as 'unconfined_u:object_r:usr_t:s0', should be 'system_u:object_r:lib_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled regular file '/opt/VBoxGuestAdditions-4.0.12/lib/VBoxGuestAdditions/vboxmouse_drv_17.so' found. Labeled as 'unconfined_u:object_r:usr_t:s0', should be 'system_u:object_r:textrel_shlib_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled regular file '/opt/VBoxGuestAdditions-4.0.12/lib/VBoxGuestAdditions/vboxmouse_drv_14.so' found. Labeled as 'unconfined_u:object_r:usr_t:s0', should be 'system_u:object_r:textrel_shlib_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled regular file '/opt/VBoxGuestAdditions-4.0.12/lib/VBoxGuestAdditions/vboxmouse_drv_19.so' found. Labeled as 'unconfined_u:object_r:usr_t:s0', should be 'system_u:object_r:textrel_shlib_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled regular file '/opt/VBoxGuestAdditions-4.0.12/lib/VBoxGuestAdditions/vboxmouse_drv_18.so' found. Labeled as 'unconfined_u:object_r:usr_t:s0', should be 'system_u:object_r:textrel_shlib_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled regular file '/opt/VBoxGuestAdditions-4.0.12/lib/VBoxGuestAdditions/vboxadd' found. Labeled as 'unconfined_u:object_r:usr_t:s0', should be 'system_u:object_r:lib_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled regular file '/opt/VBoxGuestAdditions-4.0.12/lib/VBoxGuestAdditions/vboxvideo_drv_16.so' found. Labeled as 'unconfined_u:object_r:usr_t:s0', should be 'system_u:object_r:textrel_shlib_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled regular file '/opt/VBoxGuestAdditions-4.0.12/lib/VBoxGuestAdditions/mount.vboxsf' found. Labeled as 'system_u:object_r:mount_exec_t:s0', should be 'system_u:object_r:lib_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled regular file '/opt/VBoxGuestAdditions-4.0.12/lib/VBoxGuestAdditions/vboxvideo_drv.o' found. Labeled as 'unconfined_u:object_r:usr_t:s0', should be 'system_u:object_r:lib_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled regular file '/opt/VBoxGuestAdditions-4.0.12/lib/VBoxGuestAdditions/vboxadd-x11' found. Labeled as 'unconfined_u:object_r:usr_t:s0', should be 'system_u:object_r:lib_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled regular file '/opt/VBoxGuestAdditions-4.0.12/lib/VBoxGuestAdditions/vboxvideo_drv_14.so' found. Labeled as 'unconfined_u:object_r:usr_t:s0', should be 'system_u:object_r:textrel_shlib_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Mislabeled regular file '/opt/VBoxGuestAdditions-4.0.12/lib/VBoxGuestAdditions/vboxvideo_drv_15.so' found. Labeled as 'unconfined_u:object_r:usr_t:s0', should be 'system_u:object_r:textrel_shlib_t:s0'.
Hint: File is not labeled as defined in configuration. See man restorecon.
Warning: Limit of output messages reached, waiting till the test finishes..
filesystem: WARNING
path ->
path: PASS
firewall ->
firewall: PASS
netserv ->
netserv: PASS
openssh ->
Warning: This is a first run of the test. Some parts of audit are skipped.
openssh: WARNING
openvpn ->
openvpn: PASS
removedlibs ->
removedlibs: PASS
xinetd ->
xinetd: PASS
suid ->
Warning: This is a first run of the test. Some parts of audit are skipped.
Hint: Run this test periodically to get diffs of results
suid: WARNING
logfiles ->
logfiles: PASS
pam ->
pam: PASS
permissions ->
Error: Directory /mnt has wrong permissions! The correct permissions should be 755.
Hint: Please change the permissions to the recommended value.
Error: Directory /var/lock has wrong permissions! The correct permissions should be 775.
Hint: Please change the permissions to the recommended value.
permissions: ERROR
exec-shield ->
exec-shield: PASS
selinux ->
Warning: Selinux is in Permissive mode.
Hint: Using Enforing mode is highly recommended. See selinux manual page for switching to Enforcing mode.
Warning: This is a first run of the test. Some parts of audit are skipped.
selinux: WARNING
mountopt ->
Warning: The mountpoint /mnt doesn't have "nodev,nosuid,noexec" option(s) set.
Hint: Edit /etc/fstab and add "nodev,nosuid,noexec" to the fourth field of line 20
mountopt: WARNING
aliases ->
Warning: Alias '..' contains command 'cd', which was not found
Warning: Alias 'big' contains command 'figlet', which was not found
Warning: Alias 'cd..' contains command 'cd', which was not found
Warning: Alias 'h' contains command 'history', which was not found
Warning: Alias 'pri' contains command 'cd', which was not found
Warning: Alias 'rehash' contains command 'hash', which was not found
Warning: Alias 'su' contains command 'LEVEL', which was not found
Warning: Alias 'whereis' contains command 'command', which was not found
aliases: WARNING
cron ->
cron: PASS
vsftpd ->
Warning: File '/var/log/xferlog' does not exist. (xferlog_file option)
vsftpd: WARNING
nfs ->
nfs: PASS
tcp_wrappers ->
tcp_wrappers: PASS
routing ->
Warning: This is a first run of the test. Some parts of audit are skipped.
routing: WARNING
root@localhost /home/wpollock #