sectoolkit

sectoolkit: a simple security toolkit

By Mauro Chiarugi && Marco Pagnanini
in collaboration with Aldo Franco Dragoni and Paolo Puliti



What's sectoolkit?

Sectoolkit is a simple security toolkit, written in Python and released under the GNU/GPL, that applies the Open Source Security Testing Methodology Manual (OSSTMM) automatically. The application is composed of plugins, where each plugin carries out some of the tasks described in the OSSTMM. There are also some plugins that perform tasks from the Unix Security Checklist of CERT/CC, available at http://www.cert.org.

Requirements


Download

You can download the sources from the sectoolkit website on Savannah via CVS.

Installation && Configuration

Once you have successfully downloaded the source files via CVS you _must_ read the README file in the root directory and the one in the sectoolkitZODB/ directory.

Usage: a brief tutorial

Change directory ('cd') into the sources root directory of sectoolkit. You should find an executable file named sectoolkit.py: this is the main sectoolkit file, the entry point of the entire application.
Start the application by running sectoolkit.py (or ./sectoolkit.py) like this:

table_0
  # sectoolkit.py [args]    

Now sectoolkit is in interactive mode: you have a text-based interface that waits for your input:

table_1
  Welcome!!!
  This is a alpha release of SecurityToolkit
  SecurityToolkit is an automated program to
  speed up the use of OSSTMM.


  You can perform an test (a), query *all* database (q),
  query the database by field with regex (r) or delete a row (d):
  (^C exits)

  a: test
  d: delete row
  q: query
  r: query by regex

  sectoolkit prompt>

You can run a test (a), delete a row in the database (d), query the database by showing all the rows in it (q), or restrict the query with regular-expression text matching (r).

By choosing option 'a' you will be prompted to select which type of plugin you want to spawn, and so which test you want to perform:

table_2
  0 -  Cron
  1 -  Inetd
  2 -  maurochecklist
  3 -  security-update-check

  *****************
  Make your choice:

You should enter '0', '1', '2' or '3' according to your choice; the plugin will be spawned and the test performed.
While the test is running you will have to hit the <ENTER> key many times; note also that, depending on your system configuration, you may need root privileges to perform a test.
After the test has run, sectoolkit will ask you to answer some questions, then it quietly commits all results to the ZODB database.

Every time you launch sectoolkit it first checks for expired tests and, if there are any, prints a warning message to stdout. If you want a more complete summary of expired tests you can query the database.
The '-R' option shows each test's expiration time.

Now let's try option 'd' from table_1. The prompt that you'll get will be similar to this:

table_3
  !!!!!!!!!!!!!!     Test below expired   !!!!!!!!!!!!!!
  **  0  **
  Cron check test spawned at:  Thu Jan  1 22:22:24 2004
  Expiration at:  Sat Jan 31 22:22:24 2004

  **  1  **
  Cron check test spawned at:  Tue Aug  3 10:40:01 2004
  Expiration at:  Thu Sep  2 10:40:01 2004

  **  2  **
  Mauro Fast Security CheckList test spawned at:  Tue Aug  3 11:26:30 2004
  Expiration at:  Thu Sep  2 11:26:30 2004


  Which row do you want to delete?
  --------------------------------

  'q' exits & commits>

As you can see you also get information about expired tests, so you can safely delete them (by entering the number id and then 'q'): sectoolkit quietly saves deleted tests in the deleted-rows.sec file in the sectoolkitZODB/ directory and calculates an MD5 checksum for it.
This is an example of such a file:

table_4
  # cat sectollkitZODB/deleted-rows.sec    

  Tue Aug  3 11:26:43 2004
  Expiration time: Thu Sep  2 11:26:43 2004
  Plugin name: Inetd check
  Primary key: Tue Aug  3 11:26:43 2004
  Machine id: 0
  Error id: 5
  Error description: Warning: there are active services
  Error long description: Warning: there are active services started by inetd.
  Suggest: Edit your inetd.conf file.
  Admin name: tmp
  Admin email: tmp<AT>cmlug.org
  Organization: 
  License: GPL
  License description: you can find it at www.gnu.org
  md5 checksum: no
  Key: no
  Plugin type: 0
  Action description: Inetd check
  Action long description: 
        This plugin will examinate your inetd configuration and
        permissions of inetd files.
        
  Disclaimer: This is experimental code..
  Expected result: 
        Improve the inetd configuration.
        
  Tasks: 
        
        # ENSURE that the permissions on this file are set to 600.

        # ENSURE that the owner is root.

        # DO disable any services which you do not require.
        
  Reviewing: 
        You should edit the /etc/inetd.conf and /etc/xinetd.conf files.
        
  Post exec: 
        Warning!! You should execute again this test in the next months!
        
  Module: 
  Module bin: 
  Executable: 1
  RAV cycle: 30
  RAV degradation: 5

  Checksum:
  1b73d5851c5242a3d66dca8e053b1769

  *********************************************************

At the end of the file you can see the MD5 checksum.
This file is intended to be used for legal purposes, as a record of what was deleted.
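Because the checksum is what gives deleted-rows.sec its value as a record, a practitioner will want to recheck it later rather than trust the file as found. The script below is an added example and is not sectoolkit's own code: it assumes that each record ends at the line of asterisks, that the MD5 printed after "Checksum:" covers the record text above that line, and that field lines have the "Field name: value" form shown in table_4 (the hashing scope is an assumption; the page does not document it). The two sample records are constructed, with values modelled on the page's example. It reports, per record, whether the checksum still matches and whether the test's expiration time has passed, the same two facts sectoolkit reports at launch and in the 'd' prompt.

```python
import hashlib
import re
from datetime import datetime

SEPARATOR = "*" * 57                  # line of asterisks that closes each record
DATE_FMT = "%a %b %d %H:%M:%S %Y"     # date(1)-style stamps used as primary keys
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s?(.*)$")   # 'Field name: value'


def make_record(fields):
    """Build one record the way this example ASSUMES sectoolkit writes it:
    'Field: value' lines, then a 'Checksum:' line followed by the MD5 of the
    text above it. The exact hashing scope is not documented on the page."""
    body = "\n".join(f"{k}: {v}" for k, v in fields)
    digest = hashlib.md5(body.encode("utf-8")).hexdigest()
    return f"{body}\nChecksum:\n{digest}\n\n{SEPARATOR}\n"


def split_records(text):
    """Split the file into records; the separator line ends each one."""
    return [c.strip("\n") for c in text.split(SEPARATOR) if c.strip()]


def parse_record(record):
    """Return (fields, stored_md5, recomputed_md5) for one record.
    Indented continuation lines (Tasks, Reviewing, ...) do not start with a
    field name at column 0 and are simply skipped."""
    body, _, tail = record.partition("\nChecksum:")
    stored = tail.strip().splitlines()[0].strip() if tail.strip() else ""
    fields = {}
    for line in body.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    recomputed = hashlib.md5(body.encode("utf-8")).hexdigest()
    return fields, stored, recomputed


def audit(text, now_stamp):
    """For every record report whether its checksum still matches and whether
    the test it documents is past its expiration time. 'now_stamp' is given in
    the same date(1) form as the records."""
    now = datetime.strptime(now_stamp, DATE_FMT)
    report = []
    for rec in split_records(text):
        fields, stored, recomputed = parse_record(rec)
        expiry = datetime.strptime(fields["Expiration time"], DATE_FMT)
        report.append({
            "primary_key": fields["Primary key"],
            "plugin": fields["Plugin name"],
            "checksum_ok": stored == recomputed,
            "expired": now >= expiry,
        })
    return report


# Constructed sample file with two records (values modelled on the page's example).
SAMPLE_FILE = make_record([
    ("Expiration time", "Thu Sep  2 11:26:43 2004"),
    ("Plugin name", "Inetd check"),
    ("Primary key", "Tue Aug  3 11:26:43 2004"),
    ("Machine id", "0"),
    ("Error id", "5"),
    ("Error description", "Warning: there are active services"),
    ("RAV cycle", "30"),
]) + make_record([
    ("Expiration time", "Sat Jan 31 22:22:24 2004"),
    ("Plugin name", "Cron check"),
    ("Primary key", "Thu Jan  1 22:22:24 2004"),
    ("Machine id", "0"),
    ("Error id", "0"),
    ("Error description", "No problem found"),
    ("RAV cycle", "30"),
])

# A copy in which one field was edited after the checksum was written.
TAMPERED_FILE = SAMPLE_FILE.replace("Error id: 5", "Error id: 0", 1)

if __name__ == "__main__":
    for row in audit(SAMPLE_FILE, "Wed Sep  1 00:00:00 2004"):
        print(row)
    for row in audit(TAMPERED_FILE, "Wed Sep  1 00:00:00 2004"):
        print(row)
```

Run against the constructed file, the first pass reports both checksums as matching and only the January record as expired; the tampered copy shows the edited Inetd record failing its checksum while the untouched one still passes. With a real deleted-rows.sec, read the file and pass its text to audit() with the current date in the same form.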

Option 'q' simply dumps all database rows to stdout, so the stream is piped to less.

Option 'r' provides full regular-expression text matching; see this article (in Italian) if you want a quick description of regexes.
See table_5 below.

table_5
  ****************************************
  Query ZODB database by field with regex:
  ****************************************


  Now you have to insert a regex that matches one of the field to query database.
  Enter a regex:

  ^$.*\[](|) >

Simply insert a regex and you will be prompted with another textual interface, as shown in table_6 below:

table_6
  Do you want to search for primary keys (date and time) or
  for other fields?
  p = primary key
  o = other

  p/o >

This asks whether you want to search on the primary key attribute or on all attributes (fields). Remember that primary keys are the dates at which tests were spawned, so a regex search on this field only matches dates in the form printed by the date command, which depends on your shell environment variables (LANG, LC_* ...).

Whichever option you choose, the text matching is performed on all database rows. Each row that matches your regex is displayed in full.
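The 'p'/'o' choice from table_6, as an added example that is not sectoolkit's own code: the rows below are constructed (field names and the date(1) form of the primary key follow the page's records, the values are sample data), and query() reproduces the two search modes over them, returning every matching row whole, as the text above describes. The regex is compiled once; an invalid pattern, which the prompt in table_5 invites you to type freely, is reported instead of aborting the search.

```python
import re

# Constructed rows modelled on the records sectoolkit shows. The primary key is
# the spawn timestamp in date(1) form (C locale here), which is all a 'p' search
# ever looks at.
ROWS = [
    {"Primary key": "Thu Jan  1 22:22:24 2004", "Plugin name": "Cron check",
     "Error description": "Warning: cron spool permissions too open"},
    {"Primary key": "Tue Aug  3 10:40:01 2004", "Plugin name": "Cron check",
     "Error description": "No problem found"},
    {"Primary key": "Tue Aug  3 11:26:43 2004", "Plugin name": "Inetd check",
     "Error description": "Warning: there are active services"},
]


def query(rows, pattern, mode):
    """mode 'p': match the regex against the primary key only;
    mode 'o': match it against every field of the row.
    A row is returned whole if any selected field matches."""
    if mode not in ("p", "o"):
        raise ValueError("mode must be 'p' (primary key) or 'o' (other fields)")
    try:
        rx = re.compile(pattern)
    except re.error as exc:
        raise ValueError(f"invalid regex {pattern!r}: {exc}") from exc
    hits = []
    for row in rows:
        fields = [row["Primary key"]] if mode == "p" else list(row.values())
        if any(rx.search(value) for value in fields):
            hits.append(row)
    return hits


def primary_keys(rows, pattern, mode):
    """Convenience: just the primary keys of the matching rows."""
    return [row["Primary key"] for row in query(rows, pattern, mode)]


if __name__ == "__main__":
    print(primary_keys(ROWS, r"^Tue Aug  3", "p"))   # both tests spawned that day
    print(primary_keys(ROWS, r"Inetd", "p"))         # plugin name is not a key: []
    print(primary_keys(ROWS, r"Inetd", "o"))         # found when all fields count
```

Note the double space before the day number in the pattern: that is how date(1) pads single-digit days, so a regex written as "Aug 3" would not match a primary key at all.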

Speech support
If you want speech support, launch sectoolkit with the '-S' option; this option requires the festival package, available at http://www.cstr.ed.ac.uk/projects/festival/download.html.

This document is not yet complete, please come back soon ....

Feedback: Send us your comments and suggestions:  sracatus | tmp
