Security and Hardening Guide
Applies to SUSE Linux Enterprise Server 15 SP3

11 Automatic security checks with seccheck

The seccheck SUSE Security Checker is a set of shell scripts that automatically check the local security of a system on a regular schedule and email reports to the root user, or to any user configured by the administrator.

If seccheck is not installed on your system, install it with sudo zypper in seccheck. These scripts are controlled by systemd timers, which are not enabled by default; the administrator must enable them.

11.1 Seccheck timers

There are four seccheck timers:

  • /usr/lib/systemd/system/seccheck-daily.timer

  • /usr/lib/systemd/system/seccheck-monthly.timer

  • /usr/lib/systemd/system/seccheck-weekly.timer

  • /usr/lib/systemd/system/seccheck-autologout.timer

seccheck-daily.timer, seccheck-monthly.timer, and seccheck-weekly.timer run multiple checks as described in Section 11.3, “Daily, weekly, and monthly checks”. seccheck-autologout.timer logs out inactive users; see Section 11.4, “Automatic logout”.

You can change the recipient of the seccheck mails from root to any user in /etc/sysconfig/seccheck. The following example changes it to an admin user named firewall:


11.2 Enabling seccheck timers

Manage your timers with systemctl, just like any other systemd timer. The following example enables and starts seccheck-daily.timer:

tux > sudo systemctl enable --now seccheck-daily.timer

List all active timers:

tux > sudo systemctl list-timers

List all enabled timers, active and inactive:

tux > sudo systemctl list-timers --all

11.3 Daily, weekly, and monthly checks

seccheck performs the following daily checks:

/etc/passwd check

length/number/contents of fields, accounts with the same UID, accounts with a UID/GID of 0 or 1 other than root and bin

/etc/shadow check

length/number/contents of fields, accounts with no password

/etc/group check

length/number/contents of fields

user root checks

secure umask and PATH


checks if important system users are put there


checks for mail aliases that execute programs

.rhosts check

checks if users' .rhosts files contain + signs

home directory

checks if home directories are writable or owned by someone else

dot-files check

checks many dot-files in the home directories for correct ownership and permissions

mailbox check

checks if user mailboxes are owned by the correct users, and are readable

NFS export check

exports should not be exported globally

NFS import check

NFS mounts should have the nosuid option set

promisc check

checks if network cards are in promiscuous mode

list modules

lists loaded modules

list sockets

lists open ports
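To show what the /etc/passwd and /etc/shadow checks above look for, the following added example (not seccheck's own code) runs miniature versions of four of them against constructed sample files. The function names, the sample accounts and the temporary directory are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: miniature versions of four daily checks, run against
# constructed sample files instead of the live /etc/passwd and /etc/shadow.

# Lines whose number of colon-separated fields differs from $2.
bad_fields() {
    awk -F: -v want="$2" 'NF != want { print NR ": " $0 }' "$1"
}

# Accounts that share a UID (passwd field 3) with another account.
dup_uids() {
    awk -F: '{ n[$3]++; names[$3] = names[$3] " " $1 }
        END { for (u in n) if (n[u] > 1) print "uid " u ":" names[u] }' "$1" |
        sort
}

# Accounts with a UID or GID of 0 or 1, other than root and bin.
low_ids() {
    awk -F: '$1 != "root" && $1 != "bin" &&
        ($3 == 0 || $3 == 1 || $4 == 0 || $4 == 1) { print $1 }' "$1"
}

# shadow entries whose password field (field 2) is empty.
no_password() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

SAMPLE_DIR=$(mktemp -d)                 # constructed sample data below
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/usr/sbin/nologin
tux:x:1000:100:Tux:/home/tux:/bin/bash
wilber:x:1000:100:Wilber:/home/wilber:/bin/bash
spare:x:0:100:spare admin:/home/spare:/bin/bash
broken:x:1001:100:/home/broken:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:!:19000::::::
tux:$6$constructed$hash:19000:0:99999:7:::
wilber::19000:0:99999:7:::
EOF

echo "malformed passwd lines:"; bad_fields  "$SAMPLE_DIR/passwd" 7
echo "shared UIDs:";            dup_uids    "$SAMPLE_DIR/passwd"
echo "UID/GID 0 or 1:";         low_ids     "$SAMPLE_DIR/passwd"
echo "empty password field:";   no_password "$SAMPLE_DIR/shadow"
```
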

The following table lists the weekly checks:

password check

runs john to crack the password file; user will receive an e-mail notice to change their password

RPM md5 check

checks for changed files via RPM's MD5 checksum feature

suid/sgid check

lists all suid and sgid files

exec group write

lists all executables that are group/world-writable

writable check

lists all files that are world-writable (including executables)

device check

lists all devices

Important: Auditing passwords with john

To enable password auditing, it is necessary to first install the package john, the John the Ripper fast password cracker. The package is available on the openSUSE Build Service at https://build.opensuse.org/package/show/security/john.

The monthly check prints a complete report, and the daily and weekly checks print diffs.
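The difference between a complete report and a diff, shown for the suid/sgid check as an added example (not seccheck's own code): the first run stores a full list, and a later run reports only entries that appeared or disappeared. The function names, file names and temporary directories are hypothetical.

```shell
#!/bin/sh
# Added example: list suid/sgid files under a directory and report only
# what changed since the previous run. All paths are constructed.

# Sorted list of regular files with the setuid or setgid bit set.
suid_snapshot() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Compare two snapshots: "+" marks new entries, "-" marks removed ones.
snapshot_diff() {
    comm -13 "$1" "$2" | sed 's/^/+ /'
    comm -23 "$1" "$2" | sed 's/^/- /'
}

# Constructed sample tree and a state directory for the snapshots.
TREE=$(mktemp -d)
STATE=$(mktemp -d)
trap 'rm -rf "$TREE" "$STATE"' EXIT
touch "$TREE/passwd-helper" "$TREE/old-tool" "$TREE/plain"
chmod 4755 "$TREE/passwd-helper" "$TREE/old-tool"
chmod 0755 "$TREE/plain"

# First run: the complete list is the report.
suid_snapshot "$TREE" > "$STATE/previous"

# Between runs, one suid bit is cleared and a new suid file appears.
chmod 0755 "$TREE/old-tool"
touch "$TREE/new-binary"
chmod 4755 "$TREE/new-binary"

# Later run: only the differences are reported.
suid_snapshot "$TREE" > "$STATE/current"
snapshot_diff "$STATE/previous" "$STATE/current"
```

A new "+" entry is the line to review: it is a setuid or setgid file that did not exist, or did not carry the bit, at the time of the previous snapshot.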

11.4 Automatic logout

The seccheck-autologout.timer timer runs every 10 minutes, checks both remote and local terminal sessions for inactivity, and terminates them if an idle time is exceeded.

Configure your desired timeouts in the /etc/security/autologout.conf file. Parameters include default idle and logout delay times, and the configuration for limiting maximum idle times specific to users, groups, TTY devices, and SSH sessions. /etc/security/autologout.conf includes several configuration examples.
