Applies to SUSE Linux Enterprise Server 15

11 Automatic Security Checks with seccheck

seccheck, the SUSE Security Checker, is a set of shell scripts that automatically check the local security of a system on a regular schedule and e-mail reports to the root user, or to any user configured by the administrator.

If seccheck is not installed on your system, install it with sudo zypper in seccheck. These scripts are controlled by systemd timers, which are not enabled by default and must be enabled by the administrator.

11.1 Seccheck Timers

There are four seccheck timers:

  • /usr/lib/systemd/system/seccheck-daily.timer

  • /usr/lib/systemd/system/seccheck-monthly.timer

  • /usr/lib/systemd/system/seccheck-weekly.timer

  • /usr/lib/systemd/system/seccheck-autologout.timer

seccheck-daily.timer, seccheck-monthly.timer, and seccheck-weekly.timer run multiple checks as described in Section 11.3, “Daily, Weekly, and Monthly Checks”. seccheck-autologout.timer logs out inactive users; see Section 11.4, “Automatic Logout”.

You can change the recipient of the seccheck mails from root to any user in /etc/sysconfig/seccheck. The following example changes it to an admin user named firewall:


11.2 Enabling Seccheck Timers

Manage your timers with systemctl, just like any other systemd timer. The following example enables and starts seccheck-daily.timer:

tux > sudo systemctl enable --now seccheck-daily.timer

List all active timers:

tux > sudo systemctl list-timers

List all enabled timers, active and inactive:

tux > sudo systemctl list-timers --all

11.3 Daily, Weekly, and Monthly Checks

seccheck performs the following daily checks:

/etc/passwd check

length/number/contents of fields, accounts with the same UID, accounts with a UID/GID of 0 or 1 besides root and bin

/etc/shadow check

length/number/contents of fields, accounts with no password

/etc/group check

length/number/contents of fields

user root checks

secure umask and PATH


checks if important system users are put there


checks for mail aliases which execute programs

.rhosts check

checks if users' .rhosts files contain + signs

home directory

checks if home directories are writable or owned by someone else

dot-files check

checks many dot-files in the home directories if they are writable or owned by someone else

mailbox check

checks if user mailboxes are owned by user and are readable

NFS export check

exports should not be exported globally

NFS import check

NFS mounts should have the nosuid option set

promisc check

checks if network cards are in promiscuous mode

list modules

lists loaded modules

list sockets

lists open ports
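
A simplified sketch of three of the daily checks listed above (field count and shared UIDs in /etc/passwd, UID/GID of 0 or 1 besides root and bin, and empty password fields in /etc/shadow), added here as an illustration and not taken from the seccheck scripts. The function names and the sample entries are constructed for this example.

```shell
#!/bin/sh
# Added example, not the seccheck code. Function names are hypothetical.
# Each function reads the named file, or standard input when no file is given.

# /etc/passwd: field count, shared UIDs, UID/GID 0 or 1 besides root and bin.
check_passwd() {
    awk -F: '
        NF == 0 { next }                      # skip empty lines
        NF != 7 { printf "line %d: %d fields instead of 7\n", NR, NF; next }
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ {
            printf "%s: non-numeric UID or GID\n", $1; next
        }
        {
            if ($3 in seen) printf "%s: UID %s also used by %s\n", $1, $3, seen[$3]
            else seen[$3] = $1                # remember first owner of this UID
            if (($3 + 0 <= 1 || $4 + 0 <= 1) && $1 != "root" && $1 != "bin")
                printf "%s: UID/GID of 0 or 1 (uid=%s gid=%s)\n", $1, $3, $4
        }
    ' "$@"
}

# /etc/shadow: field count and accounts whose password field is empty.
check_shadow() {
    awk -F: '
        NF == 0 { next }
        NF != 9 { printf "line %d: %d fields instead of 9\n", NR, NF; next }
        $2 == "" { printf "%s: no password set\n", $1 }
    ' "$@"
}

# Constructed sample entries (not from a real system).
sample_passwd() { cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/usr/sbin/nologin
tux:x:1000:100:Tux:/home/tux:/bin/bash
wilber:x:1000:100:Wilber:/home/wilber:/bin/bash
toor:x:0:0::/root:/bin/bash
broken:x:1001:100:/home/broken
EOF
}
sample_shadow() { cat <<'EOF'
root:$6$constructed$hash:19000:0:99999:7:::
tux:!:19000:0:99999:7:::
wilber::19000:0:99999:7:::
short:x:19000
EOF
}

sample_passwd | check_passwd
sample_shadow | check_shadow
```

To check a live system, run check_passwd /etc/passwd and, as root, check_shadow /etc/shadow.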

The following table lists the weekly checks:

password check

runs john to crack the password file; the user will receive an e-mail notice to change their password

RPM md5 check

checks for changed files via RPM's MD5 checksum feature

suid/sgid check

lists all suid and sgid files

exec group write

lists all executables which are group/world-writable

writable check

lists all files which are world-writable (including executables)

device check

lists all devices

Important: Auditing Passwords with john

To enable password auditing, it is necessary to first install the package john, the John the Ripper fast password cracker. The package is available on the openSUSE Build Service at https://build.opensuse.org/package/show/security/john.

The monthly check prints a complete report, and the daily and weekly checks print diffs.

11.4 Automatic Logout

The seccheck-autologout.timer timer runs every 10 minutes, checks both remote and local terminal sessions for inactivity, and terminates them if an idle time is exceeded.

Configure your desired timeouts in the /etc/security/autologout.conf file. Parameters include default idle and logout delay times, and the configuration for limiting maximum idle times specific to users, groups, TTY devices and SSH sessions. /etc/security/autologout.conf includes several configuration examples.
