lsat(1) [debian man page]
LSAT(1) User Contributed LSAT Documentation LSAT(1) NAME
lsat - a security auditing tool SYNOPSIS
lsat [OPTION] DESCRIPTION
Linux Security Auditing Tool (LSAT) is a post install security auditing tool. It is modular in design, so new features can be added quickly. It checks inetd entries and scans for unneeded RPM packages. It is being expanded to work with Linux distributions other than Red Hat, and checks for kernel versions. Output is in lsat.out. On subsequent runs, previous output is in lsat.old. OPTIONS
-d diff current and old md5 runs, output in lsatmd5.diff -m <distribution> Force a specific distribution test Names are: redhat, debian, mandrake, solaris, gentoo -h Show LSAT help -a Show LSAT advanced help -o <filename> Output filename, default is last.out -r Check rpm integrity. RedHat or Mandrake only. -s Be silent. No output at all. -x <filename> Filename is a text file consisting of modules to exclude from being run. This should be a comma, tab or newline delimited file, with just the name(s) below one wishes to exclude. Module names (with a small description) are: bpass check for bootloader passwd cfg check runlevel daemons (redhat) dotfiles check for dotfiles files check for sticky bits, etc forward check for network forwarding ftpusers check ftpusers file for bad entries inetd check for unneeded services inittab check runlevel, etc. ipv4 check for other things in ipv4 issue check issue banner kbd check kbd/login perms limits check limits file logging check for enough logging md5 perform md5 of all files on sys modules check for loadable kern mod. net check network open check open files passwd check passwd file for bad entries perms check permissions on files pkgs check for unwanted packages promisc are we in promisc mode? rc check for unwanted rc files rpm perform rpm integrity check securetty check secure tty set check for SUID files ssh check ssh config startx check for tcp listening in X umask check default umask write check world read/write files www output in html -v Be verbose about it. -w Output file is in html format. MODULES
Current modules are checkbpass, checkdotfiles, checkfiles, checkftpusers, checkhostsfiles, checkinetd, checkipv4, checkissue, checkkbd, checklimits, checkmodule, checkmd5, checknet, checknetforward, checknetp, checkopenfiles, checkpasswd, checkperms, checkpkgs, checkrc, checkrpm, checksecuretty, checkset, checkssh, checkumask, checkwrite and checkwww. A breif description is included in each module. Writing a module is fairly easy and straightforward. See README.modules for more information. LICENSE
This software is licensed under the GNU/GPL, please see http://www.gnu.org for more details. BUGS
Doesn't correct the problems that it discovers (yet). Running on Solaris is not fully functional. AUTHOR
Robert Minvielle <number9 at www dot dimlight dot org> If that fails, <triode at users dot sourceforge dot net> perl v5.10.0 2008-05-04 LSAT(1)
Check Out this Related Man Page
RPMLINT(1) User Commands RPMLINT(1) NAME
rpmlint - check common problems in rpm packages SYNOPSIS
rpmlint [OPTION]... [FILE|PACKAGE]... DESCRIPTION
rpmlint is a tool for checking common errors in rpm packages. It can be used to test individual packages and spec files before uploading or to check an entire distribution. By default all applicable checks are processed but specific checks can be performed by using command line parameters. FILE can be a rpm package file, a spec file, or a directory. In case of a directory, it is recursively searched for rpm and spec files to check. The special value - results in standard input being read and treated as (single) spec file content. PACKAGE is the name of an installed package or a glob(7) pattern to match installed packages, unless a file by that name exists. -i, --info Display explanations for reported messages. -I, --explain=messageid Display explanations for the specified message identifiers and exit. This option may be given multiple times. -c, --check=check Run only the specified check. This option may be given multiple times to specify multiple checks to run. check is the name of the Python module (as it would be given to Python's import statement) containing the check. -a, --all Check all installed packages. -C, --checkdir=dir Insert dir to the front of the list of paths to load checks from, unless it is already in the list. The default list of check dirs typically contains only /usr/share/rpmlint. Directories in the check dirs list are also inserted to the front of the list of paths to load Python modules from when the check process begins. -h, --help Display summary of command line options and exit. -v, --verbose Operate in verbose mode. -E, --extractdir=dir Base directory for extracted temporary files, default is what Python's tempfile.gettempdir() returns. -V, --version Display version information and exit. -n, --noexception Ignore output filters. --rawout=file Write unfiltered output to file. -f, --file=conffile Load user configuration from the specified file, default is $XDG_CONFIG_HOME/rpmlint (~/.config/rpmlint if $XDG_CONFIG_HOME is empty or not set). -o, --option=value Override a configuration option. value is a whitespace separated string, first word of which is the option name to set, and the Python eval() return value for the rest is set as the value for the option. Passing only an option name is treated as if None was passed as its value. See the file "config" shipped with rpmlint for the list of configuration options and their types. For exam- ple: -o "NetworkEnabled True" -o "Distribution 'My favorite distro'" -o "MaxLineLength 80" -o "ValidShells ('/bin/sh', '/bin/bash')" CAVEATS
All checks do not apply to all argument types. For best check coverage, run rpmlint on all source and binary packages your build produces. The set of checks rpmlint runs on source packages is a superset of the one for plain specfiles, the set of checks run for installed binary packages is a superset of the one for uninstalled binary package files, and the source and binary package check sets are quite different. FILES
/usr/share/rpmlint/config, /usr/share/rpmlint/config.* Built-in configuration. When invoked as someprefix-rpmlint, /usr/share/rpmlint/config.someprefix is used if it exists, otherwise /usr/share/rpmlint/config. /etc/rpmlint/*config System wide configuration. $XDG_CONFIG_HOME/rpmlint or ~/.config/rpmlint User configuration. EXIT CODES
0 No errors. 1 Unspecified error. 2 Interrupted. 64 One or more error message printed. 66 Badness threshold exceeded. AUTHOR
Originally written by Frederic Lepied, see the file AUTHORS for (probably incomplete) list of additional contributors. COPYRIGHT
This program is licensed under the GNU General Public License, see the file COPYING included in the distribution archive. rpmlint April 2011 RPMLINT(1)