Description of problem:

When default level is set in /etc/sectool/sectool.conf using the
"LEVEL=" option it has no effect.

Version-Release number of selected component (if applicable):

sectool-0.9.4-2.fc11.i586

Steps to Reproduce:

# grep -A7 ACTION /etc/sectool/sectool.conf
[ACTION]
# which security level we run
# 1 - Naive - pretty basic and short set of tests,
# 2 - Desktop - set of tests prepared to run on box not connected to internet,
# 3 - Network - standard client machine connected to internet,
# 4 - Server - network server,
# 5 - Paranoid - bunch of tests for paranoid admins.
LEVEL=1

Actual results:

# sectool --auto | grep PASS
integrity: PASS
bootloader: PASS
disc_usage: PASS
group: PASS
passwd: PASS
shadow: PASS
home_dirs: PASS
home_files: PASS
filesystem: PASS
path: PASS
firewall: PASS
netserv: PASS
openssh: PASS
openvpn: PASS
removedlibs: PASS
xinetd: PASS
suid: PASS
logfiles: PASS
pam: PASS
permissions: PASS
exec-shield: PASS
selinux: PASS
mountopt: PASS
aliases: PASS
cron: PASS
vsftpd: PASS
nfs: PASS
tcp_wrappers: PASS
routing: PASS

Expected results:

The list of tests run should be the same as it is with using
manual "--level 1" option:

# sectool --level 1 | tee /tmp/manual
# grep PASS /tmp/manual
integrity: PASS
disc_usage: PASS
group: PASS
passwd: PASS
shadow: PASS
home_dirs: PASS
exec-shield: PASS
aliases: PASS
cron: PASS
nfs: PASS

(In reply to comment #0)
> Description of problem:
>
> When default level is set in /etc/sectool/sectool.conf using the
> "LEVEL=" option it has no effect.

When you start sectool with the parameter --auto, it will start *all tests* in the level defined in the "LEVEL" option.

> Expected results:
>
> The list of tests run should be the same as it is with using
> manual "--level 1" option:
>
> # sectool --level 1 | tee /tmp/manual
> # grep PASS /tmp/manual
> integrity: PASS
> disc_usage: PASS
> group: PASS
> passwd: PASS
> shadow: PASS
> home_dirs: PASS
> exec-shield: PASS
> aliases: PASS
> cron: PASS
> nfs: PASS

When you start sectool --level, it will start the tests defined in the specified level (see sectool --list). So all test results from both runs should be the same, but some tests that are not defined in the level from "--level run" will not be executed (or have some missing requirements).