checksecurity - basic system security checks

Distribution: Ubuntu 16.04 LTS (Xenial Xerus)
Repository: Ubuntu Main amd64
Package name: checksecurity
Package version: 2.0.16+nmu1ubuntu1
Package release:
Package architecture: all
Package type: deb
Installed size: 83 B
Download size: 21.71 KB
Official Mirror:
Checksecurity can periodically do some very basic system security checks: * check-setuid - scans for insecurely mounted remote file systems, and tracks changes in setuid programs; * check-sockets - tracks changes in open ports to detect rogue programs; * check-passwd - scans for empty or duplicate system accounts; * check-disfree - scans for mounted filesystems nearing capacity; * check-iptables-logs - scans logs generated by iptables and look for intrusion attempts. Be aware that these minimal set of checks are no substitute for a full security auditing and integrity checking system. In addition to these checks you are encourage to install additional packages (listed in "Recommends") to provide more information concerning the security or vulnerability of your system. Installing the suggested package lockfile-progs can help to prevent the cron jobs running multiple times if something gets jammed.



  • lockfile-progs << 0.1.7


  • cron


    Source package: checksecurity

    Install Howto

    1. Update the package index:
      # sudo apt-get update
    2. Install checksecurity deb package:
      # sudo apt-get install checksecurity


    • /etc/checksecurity.conf
    • /etc/checksecurity/check-diskfree.conf
    • /etc/checksecurity/check-passwd.conf
    • /etc/checksecurity/check-setuid.conf
    • /etc/checksecurity/check-socket.conf
    • /etc/cron.daily/checksecurity
    • /etc/cron.weekly/checksecurity
    • /etc/logrotate.d/checksecurity
    • /usr/sbin/checksecurity
    • /usr/share/checksecurity/check-diskfree
    • /usr/share/checksecurity/check-iptables-logs
    • /usr/share/checksecurity/check-passwd
    • /usr/share/checksecurity/check-setuid
    • /usr/share/checksecurity/check-sockets
    • /usr/share/doc/checksecurity/README.Debian
    • /usr/share/doc/checksecurity/changelog.gz
    • /usr/share/doc/checksecurity/copyright
    • /usr/share/lintian/overrides/checksecurity
    • /usr/share/man/man8/check-diskfree.8.gz
    • /usr/share/man/man8/check-passwd.8.gz
    • /usr/share/man/man8/check-setuid.8.gz
    • /usr/share/man/man8/checksecurity.8.gz


    2016-03-09 - Nishanth Aravamudan <> checksecurity (2.0.16+nmu1ubuntu1) xenial; urgency=medium * Merge from Debian unstable (LP: #1555357). Remaining changes: - Downgrade all Recommends to Suggests. * Do not downgrade logcheck to Suggests, it is in main. * Remove fcron from Depends, it is not in the archive.

    2015-12-29 - Andreas Metzler <> checksecurity (2.0.16+nmu1) unstable; urgency=medium * Non-maintainer upload. * Use "find -perm /x" instead of "find -perm +x". Closes: #731944

    2015-02-21 - Javier Fernández-Sanguino Peña <> checksecurity (2.0.16) unstable; urgency=medium * plugins/check-setuid: Prevent error from find by putting -ignore_readdir_race as first option (Closes: 714152) * plugins/check-iptables-logs, man/check-iptables-logs.8: Add new plugin to check for iptables logs and provide information of attacked ports, blacklisted hosts (using fail2ban), etc. * etc/global-checksecurity.conf: Add information for the new plugin, this is disabled by default (as systems might not have iptables configured and, even if enabled, there might not be a log target) * man/{check-diskfree.8,check-passwd.8,check-setuid.8}: Clarify that these plugins are written to be run by checksecurity. Some of the plugins might not work if missing some environment variables (which are defined by checksecurity) * man/checksecurity.8: Add a reference to the new plugin check-iptables-logs * debian/control: Improve the package description with the recommendations made by Justin B Rye (Closes: #688070) * debian/control: Add debsecan to the Recommends, this provides notification of vulnerabilities in the system and security updates (Closes: #253097) * etc/check-setuid.conf: Exclude more filesystems for the setuid checks as are system based filesystems * debian/po/tr.po: Add Turkish translation provided by Mert Dirik (Closes: #759874)

    2014-06-04 - Michael Vogt <> checksecurity (2.0.15ubuntu1) utopic; urgency=low * Merge from Debian unstable. Remaining changes: - Downgrade all Recommends to Suggests. - Downgrade fcron from Depends to Suggest, it is in universe and we are already depending on anacron

    2013-09-28 - Javier Fernández-Sanguino Peña <> checksecurity (2.0.15) unstable; urgency=medium * Fix bug in the CS_NFSAFS definition in etc/check-setuid.conf that prevents the script from matching any filesystem. This bug was, actually, making the script not do anything in the default configuration. (Closes: 724687) Thanks go to Alessandro Vesely for spotting this bug and providing a fix. * debian/control: Adjust the maintainer's name

    2010-10-29 - Angel Abad <> checksecurity (2.0.14ubuntu1) natty; urgency=low * Merge from debian unstable (LP: #668500). Remaining changes: - Downgrade all Recommends to Suggests. - Downgrade fcron from Depends to Suggest, it is in universe and we are already depending on anacron

    2010-10-27 - Javier Fernandez-Sanguino Pen~a <> checksecurity (2.0.14) unstable; urgency=low * plugins/check-setuid: - Integrate changes to from Ubuntu to make use of ionice when calling find. (Closes: #578640) - Use the -ignore_readdir_race option when calling find to avoid error messages when encountering stale files (Closes: #583809) * etc/global-checksecurity.conf: Adjust comments associated to CHECKSECURITY_EMAIL to point to bsd-mailx instead of mailx and remove reference to cron. (Closes: #541636) * debian/control: Depend on util-linux (>= 2.15~rc1-1) which provides ionice. * debian/compat: Change from 4 to 5 * debian/rules: Adjust calls to dh_clean