TracNav menu

How to write a profile for SEChecker

1. Use of Profiles
2. Format of the Profile

2.0 <sechecker>
2.1 <profile>
2.2 <module>
2.3 <output>
2.4 <option>

3. Example profile

1. Use of Profiles

SEChecker has a wide variety of modules which perform various tests on the policy and/or system. To make the management and running of these modules easier, several profiles are defined.

A profile is used to run a set of modules with options set in a way that the resulting report reflects a specific security goal.

To write your own profile, create a new XML file named profile_name.prof. The format of the file is detailed below.

2. Format of the Profile

A profile is an XML file loaded by SEChecker to run a specific set of tests. The profile recognizes the following tags

2.0 <sechecker>

The sechecker tag should be the first open tag in the file and the final tag to be closed. The tag has a single attribute version, which should be set to the current version of SEChecker you are using. To find your version number, run: sechecker --version. 

<sechecker version="1.0">

Be sure to remember to close this tag at the end of the file.

2.1 <profile>

The profile tag tells the parser that SEChecker should interpret this file as a profile. This tag has no attributes. 

<profile>

Close this tag just before the sechecker tag is closed at the end of the file

2.2 <module>

The module tag tells SEChecker that a particular module should be run for this profile. The only attribute is name. 

<module name="mod_name">

This tag is closed after all other tags related to that module

2.3 <output>

The output tag tells SEChecker to use this output format for the module in which it appears. This tag is optional and has one attribute, value. 

<output value="short"/>

This tag should close itself. The valid values are:

none
do not print anything in the report; only run this module as dependency of another module.
quiet
print only the stats and header in the report
short
print the header, stats, and a list of items found by the module without any accompanying proof
long
print the header, stats, and a list of items found by the module with proof of the result following each item
verbose
print all possible output including the header, stats, a list of items and a list of items with proof

NOTE: any of the above values other than none are overridden by the command line output flags. Setting an output value in a profile overrides the default setting in the configuration file for this profile only.

2.4 <option>

The option tag allows a profile to specify additional options for a module. The option tag has two mandatory attributes, name and value. The values of these attributes is specific to the module for which the option is specified. Options specified in a profile are used in addition to those in the configuration file. 

<option name="option_name" value="some_value"/>

This tag closes itself. As its name implies this tag is optional.

3. Example Profile

The following is a brief example of a profile 

<sechecker version="1.0">
<profile>

   <module name="mod1">
   </module> 

   <module name="mod2">
      <output value="none"/>
      <option name="attribute" value="my_attrib"/>
   </module> 

   <module name="mod3">
      <option name="foo" value="bar"/>
   </module> 

   <module name="mod4">
      <output value="short"/>
   </module> 

   <module name="mod5">
      <output value="quiet"/>
      <option name="type" value="shadow_t"/>
   </module> 

</profile>
</sechecker>

The result of this profile would be:

  • run mod1 with default configuration; print with default settings
  • run mod2 with the additional attribute my_attrib, but don't print its results
  • run mod3 with option foo set to bar (in addition to any other settings); print with default settings
  • run mod4; print in short output
  • run mod5 with additional type shadow_t; print using quiet output

If there are also modules mod6 and mod7, neither would be run unless one of the other modules (mod1-5) had a dependency on them.