diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml
new file mode 100644
index 00000000000..951a8b8cf12
--- /dev/null
+++ b/.github/workflows/profile-checks.yml
@@ -0,0 +1,31 @@
+name: Profile Checks
+
+on:
+  push:
+    branches: [ master ]
+    paths:
+      - 'etc/**'
+      - 'ci/check/profiles/**'
+      - 'src/firecfg/firecfg.config'
+      - 'contrib/sort.py'
+  pull_request:
+    branches: [ master ]
+    paths:
+      - 'etc/**'
+      - 'ci/check/profiles/**'
+      - 'src/firecfg/firecfg.config'
+      - 'contrib/sort.py'
+
+jobs:
+  profile-checks:
+    runs-on: ubuntu-20.04
+    steps:
+    - uses: actions/checkout@v2
+    - name: sort.py
+      run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
+    - name: private-etc-always-required.sh
+      run: ./ci/check/profiles/private-etc-always-required.sh etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
+    - name: sort-disable-programs.sh
+      run: ./ci/check/profiles/sort-disable-programs.sh etc/inc/disable-programs.inc
+    - name: sort-firecfg.config.sh
+      run: ./ci/check/profiles/sort-firecfg.config.sh src/firecfg/firecfg.config
diff --git a/.github/workflows/sort.yml b/.github/workflows/sort.yml
deleted file mode 100644
index cfa40d2d2db..00000000000
--- a/.github/workflows/sort.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-name: sort.py
-
-on:
-  push:
-    branches: [ master ]
-    paths:
-      - 'etc/**'
-      - 'contrib/sort.py'
-  pull_request:
-    branches: [ master ]
-    paths:
-      - 'etc/**'
-      - 'contrib/sort.py'
-
-jobs:
-  profile-sort:
-    runs-on: ubuntu-20.04
-    steps:
-    - uses: actions/checkout@v2
-    - name: check profiles
-      run: ./contrib/sort.py etc/*/{*.inc,*.profile}
diff --git a/ci/check/profiles/private-etc-always-required.sh b/ci/check/profiles/private-etc-always-required.sh
new file mode 100755
index 00000000000..892b15aa450
--- /dev/null
+++ b/ci/check/profiles/private-etc-always-required.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+ALWAYS_REQUIRED=(alternatives ld.so.cache ld.so.preload)
+
+error=0
+while IFS=: read -r profile private_etc; do
+	for required in "${ALWAYS_REQUIRED[@]}"; do
+		if grep -q -v -E "( |,)$required(,|$)" <<<"$private_etc"; then
+			printf '%s misses %s\n' "$profile" "$required" >&2
+			error=1
+		fi
+	done
+done < <(grep "^private-etc " "$@")
+
+exit "$error"
diff --git a/ci/check/profiles/sort-disable-programs.sh b/ci/check/profiles/sort-disable-programs.sh
new file mode 100755
index 00000000000..d81ee75d7d3
--- /dev/null
+++ b/ci/check/profiles/sort-disable-programs.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+tail -n +5 "$1" | LC_ALL=C sort -c -u
diff --git a/ci/check/profiles/sort-firecfg.config.sh b/ci/check/profiles/sort-firecfg.config.sh
new file mode 100755
index 00000000000..17a59535076
--- /dev/null
+++ b/ci/check/profiles/sort-firecfg.config.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+tail -n +4 "$1" | sed 's/^# /#/' | LC_ALL=C sort -c -d
diff --git a/ci/check/profiles/sort.py b/ci/check/profiles/sort.py
new file mode 120000
index 00000000000..e1f3f5f165e
--- /dev/null
+++ b/ci/check/profiles/sort.py
@@ -0,0 +1 @@
+../../../contrib/sort.py
\ No newline at end of file