2

glsa-check is a tool to report a server's exposure to known security vulnerabilities. Has anyone written a tool to do a similar thing for apt based systems?

jldugger

4 Answers

3

http://lzone.de/Automated+Linux+Package+Vulnerability+Scanning

  • Debian: debsecan
  • CentOS, Fedora, Redhat: "yum list-security"
  • OpenSuSE: "zypper list-patches"
  • SLES: "rug lu"
  • Gentoo: glsa-check
  • FreeBSD: Portaudit
  • *nixes: lynis

Parthian Shot
synapse

1

Check the Security HOWTO for Debian which refers to vulnerability scanners like Nessus. While not as Free as it used to be, Nessus is still considered the #1 tool for UNIX vulnerability scanning.

If you have the security repository for Debian or Ubuntu installed, you can apt-get upgrade to that without fear of installing new packages, and safe in the knowledge that (as much as the Debian/Ubuntu maintainers are on the case) you will get patched packages at the version that you chose to install.

Some people choose to automatically 'apt-get update; apt-get upgrade -y' if they are only using security; your mileage may vary.

crb

1

Nessus can do an external scan and will pick up on any problems it knows about with anything it finds listening on a port. However, unless you use the Unix compliance module (needs a professional Nessus feed) you can't check what is actually installed on the scanned host. By default it's pretty good with Red Hat and will give you a list of packages that have had Red Hat advisories issued. AFAIK it doesn't do the same for Debian based systems, so it would need someone to write and maintain a plugin or Nessus audit file that cross references DSA or CVE.

goo

0

GLSA is not a network vulnerability scanner, as Geoff rightfully pointed out; it's only a little script comparing the versions of emerged ebuilds against a list of vulnerabilities affecting official Gentoo ebuilds. See here for details: http://gentoo.devel-net.org/glsa/readme

Nessus, on the other hand, only checks a system from the point of view of the network, not locally, and as such cannot find vulnerabilities like local root exploits.

I don't know of an equivalent in Debian, but if you feel OK developing your own script have a look here: Debian Security Bug Tracker, Debian Security main page and the associated feed of vulnerabilities.

Shadok
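Shadok's suggestion of building a glsa-check equivalent from the Debian Security Tracker data, and the debsecan entry in the tool list above, both come down to the same local check: compare each installed package's version with the advisory's fixed version under dpkg's version ordering. This is an added example, not code from the thread, from debsecan or from glsa-check; the installed versions and advisory entries are constructed samples, the DSA-EXAMPLE ids are placeholders, and only the epoch:upstream-revision ordering rules are taken from dpkg.

```python
# Constructed sample input: installed versions (on a real host they come from
# `dpkg-query -W -f='${Package} ${Version}\n'`) and advisory fixed versions in the
# style of Debian security tracker data; the DSA-EXAMPLE ids are placeholders.
INSTALLED = {"openssl": "1.0.1e-2+deb7u1", "bash": "4.2+dfsg-0.1", "vim": "2:7.3.547-7"}
ADVISORIES = [("DSA-EXAMPLE-1", "openssl", "1.0.1e-2+deb7u7"),   # installed is older
              ("DSA-EXAMPLE-2", "bash", "4.2+dfsg-0.1+deb7u3"),  # installed is older
              ("DSA-EXAMPLE-3", "vim", "2:7.3.547-7"),           # already at fixed version
              ("DSA-EXAMPLE-4", "nginx", "1.2.1-2.2+wheezy3")]   # not installed at all

def _order(c):
    # dpkg's weight for one character: '~' sorts before even end of string,
    # letters before other symbols; digits and end of string weigh 0.
    if c == "" or c.isdigit():
        return 0
    return -1 if c == "~" else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_frag(a, b):
    # dpkg's verrevcmp: alternate lexical non-digit runs and numeric digit runs.
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")  # leading zeros are insignificant
        while a[:1].isdigit() and b[:1].isdigit():
            first_diff = first_diff or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit():
            return 1  # the longer digit run is the larger number
        if b[:1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(a, b):
    """<0, 0 or >0 in the order `dpkg --compare-versions` uses (epoch:upstream-revision)."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "0")
        return int(epoch), upstream, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _cmp_frag(ua, ub) or _cmp_frag(ra, rb)

def exposed_packages(installed, advisories):
    """Advisories whose package is installed at a version below the fixed one."""
    return [(adv, pkg, installed[pkg], fixed) for adv, pkg, fixed in advisories
            if pkg in installed and compare_versions(installed[pkg], fixed) < 0]
```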