glsa-check is a tool to report a server's exposure to known security vulnerabilities. Has anyone written a tool to do a similar thing for apt based systems?
4 Answers
http://lzone.de/Automated+Linux+Package+Vulnerability+Scanning
- Debian: debsecan
- CentOS, Fedora, Redhat: "yum list-security"
- OpenSuSE: "zypper list-patches"
- SLES: "rug lu"
- Gentoo: glsa-check
- FreeBSD: Portaudit
- *nixes: lynis
Check the Security HOWTO for Debian which refers to vulnerability scanners like Nessus. While not as Free as it used to be, Nessus is still considered the #1 tool for UNIX vulnerability scanning.
If you have the security repository for Debian or Ubuntu installed, you can apt-get upgrade to that without fear of installing new packages, and safe in the knowledge that (as much as the Debian/Ubuntu maintainers are on the case) you will get patched packages at the version that you chose to install.
Some people choose to automatically 'apt-get update; apt-get upgrade -y' if they are only using security; your mileage may vary.
Nessus can do external scans and will pick up on any problems it knows about with anything it finds listening on a port. However, unless you use the Unix compliance module (needs a professional Nessus feed) you can't check what is actually installed on the scanned host. By default it's pretty good with RedHat and will give you a list of packages that have had RedHat advisories issued. AFAIK it doesn't do the same for Debian based systems, so it would need someone to write and maintain a plugin or Nessus audit file that cross-references DSA or CVE.
GLSA is not a network vulnerability scanner, as Geoff rightfully pointed out; it's only a little script comparing the versions of emerged ebuilds against a list of vulnerabilities affecting official Gentoo ebuilds. See here for details: http://gentoo.devel-net.org/glsa/readme
Nessus, on the other hand, only checks a system from the point of view of the network, not locally, and as such cannot find vulnerabilities like local root exploits.
I don't know of an equivalent in Debian but if you feel ok developing your own script have a look here: Debian Security Bug Tracker, Debian Security main page and the associated feed of vulnerabilities.