HomeBlogsLars Windolf's blog

Scan Linux for Vulnerable Packages

Submitted by Lars Windolf on 17. September 2012 - 23:10
in

How do you know wether your Linux server (which has no desktop update notifier or unattended security updates running) does need to be updated? Of course an

apt-get update && apt-get --dry-run upgrade

might give an indication. But what of the package upgrades do stand for security risks and whose are only simple bugfixes you do not care about?

Check using APT

One useful possibility is apticron which will tell you which packages should be upgraded and why. It presents you the package ChangeLog to decided wether you want to upgrade a package or not. Similar but less details is cron-apt which also informs you of new package updates.

Analyze Security Advisories

Now with all those CERT newsletters, security mailing lists and even security news feeds out there: why can't we check the other way around? Why not find out:

  1. Which security advisories do affect my system?
  2. Which ones I have already complied with?
  3. And which vulnerabilities are still there?

My mad idea was to take those security news feeds (as a start I tried with the ones from Ubuntu and CentOS) and parse out the package versions and compare them to the installed packages. The result was a script producing the following output:

screenshot of lpvs-scan.pl

In the output you see lines starting with "CEBA-2012-xxxx" which is CentOS security advisory naming schema (while Ubuntu has USN-xxxx-x). Yellow color means the security advisory doesn't apply because the relevant packages are not installed. Green means the most recent package version is installed and the advisory shouldn't affect the system anymore. Finally red, of course meaning that the machine is vulnerable.

Does it Work Reliably?

The script producing this output can be found here. I'm not yet satisfied with how it works and I'm not sure if it can be maintained at all given the brittle nature of the arbitrarily formatted/rich news feeds provided by the distros. But I like how it gives a clear indication of current advisories and their effect on the system.

Maybe persuading the Linux distributions into using a common feed format with easy to parse metadata might be a good idea...

How do you check your systems? What do you think of a package scanner using XML security advisory feeds?

Comments

Or you can use debsecan.

Submitted by Gromm (not verified) on 18. September 2012 - 22:40.

Or you can use debsecan. Debsecan will send you a daily e-mail about updates that need to be done, the reasons why, and their severity.

HTH, HAND!

RE: Or you can use debsecan

Submitted by Lars Windolf on 19. September 2012 - 22:22.

Cool! This is much better than writing a custom script.

Is any chance perl has

Submitted by khakimov (not verified) on 19. September 2012 - 3:04.

Is any chance perl has better package system than installing from sources? (I'm using search.cpan.org and download/tar -zxf/perl Makefile.pl/make/make install each package). btw, installed everything and got err, maybe will help

perl lpvs-scan.pl
1828 Ubuntu packages are installed.
Downloading advisory feed 'http://www.ubuntu.com/usn/rss.xml' ...
Failed to fetch advisory feed! (HTTP::Response=HASH(0x17064e8)->status_line) at lpvs-scan.pl line 107.

Use RHN + Yum security

Submitted by Anonymous (not verified) on 19. September 2012 - 21:44.

You can try this process for checking updates on Centos/Redhat:
http://serverfault.com/questions/369833/automatically-check-for-security...

Syndicate content