Link Search Menu Expand Document

Package Vulnerabilities Cheat Sheet

This page is about scanning Linux/FreeBSD servers for vulnerabilities locally.

Free Linux Distro Scanners

The following scanners are part of the OS and are run on the machine:

Comparison of Free Distro Scanners

DebiandebsecansuperbEasy to use. Maintained by the Debian testing team. Lists packages, CVE numbers and details.
UbuntudebsecanuselessThey just packaged the Debian scanner without providing a database for it! And since 2008 there is a bug about it being 100% useless.
CentOS Fedora Redhat"yum list-security"goodProvides package name and CVE number. Note: On older systems there is only "yum list updates".
OpenSuSE"zypper list-patches"okProvides packages names with security relevant updates. You need to filter the list yourself or use the "--cve" switch to limit to CVEs only.
SLES"rug lu"okProvides packages names with security relevant updates. Similar to zypper you need to do the filtering yourself.
Gentooglsa-checkbadThere is a dedicated scanner, but no documentation.
FreeBSDPortauditsuperbNo Linux? Still a nice solution... Lists vulnerable ports and vulnerability details.

Commercial Scanners

  • CIS CAT Pro Assessor
  • Ubuntu Advantage
  • JFrog XRay (package repo scan + local scans via JFrog CLI)

Cloud Control Plane Scanning

When you are in the cloud you might want to choose scanning from the control plane. This usually requires building your VM images with a cloud specific agent. For containers the scanning usually happens automatically.

  • AWS: Amazon Inspector
  • Azure: Security Center
  • GCP: Security Command Center

Patch Orchestration

Tools to use once you find a vulnerability on your servers to orchestrate a fix: