Scan linux for vulnerable packages
How do you know wether your Linux server (which has no desktop update notifier or unattended security updates running) does need to be updated? Of course an
In the output you see lines starting with "CEBA-2012-xxxx" which is CentOS security advisory naming schema (while Ubuntu has USN-xxxx-x). Yellow color means the security advisory doesn't apply because the relevant packages are not installed. Green means the most recent package version is installed and the advisory shouldn't affect the system anymore. Finally red, of course meaning that the machine is vulnerable.
apt-get update && apt-get --dry-run upgrademight give an indication. But what of the package upgrades do stand for security risks and whose are only simple bugfixes you do not care about?
Check using APT
One useful possibility is apticron which will tell you which packages should be upgraded and why. It presents you the package ChangeLog to decided wether you want to upgrade a package or not. Similar but less details is cron-apt which also informs you of new package updates.Analyze Security Advisories
Now with all those CERT newsletters, security mailing lists and even security news feeds out there: why can't we check the other way around? Why not find out:- Which security advisories do affect my system?
- Which ones I have already complied with?
- And which vulnerabilities are still there?
In the output you see lines starting with "CEBA-2012-xxxx" which is CentOS security advisory naming schema (while Ubuntu has USN-xxxx-x). Yellow color means the security advisory doesn't apply because the relevant packages are not installed. Green means the most recent package version is installed and the advisory shouldn't affect the system anymore. Finally red, of course meaning that the machine is vulnerable.