Skip to content

Package Vulnerabilities.md

Latest commit

 

History

History
109 lines (83 loc) · 3.88 KB

Package Vulnerabilities.md

File metadata and controls

109 lines (83 loc) · 3.88 KB

This page is about scanning Linux/FreeBSD servers for vulnerabilities locally.

Free Linux Distro Scanners

The following scanners are part of the OS and are run on the machine:

Comparison of Free Distro Scanners

Distribution Scanner Rating Description
Debian debsecan superb Easy to use. Maintained by the Debian testing team. Lists packages, CVE numbers and details.
Ubuntu debsecan useless They just packaged the Debian scanner without providing a database for it! And since 2008 there is a bug about it being 100% useless.
CentOS Fedora Redhat "yum list-security" good Provides package name and CVE number. Note: On older systems there is only "yum list updates".
OpenSuSE "zypper list-patches" ok Provides packages names with security relevant updates. You need to filter the list yourself or use the "--cve" switch to limit to CVEs only.
SLES "rug lu" ok Provides packages names with security relevant updates. Similar to zypper you need to do the filtering yourself.
Gentoo glsa-check bad There is a dedicated scanner, but no documentation.
FreeBSD Portaudit superb No Linux? Still a nice solution... Lists vulnerable ports and vulnerability details.

Commercial Scanners

  • CIS CAT Pro Assessor
  • Ubuntu Advantage
  • JFrog XRay (package repo scan + local scans via JFrog CLI)

Cloud Control Plane Scanning

When you are in the cloud you might want to choose scanning from the control plane. This usually requires building your VM images with a cloud specific agent. For containers the scanning usually happens automatically.

  • AWS: Amazon Inspector
  • Azure: Security Center
  • GCP: Security Command Center

Patch Orchestration

Tools to use once you find a vulnerability on your servers to orchestrate a fix: