debsecan

The debsecan program evaluates the security status of a host running the Debian operating system. It reports missing security updates and known vulnerabilities in the programs which are installed on the host.

Overview

debsecan accesses the dpkg database and obtains a list of installed packages and their versions. This list is then evaluated against a feed of vulnerability information which ultimately comes from a database maintained by Debian's Testing Security Team <http://secure-testing-master.debian.net/>. Various output formats are supported, including incremental reporting via email.

Beginning with version 0.2, debsecan includes a script called debsecan-create-cron, which allows you to create a cron job which periodically sends you mail (once per day) when the security status of the system changes.

Examples

In the following examples, we assume that the host under examination runs Debian sid, hence the --suite sid option is specified in all cases. Since version 0.3, the --suite option is no longer mandatory, but additional information (regarding available updates and installed, but obsolete packages) is available if you specify the correct suite.

The first command gives a brief overview of all known vulnerabilities which potentially affect the system:

$ debsecan --suite sid
CVE-2005-1119 sudo (low urgency)
CVE-2005-4158 sudo (medium urgency)
FAKE-0340105 vpnc (medium urgency)
CVE-2005-2351 mutt (low urgency)
FAKE-0329814 apt (low urgency)
[…]

We can get more detail if we choose a different output format:

$ debsecan --suite sid --format detail
CVE-2005-1119 (low urgency)
  Sudo VISudo 1.6.8 and earlier allows local users to corrupt arbitrary ...
  installed: sudo 1.6.8p9-4
             (built from sudo 1.6.8p9-4)
  fixed package: not yet available

CVE-2005-4158 (medium urgency)
  Sudo before 1.6.8 p12, when the Perl taint flag is off, does not clear ...
  installed: sudo 1.6.8p9-4
             (built from sudo 1.6.8p9-4)
  fixed package: not yet available
[…]

Using --only-fixed, the output can be restricted to missing security updates:

$ debsecan --suite sid --only-fixed
CVE-2005-3191 tetex-bin (fixed, medium urgency)
CVE-2005-3192 tetex-bin (fixed, remotely exploitable, medium urgency)
CVE-2005-3193 tetex-bin (fixed, medium urgency)
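
As an added example (not part of debsecan or of the original page), the following Python code parses summary lines in the format shown above and orders the packages that have a fix available, with remotely exploitable issues first. The function names, the rank given to "high" urgency and the last sample line are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the summary format shown above; the last line
# (CVE-0000-0001 / example-pkg) is made up to show the ordering.
SAMPLE = """\
CVE-2005-1119 sudo (low urgency)
CVE-2005-4158 sudo (medium urgency)
CVE-2005-3191 tetex-bin (fixed, medium urgency)
CVE-2005-3192 tetex-bin (fixed, remotely exploitable, medium urgency)
CVE-2004-1617 lynx (remotely exploitable, low urgency)
CVE-0000-0001 example-pkg (fixed, low urgency)
"""

# "<id> <package> (<flag>, <flag>, ...)"
LINE_RE = re.compile(r"^(\S+) ([^\s()]+) \(([^)]*)\)$")
# Only "low" and "medium" appear on the page; "high" is an assumption.
URGENCY_RANK = {"low": 1, "medium": 2, "high": 3}
SUFFIX = " urgency"

def parse_summary(text):
    """Turn summary lines into dicts; anything that does not match is skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines, "[…]" truncation markers, other formats
        vuln_id, package, flag_text = m.groups()
        flags = [f.strip() for f in flag_text.split(",")]
        urgency = next((f[:-len(SUFFIX)] for f in flags if f.endswith(SUFFIX)), None)
        records.append({"id": vuln_id, "package": package, "urgency": urgency,
                        "fixed": "fixed" in flags,
                        "remote": "remotely exploitable" in flags})
    return records

def upgrade_priority(records):
    """Packages with a fix available: remote issues first, then by urgency."""
    per_pkg = defaultdict(lambda: {"remote": False, "rank": 0, "ids": []})
    for r in records:
        if not r["fixed"]:
            continue  # nothing to install yet for this entry
        info = per_pkg[r["package"]]
        info["remote"] = info["remote"] or r["remote"]
        info["rank"] = max(info["rank"], URGENCY_RANK.get(r["urgency"], 0))
        info["ids"].append(r["id"])
    ordered = sorted(per_pkg.items(),
                     key=lambda kv: (not kv[1]["remote"], -kv[1]["rank"], kv[0]))
    return [(pkg, info["ids"]) for pkg, info in ordered]

if __name__ == "__main__":
    for pkg, ids in upgrade_priority(parse_summary(SAMPLE)):
        print(pkg, ", ".join(ids))
```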

The packages output format is suitable for input to apt-get:

# debsecan --suite sid --only-fixed --format packages
tetex-bin
# apt-get install $(debsecan --suite sid --only-fixed --format packages)
Reading package lists... Done
Building dependency tree... Done
Suggested packages:
  dvipng chktex lacheck rubber sam2p
The following packages will be upgraded:
  tetex-bin
1 upgraded, 0 newly installed, 0 to remove and 401 not upgraded.
Need to get 3845kB of archives.
After unpacking 4096B of additional disk space will be used.
[…]

In addition to these interactive use cases, it is also possible to invoke debsecan periodically to check the system status and alert the system administrators of any changes. The next command only sends mail if a change is detected.

# debsecan --suite sid --format report --mailto root --update-history

After installing tetex-bin, the email report might look like this:

From: root
Subject: Debian security status of deneb.enyo.de
To: root
Date: Thu, 15 Dec 2005 18:17:02 +0100

Security report based on the sid release 

*** Fixed vulnerabilities

CVE-2005-3192
  - tetex-bin

CVE-2005-3193
  - tetex-bin

CVE-2005-3191
  - tetex-bin

*** Vulnerabilities without updates

CVE-2004-1617 Lynx allows remote attackers to cause a denial of service…
  - lynx (remotely exploitable, low urgency)
[…]

Availability

debsecan is an official Debian package. The current development version is distributed as a GIT <http://git.or.cz/> repository. If you want to create a local mirror of the repository, use the following command:

$ git clone https://git.enyo.de/fw/debian/debsecan.git

The debsecan program itself is a freestanding Python script. If you do not want to install darcs, you can download just the script:

Revisions


Florian Weimer