In the world of Linux security, staying vigilant against vulnerabilities and threats is paramount. Fortunately, Linux provides a variety of tools to help users monitor and protect their systems. One such tool is debsecan, a command-line utility that scans Debian-based systems (Debian, Ubuntu and other derivative distributions) for known security vulnerabilities in installed packages. In this guide, we explore how to use the debsecan command effectively, covering its features, options, and usage examples.
Understanding debsecan
Debsecan is a Debian Security Scanner, a tool specifically designed to identify known security vulnerabilities in Debian-based systems. It works by querying the Debian Security Tracker (DST) database, which maintains a comprehensive list of security advisories and vulnerabilities for Debian packages. Debsecan compares the installed packages on a system with the information in the DST database to identify any known vulnerabilities.

Installing debsecan
Before using debsecan, it’s essential to ensure that the tool is installed on your system. Debsecan is available in the official repositories of most Debian-based Linux distributions, including Debian, Ubuntu, and Linux Mint. You can install debsecan using the package manager of your distribution. For example, on Debian-based systems, you can use the following command:
```bash
sudo apt-get install debsecan
```
Debian and Ubuntu releases have code names that correspond to suites. For example, Ubuntu 22.04 is code-named Jammy Jellyfish. debsecan produces more informative output (including obsolete packages) if the correct suite is specified.
Using debsecan
Once installed, debsecan can be run from the command line with various options and arguments to perform security scans on your system. The basic syntax of the debsecan command is as follows:
```bash
debsecan [options]
## for ubuntu ##
debsecan --suite sid
## help ##
debsecan --help
```
Let’s explore some of the most commonly used options and examples of debsecan.
Basic Usage
To perform a basic security scan using debsecan, simply run the command without any options:
```bash
debsecan
```
This command will query the Debian Security Tracker database and display a summary of any security vulnerabilities found in installed packages on your system.
Display Detailed Information
To view detailed information about each vulnerability, including package names, CVE identifiers, and severity levels, use the “-a” option:
```bash
debsecan -a
debsecan --suite sid --only-fixed
debsecan --suite sid --format detail
```
This command will provide a more comprehensive report, allowing you to identify specific vulnerabilities and take appropriate action.
Check Specific Packages
You can also specify specific packages to check for vulnerabilities using the “-p” option followed by the package name(s):
```bash
debsecan -p package1 package2
```
This command will only scan the specified packages for vulnerabilities, which is useful for targeted security assessments. The --suite option takes the release code name (“sid”), not the temporal name (“unstable”). For example, if you are running sid, you can install the packages that contain security fixes with:
```bash
apt-get install \
  $(debsecan --suite sid --format packages --only-fixed)
```
Generate HTML Report
Debsecan can generate an HTML report summarizing the security vulnerabilities found on your system. Use the “-o” option followed by the output file name to generate the report:
```bash
debsecan -o report.html
```
This command will generate an HTML report named report.html containing the scan results.
You can send the report to your email as well:
```bash
debsecan --suite sid --format report \
  --update-history --mailto admin@domain.com
```
You can combine debsecan with tools such as grep, sed and shell pipes. For example, to count the findings flagged as remotely exploitable with high urgency:
```bash
debsecan | grep "remotely exploitable, high urgency" | wc -l
```
Output:
```
967
```
Another example, again without the --suite option, counting the distinct affected packages instead of the individual findings (col2 here stands for a helper that prints the second column):
```bash
debsecan | grep "remotely exploitable, high urgency" | col2 | uniq | wc -l
```
Output:
```
220
```
Another example, counting the findings by CVE year:
```bash
debsecan | grep -o "CVE-20[0-2][0-9]" | sort | uniq -c
```
The output is biased, because the debsecan script only checks the Debian Security Tracker and only supports Debian releases in the --suite option. The patched versions of Ubuntu packages do not show up in Debian’s tracker, so on Ubuntu you get results like this:
```
      3 CVE-2007
      2 CVE-2008
      8 CVE-2009
      3 CVE-2012
     14 CVE-2013
      9 CVE-2014
     42 CVE-2015
    173 CVE-2016
    948 CVE-2017
   3616 CVE-2018
   4158 CVE-2019
   3540 CVE-2020
      1 CVE-2021
```
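The three pipelines above, turned into reusable shell functions that run over a constructed sample of debsecan summary lines. This is an added example, not code from the original post or from debsecan itself; the sample lines are made up and follow the summary layout the page greps for (CVE id, package, parenthesised note), and the col2 step is written out with awk so it needs no alias.

```shell
#!/bin/sh
# Constructed sample of debsecan summary lines (not real scan output).
# Layout: "CVE-ID package (note)"; the note is what the page's grep matches.
SAMPLE='CVE-2019-0001 openssl (remotely exploitable, high urgency)
CVE-2019-0002 openssl (remotely exploitable, high urgency)
CVE-2020-0003 curl (remotely exploitable, low urgency)
CVE-2020-0004 curl (remotely exploitable, high urgency)
CVE-2018-0005 libxml2 (low urgency)
CVE-2020-0006 curl (remotely exploitable, high urgency)'

# Findings flagged remotely exploitable with high urgency (one per line),
# the same count as the page's grep | wc -l.
count_high_remote() {
  grep "remotely exploitable, high urgency" | wc -l | tr -d ' '
}

# Distinct packages among those findings: the page's col2 | uniq step,
# with awk printing the package column and sort -u deduplicating.
count_high_remote_packages() {
  grep "remotely exploitable, high urgency" | awk '{print $2}' \
    | sort -u | wc -l | tr -d ' '
}

# Findings per CVE year, emitted as "count CVE-YYYY" lines.
count_by_year() {
  grep -o "CVE-20[0-2][0-9]" | sort | uniq -c | awk '{print $1, $2}'
}

# Stand-alone run over the sample; replace the printf with a real
# "debsecan --suite <codename>" pipeline to analyse a live system.
printf '%s\n' "$SAMPLE" | count_high_remote
printf '%s\n' "$SAMPLE" | count_high_remote_packages
printf '%s\n' "$SAMPLE" | count_by_year
```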
To rectify this you need to pass the --suite option, but Ubuntu itself has issues with exposing its security notices, which are explained here:
https://askubuntu.com/questions/169467/is-there-an-api-for-accessing-historical-ubuntu-security-notices
You need to perform some manual work for Ubuntu. I have demonstrated the syntax of the commands for you.
Conclusion
In conclusion, debsecan is a powerful tool for identifying security vulnerabilities in Debian-based systems. By regularly running debsecan scans and addressing any identified vulnerabilities promptly, you can enhance the security posture of your Linux environment and protect against potential threats.
I am not an engineer; I have to read the documentation, test and write for you. If you are in the same boat as me, then after facing an output with a lot of CVEs, you need to find a freelancer who can fix the issues.
With its flexible options and straightforward usage, debsecan is an invaluable asset for Linux administrators tasked with maintaining the security of the systems.