DEBSECAN - Documentation
Basic Usage
The primary purpose of `debsecan` is to display vulnerabilities in installed packages. By default, it will list any vulnerable packages with details such as the severity of the vulnerability and links to further information.
debsecan
This will output a list of vulnerable packages currently installed on the system.
Checking Vulnerabilities for a Specific Package
To check for vulnerabilities in a specific package, simply pass the package name as an argument.
debsecan <package-name>
Example:
debsecan openssl
This command will list vulnerabilities related to the `openssl` package if any are found.
Output Format and Severity Levels
The output from `debsecan` includes a list of vulnerabilities with various details, including a severity level. The severity levels can be:
- `low`: Low severity issues, typically requiring minimal attention.
- `medium`: Moderate severity, may need closer review.
- `high`: High severity, should be addressed as soon as possible.
- `critical`: Critical vulnerabilities, requiring immediate action.
Example output:
Package: openssl
Vulnerability ID: CVE-2014-3566
Severity: high
Description: A vulnerability in the SSLv3 protocol could allow attackers to perform man-in-the-middle attacks.
Fix: Update to version 1.0.1i-2+deb7u3
Checking All Packages with Security Updates
To list all installed packages that have available security updates, use the `--security` option.
debsecan --security
This command will display all packages that have known security vulnerabilities and updates available to address them.
Checking for Specific Vulnerabilities by CVE ID
`debsecan` can also be used to search for specific CVE IDs. This is useful when you need to verify whether a certain vulnerability exists on your system.
debsecan --cve <CVE-ID>
Example:
debsecan --cve CVE-2021-3450
This will check for the specific CVE ID `CVE-2021-3450` and return the associated vulnerability details if it affects any installed packages.
Filtering by Package Version
You can also filter the output by package version using the `--version` flag.
debsecan --version <version>
Example:
debsecan --version 1.0.2-1
This will limit the output to vulnerabilities related to the version `1.0.2-1` of installed packages.
Output to File
To save the output of `debsecan` to a file, redirect it with the shell's standard output redirection operator (`>`).
debsecan > vulnerabilities.txt
This will save the list of vulnerable packages into the file `vulnerabilities.txt` for further review or archiving.
Regular Updates
It is important to regularly run `debsecan` to check for vulnerabilities, as new security advisories are released frequently. You can automate the process by setting up a cron job that runs `debsecan` periodically.
Example cron job:
0 2 * * * /usr/bin/debsecan --security > /var/log/debsecan.log
This cron job runs `debsecan` every day at 2 AM, checking for security vulnerabilities and logging the output to `/var/log/debsecan.log`. Because `>` truncates the target file, each run overwrites the previous day's log.
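A triage step for the saved report or cron log, as an added example that is not part of `debsecan` or of the original page. It assumes the file uses the fields shown under "Example output", one field per line; `sample_report`, `triage_report` and the two `CVE-0000-...` records are hypothetical.

```shell
#!/bin/sh
# Added example, not part of debsecan. Assumes the saved report uses the
# "Package: / Vulnerability ID: / Severity:" fields, one per line.

# Constructed sample report; the second and third records are placeholders.
sample_report() {
    cat <<'EOF'
Package: openssl
Vulnerability ID: CVE-2014-3566
Severity: high

Package: example-lib
Vulnerability ID: CVE-0000-0001
Severity: low

Package: example-daemon
Vulnerability ID: CVE-0000-0002
Severity: Critical
EOF
}

# triage_report FILE [MIN_SEVERITY]   (hypothetical helper; default: high)
# Prints "severity<TAB>package<TAB>id" for records at or above MIN_SEVERITY.
# Returns 1 if any record matched, 0 if none, 2 on unreadable file or bad level.
triage_report() {
    report=$1
    min=${2:-high}
    [ -r "$report" ] || { echo "cannot read $report" >&2; return 2; }
    awk -v min="$min" '
        function rank(s) { s = tolower(s); return (s in lvl) ? lvl[s] : 0 }
        function emit() {
            # A record without a Severity line ranks 0 and is never reported.
            if (pkg != "" && rank(sev) >= lvl[min]) {
                printf "%s\t%s\t%s\n", tolower(sev), pkg, id
                hits++
            }
            pkg = id = sev = ""
        }
        BEGIN {
            lvl["low"] = 1; lvl["medium"] = 2; lvl["high"] = 3; lvl["critical"] = 4
            if (!(min in lvl)) { bad = 1; exit }
        }
        { sub(/[ \t\r]+$/, "") }                      # drop trailing blanks / CR
        /^Package:/          { emit(); sub(/^Package:[ \t]*/, ""); pkg = $0; next }
        /^Vulnerability ID:/ { sub(/^Vulnerability ID:[ \t]*/, ""); id = $0; next }
        /^Severity:/         { sub(/^Severity:[ \t]*/, ""); sev = $0; next }
        END { if (bad) exit 2; emit(); exit (hits > 0 ? 1 : 0) }
    ' "$report"
}
```

The non-zero return status on a match lets a wrapper script or monitoring check raise an alert only when something at or above the chosen severity is present.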
Useful Links
For further information on `debsecan`, you can refer to the following links:
- [Debian Security Tracker](https://security-tracker.debian.org/)
- [Debsecan GitHub Repository](https://github.com/mvo5/debsecan)
- [Debian Security Announcements](https://www.debian.org/security/)
- [CVE Details for Debian](https://www.cvedetails.com/vulnerability-list/vendor_id-89/product_id-1607/Debian-Debian.html)
