Topic closed
Does Arch Linux have a package auditing tool?
I know Arch is usually on top of most packages. I recently completed a scan of an Arch system that suggested installing a package audit tool to determine vulnerable packages. I know some OSes, like FreeBSD, have an option to scan for vulnerable packages and ports, but I didn't find anything in the wiki that was comparable.
namcap?
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
Thanks for the quick reply. I'm looking at it right now - had to edit the namcap python file in /usr/bin so it would work (changed "python3" in the last line to "python3.4").
Looks like it works on a per-package basis - can't get it to do an entire scan of all packages.
What exactly are you looking for? Maybe you mean 'pacman -Qkk'?
Looks like it works on a per-package basis - can't get it to do an entire scan of all packages.
Can you use a 'for' loop and pipe the list of installed packages?
Last edited by karol (2014-12-03 17:16:35)
Something similar to FreeBSD's
$ pkg audit
What does it do?
"Audit installed packages for security advisories"
pacman -Qkk just checks installed package mod info not if there's a known vulnerability.
Checking the 'pkg' man page, it checks for "known" vulnerabilities in packages. But known by whom? This just strikes me as very odd - maybe it makes more sense in a non-rolling release system: if a vulnerability is known about in a package, why would it still be there?!
There is an interesting story somewhere in Allan's blog about the recent bash bug. It was "known" for a total of a few minutes before the fix was pushed to the repos. So why look for known issues? Just eliminate them with `pacman -Syu`.
EDIT: I am not nearly so naive to think a rolling release doesn't have all sorts of vulnerabilities. But these would be primarily of the unknown variety.
"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" - Richard Stallman
Does Arch Linux have a package auditing tool?
I know Arch is usually on top of most packages. I recently completed a scan of an Arch system that suggested installing a package audit tool to determine vulnerable packages. I know some OSes, like FreeBSD, have an option to scan for vulnerable packages and ports, but I didn't find anything in the wiki that was comparable.
As far as I know, no such tool currently exists. But the Arch CVE Monitoring Team has expressed ideas for eventually making a tool. For now one can follow the security mailing list for advisories.
aur S & M :: forum rules :: Community Ethos
Resources for Women, POC, LGBT*, and allies
Thanks for the reply and links.
Hi, if you are still interested I started to write arch-audit.
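As an added illustration of what a `pkg audit`-style check boils down to (this is example code added to the thread, not code from any poster and not arch-audit's own code): take the installed package list, take a list of advisories that each name a package and the first fixed version, and report every installed package that is still below its fix or whose advisory has no fix yet. The `pacman -Q` lines and the advisory entries below are constructed samples, and the advisory field names ("package", "fixed", "issue", "severity") are an assumption for the example, not the format of any real feed. The version comparison follows the rules pacman's own `vercmp` uses; on a real system the shipped `vercmp` binary is the authoritative implementation.

```python
"""Minimal 'pkg audit'-style check for Arch: compare installed package versions
against security advisories. Added example, not this thread's code and not
arch-audit; all data is constructed and the advisory field names are an assumption."""
import re

# Constructed sample of `pacman -Q` output ("name version" per line).
PACMAN_Q = """\
bash 4.3.030-1
openssl 1.0.1.j-1
curl 7.39.0-1
"""

# Constructed advisories: "fixed" is the first unaffected version, None = no fix yet.
ADVISORIES = [
    {"package": "bash", "fixed": "4.3.030-1", "issue": "EXAMPLE-0001", "severity": "Critical"},
    {"package": "openssl", "fixed": "1.0.1.k-1", "issue": "EXAMPLE-0002", "severity": "High"},
    {"package": "curl", "fixed": None, "issue": "EXAMPLE-0003", "severity": "Medium"},
    {"package": "nginx", "fixed": "1.6.2-2", "issue": "EXAMPLE-0004", "severity": "Low"},
]


def _rpmvercmp(a, b):
    """Segment-wise compare of pkgver/pkgrel strings following pacman's vercmp rules:
    numeric segments compare as integers, alpha segments lexically, a numeric segment
    beats an alpha one, and a trailing alpha makes a version older (1.0 > 1.0a)."""
    if a == b:
        return 0
    i = j = 0
    while True:
        while i < len(a) and not a[i].isalnum():  # separators only delimit segments
            i += 1
        while j < len(b) and not b[j].isalnum():
            j += 1
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        pattern = r"\d+" if isnum else r"[A-Za-z]+"
        seg_a = re.match(pattern, a[i:]).group()
        m = re.match(pattern, b[j:])
        if m is None:
            return 1 if isnum else -1  # mismatched segment types: numeric wins
        seg_b = m.group()
        i, j = i + len(seg_a), j + len(seg_b)
        if isnum:
            seg_a, seg_b = int(seg_a), int(seg_b)
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    rest_a, rest_b = a[i:], b[j:]
    if not rest_a and not rest_b:
        return 0
    # Leftover text decides, but a leftover alpha segment never wins.
    if (not rest_a and not rest_b[0].isalpha()) or (rest_a and rest_a[0].isalpha()):
        return -1
    return 1


def vercmp(v1, v2):
    """Compare full pacman versions [epoch:]pkgver[-pkgrel]; returns -1, 0 or 1.
    As in pacman, pkgrel is only compared when both versions carry one."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        ver, sep, rel = rest.rpartition("-")
        return epoch, (ver if sep else rest), (rel if sep else None)

    e1, ver1, rel1 = split(v1)
    e2, ver2, rel2 = split(v2)
    ret = _rpmvercmp(e1, e2) or _rpmvercmp(ver1, ver2)
    if ret == 0 and rel1 is not None and rel2 is not None:
        ret = _rpmvercmp(rel1, rel2)
    return ret


def parse_pacman_q(text):
    """Turn `pacman -Q` output into a {name: version} dict."""
    return dict(line.split(maxsplit=1) for line in text.splitlines() if line.strip())


def audit(installed, advisories):
    """Return (package, installed, fixed, issue, severity) for each advisory whose
    package is installed below the fixed version, or has no fixed version yet."""
    findings = []
    for adv in advisories:
        have = installed.get(adv["package"])
        if have is None:
            continue  # advisory for a package this system does not have
        fixed = adv["fixed"]
        if fixed is None or vercmp(have, fixed) < 0:
            findings.append((adv["package"], have, fixed, adv["issue"], adv["severity"]))
    return findings


if __name__ == "__main__":
    for pkg, have, fixed, issue, sev in audit(parse_pacman_q(PACMAN_Q), ADVISORIES):
        status = f"fixed in {fixed}" if fixed else "no fixed version yet"
        print(f"{pkg} {have}: {issue} ({sev}, {status})")
```

To use it for real you would replace PACMAN_Q with the output of `pacman -Q` and the advisory list with whatever source you trust (the security mailing list mentioned above, for instance). The audit only tells you which advisories are still pending on this machine; `pacman -Syu` is still what actually removes them.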
Thanks for the heads up, ilpianista. I'm gonna go ahead and close this old topic now.
Closing.
Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD
Making lemonade from lemons since 2015.