Package Audit Tool

tzoi516 · 2014-12-03 16:21:54

Does Arch Linux have a package auditing tool?

I know Arch is usually on top of most packages. I recently completed a scan of an Arch system that suggested installing a package audit tool to determine vulnerable packages. I know some OS', like FreeBSD, have an option to scan for vulnerable packages and ports, but I didn't find anything in the wiki that was comparable.

graysky · 2014-12-03 16:22:27

namcap?

tzoi516 · 2014-12-03 16:38:53

Thanks for the quick reply. I'm looking at it right now - had to edit the namcap python file in /usr/bin so it would work (changed "python3" in last line to "python3.4")

Looks like it works on a per-package basis - can't get it to do an entire scan of all package.

karol · 2014-12-03 17:15:48

What exactly are you looking for? Maybe you mean 'pacman -Qkk'?

tzoi516 wrote:

Looks like it works on a per-package basis - can't get it to do an entire scan of all package.

Can you use a 'for' loop and pipe the list of installed packages?

Last edited by karol (2014-12-03 17:16:35)

tzoi516 · 2014-12-03 17:20:55

Something similar to FreeBSD's

$ pkg audit

karol · 2014-12-03 17:21:58

What does it do?

tzoi516 · 2014-12-03 17:24:56

"Audit installed packages for security advisories"

pacman -Qkk just checks installed package mod info not if there's a known vulnerability.

Trilby · 2014-12-03 17:26:17

Checking the 'pkg' man page, it checks for "known" vulnerabilities in packages. But known by whom? These just strikes me as very odd - maybe it makes more sense in a non-rolling release system: if a vulnerability is known about in a package, why would it still be there?!

There is an interesting story somewhere in Allan's blog about the recent bash bug. It was "known" for a total of a few minutes before the fix was pushed to the repos. So why look for known issues? Just eliminate them with `pacman -Syu'.

EDIT: I am not nearly so naive to think a rolling release doesn't have all sorts of vulnerabilities. But these would be primarily of the unknown variety.

fsckd · 2014-12-03 21:16:26

tzoi516 wrote:

Does Arch Linux have a package auditing tool?
I know Arch is usually on top of most packages. I recently completed a scan of an Arch system that suggested installing a package audit tool to determine vulnerable packages. I know some OS', like FreeBSD, have an option to scan for vulnerable packages and ports, but I didn't find anything in the wiki that was comparable.

As far as I know, no such tool currently exists. But the Arch CVE Monitoring Team has expressed ideas for eventually making a tool. For now one can follow the security mailing list for advisories.

tzoi516 · 2014-12-03 22:07:48

Thanks for the reply and links.

ilpianista · 2016-09-24 10:31:58

Hi, if you are still interested I started to write arch-audit.

WorMzy · 2016-09-24 11:36:47

Thanks for the heads up, ilpianista. I'm gonna go ahead and close this old topic now.

Closing.

Arch Linux

#1 2014-12-03 16:21:54

Package Audit Tool

#2 2014-12-03 16:22:27

Re: Package Audit Tool

#3 2014-12-03 16:38:53

Re: Package Audit Tool

#4 2014-12-03 17:15:48

Re: Package Audit Tool

#5 2014-12-03 17:20:55

Re: Package Audit Tool

#6 2014-12-03 17:21:58

Re: Package Audit Tool

#7 2014-12-03 17:24:56

Re: Package Audit Tool

#8 2014-12-03 17:26:17

Re: Package Audit Tool

#9 2014-12-03 21:16:26

Re: Package Audit Tool

#10 2014-12-03 22:07:48

Re: Package Audit Tool

#11 2016-09-24 10:31:58

Re: Package Audit Tool

#12 2016-09-24 11:36:47

Re: Package Audit Tool

Board footer