PKGS-7392 - Vulnerable packages

This information is provided as part of the Lynis community project. It is related to Lynis control PKGS-7392 and should be considered as-is and without guarantees. Any advice and commands should be tested before implementing them in production environments.

Control details
Category	Software
Application

Description

Lynis tests for vulnerable packages, packages with known security flaws and which already have an update available.

How to solve

Most software will sooner or later encounter a software error. These so-called bugs can make software unstable, or work differently than the programmer had intended. Some of these bugs turn out to be security related, like errors which don't properly check the input, or the amount of data stored in a temporary buffer. This is a weakness, which makes the software vulnerable for abuse.

Most Linux distributions, like Debian and Ubuntu, mark which package updates are security related. It is then the task for the system administrator to discover these as quickly as possible, and implement them. Depending on company size this can be done as an ad-hoc activity, or using a predefined software patch management process.

Lynis tests for the presence of any vulnerable packages. When it finds any, this control is triggered, with a related warning. It is marked as high impact, as each vulnerable package has a different potential for being exploited by attackers. Still you should determine the impact for your environment, and see when you want to apply the related security update.

Commands

apt-get update
apt-get upgrade

Suggestions

Consider using a tool like unattended-upgrade to keep the time of window for vulnerable packages as low as possible. It can be configured to automatically install security updates, while leaving normal updates for later moment of deployment.

Additional resources

Unattended upgrade for Debian and Ubuntu (How to use the unattended-upgrade utility)
Upgrading external packages automatically (How to use unattended-upgrade to also deploy packages from external repositories)

Need more details?

Consider the upgrade to Lynis Enterprise to receive additional details and guidance. The Enterprise version helps to you with daily health checks of your environment, learn in-depth system hardening, and resources to protect your systems better.

See demo

About

Lynis is a technical security auditing tool for Unix flavors like Linux, macOS, AIX, Solaris, and *BSD. It is open source software and free to use. Typical usage include system hardening, compliance testing, and vulnerability scanning. The project has an active community, including development via GitHub.

Lynis Enterprise

Do you need to collect data from multiple systems or compliance reporting? Lynis Enterprise uses Lynis to collect the data and make your work easier.

Benefits: automate security audits, detailed reporting, compliance testing.

Centralized management
Improvement plan with priorities
Reporting
Dashboards
Predefined policies
Integration (API)
Improvement snippets for tools like Ansible, Chef, Cfengine, Puppet, and SaltStack

Take the Tour