Tabela de Conteúdos

7.3.1 Debsecan

O debsecan efectua uma avaliação de segurança ao sistema e relata vulnerabilidades conhecidas associadas aos pacotes instalado no sistema, notificando o administrador (root) dos resultados.

Instalação

root@server:~# apt-get install debsecan

Configuração

Para relatórios mais rigorosos, deverá ser indicada a versão Debian do nosso sistema no ficheiro /etc/default/debsecan:

/etc/default/debsecan
#[...]

# For better reporting, specify the correct suite here, using the code
# name (that is, "sid" instead of "unstable").
SUITE=jessie

#[...]

O debsecan pode ser configurado para ser executado diariamente através de uma tarefa agendada (cron), sendo os resultados enviados por email ao administrador do sistema (root):

root@server:~# debsecan-create-cron

Utilização

A tarefa agendada durante a configuração irá enviar uma email ao administrador com o resultado da análise de segurança:

Subject: Debian security status of server
To: root@home.lan
Message-Id: <20150426204302.EA0FA70026F@server.home.lan>
Date: Sun, 26 Apr 2015 21:43:02 +0100 (WEST)
From: daemon@home.lan (daemon)

Security report based on the jessie release

*** New security updates

CVE-2015-3331 Buffer overruns in Linux kernel RFC4106...
  <http://security-tracker.debian.org/tracker/CVE-2015-3331>
  - linux-libc-dev, linux-image-3.16.0-4-amd64

CVE-2015-3339 chown() was racy relative to execve()
  <http://security-tracker.debian.org/tracker/CVE-2015-3339>
  - linux-libc-dev, linux-image-3.16.0-4-amd64

*** New vulnerabilities

CVE-2010-5321 v4l: videobuf: hotfix a bug on multiple calls to mmap()
  <http://security-tracker.debian.org/tracker/CVE-2010-5321>
  - linux-libc-dev, linux-image-3.16.0-4-amd64

CVE-2013-1841 Net-Server, when the reverse-lookups option is...
  <http://security-tracker.debian.org/tracker/CVE-2013-1841>
  - libnet-server-perl (remotely exploitable, low urgency)

CVE-2013-2207 pt_chown in GNU C Library (aka glibc or libc6) before...
  <http://security-tracker.debian.org/tracker/CVE-2013-2207>
  - multiarch-support, libc6, libc-bin, libc-dev-bin, libc6-dev,
    locales (low urgency)
# [...]

Opcionalmente, o debsecan também pode ser executado a partir da linha de comandos:

root@server:~# debsecan
CVE-2014-7937 libavcodec56 (remotely exploitable, high urgency)
CVE-2014-7937 libavformat56 (remotely exploitable, high urgency)
CVE-2014-9645 busybox (low urgency)
CVE-2013-2207 multiarch-support (low urgency)
CVE-2014-8121 multiarch-support (remotely exploitable, low urgency)
CVE-2015-1781 multiarch-support
TEMP-0779587-B973D8 multiarch-support
TEMP-0779587-F20A8A multiarch-support
CVE-2010-5321 linux-libc-dev
CVE-2014-8171 linux-libc-dev
CVE-2015-1350 linux-libc-dev
CVE-2015-3331 linux-libc-dev (fixed)
CVE-2015-3339 linux-libc-dev (fixed)
TEMP-0000000-1E2093 linux-libc-dev
TEMP-0000000-776ECE linux-libc-dev
# [...]

Referências