O debsecan efectua uma avaliação de segurança ao sistema e relata vulnerabilidades conhecidas associadas aos pacotes instalado no sistema, notificando o administrador (root) dos resultados.
root@server:~# apt-get install debsecan
Para relatórios mais rigorosos, deverá ser indicada a versão Debian do nosso sistema no ficheiro /etc/default/debsecan:
#[...] # For better reporting, specify the correct suite here, using the code # name (that is, "sid" instead of "unstable"). SUITE=jessie #[...]
O debsecan pode ser configurado para ser executado diariamente através de uma tarefa agendada (cron), sendo os resultados enviados por email ao administrador do sistema (root):
root@server:~# debsecan-create-cron
A tarefa agendada durante a configuração irá enviar uma email ao administrador com o resultado da análise de segurança:
Subject: Debian security status of server To: root@home.lan Message-Id: <20150426204302.EA0FA70026F@server.home.lan> Date: Sun, 26 Apr 2015 21:43:02 +0100 (WEST) From: daemon@home.lan (daemon) Security report based on the jessie release *** New security updates CVE-2015-3331 Buffer overruns in Linux kernel RFC4106... <http://security-tracker.debian.org/tracker/CVE-2015-3331> - linux-libc-dev, linux-image-3.16.0-4-amd64 CVE-2015-3339 chown() was racy relative to execve() <http://security-tracker.debian.org/tracker/CVE-2015-3339> - linux-libc-dev, linux-image-3.16.0-4-amd64 *** New vulnerabilities CVE-2010-5321 v4l: videobuf: hotfix a bug on multiple calls to mmap() <http://security-tracker.debian.org/tracker/CVE-2010-5321> - linux-libc-dev, linux-image-3.16.0-4-amd64 CVE-2013-1841 Net-Server, when the reverse-lookups option is... <http://security-tracker.debian.org/tracker/CVE-2013-1841> - libnet-server-perl (remotely exploitable, low urgency) CVE-2013-2207 pt_chown in GNU C Library (aka glibc or libc6) before... <http://security-tracker.debian.org/tracker/CVE-2013-2207> - multiarch-support, libc6, libc-bin, libc-dev-bin, libc6-dev, locales (low urgency) # [...]
Opcionalmente, o debsecan também pode ser executado a partir da linha de comandos:
root@server:~# debsecan CVE-2014-7937 libavcodec56 (remotely exploitable, high urgency) CVE-2014-7937 libavformat56 (remotely exploitable, high urgency) CVE-2014-9645 busybox (low urgency) CVE-2013-2207 multiarch-support (low urgency) CVE-2014-8121 multiarch-support (remotely exploitable, low urgency) CVE-2015-1781 multiarch-support TEMP-0779587-B973D8 multiarch-support TEMP-0779587-F20A8A multiarch-support CVE-2010-5321 linux-libc-dev CVE-2014-8171 linux-libc-dev CVE-2015-1350 linux-libc-dev CVE-2015-3331 linux-libc-dev (fixed) CVE-2015-3339 linux-libc-dev (fixed) TEMP-0000000-1E2093 linux-libc-dev TEMP-0000000-776ECE linux-libc-dev # [...]