Audit (Open)SuSE with zypper: vulnerable packages

Proper software management is an important part in keeping your system secured. Acting on time is important, especially when network services have discovered security vulnerabilities.

Vulnerable packages

Usually packages with known security vulnerabilities, get priority and updates are soon available. The risk in installing these packages is fairly low, as they don’t introduce new features. Instead, they fix the related security hole, which sometimes is nothing more than 1 single character!

Check your system

Checking for vulnerable packages is a little bit tricky with the current version of Zypper. However with the easy parse-able output of the “list packages”, we can extract all available package updates. From there we filter out only the packages marked as being security related.

system # zypper lp | awk ‘{ if ($7==”security”) { if ($11==”update”) { print $13 } else { print $11 } } }’ | sed ‘s/:$//’ | grep -v “^$” | sort | uniq

Zypper then can be used to apply security updates (by package). Another option is to implement the output in a monitoring solution, especially for machines which require a high security level. The operations team then can quickly detect what systems need an audit for vulnerable packages.

If you want to automate checking, you could create a script and mail the output. Or use our security auditing tool Lynis to detect them. As vulnerable packages impose usually a high risk to the system, they will show up as warnings. Also the hardening index will decrease with each discovered package.