Audit (Open)SuSE with zypper: vulnerable packages

Proper software management is an important part of keeping your system secure. Acting in time is important, especially when security vulnerabilities have been discovered in network services.

Vulnerable packages

Packages with known security vulnerabilities usually get priority, and updates are soon available. The risk in installing these packages is fairly low, as they don't introduce new features. Instead, they fix the related security hole, which is sometimes nothing more than a single character!

Check your system

Checking for vulnerable packages is a little bit tricky with the current version of Zypper. However, with the easily parsed output of zypper lp, we can extract all available package updates. From there we filter out only the packages marked as being security related.

system # zypper lp | awk '{ if ($7=="security") { if ($11=="update") { print $13 } else { print $11 } } }' | sed 's/:$//' | grep -v "^$" | sort | uniq

Zypper can then be used to apply security updates (by package). Another option is to feed the output into a monitoring solution, especially for machines which require a high security level. The operations team can then quickly detect which systems need an audit for vulnerable packages.

If you want to automate checking, you could create a script and mail the output. Or use our security auditing tool Lynis to detect them. As vulnerable packages usually pose a high risk to the system, they will show up as warnings. Also, the hardening index will decrease with each discovered package.
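
The one-liner above depends on whitespace-separated field positions, so it misses patches when a repository name contains a space or when the table has a different set of columns. The script below is an added example, not part of the original article: it finds the columns by header title and wraps the result in a monitoring-style check. The sample table, its column layout and the function names are constructed assumptions.

```sh
#!/bin/sh
# Added example (not from the original article): column-aware parsing of
# `zypper lp` table output, read from stdin.

# Constructed sample table; repository and patch names are made up.
sample_lp_output() {
cat <<'EOF'
Repository      | Name              | Category    | Severity  | Status  | Summary
----------------+-------------------+-------------+-----------+---------+----------------------------
Example Updates | example-2024-0001 | security    | important | needed  | Security update for openssl
Example Updates | example-2024-0002 | recommended | moderate  | needed  | Recommended update for vim
Example Updates | example-2024-0003 | security    | moderate  | needed  | Security update for curl
Example Updates | example-2024-0004 | security    | low       | applied | Security update for bash
EOF
}

# Print "patch-name<TAB>severity" for every needed security patch.
security_patches() {
    awk -F'|' '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        # Header row: map column titles to field numbers.
        !have_header && NF > 1 {
            for (i = 1; i <= NF; i++) col[trim($i)] = i
            have_header = ("Name" in col) && ("Category" in col)
            next
        }
        have_header && NF > 1 {
            if (trim($(col["Category"])) != "security") next
            if (("Status" in col) && trim($(col["Status"])) != "needed") next
            sev = ("Severity" in col) ? trim($(col["Severity"])) : "-"
            print trim($(col["Name"])) "\t" sev
        }
    ' | sort -u
}

# Monitoring wrapper: returns 2 (CRITICAL) if any security patch is pending.
check_security_patches() {
    pending=$(security_patches)
    if [ -z "$pending" ]; then
        echo "OK: no security patches pending"
        return 0
    fi
    echo "CRITICAL: $(printf '%s\n' "$pending" | wc -l | tr -d ' ') security patch(es) pending"
    printf '%s\n' "$pending"
    return 2
}

# Demo on the constructed sample; on a live host: zypper lp | check_security_patches
sample_lp_output | security_patches
```

The return code of check_security_patches follows the common 0 = OK, 2 = CRITICAL plugin convention, so it can be called from a cron job or a monitoring agent.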
