Linux Security

Audit installed packages for security

Practical Linux guide: audit installed packages for security without the usual guesswork.

10 min read Beginner Updated 9 Jun 2026

Step-by-step guide

Work through each section in order. Stop when your issue is resolved — you do not need every step for every situation.

What you will achieve

Find packages with known CVEs on Debian/Ubuntu and Fedora — and distinguish "security update available" from "actually exploitable on this box".

1) Ubuntu/Debian

sudo apt update
sudo apt install debsecan
debsecan --suite $(lsb_release -cs) --format detail
sudo unattended-upgrade --dry-run

2) Check for security upgrades

apt list --upgradable | grep -i security
grep linux-image /var/run/reboot-required.pkgs 2>/dev/null

3) Fedora/RHEL

sudo dnf updateinfo list security
sudo dnf upgrade --security

4) Remove unused packages

sudo apt autoremove --purge
dpkg -l | awk '/^rc/ {print $2}' | xargs -r sudo dpkg --purge

Verify

Re-run debsecan or dnf updateinfo after patching; schedule reboot if kernel CVEs were fixed.

5) Needrestart after kernel patches

sudo apt install needrestart
sudo needrestart -r l

Lists services still running old libraries — reboot or restart each daemon.

6) Third-party repos risk

ls /etc/apt/sources.list.d/
apt-cache policy | grep -v ubuntu.com | head

Random PPA packages rarely get timely security fixes. Prefer distro packages or containers.

7) Lynis system audit

sudo apt install lynis
sudo lynis audit system

Broader than package CVEs — covers sshd config, kernel hardening, file permissions.

Prioritisation

Not every CVE is remotely exploitable on your box. When debsecan lists dozens of low-risk libraries, focus first on network-facing daemons (nginx, sshd, postfix) and the kernel.

8) CVE false positives

debsecan may flag embedded libraries in custom binaries — verify whether your deployment exposes the vulnerable code path before emergency patching.

Prerequisites

apt or dnf current, outbound mirror access, list of business-critical packages. Maintenance window for kernel reboots. Optional: debsecan, needrestart, lynis packages installed.

CVE triage template

For each CVE: affected package version installed? Network exposed? Exploit public? If all yes → patch urgent. If internal lib only → schedule normal cycle.
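The prioritisation rule and the triage template above, turned into a script as an added example that is not part of the original guide. It assumes debsecan --format summary lines of the shape `CVE-id package (flags)`; EXPOSED_PKGS is a constructed stand-in for the package list that `ss -tlnp` plus `dpkg -S` would give on a real host, and the CVE ids in the sample are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original guide: applies the triage template
# to debsecan output. Assumed input shape (debsecan --format summary):
#   CVE-YYYY-NNNN <package> (<flag>, <flag>, ...)
# A CVE is URGENT when its package owns a listening socket AND debsecan flags
# it "remotely exploitable"; everything else goes to the normal patch cycle.

# Packages that own a listening socket. On a real host derive it, e.g.:
#   for p in $(sudo ss -tlnpH | grep -o 'pid=[0-9]*' | cut -d= -f2 | sort -u); do
#     sudo dpkg -S "$(sudo readlink /proc/$p/exe)"; done | cut -d: -f1 | sort -u
# A constructed list stands in here so the script runs offline.
EXPOSED_PKGS="openssh-server nginx postfix"

# triage_line '<summary line>' -> prints "URGENT|SCHEDULE <cve> <package>"
triage_line() {
  line=$1
  cve=${line%% *}                 # first field: CVE id
  rest=${line#* }
  pkg=${rest%% *}                 # second field: binary package name
  flags=${rest#* }                # remainder: "(flag, flag, ...)"
  verdict=SCHEDULE
  case " $EXPOSED_PKGS " in
    *" $pkg "*)
      case $flags in
        *"remotely exploitable"*) verdict=URGENT ;;
      esac ;;
  esac
  printf '%s %s %s\n' "$verdict" "$cve" "$pkg"
}

# triage_report: summary lines on stdin -> URGENT lines first, then SCHEDULE.
triage_report() {
  out=$(while IFS= read -r l; do [ -n "$l" ] && triage_line "$l"; done)
  printf '%s\n' "$out" | grep '^URGENT' || true
  printf '%s\n' "$out" | grep '^SCHEDULE' || true
}

# Constructed sample; CVE ids are placeholders, not real identifiers.
SAMPLE='CVE-0000-0001 openssh-server (remotely exploitable, high urgency)
CVE-0000-0002 libxml2 (remotely exploitable, medium urgency)
CVE-0000-0003 nginx (fixed, remotely exploitable, medium urgency)
CVE-0000-0004 postfix (low urgency)'

printf '%s\n' "$SAMPLE" | triage_report
```

On a live host replace SAMPLE with `debsecan --suite $(lsb_release -cs) --format summary` and EXPOSED_PKGS with the derived list; the "Exploit public?" question from the template still needs a manual check.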

unattended-upgrades overlap

debsecan finds CVEs; unattended-upgrades applies fixes — run both in monthly patch cadence documented in change calendar.

Supply chain SBOM

Generate a software bill of materials monthly with dpkg-query -W -f='${Package} ${Version}\n' and compare it against the vendor SBOM for compliance questionnaires. Flatpak and snap need a separate audit: flatpak list --columns=application,version. A critical CVE in openssl affects every host at once; after patching, restart the daemons linked against libssl/libc first.

Commercial support contracts

Ubuntu Pro and RHEL subscriptions extend security coverage beyond the standard support window (ESM for 16.04/18.04 machines still running in estates). Document which machines rely on extended support before debsecan shows an unfixed CVE with no patch in the main archives.
