I started a tiny project a couple of days ago: arch-audit.
arch-audit's main (and only) goal is to list the packages installed on your Arch Linux system that are affected by known vulnerabilities.
To do that, arch-audit parses the CVE page on the Arch wiki, which is maintained by the Arch CVE Monitoring Team.
arch-audit's output is very verbose when it is started without any argument, but two options, --quiet (or -q, or -qq for even terser output) and --format (or -f), let you adapt the output to your use case.
There is also a third option, --upgradable (or -u), to display only the vulnerable packages whose fixed version is already available in the Arch Linux repositories.
In my opinion, a great use case is the following:
$ ssh www.andreascarpino.it
openssl>=1.0.2.i-1
lib32-openssl>=1:1.0.2.i-1
Last login: Sat Sep 24 23:13:56 2016
$
In fact, I added a systemd timer that runs arch-audit -uq every day and saves its output to a temporary file that is configured as the SSH banner.
Then, every time I log into my server, I get notified about installed packages that have known vulnerabilities for which a fixed version is already available. Time to do a system update!
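As an added example (not part of arch-audit and not the author's own setup), here is one way to wire this up: a POSIX sh wrapper that refreshes the banner file atomically and writes the systemd service and timer units that run it daily. The script path /usr/local/bin/arch-audit-banner and the banner path /run/arch-audit-banner are assumptions, as is the idea that arch-audit exits 0 whenever the audit itself ran.

```shell
#!/bin/sh
# Added example, not part of arch-audit or the original post: a wrapper that
# refreshes the SSH banner from `arch-audit -uq` and installs the systemd
# service/timer pair that runs it daily. Hypothetical names assumed here:
# the wrapper is installed as /usr/local/bin/arch-audit-banner and the banner
# file is /run/arch-audit-banner (referenced by `Banner` in sshd_config).
set -eu

BANNER_FILE="${BANNER_FILE:-/run/arch-audit-banner}"
AUDIT_CMD="${AUDIT_CMD:-arch-audit -uq}"

# update_banner FILE CMD [ARGS...]
# Runs CMD and replaces FILE atomically: the output goes to a temp file in the
# same directory, which is then renamed over FILE, so sshd never reads a
# half-written banner. If CMD fails (e.g. the wiki page could not be fetched),
# the previous banner is kept and the function returns non-zero. Assumption:
# arch-audit exits 0 whenever the audit ran, whether or not it found anything.
update_banner() {
    file=$1; shift
    tmp=$(mktemp "$(dirname "$file")/.banner.XXXXXX")
    if "$@" > "$tmp"; then
        chmod 0644 "$tmp"
        mv -f "$tmp" "$file"
    else
        rm -f "$tmp"
        return 1
    fi
}

# install_units [DIR]
# Writes arch-audit-banner.service and arch-audit-banner.timer into DIR
# (default /etc/systemd/system). Enable with:
#   systemctl daemon-reload && systemctl enable --now arch-audit-banner.timer
install_units() {
    dir=${1:-/etc/systemd/system}
    cat > "$dir/arch-audit-banner.service" <<'EOF'
[Unit]
Description=Refresh the SSH banner with vulnerable packages that have a fix
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/arch-audit-banner
EOF
    cat > "$dir/arch-audit-banner.timer" <<'EOF'
[Unit]
Description=Run arch-audit-banner daily

[Timer]
# /run is a tmpfs, so also rebuild the banner shortly after every boot.
OnBootSec=5min
OnCalendar=daily
Persistent=true

[Install]
WantedBy=timers.target
EOF
}

main() {
    case "${1:-}" in
        install) install_units "${2:-}" ;;
        # Word splitting of AUDIT_CMD is intended: "arch-audit -uq" is two words.
        *) update_banner "$BANNER_FILE" $AUDIT_CMD ;;
    esac
}

# Run main only when executed as the installed script, not when sourced.
case "${0##*/}" in
    arch-audit-banner) main "$@" ;;
esac
```

Point sshd at the file with `Banner /run/arch-audit-banner` in /etc/ssh/sshd_config and reload sshd. One caveat worth weighing: sshd sends the banner before authentication, so every client that reaches port 22, scanners included, is told which vulnerable packages the host still runs. If that trade-off is not acceptable, write the same output to /etc/motd instead, which pam_motd displays only after a successful login, and leave the Banner directive unset.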
So, now I'm waiting for your feedback! Have fun!
BTW, Lynis already added arch-audit support!
Tags: linux, floss, arch linux, projects