On 21/02/2024 21:08, Michael Kjörling wrote:
> On 21 Feb 2024 19:03 +0000, from andre@rodier.me (Andre Rodier):
>> - What is the best approach to check if there is any vulnerability in the packages configuration?
>> - Is there any service that could audit the deployment code or the configuration files?
>
> My understanding is that both Lynis and Vuls are popular for already-installed systems. If you have your configuration packaged as Ansible scripts, then deploying that onto a disposable VM based on a minimal Debian installation should be a reasonably practical way of auditing the deployment process itself for vulnerabilities.

Thanks, I will try this approach; this is a good idea. Yes, using a VM is easy, that's the approach I used for the development.

> A web search for something like "linux local vulnerability scanner" will provide you with additional leads.

I tried the debsecan package, which is good as well. I will see if I can make this more readable and integrated with the distribution.

> Note that any automated tool will use some kind of heuristics, so (a) it may find things that are not actually vulnerabilities in your setup, and (b) it might not find something which _is_ a vulnerability in your setup.

Of course, as usual with this kind of tool. Thanks for your insights.

André
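Added example, not from either participant in this thread: one way to make debsecan's output "more readable", as the reply above sets out to do. It is a small Python script that parses debsecan's one-line-per-issue summary, groups open issues per package, orders packages by their worst urgency, and keeps any line it cannot parse so nothing is silently dropped (which matters given the heuristics caveat above). The assumed line shape `<id> <package> (<attribute>, ...)` with attributes such as `remotely exploitable`, `<level> urgency` and `fixed` is this example's reading of debsecan's default format, not something the thread states; the sample lines, CVE ids and package names are constructed.

```python
"""Turn debsecan's one-line-per-issue summary into a per-package report."""
import re
import sys
from collections import defaultdict

# Constructed sample in the assumed shape of debsecan's default summary output
# ("<id> <package> (<attribute>, ...)"). The ids and package names are made up
# for this example; the exact attribute wording is an assumption.
SAMPLE_OUTPUT = """\
CVE-2099-0001 libexample1 (remotely exploitable, high urgency)
CVE-2099-0002 libexample1 (low urgency)
CVE-2099-0003 fooserver (remotely exploitable, medium urgency, fixed)
TEMP-0000000-ABCDEF bardaemon (unknown urgency)
this line is not in the expected format
"""

LINE_RE = re.compile(r"^(?P<id>\S+)\s+(?P<pkg>\S+)\s+\((?P<attrs>[^)]*)\)\s*$")

# Lower rank sorts first; anything unrecognised sorts last.
URGENCY_RANK = {"high": 0, "medium": 1, "low": 2, "unimportant": 3, "unknown": 4}


def parse_line(line):
    """Return a finding dict for one summary line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    attrs = [a.strip() for a in m.group("attrs").split(",") if a.strip()]
    urgency = "unknown"
    for attr in attrs:
        if attr.endswith(" urgency"):
            urgency = attr[: -len(" urgency")]
    return {
        "id": m.group("id"),
        "package": m.group("pkg"),
        "urgency": urgency,
        "remote": "remotely exploitable" in attrs,
        "fixed": "fixed" in attrs,
    }


def parse_output(text):
    """Split raw debsecan output into parsed findings and lines we could not parse."""
    findings, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        finding = parse_line(line)
        if finding is None:
            unparsed.append(line)  # kept for manual review rather than dropped
        else:
            findings.append(finding)
    return findings, unparsed


def summarize(findings, include_fixed=False):
    """Group open findings by package and order packages by their worst issue."""
    by_pkg = defaultdict(list)
    for f in findings:
        if f["fixed"] and not include_fixed:
            continue
        by_pkg[f["package"]].append(f)

    def rank(f):
        # Among issues of equal urgency, remotely exploitable ones sort first.
        return (URGENCY_RANK.get(f["urgency"], 99), 0 if f["remote"] else 1)

    packages = []
    for pkg, items in by_pkg.items():
        items.sort(key=rank)
        packages.append({"package": pkg, "worst": items[0]["urgency"], "findings": items})
    packages.sort(key=lambda p: (rank(p["findings"][0]), p["package"]))

    counts = defaultdict(int)
    for p in packages:
        for f in p["findings"]:
            counts[f["urgency"]] += 1
    return {"packages": packages, "counts": dict(counts)}


def render(summary, unparsed):
    """Produce a human-readable text report from summarize()'s result."""
    lines = []
    for p in summary["packages"]:
        lines.append(f"{p['package']} (worst: {p['worst']})")
        for f in p["findings"]:
            flag = " [remote]" if f["remote"] else ""
            lines.append(f"  {f['id']}: {f['urgency']} urgency{flag}")
    ordered = sorted(summary["counts"].items(), key=lambda kv: URGENCY_RANK.get(kv[0], 99))
    lines.append("open issues by urgency: " + ", ".join(f"{k}={v}" for k, v in ordered))
    if unparsed:
        lines.append(f"{len(unparsed)} line(s) not understood (check them by hand):")
        lines.extend("  " + u for u in unparsed)
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe real output in with `debsecan | python3 report.py`; otherwise use the sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    findings, unparsed = parse_output(raw)
    print(render(summarize(findings), unparsed))
```

Issues marked `fixed` are hidden by default so the report shows what is still open; pass `include_fixed=True` to see them as well. Because the parser only recognises the attributes it knows about, it is worth checking the "not understood" section after running it against a real debsecan run, since a changed output format would land there rather than be mis-read.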