### Systemd Timer Setup for Automated Audits
Source: https://context7.com/archlinux/arch-audit/llms.txt

Instructions for installing and enabling systemd units to run `arch-audit -u` daily. This setup includes a randomized startup delay to prevent traffic spikes.

```bash
# Install the units (if not packaged)
$ sudo cp contrib/systemd/arch-audit.service /usr/lib/systemd/system/
$ sudo cp contrib/systemd/arch-audit.timer /usr/lib/systemd/system/
```

```bash
# Enable and start the timer
$ sudo systemctl enable --now arch-audit.timer
```

--------------------------------

### Configuration File Example
Source: https://context7.com/archlinux/arch-audit/llms.txt

Example TOML configuration for arch-audit, specifying network settings such as the advisory source URL and proxy configuration. User configuration takes precedence over system-wide settings.

```toml
# /etc/arch-audit/settings.toml (or ~/.config/arch-audit/settings.toml)
[network]
# Override the default advisory feed URL, or point to a local file
source = "https://security.archlinux.org/all.json"
# Route all requests through a proxy (HTTP, HTTPS, SOCKS5 supported)
proxy = "socks5://127.0.0.1:9050"
```

--------------------------------

### Example output after pacman transaction with hook
Source: https://context7.com/archlinux/arch-audit/llms.txt

This is an example of the output you might see in your terminal after installing a package, if the arch-audit hook is enabled and detects a vulnerability.

```bash
:: Checking packages for known vulnerabilities
curl is affected by buffer-overflow. Critical risk! Update to at least 8.9.1-1!
```

--------------------------------

### Install arch-audit from official repositories
Source: https://github.com/archlinux/arch-audit/blob/main/README.md

Use pacman to install the latest stable release of arch-audit from the official Arch Linux repositories.

```bash
pacman -S arch-audit
```

--------------------------------

### Generate shell completions for arch-audit
Source: https://github.com/archlinux/arch-audit/blob/main/README.md

Generate and install shell completion scripts for shells such as zsh, bash, and fish.

```bash
arch-audit completions zsh > /usr/share/zsh/site-functions/_arch-audit
arch-audit completions bash > /usr/share/bash-completion/completions/arch-audit
arch-audit completions fish > /usr/share/fish/vendor_completions.d/arch-audit.fish
```

--------------------------------

### Install arch-audit pacman hook
Source: https://context7.com/archlinux/arch-audit/llms.txt

Copy the provided hook file to the correct directory to enable automatic vulnerability checks after package transactions.

```bash
sudo cp contrib/hooks/arch-audit.hook /usr/share/libalpm/hooks/
```

--------------------------------

### Alternate Pacman Database Path
Source: https://context7.com/archlinux/arch-audit/llms.txt

Use the `--dbpath` or `-b` flag to specify an alternate local pacman database path. This is useful for auditing chroot environments or alternative installations.

```bash
# Audit a chroot environment
$ arch-audit --dbpath /mnt/arch/var/lib/pacman
```

```bash
# Audit with a custom pacman database directory
$ arch-audit -b /srv/pacman/db --upgradable --quiet
```

--------------------------------

### Arch-audit pacman hook configuration
Source: https://context7.com/archlinux/arch-audit/llms.txt

This INI file configures the pacman hook to run arch-audit after package installations or upgrades, so that vulnerabilities are checked immediately after every transaction.

```ini
# /usr/share/libalpm/hooks/arch-audit.hook
[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = *

[Action]
Depends = ca-certificates
Depends = arch-audit
When = PostTransaction
Exec = /usr/bin/arch-audit --color always
Description = Checking packages for known vulnerabilities
```

--------------------------------

### Condensed Output with --quiet
Source: https://context7.com/archlinux/arch-audit/llms.txt

Reduces output verbosity. Use `-q` for package names and minimum fix versions, or `-qq` for package names only. Requires `--upgradable` to be effective for upgrade-related information.

```bash
# Single -q: name and minimum version
$ arch-audit -u -q
curl>=8.9.1-1
libtiff>=4.6.0-2

# Double -qq: package names only
$ arch-audit -u -qq
curl
libtiff
```

--------------------------------

### Custom Output Format with --format
Source: https://context7.com/archlinux/arch-audit/llms.txt

Allows custom formatting of output using printf-style placeholders. Available placeholders include package name (`%n`), CVEs (`%c`), fixed version (`%v`), type (`%t`), and severity (`%s`).

```bash
# Pipe-delimited name|CVEs
$ arch-audit -u -f "%n|%c"
curl|CVE-2024-7264,CVE-2024-6197

# Full structured record
$ arch-audit -f "%n :: %s :: %t :: fix=%v"
curl :: Critical risk :: buffer-overflow, multiple issues :: fix=8.9.1-1
openssl :: Low risk :: timing-attack :: fix=

# Nagios/monitoring-compatible single-line
$ arch-audit -u -f "CRITICAL: %n must be updated to %v (%c)"
CRITICAL: curl must be updated to 8.9.1-1 (CVE-2024-7264,CVE-2024-6197)
```

--------------------------------

### Build arch-audit from source
Source: https://github.com/archlinux/arch-audit/blob/main/README.md

Clone the arch-audit repository and build the development version using Cargo.

```bash
git clone https://gitlab.archlinux.org/archlinux/arch-audit.git
cd arch-audit
cargo build
cargo run
```

--------------------------------

### Control Output Ordering with --sort
Source: https://context7.com/archlinux/arch-audit/llms.txt

Customize the output order using a comma-separated list of sort keys. Available keys include `severity`, `pkgname`, `upgradable`, and `reverse`. The default order is `severity,pkgname`.

```bash
# Alphabetical only
$ arch-audit --sort pkgname
```

```bash
# Upgradable first, then by severity
$ arch-audit --sort upgradable,severity
```

```bash
# Reverse severity (lowest risk first)
$ arch-audit --sort severity,reverse
```

--------------------------------

### List upgradable packages with arch-audit
Source: https://github.com/archlinux/arch-audit/blob/main/README.md

Use the `--upgradable` and `--quiet` flags to list only the packages that have available updates due to security vulnerabilities.

```bash
$ arch-audit --upgradable --quiet
curl>=7.52.1-1
```

--------------------------------

### Run Basic Audit
Source: https://context7.com/archlinux/arch-audit/llms.txt

Executes the default audit to display all affected packages, their severity, and fix guidance. This is the most comprehensive output.

```bash
$ arch-audit
# Example output:
bzip2 is affected by compression. Medium risk!
curl is affected by multiple issues, buffer-overflow. Critical risk! Update to at least 8.9.1-1!
libtiff is affected by heap-buffer-overflow. Critical risk! Update to at least 4.6.0-2!
openssl is affected by timing-attack. Low risk!
```

--------------------------------

### Include Testing Repository Fixes
Source: https://context7.com/archlinux/arch-audit/llms.txt

Use the `--show-testing` flag to include packages with fixes available only in Arch's `[testing]` repositories. This flag also enables the 'Update to ... from the testing repos!' message.

```bash
$ arch-audit --show-testing --upgradable
```

--------------------------------

### Run arch-audit to check for vulnerabilities
Source: https://github.com/archlinux/arch-audit/blob/main/README.md

Execute arch-audit to list packages affected by known vulnerabilities, including risk levels.

```bash
$ arch-audit
bzip2 is affected by CVE-2016-3189. Medium risk!
curl is affected by CVE-2016-9594, CVE-2016-9586. Update to 7.52.1-1!
gst-plugins-bad is affected by CVE-2016-9447, CVE-2016-9446, CVE-2016-9445. High risk!
jasper is affected by CVE-2016-8886. Medium risk!
libimobiledevice is affected by CVE-2016-5104. Low risk!
libtiff is affected by CVE-2015-7554. Critical risk!
libusbmuxd is affected by CVE-2016-5104. Low risk!
openjpeg2 is affected by CVE-2016-9118, CVE-2016-9117, CVE-2016-9116, CVE-2016-9115, CVE-2016-9114, CVE-2016-9113. High risk!
openssl is affected by CVE-2016-7055. Low risk!
```

--------------------------------

### Recursive Dependency Check with Formatted Output
Source: https://context7.com/archlinux/arch-audit/llms.txt

Perform a recursive audit of dependencies and format the output to show package names and fix versions. The `%r` placeholder is only populated when the `-r` flag is used.

```bash
$ arch-audit -rr
```

```bash
$ arch-audit -r -f "%n required by: %r | fix: %v"
```

--------------------------------

### Format arch-audit output for package and CVE
Source: https://github.com/archlinux/arch-audit/blob/main/README.md

Use the `-uf` flags with a custom format string to display only the package name and its associated CVEs.

```bash
$ arch-audit -uf "%n|%c"
curl|CVE-2016-9594,CVE-2016-9586
```

--------------------------------

### Show Reverse Dependencies
Source: https://context7.com/archlinux/arch-audit/llms.txt

Displays packages that depend on a vulnerable package. Use `-r` for direct dependents or `-rr` for the full recursive dependency tree.

```bash
# Direct dependents
$ arch-audit -r
curl is affected by buffer-overflow. It's required by git, wget. Critical risk! Update to at least 8.9.1-1!
```

--------------------------------

### Custom Advisory Data Source
Source: https://context7.com/archlinux/arch-audit/llms.txt

Specify a custom URL or local file path for advisory data using the `--source` flag. This is useful for offline auditing, testing with local snapshots, or using self-hosted mirrors.

```bash
# Use a local advisory snapshot for offline auditing
$ curl -o /tmp/all.json https://security.archlinux.org/all.json
$ arch-audit --source /tmp/all.json
```

```bash
# Point at a self-hosted mirror
$ arch-audit --source https://mirror.example.com/arch-security/all.json
```

```bash
# Combine with JSON output for CI pipeline usage
$ arch-audit --source /tmp/all.json --json | jq 'length'
```

--------------------------------

### Rust library usage for advisory data
Source: https://context7.com/archlinux/arch-audit/llms.txt

Demonstrates deserializing advisory data from JSON, creating an `Affected` record, and sorting a list of affected packages using the arch-audit Rust crate.

```rust
use arch_audit::types::{Avgs, Severity, Status, Affected};
use arch_audit::args::SortBy;
use arch_audit::util::sort_affected;

fn main() {
    // Deserialize advisory JSON (e.g., from https://security.archlinux.org/all.json)
    let json = r#"[{
        "name": "AVG-99",
        "packages": ["curl"],
        "status": "Fixed",
        "type": "buffer-overflow",
        "severity": "Critical",
        "fixed": "8.9.1-1",
        "issues": ["CVE-2024-7264"]
    }]"#;
    let avgs: Avgs = serde_json::from_str(json).expect("parse failed");

    // Build an Affected record and sort a list
    let mut aff = Affected::new("curl");
    aff.severity = Severity::Critical;
    aff.status = Status::Fixed;
    aff.fixed = Some("8.9.1-1".to_string());
    aff.cves = vec!["CVE-2024-7264".to_string()];
    aff.kind = vec!["buffer-overflow".to_string()];

    let mut list: Vec<&Affected> = vec![&aff];
    sort_affected(&mut list, &[SortBy::Severity, SortBy::Pkgname]);
    for item in list {
        println!("{} - {} - fix: {:?}", item.package, item.severity, item.fixed);
    }
    // Output: curl - Critical risk - fix: Some("8.9.1-1")
}
```

--------------------------------

### Generate Shell Completions
Source: https://context7.com/archlinux/arch-audit/llms.txt

Use the `completions` subcommand to generate shell completion scripts for shells such as `zsh`, `bash`, `fish`, `elvish`, and `powershell`.

```bash
# Zsh
$ arch-audit completions zsh > /usr/share/zsh/site-functions/_arch-audit
```

```bash
# Bash
$ arch-audit completions bash > /usr/share/bash-completion/completions/arch-audit
```

```bash
# Fish
$ arch-audit completions fish > /usr/share/fish/vendor_completions.d/arch-audit.fish
```

```bash
# Elvish
$ arch-audit completions elvish > ~/.config/elvish/lib/arch-audit.elv
```

--------------------------------

### Machine-Readable JSON Output
Source: https://context7.com/archlinux/arch-audit/llms.txt

Emits the full advisory list as a JSON array. Each object details one advisory: name, packages, status, type, severity, fixed version, and issues (CVEs). Useful for programmatic processing.

```bash
$ arch-audit --json | python3 -m json.tool
[
    {
        "name": "AVG-12345",
        "packages": ["curl"],
        "status": "Fixed",
        "type": "buffer-overflow",
        "severity": "Critical",
        "fixed": "8.9.1-1",
        "issues": ["CVE-2024-7264", "CVE-2024-6197"]
    },
    {
        "name": "AVG-12300",
        "packages": ["openssl"],
        "status": "Vulnerable",
        "type": "timing-attack",
        "severity": "Low",
        "fixed": null,
        "issues": ["CVE-2024-5535"]
    }
]

# Filter to only critical items with jq
$ arch-audit --json | jq '.[] | select(.severity == "Critical")'
```

--------------------------------

### Proxy Configuration
Source: https://context7.com/archlinux/arch-audit/llms.txt

Route outbound HTTP requests through a specified proxy using `--proxy`, or disable proxying with `--no-proxy`. Supports HTTP, HTTPS, and SOCKS5 proxies.

```bash
# Route through a SOCKS5 proxy (e.g., Tor)
$ arch-audit --proxy socks5://127.0.0.1:9050
```

```bash
# Route through an HTTP proxy
$ arch-audit --proxy http://proxy.example.com:8080
```

```bash
# Ignore the proxy configured in settings.toml
$ arch-audit --no-proxy
```

--------------------------------

### View arch-audit.service logs
Source: https://context7.com/archlinux/arch-audit/llms.txt

View the output of the last run of the arch-audit service using journalctl. This helps in diagnosing issues or reviewing audit results.

```bash
journalctl -u arch-audit.service --no-pager
```

--------------------------------

### Show Only Upgradable Packages
Source: https://context7.com/archlinux/arch-audit/llms.txt

Filters the audit results to show only packages that have available fixes in the repositories. Useful for creating a targeted upgrade list.

```bash
$ arch-audit --upgradable
curl is affected by multiple issues, buffer-overflow. Critical risk! Update to at least 8.9.1-1!
libtiff is affected by heap-buffer-overflow. Critical risk! Update to at least 4.6.0-2!
```

--------------------------------

### Include CVE Identifiers
Source: https://context7.com/archlinux/arch-audit/llms.txt

Appends CVE numbers to each line of the standard output, providing quick access to specific vulnerability identifiers alongside the package information.

```bash
$ arch-audit --show-cve
curl is affected by buffer-overflow. (CVE-2024-7264, CVE-2024-6197). Critical risk! Update to at least 8.9.1-1!
openssl is affected by timing-attack. (CVE-2024-5535). Low risk!
```

--------------------------------

### Check arch-audit.timer status
Source: https://context7.com/archlinux/arch-audit/llms.txt

Use this command to check the status of the arch-audit systemd timer, which is responsible for daily audits.

```bash
systemctl status arch-audit.timer
```

--------------------------------

### Color Output Control
Source: https://context7.com/archlinux/arch-audit/llms.txt

Manage terminal color output using the `--color` flag. Options include `auto` (default), `always`, and `never`. This is useful for piping output to tools like `less -R` or redirecting to files.

```bash
# Force colors even when piping (e.g., to less -R)
$ arch-audit --color always | less -R
```

```bash
# Disable colors
$ arch-audit --color never > audit-report.txt
```
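As an added example (not part of arch-audit or its documentation), the following Python script consumes the `--json` advisory array described above and reproduces the targeted upgrade list that `arch-audit -u -q` prints, merging several advisories for the same package. The sample advisories, the second `curl` entry with its version `8.10.0-1`, and the `CVE-0000-...` identifiers are constructed placeholders; the version ordering is a simplification of pacman's `vercmp`.

```python
import json
import re

# Severity order used for sorting; the names are the ones arch-audit prints.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed sample in the shape of `arch-audit --json` output (not real data).
# AVG-00001/AVG-00002 and the CVE-0000-* ids are placeholders for this example.
SAMPLE_JSON = """[
 {"name": "AVG-12345", "packages": ["curl"], "status": "Fixed", "type": "buffer-overflow",
  "severity": "Critical", "fixed": "8.9.1-1", "issues": ["CVE-2024-7264", "CVE-2024-6197"]},
 {"name": "AVG-12300", "packages": ["openssl"], "status": "Vulnerable", "type": "timing-attack",
  "severity": "Low", "fixed": null, "issues": ["CVE-2024-5535"]},
 {"name": "AVG-00001", "packages": ["curl"], "status": "Fixed", "type": "multiple issues",
  "severity": "High", "fixed": "8.10.0-1", "issues": ["CVE-0000-0001"]},
 {"name": "AVG-00002", "packages": ["libtiff"], "status": "Fixed", "type": "heap-buffer-overflow",
  "severity": "Critical", "fixed": "4.6.0-2", "issues": ["CVE-0000-0002"]}
]"""

def parse_advisories(text):
    """Parse the JSON array emitted by `arch-audit --json`."""
    return json.loads(text)

def version_key(version):
    """Simplified pacman version ordering: numeric segments compare as ints,
    other segments as text. Real deployments should defer to `vercmp`."""
    return tuple((0, int(s)) if s.isdigit() else (1, s) for s in re.split(r"[.\-:]", version))

def upgrade_list(advisories):
    """Merge advisories per package (like `--upgradable`): keep only entries that
    already have a fix, the newest fixed version, the highest severity, all CVEs."""
    merged = {}
    for adv in advisories:
        if adv["status"] != "Fixed" or not adv.get("fixed"):
            continue  # no fix to upgrade to yet
        for pkg in adv["packages"]:
            entry = merged.setdefault(pkg, {"fixed": adv["fixed"], "severity": adv["severity"], "cves": []})
            if version_key(adv["fixed"]) > version_key(entry["fixed"]):
                entry["fixed"] = adv["fixed"]
            if SEVERITY_RANK.get(adv["severity"], 99) < SEVERITY_RANK.get(entry["severity"], 99):
                entry["severity"] = adv["severity"]
            entry["cves"].extend(c for c in adv["issues"] if c not in entry["cves"])
    # Same default order as arch-audit: severity first, then package name.
    return sorted(merged.items(), key=lambda kv: (SEVERITY_RANK.get(kv[1]["severity"], 99), kv[0]))

def quiet_lines(advisories):
    """Equivalent of `arch-audit -u -q`: one `pkg>=fixed` line per package."""
    return [f"{pkg}>={info['fixed']}" for pkg, info in upgrade_list(advisories)]

if __name__ == "__main__":
    for line in quiet_lines(parse_advisories(SAMPLE_JSON)):
        print(line)
```

On the sample data this prints `curl>=8.10.0-1` and `libtiff>=4.6.0-2`; `openssl` is omitted because its advisory has no fixed version.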