Contents

How to List Debian Packages Across All Linux Devices

Using Kolide, you can easily view and query Linux Debian Packages across your fleet.

Introduction

Debian packages are the standard way to install software packages on linux distributions based on Debian.

What Linux Debian Package Data Can Kolide Collect?

Kolide's endpoint agent bundles in osquery to efficiently collect Linux Debian Packages from Linux devices in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.

Kolide meticulously documents every piece of data returned so you can understand the results.

Linux Debian Packages Schema

Column	Type	Description
id	Primary Key	Unique identifier for the object
device_id	Foreign Key	Device associated with the entry
device_name	Text	Display name of the device associated with the entry
arch	Text	Debian package architecture
maintainer	Text	Debian package maintainer
mount_namespace_id	Text	Debian package mount namespace id
name	Text	Debian package name
pid_with_namespace	Integer	Debian package pidwithnamespace
priority	Text	Debian package priority
revision	Text	Debian package revision
section	Text	Debian package section
size	Bigint	Debian package size in bytes
source	Text	Debian package source
status	Text	Debian package status
version	Text	The text representation of the version
version_major	Bigint	`version`'s semver major version (ex: `4.2.1` would yield `4`)
version_minor	Bigint	`version`'s semver minor version (ex: `4.2.1` would yield `2`)
version_patch	Bigint	`version`'s semver patch version (ex: `4.2.1` would yield `1`)
version_subpatch	Bigint	`version`'s numeric status fourth position number (ex: `4.2.1.6` would yield `6`)
version_pre	Text	`version`'s semver pre-release version (ex: `1.2.3-prerelease+build` would yield `pre-release`)
version_build	Text	`version`'s semver build version (ex: `1.2.3-prerelease+build` would yield `build`)
collected_at	Timestamp	Time the row of data was first collected in the database
updated_at	Timestamp	Time the row of data was last changed in the database

What Can You Do With This Information?

Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can:

Search for required package (Zoom) from single source

Show Query

Verify required linux package is installed on device (ClamAV) across sources

Show Query

Check whether installed package is up to date with latest release (Zoom)

Show Query

Search for required package (Zoom) from single source

Kolide SQL

SELECT device_name, name, version FROM linux_debian_packages WHERE name = 'zoom'

Example Results

device_name	name	version
airstream	zoom	5.7.31792.0820
daves-pc	zoom	5.7.31792.0820
crusher999	zoom	5.8.3.145
bambox	zoom	5.9.0.1273

Verify required linux package is installed on device (ClamAV) across sources

Kolide SQL

WITH 
-- Linux packages can come from two different sources (rpm_packages, and debian_packages)
-- We combine two queries using a UNION ALL and matching the columns
union_linux_packages AS (
  SELECT 
    device_name, 
    'dpkg' AS source, 
    name, 
    version 
  FROM linux_debian_packages 
  UNION ALL
  SELECT 
    device_name, 
    'rpm' AS source, 
    name, 
    version 
  FROM linux_rpm_packages
)
SELECT * FROM union_linux_packages WHERE name = 'clamav'

Example Results

device_name	name	version	source
bambox	clamav	0.103.6+dfsg-0+deb11u1	dpkg
pancake	clamav	0.103.6+dfsg-0ubuntu0.21.10.1	dpkg
Dave-thinkpad-x1	clamav	0.103.6+dfsg-0ubuntu0.20.04.1	dpkg
jeff-pc	clamav	0.103.6+dfsg-0ubuntu0.20.04.1	dpkg
crayoneater	clamav	0.103.6+dfsg-0ubuntu0.20.04.1	dpkg
Airstream	clamav	0.103.6	rpm

Check whether installed package is up to date with latest release (Zoom)

Kolide SQL

WITH 
-- Linux packages can come from two different sources (rpm_packages, and debian_packages)
-- We combine two queries using a UNION ALL and matching the columns
union_linux_packages AS (
  SELECT 
    device_name, 
    'dpkg' AS source, 
    name, 
    version AS installed_version,
    version_major AS installed_version_major,
    version_minor AS installed_version_minor,
    version_patch AS installed_version_patch,
    version_subpatch AS installed_version_subpatch
  FROM linux_debian_packages 
  UNION ALL
  SELECT 
    device_name, 
    'rpm' AS source, 
    name, 
    version AS installed_version,
    version_major AS installed_version_major,
    version_minor AS installed_version_minor,
    version_patch AS installed_version_patch,
    version_subpatch AS installed_version_subpatch
  FROM linux_rpm_packages
),
zoom_latest_prompted AS (
  SELECT 
  version AS latest_prompted_version,
  CAST(version_major AS int) AS latest_major,
  CAST(version_minor AS int) AS latest_minor,
  CAST(version_patch AS int) AS latest_patch,
  CAST(version_build AS int) AS latest_build
   FROM zoom_latest_releases 
  WHERE platform = 'linux' AND release_type = 'latest_prompted_release'
),
merge_data AS (
SELECT 
  ulp.*, zlp.*
FROM union_linux_packages ulp, zoom_latest_prompted zlp
WHERE name = 'zoom'
)
-- Evaluate installed version against latest_prompted_release
SELECT device_name, installed_version, latest_prompted_version,
  CASE WHEN (
      installed_version_major <  latest_major
   OR installed_version_major <=  latest_major AND installed_version_minor <  latest_minor
   OR installed_version_major <=  latest_major AND installed_version_minor <=  latest_minor AND installed_version_patch <  latest_patch
   OR installed_version_major <=  latest_major AND installed_version_minor <=  latest_minor AND installed_version_patch <=  latest_patch AND installed_version_subpatch <  latest_build
   ) THEN 'true' ELSE 'false' END AS zoom_requires_update
 FROM merge_data;

Example Results

device_name	installed_version	latest_prompted_version	zoom_requires_update
airstream	5.7.31792.0820	5.10.4 (2845)	true
daves-pc	5.7.31792.0820	5.10.4 (2845)	true
conference-room-zoom	5.10.4.2845	5.10.4 (2845)	false
Bambox	5.9.0.1273	5.10.4 (2845)	true

Why Should I Collect Linux Debian Packages?

Since .deb packages are the standard way to install software on a wide range of Linux operating system distributions, there is the potential for malicious actors to distribute malware. Given the wide range of possible software that can be installed, it is important to regularly audit the list of installed packages on a machine.

.deb packages are cataloged and tracked to allow:

Reviewing installed packages to verify desired device configuration
Discovering potential malicious software
Identifying out-of-date or otherwise vulnerable software packages
Identifying unsafe or unapproved installed software

Kolide collects metadata about Debian packages including name, version and source

End-User Privacy Consideration

Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.

Debian package installations reveal a partial list of the applications and software installed on your device. This could include software used for personal or sensitive reasons.

When you use Kolide to list Linux Debian Package data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed directly by employees.