Tom Gatermann told me about a nice tool for Debian (and presumably Ubuntu) called checkrestart. Sometimes, even though you did an apt-get update and apt-get upgrade to bring your system up to date, you can still be running the out-of-date version of something. That’s the problem checkrestart helps you solve.
It’s part of the debian-goodies package. So you install it with the command apt-get install debian-goodies, which takes care of all the dependencies for you, the nice thing about Debian and its derivatives.
Then, after you do updates, it tells you what’s still running the old version. In my case, the last time I updated, it updated SSH, but since I was logged in through SSH, the old version was still running.
So if your security tools say you’re running one version of a piece of software (say, Apache, just to pick on one common process) but the contents of /var/log/apt say something else, checkrestart will help you run that down. And better yet, make a habit of running checkrestart each time you apply updates, just to make sure everything took the way it should have.
The help file cautions you against relying solely on it, but that’s a good rule of thumb for any audit tool. Just this past week, I scanned the same system with both Nessus and Retina and got different results. Audit tools give you an indication there might be something wrong and (hopefully) point you in the right direction toward fixing it, but no matter how many tools you have, the most important tool in the toolchain is an intelligent human being to read, interpret, investigate, and act on the results.
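In the spirit of not relying on a single tool, here is an independent cross-check, added as an example and not taken from the original post or from debian-goodies. It relies on the fact that Linux marks a mapped file that has been replaced on disk as "(deleted)" in /proc/<pid>/maps; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of debian-goodies. Reports processes that are still
# executing files a package upgrade has since replaced on disk.

# stale_maps: read /proc/<pid>/maps-format lines on stdin and print each
# distinct executable mapping whose backing file has been deleted.
stale_maps() {
    awk '
        # $2 = permissions, $6.. = path, last field is "(deleted)" if unlinked.
        # Pseudo-files that always show as deleted (memfd, SysV shm, /dev) are skipped.
        $2 ~ /x/ && $NF == "(deleted)" && $6 ~ "^/" && $6 !~ "^/(memfd:|SYSV|dev/)" {
            path = $6
            for (i = 7; i < NF; i++) path = path " " $i   # keep paths with spaces
            if (!(path in seen)) { seen[path] = 1; print path }
        }'
}

# scan_procs: print "pid<TAB>command<TAB>stale file" for every process that
# can be read. Run as root to see processes owned by other users.
scan_procs() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        stale=$(cat "$maps" 2>/dev/null | stale_maps)
        [ -n "$stale" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        printf '%s\n' "$stale" | while IFS= read -r f; do
            printf '%s\t%s\t%s\n' "$pid" "$comm" "$f"
        done
    done
}

# sample_maps: constructed maps lines for an sshd that was upgraded while a
# session was open (addresses, inodes and library name are made up).
sample_maps() {
    cat <<'EOF'
55d0c0a00000-55d0c0a8c000 r-xp 00000000 08:01 131099 /usr/sbin/sshd (deleted)
7f3a1c000000-7f3a1c1e0000 r-xp 00000000 08:01 262200 /usr/lib/libexample.so.1 (deleted)
7f3a1c1e0000-7f3a1c200000 rw-p 001e0000 08:01 262200 /usr/lib/libexample.so.1 (deleted)
7f3a1d000000-7f3a1d1b0000 r-xp 00000000 08:01 262300 /usr/lib/libother.so.2
7f3a1e000000-7f3a1e001000 rwxs 00000000 00:05 1234 /dev/zero (deleted)
7ffd5a000000-7ffd5a021000 rw-p 00000000 00:00 0 [stack]
EOF
}

# Scan the live system only when asked to: sh thisfile.sh --scan
if [ "${1:-}" = "--scan" ]; then scan_procs; fi
```

If this check and checkrestart disagree about a process, that is a reason to look at the process by hand, not to trust either one.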