Security Handbook/Staying up-to-date

From Gentoo Wiki

This section is on keeping the system up-to-date.

Once you have successfully installed your system and ensured a good level of security you are not done. Much like development, security is an ongoing process; the vast majority of intrusions result from known vulnerabilities in unpatched systems. Keeping the system up-to-date is the single most valuable step to take for greater security.

First sync the ebuild repository with emerge --sync, so that the GLSA metadata it carries is current, and then issue the following command to check whether the system is up to date security-wise:

root #glsa-check --list
[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.

200406-03 [N] sitecopy: Multiple vulnerabilities in included libneon ( net-misc/sitecopy )
200406-04 [U] Mailman: Member password disclosure vulnerability ( net-mail/mailman )

glsa-check is part of sys-apps/portage.

Lines marked [U] can be ignored: the system is not affected by that GLSA. Lines marked [A] were marked as applied by hand (injected) rather than confirmed by an upgrade, so they are only as reliable as whoever injected them; check that the fix is actually installed before dismissing them. Lines marked [N] need action.

Please note that the usual emerge -vpuD @world will not necessarily pick up every package update a GLSA requires. Use glsa-check to make sure all GLSAs are fixed on the system.

Check all GLSAs:

root #glsa-check -t all
This system is affected by the following GLSA:

See what packages would be emerged:

root #glsa-check -p $(glsa-check -t all)
Checking GLSA 200504-06
The following updates will be performed for this GLSA:
     app-arch/sharutils-4.2.1-r11 (4.2.1-r10)

Checking GLSA 200510-08
The following updates will be performed for this GLSA:
     media-libs/xine-lib-1.1.0-r5 (1.1.0-r4)

Apply required fixes:

root #glsa-check -f $(glsa-check -t all)

If a running service, or a library it has loaded, was upgraded, restart the service: until then it keeps executing the old, vulnerable code that is still mapped into its memory.

Keeping the kernel up-to-date is also recommended; a new kernel only takes effect after rebooting into it.
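The following script is an added example for this section; it is not part of the Gentoo Security Handbook or of sys-apps/portage. It ties together two checks from the text: it reads the [N]/[A]/[U] status codes printed by glsa-check --list and separates the entries that need action from those that were injected by hand, and, for the restart advice above, it finds processes that still map a file the kernel marks "(deleted)", which is what an upgraded-but-not-restarted service looks like. The GLSA list and the /proc maps excerpt embedded in the script are constructed samples (the third GLSA entry and its title are made up); the real glsa-check --list output is used when the tool is installed, and the /proc scan runs against the live host.

```shell
#!/bin/sh
# Added example for this handbook section; not part of the Gentoo Security
# Handbook or of sys-apps/portage. It wraps two checks from the text:
# reading the status codes printed by `glsa-check --list`, and finding
# services that still run old code after an update. The GLSA list and the
# maps excerpt below are constructed samples; a real `glsa-check --list`
# is used when the tool is installed.
set -u

# Constructed sample in the format printed by `glsa-check --list`.
# The first two entries are the handbook's; the third (and its title) is
# made up to show an injected entry.
SAMPLE_GLSA_LIST='[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.

200406-03 [N] sitecopy: Multiple vulnerabilities in included libneon ( net-misc/sitecopy )
200406-04 [U] Mailman: Member password disclosure vulnerability ( net-mail/mailman )
200504-06 [A] sharutils: constructed sample title ( app-arch/sharutils )'

# Constructed excerpt of a /proc/<pid>/maps file: the process still maps a
# library that was replaced on disk, which the kernel flags with "(deleted)".
SAMPLE_MAPS='7f1c2a000000-7f1c2a1b0000 r-xp 00000000 08:01 131072 /usr/lib64/libneon.so.27.3.0 (deleted)
7f1c2a1b0000-7f1c2a3af000 ---p 001b0000 08:01 131072 /usr/lib64/libneon.so.27.3.0 (deleted)
7f1c2a400000-7f1c2a5c0000 r-xp 00000000 08:01 4242 /usr/lib64/libc.so.6
7f1c2a700000-7f1c2a701000 rw-s 00000000 00:01 12 /memfd:shm (deleted)'

# Print the IDs of GLSAs whose status letter (N, A or U) matches $1, reading
# `glsa-check --list` output on stdin. Legend lines never match the ID pattern.
glsa_ids_with_status() {
    awk -v want="[$1]" '
        $1 ~ /^[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9]$/ && $2 == want { print $1 }'
}

# Given a maps file on stdin, print each file-backed mapping whose file has
# been removed or replaced since it was mapped. memfd and device mappings are
# skipped: they are "(deleted)" by design, not because of an upgrade.
deleted_mappings() {
    awk '/\(deleted\)$/ && $6 ~ /^\// && $6 !~ /^\/(memfd:|dev\/)/ { print $6 }' | sort -u
}

# Walk /proc and report every process that still maps a deleted file: one
# line per PID and command name, then the stale paths. Reading other users'
# maps needs root; unreadable entries are skipped. Prints nothing when
# everything running is current.
processes_needing_restart() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        stale=$(deleted_mappings 2>/dev/null < "$maps") || continue
        [ -n "$stale" ] || continue
        printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        printf '    %s\n' $stale
    done
}

main() {
    if command -v glsa-check >/dev/null 2>&1; then
        list=$(glsa-check --list 2>/dev/null)
    else
        echo "glsa-check not installed; using the constructed sample list" >&2
        list=$SAMPLE_GLSA_LIST
    fi
    echo "[N] possibly affected (fix with: glsa-check -f <id>):"
    printf '%s\n' "$list" | glsa_ids_with_status N
    echo "[A] marked applied by hand (injected); confirm the fix is really in place:"
    printf '%s\n' "$list" | glsa_ids_with_status A
    echo "Stale mappings in the constructed maps sample:"
    printf '%s\n' "$SAMPLE_MAPS" | deleted_mappings
    echo "Processes on this host still running replaced code (restart them):"
    processes_needing_restart
}

main
```

Run it as root after glsa-check -f has finished: any PID it lists is a service that still executes the pre-update code, so restarting it (or rebooting, if the stale file is a core library every process maps) is what actually closes the GLSA. Injected entries are listed separately on purpose, since glsa-check takes them on trust.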

If you want an email each time a GLSA is released subscribe to the gentoo-announce mailing list. Instructions for joining it and many other great mailing lists can be found in the Gentoo mailing lists.

Another great security resource is the Bugtraq mailing list.

See also

  • GLSA — notifications generated by Gentoo's security team about vulnerable software available in the Gentoo ebuild repository.