1. Keeping up-to-date
Once you have successfully installed your system and ensured a good level of
security you are not done. Security is an ongoing process; the vast majority of
intrusions result from known vulnerabilities in unpatched systems. Keeping your
system up-to-date is the single most valuable step you can take to greater
security.
If you have a recent version of portage installed, you can first sync
your portage tree with emerge --sync and then issue the command
glsa-check --list to check if your system is up to date security-wise.
glsa-check is part of app-portage/gentoolkit.
Code Listing 1.1: Example output of glsa-check -l
# glsa-check -l
WARNING: This tool is completely new and not very tested, so it should not be
used on production systems. It's mainly a test tool for the new GLSA release
and distribution system, it's functionality will later be merged into emerge
and equery.
Please read http://www.gentoo.org/proj/en/portage/glsa-integration.xml
before using this tool AND before reporting a bug.
[A] means this GLSA was already applied,
[U] means the system is not affected and
[N] indicates that the system might be affected.
200406-03 [N] sitecopy: Multiple vulnerabilities in included libneon ( net-misc/sitecopy )
200406-04 [U] Mailman: Member password disclosure vulnerability ( net-mail/mailman )
.......
Warning:
glsa-check is still experimental, so if security really is your top
priority it would be wise to double-check the list against other sources.
Lines marked [A] or [U] can be ignored with reasonable safety, as the
system is not affected by those GLSAs.
Important:
Please note that the usual emerge -vpuD world will not pick up all
package updates. You need to use glsa-check if you want to make sure all
GLSAs are fixed on your system.
Code Listing 1.2: Check all GLSAs
# glsa-check -t all
WARNING: This tool is completely new and not very tested, so it should not be
used on production systems. It's mainly a test tool for the new GLSA release
and distribution system, it's functionality will later be merged into emerge
and equery.
Please read http://www.gentoo.org/proj/en/portage/glsa-integration.xml
before using this tool AND before reporting a bug.
This system is affected by the following GLSA:
200504-06
200510-08
200506-14
200501-35
200508-12
200507-16
# glsa-check -p $(glsa-check -t all)
Checking GLSA 200504-06
The following updates will be performed for this GLSA:
app-arch/sharutils-4.2.1-r11 (4.2.1-r10)
**********************************************************************
Checking GLSA 200510-08
The following updates will be performed for this GLSA:
media-libs/xine-lib-1.1.0-r5 (1.1.0-r4)
# glsa-check -f $(glsa-check -t all)
If you have upgraded a running service, do not forget to restart it, since
the old, vulnerable code stays in memory until you do. Keeping your kernel
up-to-date is also recommended.
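The check/preview/fix sequence above, wrapped in a small POSIX sh script as an added example (it is not part of the Gentoo handbook or of gentoolkit). It assumes glsa-check prints the formats shown in the listings above; the function names and the "apply" argument are my own.

```shell
#!/bin/sh
# Added example, not handbook code: automate the glsa-check workflow.
# Only GLSAs the tool flags as possibly affecting the system are acted on.

# Read glsa-check output on stdin and print the affected GLSA ids, one per
# line. Accepts both formats shown above: "-l" lines such as
# "200406-03 [N] sitecopy: ..." (only [N] entries are kept; [A] and [U]
# are dropped) and the bare id lines printed by "-t all". The warning
# preamble and the "This system is affected ..." line match neither
# pattern and are therefore skipped.
glsa_affected_ids() {
    awk '$1 ~ /^[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9]$/ &&
         ($2 == "[N]" || NF == 1) { print $1 }'
}

# Sync the tree, list affected GLSAs, show the pretend (-p) output and,
# only when "apply" is given as $1, install the fixes with -f.
# $ids is deliberately left unquoted so each id becomes a separate argument.
glsa_update() {
    emerge --sync >/dev/null || return 1
    ids=$(glsa-check -l 2>/dev/null | glsa_affected_ids)
    if [ -z "$ids" ]; then
        echo "No GLSA flags this system as affected."
        return 0
    fi
    echo "Possibly affected by:"
    echo "$ids"
    glsa-check -p $ids
    if [ "$1" = "apply" ]; then
        glsa-check -f $ids
        echo "Remember to restart any upgraded services."
    fi
}

# Entry point: "./glsa-update.sh check" previews, "./glsa-update.sh apply"
# fixes. With no argument the script only defines the functions.
case "${1:-}" in
    check) glsa_update ;;
    apply) glsa_update apply ;;
esac
```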
If you want an email each time a GLSA is released, subscribe to the
gentoo-announce mailing list. Instructions for joining it and many other
useful mailing lists can be found in the Gentoo Linux Mailing List Overview.
Another great security resource is the Bugtraq mailing list.