What's basic to a healthy secure gentoo system

[schmeggahead]

I've been kind of ad hoc managing my Gentoo systems and was wondering what everyone thought was basic to handling the system appropriately.

My list looks something like this:

1. update packages frequently:
emerge --sync (daily)
emerge -uDv system (daily) <- substitute glsa-check
emerge -uDv world (daily) <-substitute --pretend and then do the real thing weekly
revdep-rebuild (weekly)

2. monitor logs and intrusion:
logrotate
logwatch
chkrootkit
(add brute force check for ssh, sftp)

3. reboot periodically (weekly)

4. use hardened on non-X systems

Any other items that are critical?

[coolsnowmen]

I think in theory, upgrading all your packages would catch this, but I have found that the secret to a healthy and secure system is not to just 'Deep update everything; all the time.' You did not say bleeding edge.

if you care about security, check glsa once a day (I cron this to a file)
something like this the folder reports must already exist.

[Phenax]

Update every week (month max).
Give major items about a week to 'sit' before upgrading to them.

[micmac]

How about "None of the above"? Instead subscribe to the GLSA announcement mailing list and when a GLSA comes your way sync your tree and install the update. Makes Gentoo pretty easy to maintain.

[tylerwylie]

[schmeggahead]

Thanks for the insights. I'd forgotten about glsa.
I figured updating daily would be better but glsa is a better daily approach - decide if it is really worth the possible impact.

I updated system first because I'm not using emwrap to force tool chain updates.
I'm thinking I should use that script to avoid updating the toolchain without a great deal of time to work it through.

So for my workstation systems, I could update during the week in between, if I was wanting to get that work out of the way.

I think the glsa does work, but I'm not sure how to make it silent if there are no applicable impacted packages. (I use glsa-check -l | grep -v [U]
and always get these lines:
[A] means this GLSA was already applied,
[U] means the system is not affected and
[N] indicates that the system might be affected.

) I think it has to do with standard error rather then standard out, but haven't gotten to looking up how to send that to /dev/null.

I'll be creating cron scripts now.
Thanks.

[schmeggahead]

[coolsnowmen]

[Phobos666]

- USE="hardened"
- GLSA check after every sync every day
- hardened-sources

rock-solid, secure and neat.

and dont listen to the expat lame warnings. when you understand gentoo, theres no expat pain.

[coolsnowmen]

[Phobos666]

yeah right. but revdep-rebuild --library=/usr/lib/libexpat.so.x.x.x (dunno the old version) did the whole trick.
i think there were postins warnings to do that.

i did this exactly after the expat update on all 4 machines directly after the update. thats no expat pain.

[schmeggahead]

try doing that six months after the expat problem surfaced and then search the forums for the right answer.
That was my expat pain.
No revdep-rebuild or emerge -e world will fix that - the dependencies are too complex. I don't think I knew about emwrap then though.
(and I think I'm the only one who didn't upgrade their systems for that long, so no one else was working the problem from that vantage point).

Really, I know I can't be on this distro (or any for that matter) without constant upgrades (weekly at a minimum). And that's ok.

But I learned that the hard way. (And no, after 4 years on Gentoo with multiple, I don't "know Gentoo" - and yes, I did stage 1 installs as a total noob to linux/unix and boy was I confused, but they worked and worked well.)

and thank you coolsnowmen for pointing out the script in your previous post. I really did miss the connection by reading the thread in stages. Thanks for explicitly connecting it for me (matrix threading).

The more I learn about Gentoo, the more I like it.

[bunder]

[schmeggahead]

[speeddemon]