Myth BOX
The home of guides for Myth TV, IPTables, and other Linux-based phenomena.
 

Extra security

Gentoo Linux Security Advisories are now distributed as part of the portage tree, so each time you update your portage tree you also receive information about security vulnerabilities. This section describes how you can utilise this information to automatically download, compile, and install fixed versions of any insecure packages you might have on your system.
  1. Make sure that you have gentoolkit by doing: emerge gentoolkit.
  2. Now we need to list all the packages that have potential security issues. For this we use the glsa-check script. Run glsa-check -l | grep "\[N\]".
  3. Do a pretend emerge on each of the packages that glsa-check lists. Then remove any packages that don't need to be compiled (either because they are up to date or because they are not installed), and redo the pretend emerge.
  4. Once you are happy with what is to be updated, carry out the emerge.
  5. The system is up to date for now. However, we need to make the system keep updating itself with a cron job. To do this we need a cron daemon installed, so emerge vixie-cron.
  6. Now make it run on boot using rc-update add vixie-cron default, and start it now using /etc/init.d/vixie-cron start.
  7. Create a file called /root/getglsas.sh and add the following to it:
    #!/bin/bash
    for i in `glsa-check -l | grep " \[N\] " | sed s/".*(\(.*\) )"/"\1"/ | sed s/" \.\.\."/""/ | sed s/" "/"\n"/g | grep "/" | sed s/".*\/\(.*\)"/"\1"/ | xargs` ; do emerge -p --columns $i | grep "\[ebuild     U " | sed s/"\[ebuild     U \] \(.*\)\/\(.*\) \(.*\)\[\(.*\)\[\(.*\)"/"\2"/ ; done ;
    
    This script gets all the potentially vulnerable packages, formats them in a list, does a pretend emerge to ensure that they are already on the system, and then outputs the package names.
  8. Create a file called /root/getupdates.sh and add the following to it:
    #!/bin/bash
    emerge -p --columns world | grep "\[ebuild     U " | sed s/"\[ebuild     U \] \(.*\)\/\(.*\) \(.*\)\[\(.*\)\[\(.*\)"/"\2"/
    
    This script just gets the packages that need updating (ignoring package rebuilds etc.) and outputs their names.
  9. Create a file called /root/doupdate.sh and add the following to it:
    #!/bin/bash
    emerge --sync ; emerge `/root/getupdates.sh | xargs` ; emerge `/root/getglsas.sh | xargs`
    
    This script pulls the previous two scripts together into one command to update the system.
  10. Now apply chmod 755 <script_name.sh> to all three scripts to make them runnable.
  11. Now we need to make our cron daemon call this update script. Type crontab -e. This will start an editor where you can add your cron scripts.
  12. The format of a cron file is: minute, hour, day of the month, month, day of the week, command (all space separated). We want to update every week, so add the following:
    0 1 * * mon /root/doupdate.sh 
    
    This will update the system every week at 1:00am on Monday.
  13. Now edit the file /var/lib/portage/world. Remove all source entries apart from gentoo-dev-sources, and add any packages that you may want to add. It is not essential that you do this for security's sake, however, since glsa-check will pick up any packages that aren't in the world file but that have potential vulnerabilities.
  14. This whole process saves a lot of time; however, one step still needs to be carried out manually every week: executing etc-update.
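
A more defensive take on the extraction that /root/getglsas.sh performs in step 7, given as an added example that is not one of the page's scripts. It keeps the full category/package name and discards any token that is not a plain package atom before it can reach an emerge command run as root from cron; the listing format is inferred from that script's sed expressions, and the function names and sample lines are constructed.

```sh
#!/bin/sh
# Added example, not one of the page's scripts.
# glsa_atoms: read `glsa-check -l` style lines on stdin and print the
# category/package atoms of advisories marked [N], one per line, de-duplicated.
# Assumed line format (inferred from the sed expressions in getglsas.sh):
#   <id> [N] <title> ( cat/pkg cat/pkg ... )
# Pipeline stages:
#   1. keep only lines carrying the [N] marker
#   2. keep the text inside the last pair of parentheses on the line
#   3. split it into one token per line
#   4. keep tokens that are plain category/package atoms; this drops the
#      "..." truncation marker and anything starting with "-" or containing
#      shell metacharacters, so advisory text cannot become an emerge option
#   5. sort and de-duplicate
glsa_atoms() {
    grep -F ' [N] ' |
        sed -n 's/.*(\(.*\))[[:space:]]*$/\1/p' |
        tr -s ' ' '\n' |
        grep -E '^[A-Za-z0-9][A-Za-z0-9+_.-]*/[A-Za-z0-9][A-Za-z0-9+_.-]*$' |
        LC_ALL=C sort -u
}

# Constructed sample listing (not real advisories).
sample_listing() {
    cat <<'EOF'
000000-01 [N] Constructed advisory A ( net-misc/foo )
000000-02 [U] Constructed advisory B ( dev-libs/bar )
000000-03 [N] Constructed (quoted) advisory C ( app-arch/baz net-misc/foo dev-lang/qux ... )
000000-04 [N] Constructed advisory D ( --pretend net-misc/foo;x )
EOF
}

sample_listing | glsa_atoms
```

On a Gentoo system the input would come from glsa-check -l instead of the sample listing.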