Document on Customizing OpenBSD after install

J. Joseph Max Katz jkatz at cpio.org
Wed Oct 15 20:02:27 PDT 1997


Re...

In the coming weekend, I'll be updating the newuser FAQ
(for things like PPP and 2.2). I'm sure a post-install checklist would be
a welcome addition.

B U T . . . .

Not everyone runs things like Kerberos or DNS. Keep in mind that many
people use OpenBSD for many things and in many environs. The OpenBSD setup
on my firewall at the office is much different than the Sparc, Alpha, and
P5/133 I run it on at home. The setup on my router machine at home is also
much different than the other machines in my house. There are ways people
have set up OpenBSD on embedded systems to do things like manage the
fuel/air mix ratio on their Corvettes (OK, one person I know of planned
that, but couldn't get the financing for the car...) I hope that draws the
picture.

As for the verification after install, that is sort of "auto-mandatory"--
if a filesystem isn't mounted right, /etc/fstab has to be checked out. If
the network doesn't work, the network files must be examined to "make it
go." As opposed to attacking this as a checklist, how about it is
attacked as "If networking doesn't work, check hostname.(interface)"-- but
there is more to that than just files in /etc (boot -c in order to
reconfigure hardware addresses).

/----------------------------------------------------------------
/ Jonathan Katz, jkatz at cpio.org         /  http://www.cpio.org
/ Student, Unix geek, Security guy      /  http://posse.cpio.org
/ President and Founder: Corinne Posse  /  http://jon.katz.com
/ Phone: +1 (317) 590-7092              /  "OpenBSD: Secure!"
/     "The meek may inherit the earth,      
/             but Gale and I will seize the stars!"

On Wed, 15 Oct 1997, Marshall Midden wrote:

> Is there a checklist someplace on what to do after the install of OpenBSD 2.2?
> 
> I'm thinking like:
>    1) Go into /etc
> 	a) Verify disks and network interfaces configured correctly.
> 	   Files: fstab, hosts, myname, hostname.le0, mygate, resolv.conf, defaultdomain.
> 	   You might wish to turn off multicast routing in /etc/netstart.
> 	b) Edit motd to make lawyers comfortable and delete "Welcome".
> 	c) Fix passwd via "vipw" to change passwords, set up users, etc.
> 	   Make sure password on "root".  Default is no password from console, and
> 	   disabled from network.  Make sure to edit "group" for any user groups,
> 	   and to put people into the wheel group if they need root access.
> 	d) Any local configuration change in: rc.conf, rc.local
> 	e) printcap, hosts.lpd	Get printers set up
> 	f) Tighten security:
> 		fbtab		Set security for X
> 		inetd.conf	Turn off extra stuff, add that which is really needed.
> 		rc.securelevel	Turn on Network Time Protocol.
> 	g) kerberosIV		Get kerberos configured.  Remember to get a srvtab.
> 	h) aliases		Local mail delivery (set postmaster, etc).  Run newaliases
> 	   after changes.
> 	i) bootptab		If this is a bootp server.
> 	j) ccd.conf		If using concatenated disks (striped, etc).
> 	k) exports		If this is an NFS server.
> 	m) NIS (old yellow pages), hosts.equiv, defaultdomain, etc.
> 	n) ifaliases for www, etc.
> 	o) daily, weekly, monthly.
> 	p) "amd" directory if using this package.
> 	q) rbootd if needed for remote booting (ethernet MAC address to IP translation).
> 	r) Any other files and directories in /etc.
> 
>    2) crontab -l.		Do you need anything else?
>    3) After the first night's security run, change ownerships and permissions on things.
> 	Best bet is to have permissions as in the security list.
> 
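
The following is an added example and is not part of either message above: a read-only sh sketch of the checks behind checklist items 1c (root password, wheel membership) and 1f (services left enabled in inetd.conf). The function names and every sample file line are constructed for illustration; on a real system the functions would be pointed at the files under /etc.

```shell
#!/bin/sh
# Added example: read-only checks for checklist items 1c and 1f.
# File formats are the usual master.passwd, group and inetd.conf layouts;
# every sample line below is constructed for illustration.

# Succeeds only if a root entry exists and its password field is non-empty.
root_has_password() {
    awk -F: '$1 == "root" { found = 1; if ($2 == "") empty = 1 }
             END { if (found && !empty) exit 0; exit 1 }' "$1"
}

# Prints the service name of each inetd.conf line that is not commented out.
inetd_enabled() {
    awk '/^[ \t]*#/ || NF == 0 { next } { print $1 }' "$1"
}

# Prints the comma-separated member list of the wheel group.
wheel_members() {
    awk -F: '$1 == "wheel" { print $4 }' "$1"
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/master.passwd" <<'EOF'
root::0:0::0:0:Charlie &:/root:/bin/csh
alice:x-constructed-hash:1000:10::0:0:Alice:/home/alice:/bin/ksh
EOF
cat > "$demo/group" <<'EOF'
wheel:*:0:root,alice
users:*:10:
EOF
cat > "$demo/inetd.conf" <<'EOF'
#ftp    stream tcp nowait root   /usr/libexec/ftpd    ftpd
telnet  stream tcp nowait root   /usr/libexec/telnetd telnetd
  # shell stream tcp nowait root /usr/libexec/rshd    rshd
finger  stream tcp nowait nobody /usr/libexec/fingerd fingerd
EOF

if root_has_password "$demo/master.passwd"; then
    echo "root: password set"
else
    echo "root: EMPTY PASSWORD, set one before going on the network"
fi
echo "inetd services still enabled: $(inetd_enabled "$demo/inetd.conf" | tr '\n' ' ')"
echo "wheel members: $(wheel_members "$demo/group")"
```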
