afterboot - things to check after the first complete boot
Starting Out
This document attempts to list items for the system administrator to
check and set up after the installation and first complete
boot of the
system. The idea is to create a list of items that can be
checked off so
that you have a warm fuzzy feeling that something obvious
has not been
missed. A basic knowledge of UNIX is assumed, otherwise
type
# help
Complete instructions for correcting and fixing items is not
provided.
There are manual pages and other methodologies available for
doing that.
For example, to view the man page for the ls(1) command,
type:
# man 1 ls
Administrators will rapidly become more familiar with OpenBSD if they get
used to using the high quality manual pages.
Errata [Toc] [Back]
By the time that you have installed your system, it is quite
likely that
bugs in the release have been found. All significant and
easily fixed
problems will be reported at
http://www.openbsd.org/errata.html. The web
page will mention if a problem is security related. It is
recommended
that you check this page regularly.
Login [Toc] [Back]
Login as ``root''. You can do so on the console, or over
the network using
ssh(1). If you wish to deny root logins over the network, edit the
/etc/ssh/sshd_config file and set PermitRootLogin to ``no''
(see
sshd_config(5)).
Upon successful login on the console, you may see the message ``Don't
login as root, use su''. For security reasons, it is bad
practice to login
as root during regular use and maintenance of the system. Instead,
administrators are encouraged to add a ``regular'' user, add
said user to
the ``wheel'' group, then use the su(1) and sudo(8) commands
when root
privileges are required. This process is described in more
detail later.
Root password [Toc] [Back]
Change the password for the root user. (Note that throughout the documentation,
the term ``superuser'' is a synonym for the root
user.)
Choose a password that has numbers, digits, and special
characters (not
space) as well as from the upper and lower case alphabet.
Do not choose
any word in any language. It is common for an intruder to
use dictionary
attacks. Type the command /usr/bin/passwd to change it.
It is a good idea to always specify the full path name for
both the
passwd(1) and su(1) commands as this inhibits the possibility of files
placed in your execution PATH for most shells. Furthermore,
the superuser's
PATH should never contain the current directory
(``.'').
System date [Toc] [Back]
Check the system date with the date(1) command. If needed,
change the
date, and/or change the symbolic link of /etc/localtime to
the correct
time zone in the /usr/share/zoneinfo directory.
Examples:
Set the current date to January 27th, 1999 3:04pm:
# date 199901271504
Set the time zone to Atlantic Standard Time:
# ln -fs /usr/share/zoneinfo/Canada/Atlantic /etc/localtime
Check hostname [Toc] [Back]
Use the hostname command to verify that the name of your machine is correct.
See the man page for hostname(1) if it needs to be
changed. You
will also need to edit the /etc/myname file to have it stick
around for
the next reboot.
Verify network interface configuration [Toc] [Back]
The first thing to do is an ifconfig -a to see if the network interfaces
are properly configured. Correct by editing
/etc/hostname.interface
(where interface is the interface name, e.g., ``le0'') and
then using
ifconfig(8) to manually configure it if you do not wish to
reboot. Read
the hostname.if(5) man page for more information on the format of
/etc/hostname.interface files. The loopback interface will
look something
like:
lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 32972
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
an Ethernet interface something like:
le0: flags=9863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST>
inet 192.168.4.52 netmask 0xffffff00 broadcast
192.168.4.255
inet6 fe80::5ef0:f0f0%le0 prefixlen 64 scopeid
0x1
and a PPP interface something like:
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST>
inet 203.3.131.108 --> 198.181.0.253 netmask
0xffff0000
See netstart(8) for instructions on configuring multicast
routing.
See dhcp(8) for instructions on configuring interfaces with
DHCP.
Check routing tables [Toc] [Back]
Issue a netstat -rn command. The output will look something
like:
Routing tables
Internet:
Destination Gateway Flags Refs Use
Mtu Interface
default 192.168.4.254 UGS 0 11098028
- le0
127 127.0.0.1 UGRS 0 0
- lo0
127.0.0.1 127.0.0.1 UH 3 24
- lo0
192.168.4 link#1 UC 0 0
- le0
192.168.4.52 8:0:20:73:b8:4a UHL 1 6707
- le0
192.168.4.254 0:60:3e:99:67:ea UHL 1 0
- le0
Internet6:
Destination Gateway Flags Refs Use
Mtu Interface
::/96 ::1 UGRS 0 0
32972 lo0 =>
::1 ::1 UH 4 0
32972 lo0
::ffff:0.0.0.0/96 ::1 UGRS 0 0
32972 lo0
fc80::/10 ::1 UGRS 0 0
32972 lo0
fe80::/10 ::1 UGRS 0 0
32972 lo0
fe80::%le0/64 link#1 UC 0 0
1500 le0
fe80::%lo0/64 fe80::1%lo0 U 0 0
32972 lo0
ff01::/32 ::1 U 0 0
32972 lo0
ff02::%le0/32 link#1 UC 0 0
1500 le0
ff02::%lo0/32 fe80::1%lo0 UC 0 0
32972 lo0
The default gateway address is stored in the /etc/mygate
file. If you
need to edit this file, a painless way to reconfigure the
network afterwards
is route flush followed by a sh -x /etc/netstart command. Or, you
may prefer to manually configure using a series of route add
and route
delete commands (see route(8)). If you run dhclient(8) you
will have to
kill it by running kill `cat /var/run/dhclient.pid` after
you flush the
routes.
If you wish to route packets between interfaces, add the directive
net.inet.ip.forwarding=1
or
net.inet6.ip6.forwarding=1
to /etc/sysctl.conf. Packets are not forwarded by default,
due to RFC
requirements.
You can add new ``virtual interfaces'' by adding the required entries to
/etc/hostname.if.
BIND Name Server (DNS) [Toc] [Back]
If you are using the BIND Name Server, check the
/etc/resolv.conf file.
It may look something like:
domain nts.umn.edu
nameserver 128.101.101.101
nameserver 134.84.84.84
search nts.umn.edu. umn.edu.
lookup file bind
If using a caching name server, add the line "nameserver
127.0.0.1"
first. To get a local caching name server to run you will
need to set
named_flags in /etc/rc.conf.local. The same holds true if
the machine is
going to be a name server for your domain. In both these
cases, make
sure that named(8) is running (otherwise there are long
waits for resolver
timeouts).
RPC-based network services [Toc] [Back]
Several services depend on the RPC portmapper, portmap(8),
being running
for proper operation. This includes YP and NFS exports,
among other services.
To get the RPC portmapper to start automatically on
boot, you
will need to have this line in /etc/rc.conf.local:
portmap=YES
YP Setup [Toc] [Back]
Check the YP domain name with the domainname(1) command. If
necessary,
correct it by editing the /etc/defaultdomain file (see defaultdomain(5)).
The /etc/netstart script reads this file on bootup to determine and set
the domain name. You may also set the running system's domain name with
the domainname(1) command. To start YP client services,
simply run
ypbind, then perform the remaining YP activation as described in
passwd(5) and group(5).
In particular, to enable YP passwd support, you'll need to
add the following
line to /etc/master.passwd:
+:*::::::::
You do this by using vipw(8).
There are many more YP man pages available to help you. You
can find
more information by starting with yp(8).
Check disk mounts [Toc] [Back]
Check that the disks are mounted correctly by comparing the
/etc/fstab
file against the output of the mount(8) and df(1) commands.
Example:
# cat /etc/fstab
/dev/sd0a / ffs rw 1 1
/dev/sd0d /usr ffs rw,nodev 1 2
/dev/sd0e /var ffs rw,nodev,nosuid 1 3
/dev/sd0g /tmp ffs rw,nodev,nosuid 1 4
/dev/sd0h /home ffs rw,nodev,nosuid 1 5
# mount
/dev/sd0a on / type ffs (local)
/dev/sd0d on /usr type ffs (local, nodev)
/dev/sd0e on /var type ffs (local, nodev, nosuid)
/dev/sd0g on /tmp type ffs (local, nodev, nosuid)
/dev/sd0h on /home type ffs (local, nodev, nosuid)
# df
Filesystem 1024-blocks Used Avail Capacity
Mounted on
/dev/sd0a 22311 14589 6606 69% /
/dev/sd0d 203399 150221 43008 78%
/usr
/dev/sd0e 10447 682 9242 7%
/var
/dev/sd0g 18823 2 17879 0%
/tmp
/dev/sd0h 7519 5255 1888 74%
/home
# pstat -s
Device 512-blocks Used Avail Capacity
Priority
swap_device 131072 84656 46416 65% 0
Edit /etc/fstab and use the mount(8) and umount(8) commands
as appropriate.
Refer to the above example and fstab(5) for information on the format
of this file.
You may wish to do NFS partitions now too, or you can do
them later.
Concatenated disks (ccd) [Toc] [Back]
If you are using ccd(4) concatenated disks, edit
/etc/ccd.conf. Use the
ccdconfig -U command to unload and the ccdconfig -C command
to create tables
internal to the kernel for the concatenated disks. You
then
mount(8), umount(8), and edit /etc/fstab as needed.
Automounter daemon (AMD) [Toc] [Back]
If using the amd(8) package, go into the /etc/amd directory
and set it up
by renaming master.sample to master and editing it and creating other
maps as needed. Alternatively, you can get your maps with
YP.
Clock synchronisation [Toc] [Back]
In order to make sure the system clock is synchronised to
that of a publicly
accessible NTP server, make sure that
/etc/rc.conf.local contains
the following:
ntpd_flags=""
See ntpd(8), rdate(8), and timed(8) for more information on
setting the
system's date.
CHANGING /etc FILES
The system should be usable now, but you may wish to do more
customizing,
such as adding users, etc. Many of the following sections
may be skipped
if you are not using that package (for example, skip the
Kerberos section
if you won't be using Kerberos). We suggest that you cd
/etc and edit
most of the files in that directory.
Note that the /etc/motd file is modified by /etc/rc whenever
the system
is booted. To keep any custom message intact, ensure that
you leave two
blank lines at the top, or your message will be overwritten.
Add new users [Toc] [Back]
Add users. There is an adduser(8) script. You may use
vipw(8) to add
users to the /etc/passwd file and edit /etc/group by hand to
add new
groups. You may also wish to edit /etc/login.conf and tune
some of the
limits documented in login.conf(5). The manual page for
su(1) tells you
to make sure to put people in the `wheel' group if they need
root access
(non-Kerberos). For example:
wheel:*:0:root,myself
Follow instructions for login_krb5(8) if using Kerberos for
authentication.
System command scripts [Toc] [Back]
The /etc/rc.* scripts are invoked at boot time, after single
user mode
has exited, and at shutdown. The whole process is controlled, more or
less, by the master script /etc/rc. This script should not
be changed by
administrators.
/etc/rc is in turn influenced by the configuration variables
present in
/etc/rc.conf. Again this script should not be changed by
administrators:
site-specific changes should be made to (freshly created if
necessary)
/etc/rc.conf.local.
Any commands which should be run before the system sets its
secure level
should be made to /etc/rc.securelevel, and commands to be
run after the
system sets its secure level should be made to
/etc/rc.local. Commands
to be run before system shutdown should be set in
/etc/rc.shutdown.
For more information about system startup/shutdown files,
see rc(8),
rc.conf(8), securelevel(7), and rc.shutdown(8).
If you've installed X, you may want to turn on xdm(1), the X
Display Manager.
To do this, change the value of xdm_flags in
/etc/rc.conf.local.
Printers [Toc] [Back]
Edit /etc/printcap and /etc/hosts.lpd to get any printers
set up. Consult
lpd(8) and printcap(5) if needed.
Set keyboard type [Toc] [Back]
Some architectures permit keyboard type control. Use the
kbd(8) command
to change the keyboard encoding. kbd -l will list all
available encodings.
kbd xxx will select the xxx encoding. Store the encoding in
/etc/kbdtype to make sure it is set automatically at boot
time.
Tighten up security [Toc] [Back]
You might wish to tighten up security more by editing
/etc/fbtab as when
installing X. In /etc/inetd.conf comment out any extra entries you do
not need, and only add things that are really needed. Note
that by default
the telnetd(8) and ftpd(8) daemons are not enabled in
favor of SSH
(Secure Shell).
Kerberos [Toc] [Back]
If you are going to use Kerberos (see `info heimdal') for
authentication,
and you already have a Kerberos master, change directory to
/etc/kerberosV and configure. Remember to get a srvtab from
the master
so that the remote commands work.
Mail Aliases [Toc] [Back]
Edit /etc/mail/aliases and set the three standard aliases to
go to either
a mailing list, or the system administrator.
# Well-known aliases -- these should be filled in!
root: sysadm
manager: root
dumper: root
Run newaliases(8) after changes.
Sendmail [Toc] [Back]
OpenBSD ships with a default /etc/mail/localhost.cf file
that will work
for simple installations; it was generated from
openbsd-localhost.mc in
/usr/share/sendmail/cf. Please see
/usr/share/sendmail/README and
/usr/share/doc/smm/08.sendmailop/op.me for information on
generating your
own sendmail configuration files. For the default installation, sendmail
is configured to only accept connections from the local host
and to not
accept connections on any external interfaces. This makes
it possible to
send mail locally, but not receive mail from remote servers,
which is
ideal if you have one central incoming mail machine and several clients.
To cause sendmail to accept external network connections,
modify the
sendmail_flags variable in /etc/rc.conf.local to use the
/etc/mail/sendmail.cf file in accordance with the comments
therein. This
file was generated from openbsd-proto.mc. Note that sendmail now also
listens on port 587 by default. This is to implement the
RFC 2476 message
submission protocol. You may disable this via the
no_default_msa
option in your sendmail .mc file. See
/usr/share/sendmail/README for
more information. The /etc/mail/localhost.cf file already
has this disabled.
DHCP server [Toc] [Back]
If this is a DHCP server, edit /etc/dhcpd.conf and
/etc/dhcpd.interfaces
as needed. You will have to make sure /etc/rc.conf.local
has:
dhcpd_flags=""
or run dhcpd(8) manually.
BOOTP server [Toc] [Back]
If this is a BOOTP server, edit /etc/dhcpd.conf as needed.
dhcpd(8) will
have to be turned on in rc.conf.local(8).
NFS server [Toc] [Back]
If this is an NFS server make sure /etc/rc.conf.local has:
nfs_server=YES
Edit /etc/exports and get it correct. It is probably easier
to reboot
than to get the daemons running manually, but you can get
the order correct
by looking at /etc/rc.
HP remote boot server [Toc] [Back]
Edit /etc/rbootd.conf if needed for remote booting. If you
do not have
HP computers doing remote booting, do not enable this.
Daily, weekly, monthly scripts
Look at and possibly edit the /etc/daily, /etc/weekly, and
/etc/monthly
scripts. Your site specific things should go into
/etc/daily.local,
/etc/weekly.local, and /etc/monthly.local.
These scripts have been limited so as to keep the system
running without
filling up disk space from normal running processes and
database updates.
(You probably do not need to understand them.)
The /altroot filesystem can optionally be used to provide a
backup of the
root filesystem on a daily basis. To take advantage of
this, you must
have an entry in /etc/fstab with ``xx'' for the mount option:
/dev/wd0j /altroot ffs xx 0 0
and you must add a line to root's crontab:
ROOTBACKUP=1
so that the /etc/daily script will make a daily backup of
the root
filesystem.
Other files in /etc
Look at the other files in /etc and edit them as needed.
(Do not edit
files ending in .db -- like pwd.db, spwd.db, nor localtime,
nor rmt, nor
any directories.)
Crontab (background running processes) [Toc] [Back]
Check what is running by typing crontab -l as root and see
if anything
unexpected is present. Do you need anything else? Do you
wish to change
things? For example, if you do not like root getting standard output of
the daily scripts, and want only the security scripts that
are mailed internally,
you can type crontab -e and change some of the
lines to read:
30 1 * * * /bin/sh /etc/daily 2>&1 >
/var/log/daily.out
30 3 * * 6 /bin/sh /etc/weekly 2>&1 >
/var/log/weekly.out
30 5 1 * * /bin/sh /etc/monthly 2>&1 >
/var/log/monthly.out
See crontab(5).
Next day cleanup [Toc] [Back]
After the first night's security run, change ownerships and
permissions
on files, directories, and devices; root should have received mail with
subject: "<hostname> daily insecurity output.". This mail
contains a set
of security recommendations, presented as a list looking
like this:
var/mail:
permissions (0755, 0775)
etc/daily:
user (0, 3)
The best bet is to follow the advice in that list. The recommended setting
is the first item in parentheses, while the current
setting is the
second one. This list is generated by mtree(8) using
/etc/mtree/special.
Use chmod(1), chgrp(1), and chown(8) as needed.
Packages [Toc] [Back]
Install your own packages. The OpenBSD ports collection includes a large
set of third-party software. A lot of it is available as
binary packages
that you can download from ftp://ftp.openbsd.org or a mirror, and install
using pkg_add(1). See ports(7) and packages(7) for more details.
Copy vendor binaries and install them. You will need to install any
shared libraries, etc. (Hint: man -k compat to find out how
to install
and use compatibility mode.)
There is also other third-party software that is available
in source form
only, either because it has not been ported to OpenBSD yet,
or because
licensing restrictions make binary redistribution impossible. Sometimes
checking the mailing lists for past problems that people
have encountered
will result in a fix posted.
First, review the system message buffer using the dmesg(8)
command to
find out information on your system's devices as probed by
the kernel at
boot. In particular, note which devices were not configured. This information
will prove useful when editing kernel configuration files.
To compile a kernel inside a writable source tree, do the
following:
# cd /usr/src/sys/arch/somearch/conf
# vi SOMEFILE (to make any changes)
# config SOMEFILE
# cd ../compile/SOMEFILE
# make
where somearch is the architecture (e.g. i386), and SOMEFILE
should be a
name indicative of a particular configuration (often that of
the hostname).
You can also do a make depend so that you will have
dependencies
there the next time you do a compile.
If you are building your kernel again, before you do a make
you should do
a make depend after making changes (including updates or
patches) to your
kernel source, or a make clean after making changes to your
kernel options.
After either of these two methods, you can place the new
kernel (called
bsd) in / (i.e. /bsd) and the system will boot it next time.
Most people
save their backup kernels as /bsd.1, /bsd.2, etc.
It is not always necessary to recompile the kernel if only
configuration
changes are required. With config(8), you can change the
device configuration
in the kernel file directly:
# config -e -o bsd.new /bsd
OpenBSD 2.7-beta (GENERIC.rz0) #0: Mon Oct 4 03:57:22
MEST 1999
root@winona:/usr/src/sys/arch/pmax/compile/GENERIC.rz0
Enter 'help' for information
ukc>
Additionally, you can permanently save the changes made with
UKC during
boot time in the kernel image.
chgrp(1), chmod(1), crontab(1), date(1), df(1), domainname(1),
hostname(1), ls(1), make(1), man(1), netstat(1), passwd(1),
pkg_add(1),
ssh(1), su(1), xdm(1), ccd(4), aliases(5), crontab(5), defaultdomain(5),
dhcpd.conf(5), exports(5), fbtab(5), fstab(5), group(5),
hostname.if(5),
login.conf(5), passwd(5), printcap(5), resolv.conf(5),
ssh_config(5),
hostname(7), packages(7), ports(7), adduser(8), amd(8), ccdconfig(8),
chown(8), config(8), dhclient(8), dhcp(8), dhcpd(8),
dmesg(8), ftpd(8),
ifconfig(8), inetd(8), kbd(8), lpd(8), mount(8), mtree(8),
named(8),
netstart(8), newaliases(8), ntpd(8), portmap(8), rbootd(8),
rc(8),
rdate(8), rmt(8), route(8), sudo(8), telnetd(8), timed(8),
umount(8),
vipw(8), yp(8), ypbind(8)
This document first appeared in OpenBSD 2.2.
OpenBSD 3.6 October 20, 1997
[ Back ] |
