1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
|
.\" $OpenBSD: afterboot.8,v 1.116 2007/03/21 22:11:54 jmc Exp $
.\"
.\" Copyright (c) 1997 Marshall M. Midden
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\" must display the following acknowledgement:
.\" This product includes software developed by Marshall M. Midden.
.\" 4. The name of the author may not be used to endorse or promote products
.\" derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd October 20, 1997
.Dt AFTERBOOT 8
\!\" Originally created by Marshall M. Midden -- 1997-10-20, m4@umn.edu
.Os
.Sh NAME
.Nm afterboot
.Nd things to check after the first complete boot
.Sh DESCRIPTION
.Ss Starting out
This document attempts to list items for the system administrator
to check and set up after the installation and first complete boot of the
system.
The idea is to create a list of items that can be checked off so that you have
a warm fuzzy feeling that something obvious has not been missed.
A basic knowledge of
.Ux
is assumed, otherwise type:
.Pp
.Dl # help
.Pp
Complete instructions for correcting and fixing items is not provided.
There are manual pages and other methodologies available for doing that.
For example, to view the man page for the
.Xr ls 1
command, type:
.Pp
.Dl # man 1 ls
.Pp
Administrators will rapidly become more familiar with
.Ox
if they get used to using the high quality manual pages.
.Ss Errata
By the time that you have installed your system, it is quite likely that
bugs in the release have been found.
All significant and easily fixed problems will be reported at
.Pa http://www.openbsd.org/errata.html .
The web page will mention if a problem is security related.
It is recommended that you check this page regularly.
.Ss Login
Log in as
.Dq root .
You can do so on the console, or over the network using
.Xr ssh 1 .
If you wish to deny root logins over the network, edit the
.Pa /etc/ssh/sshd_config
file and set
.Cm PermitRootLogin
to
.Dq no
(see
.Xr sshd_config 5 ) .
.Pp
For security reasons, it is bad practice to log in as root during regular use
and maintenance of the system.
Instead, administrators are encouraged to add a
.Dq regular
user, add said user to the
.Dq wheel
group, then use the
.Xr su 1
and
.Xr sudo 8
commands when root privileges are required.
This process is described in more detail later.
.Ss Root password
Change the password for the root user.
(Note that throughout the documentation, the term
.Dq superuser
is a synonym for the root user.)
Choose a password that has numbers, digits, and special characters (not space)
as well as from the upper and lower case alphabet.
Do not choose any word in any language.
It is common for an intruder to use dictionary attacks.
Type the command
.Ic /usr/bin/passwd
to change it.
.Pp
It is a good idea to always specify the full path name for both the
.Xr passwd 1
and
.Xr su 1
commands as this inhibits the possibility of files placed in your execution
.Ev PATH
for most shells.
Furthermore, the superuser's
.Ev PATH
should never contain the current directory
.Pq Dq \&. .
.Ss System date
Check the system date with the
.Xr date 1
command.
If needed, change the date, and/or change the symbolic link of
.Pa /etc/localtime
to the correct time zone in the
.Pa /usr/share/zoneinfo
directory.
.Pp
Examples:
.Pp
Set the current date to January 27th, 1999 3:04pm:
.Dl # date 199901271504
.Pp
Set the time zone to Atlantic Standard Time:
.Dl # ln -fs /usr/share/zoneinfo/Canada/Atlantic /etc/localtime
.Ss Check hostname
Use the
.Ic hostname
command to verify that the name of your machine is correct.
See the man page for
.Xr hostname 1
if it needs to be changed.
You will also need to edit the
.Pa /etc/myname
file to have it stick around for the next reboot.
.Ss Verify network interface configuration
The first thing to do is an
.Ic ifconfig -a
to see if the network interfaces are properly configured.
Correct by editing
.Pa /etc/hostname. Ns Ar interface
(where
.Ar interface
is the interface name, e.g.,
.Dq le0 )
and then using
.Xr ifconfig 8
to manually configure it
if you do not wish to reboot.
Read the
.Xr hostname.if 5
man page for more information on the format of
.Pa /etc/hostname. Ns Ar interface
files.
The loopback interface will look something like:
.Bd -literal -offset indent
lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 32972
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
.Ed
.Pp
an Ethernet interface something like:
.Bd -literal -offset indent
le0: flags=9863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST>
inet 192.168.4.52 netmask 0xffffff00 broadcast 192.168.4.255
inet6 fe80::5ef0:f0f0%le0 prefixlen 64 scopeid 0x1
.Ed
.Pp
and a PPP interface something like:
.Bd -literal -offset indent
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST>
inet 203.3.131.108 --> 198.181.0.253 netmask 0xffff0000
.Ed
.Pp
See
.Xr netstart 8
for instructions on configuring multicast routing.
.Pp
See
.Xr dhcp 8
for instructions on configuring interfaces with DHCP.
.Ss Check routing tables
Issue a
.Ic netstat -rn
command.
The output will look something like:
.Bd -literal -offset indent
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Interface
default 192.168.4.254 UGS 0 11098028 - le0
127 127.0.0.1 UGRS 0 0 - lo0
127.0.0.1 127.0.0.1 UH 3 24 - lo0
192.168.4 link#1 UC 0 0 - le0
192.168.4.52 8:0:20:73:b8:4a UHL 1 6707 - le0
192.168.4.254 0:60:3e:99:67:ea UHL 1 0 - le0
Internet6:
Destination Gateway Flags Refs Use Mtu Interface
::/96 ::1 UGRS 0 0 32972 lo0 =>
::1 ::1 UH 4 0 32972 lo0
::ffff:0.0.0.0/96 ::1 UGRS 0 0 32972 lo0
fc80::/10 ::1 UGRS 0 0 32972 lo0
fe80::/10 ::1 UGRS 0 0 32972 lo0
fe80::%le0/64 link#1 UC 0 0 1500 le0
fe80::%lo0/64 fe80::1%lo0 U 0 0 32972 lo0
ff01::/32 ::1 U 0 0 32972 lo0
ff02::%le0/32 link#1 UC 0 0 1500 le0
ff02::%lo0/32 fe80::1%lo0 UC 0 0 32972 lo0
.Ed
.Pp
The default gateway address is stored in the
.Pa /etc/mygate
file.
If you need to edit this file, a painless way to reconfigure the network
afterwards is
.Ic route flush
followed by a
.Ic sh -x /etc/netstart
command.
Or, you may prefer to manually configure using a series of
.Ic route add
and
.Ic route delete
commands (see
.Xr route 8 ) .
If you run
.Xr dhclient 8
you will have to kill it by running
.Ic kill `cat /var/run/dhclient.pid`
after you flush the routes.
.Pp
If you wish to route packets between interfaces, add one or both
of the following directives (depending on whether IPv4 or IPv6 routing
is required) to
.Pa /etc/sysctl.conf :
.Pp
.Dl net.inet.ip.forwarding=1
.Dl net.inet6.ip6.forwarding=1
.Pp
Packets are not forwarded by default, due to RFC requirements.
.Ss Check disk mounts
Check that the disks are mounted correctly by
comparing the
.Pa /etc/fstab
file against the output of the
.Xr mount 8
and
.Xr df 1
commands.
Example:
.Bd -literal -offset indent
# cat /etc/fstab
/dev/sd0a / ffs rw 1 1
/dev/sd0d /usr ffs rw,nodev 1 2
/dev/sd0e /var ffs rw,nodev,nosuid 1 3
/dev/sd0g /tmp ffs rw,nodev,nosuid 1 4
/dev/sd0h /home ffs rw,nodev,nosuid 1 5
# mount
/dev/sd0a on / type ffs (local)
/dev/sd0d on /usr type ffs (local, nodev)
/dev/sd0e on /var type ffs (local, nodev, nosuid)
/dev/sd0g on /tmp type ffs (local, nodev, nosuid)
/dev/sd0h on /home type ffs (local, nodev, nosuid)
# df
Filesystem 1024-blocks Used Avail Capacity Mounted on
/dev/sd0a 22311 14589 6606 69% /
/dev/sd0d 203399 150221 43008 78% /usr
/dev/sd0e 10447 682 9242 7% /var
/dev/sd0g 18823 2 17879 0% /tmp
/dev/sd0h 7519 5255 1888 74% /home
# pstat -s
Device 512-blocks Used Avail Capacity Priority
swap_device 131072 84656 46416 65% 0
.Ed
.Pp
Edit
.Pa /etc/fstab
and use the
.Xr mount 8
and
.Xr umount 8
commands as appropriate.
Refer to the above example and
.Xr fstab 5
for information on the format of this file.
.Pp
You may wish to do NFS partitions now too, or you can do them later.
.Ss Check the running system
You can use
.Xr ps 1 ,
.Xr netstat 1 ,
and
.Xr fstat 1
to check on running processes, network connections, and opened files,
respectively.
.Sh FURTHER CHANGES
The system should be usable now, but you may wish to do more customizing,
such as adding users, etc.
Many of the following sections may be skipped
if you are not using that package.
We suggest that you
.Ic cd /etc
and edit any files in that directory as necessary.
.Pp
Note that the
.Pa /etc/motd
file is modified by
.Pa /etc/rc
whenever the system is booted.
To keep any custom message intact, ensure that you leave two blank lines
at the top, or your message will be overwritten.
.Ss Add new users
Add users.
There is an
.Xr adduser 8
script.
You may use
.Xr vipw 8
to add users to the
.Pa /etc/passwd
file
and edit
.Pa /etc/group
by hand to add new groups.
You may also wish to edit
.Pa /etc/login.conf
and tune some of the limits documented in
.Xr login.conf 5 .
The manual page for
.Xr su 1
tells you to make sure to put people in
the
.Sq wheel
group if they need root access (non-Kerberos).
For example:
.Pp
.Dl wheel:*:0:root,myself
.Pp
Follow instructions for
.Xr login_krb5 8
if using
Kerberos
for authentication.
.Ss System command scripts
The
.Pa /etc/rc.*\&
scripts are invoked at boot time, after single user mode has exited,
and at shutdown.
The whole process is controlled, more or less, by the master script
.Pa /etc/rc .
This script should not be changed by administrators.
.Pp
.Pa /etc/rc
is in turn influenced by the configuration variables present in
.Pa /etc/rc.conf .
Again this script should not be changed by administrators:
site-specific changes should be made to
.Pq freshly created if necessary
.Pa /etc/rc.conf.local .
.Pp
Any commands which should be run before the system sets its
secure level should be made to
.Pa /etc/rc.securelevel ,
and commands to be run after the system sets its
secure level should be made to
.Pa /etc/rc.local .
Commands to be run before system shutdown should be set in
.Pa /etc/rc.shutdown .
.Pp
For more information about system startup/shutdown files, see
.Xr rc 8 ,
.Xr rc.conf 8 ,
.Xr securelevel 7 ,
and
.Xr rc.shutdown 8 .
.Pp
If you've installed X, you may want to turn on
.Xr xdm 1 ,
the X Display Manager.
To do this, change the value of
.Va xdm_flags
in
.Pa /etc/rc.conf.local .
.Ss Set keyboard type
Some architectures permit keyboard type control.
Use the
.Xr kbd 8
command to change the keyboard encoding.
.Ic kbd -l
will list all available encodings.
.Ic kbd xxx
will select the
.Ic xxx
encoding.
Store the encoding in
.Pa /etc/kbdtype
to make sure it is set automatically at boot time.
.Ss Printers
Edit
.Pa /etc/printcap
and
.Pa /etc/hosts.lpd
to get any printers set up.
Consult
.Xr lpd 8
and
.Xr printcap 5
if needed.
.Ss Mail aliases
Edit
.Pa /etc/mail/aliases
and set the three standard aliases to go to either a mailing list, or
the system administrator.
.Bd -literal -offset indent
# Well-known aliases -- these should be filled in!
root: sysadm
manager: root
dumper: root
.Ed
.Pp
Run
.Xr newaliases 8
after changes.
.Ss Sendmail
.Ox
ships with a default
.Pa /etc/mail/localhost.cf
file that will work for simple installations; it was generated from
.Pa openbsd-localhost.mc
in
.Pa /usr/share/sendmail/cf .
Please see
.Pa /usr/share/sendmail/README
and
.Pa /usr/share/doc/smm/08.sendmailop/op.me
for information on generating your own sendmail configuration files.
For the default installation, sendmail is configured to only accept
connections from the local host and to not accept connections on
any external interfaces.
This makes it possible to send mail locally, but not receive mail from remote
servers, which is ideal if you have one central incoming mail machine and
several clients.
To cause sendmail to accept external network connections, modify the
.Va sendmail_flags
variable in
.Pa /etc/rc.conf.local
to use the
.Pa /etc/mail/sendmail.cf
file in accordance with the comments therein.
This file was generated from
.Pa openbsd-proto.mc .
.Pp
Note that sendmail now also listens on port 587 by default.
This is to implement the RFC 2476 message submission protocol.
You may disable this via the
.Ic no_default_msa
option in your sendmail .mc file.
See
.Pa /usr/share/sendmail/README
for more information.
The
.Pa /etc/mail/localhost.cf
file already has this disabled.
.Ss Daily, weekly, monthly scripts
Look at and possibly edit the
.Pa /etc/daily , /etc/weekly ,
and
.Pa /etc/monthly
scripts.
Your site specific things should go into
.Pa /etc/daily.local , /etc/weekly.local ,
and
.Pa /etc/monthly.local .
.Pp
These scripts have been limited so as to keep the system running without
filling up disk space from normal running processes and database updates.
(You probably do not need to understand them.)
.Pp
The
.Pa /altroot
filesystem can optionally be used to provide a backup of the
root filesystem on a daily basis.
To take advantage of this, you must have an entry in
.Pa /etc/fstab
with
.Dq xx
for the mount option:
.Pp
.Dl /dev/wd0j /altroot ffs xx 0 0
.Pp
and the environment variable
.Ev ROOTBACKUP
must be set.
For example, the following can be added to root's
.Xr crontab 5 :
.Pp
.Dl ROOTBACKUP=1
.Pp
The
.Pa /etc/daily
script will then make a daily backup of the root filesystem.
.Ss Tighten up security
You might wish to tighten up security more by editing
.Pa /etc/fbtab
as when installing X.
In
.Pa /etc/inetd.conf
comment out any extra entries you do not need,
and only add things that are really needed.
.Ss Other files in /etc
Look at the other files in
.Pa /etc
and edit them as needed.
(Do not edit files ending in
.Pa .db
\(em like
.Pa pwd.db , spwd.db ,
nor
.Pa localtime ,
nor
.Pa rmt ,
nor any directories.)
.Ss Crontab (background running processes)
Check what is running by typing
.Ic crontab -l
as root
and see if anything unexpected is present.
Do you need anything else?
Do you wish to change things?
For example, if you do not
like root getting standard output of the daily scripts, and want only
the security scripts that are mailed internally, you can type
.Ic crontab -e
and change some of the lines to read:
.Bd -literal -offset indent
30 1 * * * /bin/sh /etc/daily 2>&1 > /var/log/daily.out
30 3 * * 6 /bin/sh /etc/weekly 2>&1 > /var/log/weekly.out
30 5 1 * * /bin/sh /etc/monthly 2>&1 > /var/log/monthly.out
.Ed
.Pp
See
.Xr crontab 5 .
.Ss Next day cleanup
After the first night's security run, change ownerships and permissions
on files, directories, and devices; root should have received mail
with subject: "<hostname> daily insecurity output.".
This mail contains
a set of security recommendations, presented as a list looking like this:
.Bd -literal -offset indent
var/mail:
permissions (0755, 0775)
etc/daily:
user (0, 3)
.Ed
.Pp
The best bet is to follow the advice in that list.
The recommended setting is the first item in parentheses, while
the current setting is the second one.
This list is generated by
.Xr mtree 8
using
.Pa /etc/mtree/special .
Use
.Xr chmod 1 ,
.Xr chgrp 1 ,
and
.Xr chown 8
as needed.
.Ss Daemons
Enable/disable any daemon processes as necessary.
.Xr intro 8
contains a comprehensive guide to the various daemons available on the
.Ox
system.
.Ss Packages
Install your own packages.
The
.Ox
ports collection includes a large set of third-party software.
A lot of it is available as binary packages that you can download from
.Pa ftp://ftp.openbsd.org
or a mirror, and install using
.Xr pkg_add 1 .
See
.Xr ports 7
and
.Xr packages 7
for more details.
.Pp
Copy vendor binaries and install them.
You will need to install any shared libraries, etc.
Read the compat_* man pages
to find out how to install and use compatibility mode.
.Pp
There is also other third-party software that is available
in source form only, either because it has not been ported to
.Ox
yet, or because licensing restrictions make binary redistribution
impossible.
Sometimes checking the mailing lists for
past problems that people have encountered will result in a fix posted.
.Ss Compiling a kernel
Information on building and modifying kernels
is contained within
.Xr config 8 .
.Sh SEE ALSO
.Xr ksh 1 ,
.Xr man 1 ,
.Xr pkg_add 1 ,
.Xr ps 1 ,
.Xr vi 1 ,
.Xr hier 7 ,
.Xr config 8 ,
.Xr dmesg 8 ,
.Xr ifconfig 8 ,
.Xr intro 8 ,
.Xr sudo 8 ,
.Xr sysctl 8
.Sh HISTORY
This document first appeared in
.Ox 2.2 .
|