man/man8/afterboot.8

.\"	$NetBSD: afterboot.8,v 1.52 2012/10/05 21:28:38 wiz Exp $
.\"	$OpenBSD: afterboot.8,v 1.72 2002/02/22 02:02:33 miod Exp $
.\"
.\" Originally created by Marshall M. Midden -- 1997-10-20, m4@umn.edu
.\" Adapted to NetBSD by Julio Merino -- 2002-05-10, jmmv@NetBSD.org
.\"
.\"
.\" Copyright (c) 2002-2008 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\"
.\" Copyright (c) 1997 Marshall M. Midden
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"	This product includes software developed by Marshall M. Midden.
.\" 4. The name of the author may not be used to endorse or promote products
.\"    derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd October 2, 2012
.Dt AFTERBOOT 8
.Os
.Sh NAME
.Nm afterboot
.Nd things to check after the first complete boot
.Sh DESCRIPTION
.Ss Starting Out
This document attempts to list items for the system administrator
to check and set up after the installation and first complete boot of the
system.
The idea is to create a list of items that can be checked off so that you have
a warm fuzzy feeling that something obvious has not been missed.
A basic knowledge of
.Ux
is assumed.
.Pp
Complete instructions for correcting and fixing items is not provided.
There are manual pages and other methodologies available for doing that.
For example, to view the man page for the
.Xr ls 1
command, type:
.Bd -literal -offset indent
.Ic man 1 ls
.Ed
.Pp
Administrators will rapidly become more familiar with
.Nx
if they get used to using the manual pages.
.Ss Security alerts
By the time that you have installed your system, it is quite likely that
bugs in the release have been found.
All significant and easily fixed problems will be reported at
.Lk http://www.NetBSD.org/support/security/ .
It is recommended that you check this page regularly.
.Pp
Additionally, you should set
.Dq fetch_pkg_vulnerabilities=YES
in
.Pa /etc/daily.conf
to allow your system to automatically update the local database of known
vulnerable packages to the latest version available on-line.
The system will later check, on a daily basis, if any of your installed
packages are vulnerable based on the contents of this database.
See
.Xr daily.conf 5
and
.Xr security.conf 5
for more details.
.Ss Login
Login as
.Dq Ic root .
You can do so on the console, or over the network using
.Xr ssh 1 .
If you have enabled the SSH daemon (see
.Xr sshd 8 )
and wish to allow root logins over the network, edit the
.Pa /etc/ssh/sshd_config
file and set
.Dq PermitRootLogin
to
.Dq yes
(see
.Xr sshd_config 5 ) .
The default is to not permit root logins over the network
after fresh install in
.Nx .
.Pp
Upon successful login on the console, you may see the message
.Dq We recommend creating a non-root account... .
For security reasons, it is bad practice to login as root during
regular use and maintenance of the system.
In fact, the system will only let you login as root on a secure
terminal.
By default, only the console is considered to be a secure terminal.
Instead, administrators are encouraged to add a
.Dq regular
user, add said user to the
.Dq wheel
group, then use the
.Xr su 1
command when root privileges are required.
This process is described in more detail later.
.Ss Root password
Change the password for the root user.
(Note that throughout the documentation, the term
.Dq superuser
is a synonym for the root user.)
Choose a password that has numbers, digits, and special characters (not space)
as well as from the upper and lower case alphabet.
Do not choose any word in any language.
It is common for an intruder to use dictionary attacks.
Type the command
.Ic /usr/bin/passwd
to change it.
.Pp
It is a good idea to always specify the full path name for both the
.Xr passwd 1
and
.Xr su 1
commands as this inhibits the possibility of files placed in your execution
.Ev PATH
for most shells.
Furthermore, the superuser's
.Ev PATH
should never contain the current directory
.Po Dq \&.
.Pc .
.Ss System date
Check the system date with the
.Xr date 1
command.
If needed, change the date, and/or change the symbolic link of
.Pa /etc/localtime
to the correct time zone in the
.Pa /usr/share/zoneinfo
directory.
.Pp
Examples:
.Bl -tag -width date
.It Cm date 200205101820
Set the current date to May 10th, 2002 6:20pm.
.It Cm ln -fs /usr/share/zoneinfo/Europe/Helsinki /etc/localtime
Set the time zone to Eastern Europe Summer Time.
.El
.Ss Console settings
One of the first things you will likely need to do is to set up your
keyboard map (and maybe some other aspects about the system console).
To change your keyboard encoding, edit the
.Dq Va encoding
variable found in
.Pa /etc/wscons.conf .
.Pp
.Xr wscons.conf 5
contains more information about this file.
.Ss Check hostname
Use the
.Ic hostname
command to verify that the name of your machine is correct.
See the man page for
.Xr hostname 1
if it needs to be changed.
You will also need to change the contents of the
.Dq Va hostname
variable in
.Pa /etc/rc.conf
or edit the
.Pa /etc/myname
file to have it stick around for the next reboot.
Note that
.Dq Va hostname
is supposed include a domainname, and that this should
not be confused with YP (NIS)
.Xr domainname 1 .
If you are using
.Xr dhcpcd 8
to configure network interfaces, it might override these local hostname
settings if your DHCP server specifies client's hostname with other network
configurations.
.Ss Verify network interface configuration
The first thing to do is an
.Ic ifconfig -a
to see if the network interfaces are properly configured.
Correct by editing
.Pa /etc/ifconfig. Ns Ar interface
or the corresponding
.Dq Va ifconfig_ Ns Ar interface
variable in
.Xr rc.conf 5
(where
.Ar interface
is the interface name, e.g.,
.Dq le0 )
and then using
.Xr ifconfig 8
to manually configure it
if you do not wish to reboot.
.Pp
Alternatively, you can configure interfaces automatically via DHCP with
.Xr dhcpcd 8
if you have a DHCP server running somewhere on your network.
To get
.Xr dhcpcd 8
to start automatically on boot,
you will need to have this line in
.Pa /etc/rc.conf :
.Pp
.Dl dhcpcd=YES
.Pp
See
.Xr dhcpcd 8
and
.Xr dhcpcd.conf 5
for more information on setting up a DHCP client.
.Pp
You can add new
.Dq virtual interfaces
by adding the required entries to
.Pa /etc/ifconfig. Ns Ar interface .
Read the
.Xr ifconfig.if 5
man page for more information on the format of
.Pa /etc/ifconfig. Ns Ar interface
files.
The loopback interface will look something like:
.Bd -literal -offset indent
lo0: flags=8009\*[Lt]UP,LOOPBACK,MULTICAST\*[Gt] mtu 32972
	inet 127.0.0.1 netmask 0xff000000
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
	inet6 ::1 prefixlen 128
.Ed
.Pp
an Ethernet interface something like:
.Bd -literal -offset indent
le0: flags=9863\*[Lt]UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST\*[Gt]
	inet 192.168.4.52 netmask 0xffffff00 broadcast 192.168.4.255
	inet6 fe80::5ef0:f0f0%le0 prefixlen 64 scopeid 0x1
.Ed
.Pp
and a PPP interface something like:
.Bd -literal -offset indent
ppp0: flags=8051\*[Lt]UP,POINTOPOINT,RUNNING,MULTICAST\*[Gt]
        inet 203.3.131.108 --\*[Gt] 198.181.0.253 netmask 0xffff0000
.Ed
.Pp
See
.Xr mrouted 8
for instructions on configuring multicast routing.
.Ss Check routing tables
Issue a
.Ic netstat -rn
command.
The output will look something like:
.Bd -literal -offset indent
Routing tables

Internet:
Destination    Gateway           Flags  Refs     Use  Mtu  Interface
default        192.168.4.254     UGS      0 11098028    -  le0
127            127.0.0.1         UGRS     0        0    -  lo0
127.0.0.1      127.0.0.1         UH       3       24    -  lo0
192.168.4      link#1            UC       0        0    -  le0
192.168.4.52   8:0:20:73:b8:4a   UHL      1     6707    -  le0
192.168.4.254  0:60:3e:99:67:ea  UHL      1        0    -  le0

Internet6:
Destination        Gateway       Flags  Refs  Use     Mtu  Interface
::/96              ::1           UGRS     0     0   32972  lo0 =\*[Gt]
::1                ::1           UH       4     0   32972  lo0
::ffff:0.0.0.0/96  ::1           UGRS     0     0   32972  lo0
fc80::/10          ::1           UGRS     0     0   32972  lo0
fe80::/10          ::1           UGRS     0     0   32972  lo0
fe80::%le0/64      link#1        UC       0     0    1500  le0
fe80::%lo0/64      fe80::1%lo0   U        0     0   32972  lo0
ff01::/32          ::1           U        0     0   32972  lo0
ff02::%le0/32      link#1        UC       0     0    1500  le0
ff02::%lo0/32      fe80::1%lo0   UC       0     0   32972  lo0
.Ed
.Pp
The default gateway address is stored in the
.Dq Va defaultroute
variable in
.Pa /etc/rc.conf ,
or in the file
.Pa /etc/mygate .
If you need to edit this file, a painless way to reconfigure the network
afterwards is to issue
.Bd -literal -offset indent
.Ic /etc/rc.d/network restart
.Ed
.Pp
Or, you may prefer to manually configure using a series of
.Ic route add
and
.Ic route delete
commands (see
.Xr route 8 ) .
If you run
.Xr dhclient 8
you will have to kill it by running
.Bd -literal -offset indent
.Ic /etc/rc.d/dhclient stop
.Ed
.Pp
If you run
.Xr dhcpcd 8
you will have to kill it by running
.Bd -literal -offset indent
.Ic /etc/rc.d/dhcpcd stop
.Ed
.Pp
before you flush the routes.
.Pp
If you wish to route packets between interfaces, add one or both
of the following directives (depending on whether IPv4 or IPv6 routing
is required) to
.Pa /etc/sysctl.conf :
.Pp
.Dl net.inet.ip.forwarding=1
.Dl net.inet6.ip6.forwarding=1
.Pp
As an alternative, compile a new kernel with the
.Dq GATEWAY
option.
Packets are not forwarded by default, due to RFC requirements.
.Ss Secure Shell (SSH)
By default, all services are disabled in a fresh
.Nx
installation, and SSH is no exception.
You may wish to enable it so you can remotely control your system.
Set
.Dq Va sshd=YES
in
.Pa /etc/rc.conf
and then starting the server with the command
.Bd -literal -offset indent
.Ic /etc/rc.d/sshd start
.Ed
.Pp
The first time the server is started, it will generate a new keypair,
which will be stored inside the directory
.Pa /etc/ssh .
.Ss Host names and DNS
The system resolves host names according the rules for hosts in the
name service switch configuration at
.Pa /etc/nsswitch.conf .
By default, it will query
.Pa /etc/hosts
first, and then the DNS resolver specified in
.Pa /etc/resolv.conf .
.Pp
If your network does not have a usable DNS resolver, e.g. one provided
by DHCP, you can run a local caching recursive resolver by setting
.Dq named=YES
in
.Pa /etc/rc.conf
and either rebooting or running the following command:
.Bd -literal -offset indent
.Ic /etc/rc.d/named start
.Ed
.Pp
.Xr named 8
is configured in
.Pa /etc/named.conf
by default to run as a local caching recursive resolver.
Then, to make the system use it, put the following in
.Pa /etc/resolv.conf :
.Bd -literal -offset indent
nameserver 127.0.0.1
.Ed
.Ss RPC-based network services
Several services depend on the RPC portmapper
.Xr rpcbind 8
- formerly known as
.Ic portmap
- being running for proper operation.
This includes YP (NIS) and NFS exports, among other services.
To get the RPC portmapper to start automatically on boot,
you will need to have this line in
.Pa /etc/rc.conf :
.Pp
.Dl rpcbind=YES
.Ss YP (NIS) Setup
Check the YP domain name with the
.Xr domainname 1
command.
If necessary, correct it by editing the
.Pa /etc/defaultdomain
file or by setting the
.Dq Va domainname
variable in
.Pa /etc/rc.conf .
The
.Pa /etc/rc.d/network
script reads this file on bootup to determine and set the domain name.
You may also set the running system's domain name with the
.Xr domainname 1
command.
To start YP client services, simply run
.Ic ypbind ,
then perform the remaining
YP activation as described in
.Xr passwd 5
and
.Xr group 5 .
.Pp
In particular, to enable YP passwd support, you'll need to update
.Pa /etc/nsswitch.conf
to include
.Dq nis
for the
.Dq passwd
and
.Dq group
entries.
A traditional way to accomplish the same thing is to
add following entry to local passwd database via
.Xr vipw 8 :
.Bd -literal -offset indent
.Li +:*::::::::
.Ed
.Pp
Note this entry has to be the very last one.
This traditional way works with the default
.Xr nsswitch.conf 5
setting of
.Dq passwd ,
which is
.Dq compat .
.Pp
There are many more YP man pages available to help you.
You can find more information by starting with
.Xr nis 8 .
.Ss Check disk mounts
Check that the disks are mounted correctly by
comparing the
.Pa /etc/fstab
file against the output of the
.Xr mount 8
and
.Xr df 1
commands.
Example:
.Bd -literal -offset indent
.Li # Ic cat /etc/fstab
/dev/sd0a / ffs     rw              1 1
/dev/sd0b none swap sw
/dev/sd0e /usr ffs  rw              1 2
/dev/sd0f /var ffs  rw              1 3
/dev/sd0g /tmp ffs  rw              1 4
/dev/sd0h /home ffs rw              1 5

.Li # Ic mount
/dev/sd0a on / type ffs (local)
/dev/sd0e on /usr type ffs (local)
/dev/sd0f on /var type ffs (local)
/dev/sd0g on /tmp type ffs (local)
/dev/sd0h on /home type ffs (local)

.Li # Ic df
Filesystem  1024-blocks     Used    Avail Capacity  Mounted on
/dev/sd0a         22311    14589     6606    69%    /
/dev/sd0e        203399   150221    43008    78%    /usr
/dev/sd0f         10447      682     9242     7%    /var
/dev/sd0g         18823        2    17879     0%    /tmp
/dev/sd0h          7519     5255     1888    74%    /home

.Li # Ic pstat -s
Device      512-blocks     Used    Avail Capacity  Priority
/dev/sd0b       131072    84656    46416    65%    0
.Ed
.Pp
Edit
.Pa /etc/fstab
and use the
.Xr mount 8
and
.Xr umount 8
commands as appropriate.
Refer to the above example and
.Xr fstab 5
for information on the format of this file.
.Pp
You may wish to do NFS mounts now too, or you can do them later.
.Ss Concatenated disks (ccd)
If you are using
.Xr ccd 4
concatenated disks, edit
.Pa /etc/ccd.conf .
You may wish to take a look to
.Xr ccdconfig 8
for more information about this file.
Use the
.Ic ccdconfig -U
command to unload and the
.Ic ccdconfig -C
command to create tables internal to the kernel for the concatenated disks.
You then
.Xr mount 8 ,
.Xr umount 8 ,
and edit
.Pa /etc/fstab
as needed.
.Ss Automounter daemon (AMD)
To use the
.Xr amd 8
automounter, create the
.Pa /etc/amd
directory, copy example config files from
.Pa /usr/share/examples/amd
to
.Pa /etc/amd
and customize them as needed.
Alternatively, you can get your maps with YP.
.Ss Clock synchronization
In order to make sure the system clock is synchronized
to that of a publicly accessible NTP server,
make sure that
.Pa /etc/rc.conf
contains the following:
.Pp
.Dl ntpdate=YES
.Dl ntpd=YES
.Pp
See
.Xr date 1 ,
.Xr ntpdate 8 ,
.Xr ntpd 8 ,
.Xr rdate 8 ,
and
.Xr timed 8
for more information on setting the system's date.
.Sh CHANGING /etc FILES
The system should be usable now, but you may wish to do more customizing,
such as adding users, etc.
Many of the following sections may be skipped
if you are not using that package (for example, skip the
.Sx Kerberos
section if you won't be using Kerberos).
We suggest that you
.Ic cd /etc
and edit most of the files in that directory.
.Pp
Note that the
.Pa /etc/motd
file is modified by
.Pa /etc/rc.d/motd
whenever the system is booted.
To keep any custom message intact, ensure that you leave two blank lines
at the top, or your message will be overwritten.
.Ss Add new users
To add new users and groups, there are
.Xr useradd 8
and
.Xr groupadd 8 ;
see also
.Xr user 8
for further programs for user and group manipulation.
You may use
.Xr vipw 8
to add users to the
.Pa /etc/passwd
file
and edit
.Pa /etc/group
by hand to add new groups.
The manual page for
.Xr su 1 ,
tells you to make sure to put people in
the
.Sq wheel
group if they need root access (non-Kerberos).
For example:
.Bd -literal -offset indent
wheel:*:0:root,myself
.Ed
.Pp
Follow instructions for
.Xr kerberos 8
if using
Kerberos
for authentication.
.Ss System boot scripts and /etc/rc.local
.Pa /etc/rc
and the
.Pa /etc/rc.d/*
scripts are invoked at boot time after single user mode has exited,
and at shutdown.
The whole process is controlled by the master script
.Pa /etc/rc .
This script should not be changed by administrators.
.Pp
The directory
.Pa /etc/rc.d
contains a series of scripts used at startup/shutdown, called by
.Pa /etc/rc .
.Pa /etc/rc
is in turn influenced by the configuration variables present in
.Pa /etc/rc.conf .
.Pp
The script
.Pa /etc/rc.local
is run as the last thing during multiuser boot, and is provided
to allow any other local hooks necessary for the system.
.Ss rc.conf
To enable or disable various services on system startup,
corresponding entries can be made in
.Pa /etc/rc.conf .
You can take a look at
.Pa /etc/defaults/rc.conf
to see a list of default system variables, which you can override in
.Pa /etc/rc.conf .
Note you are
.Em not
supposed to change
.Pa /etc/defaults/rc.conf
directly, edit only
.Pa /etc/rc.conf .
See
.Xr rc.conf 5
for further information.
.Ss X Display Manager
If you've installed X, you may want to turn on
.Xr xdm 1 ,
the X Display Manager.
To do this, set
.Dq xdm=YES
in
.Pa /etc/rc.conf .
.Ss Printers
Edit
.Pa /etc/printcap
and
.Pa /etc/hosts.lpd
to get any printers set up.
Consult
.Xr lpd 8
and
.Xr printcap 5
if needed.
.Ss Tighten up security
In
.Pa /etc/inetd.conf
comment out any extra entries you do not need, and only add things
that are really needed.
Note that by default all services are disabled for security reasons.
.Ss Kerberos
If you are going to use Kerberos for authentication,
see
.Xr kerberos 8
and
.Dq info heimdal
for more information.
If you already have a Kerberos master, change directory to
.Pa /etc/kerberosV
and configure.
Remember to get a
.Pa srvtab
from the master so that the remote commands work.
.Ss Mail Aliases
Check
.Pa /etc/mail/aliases
and update appropriately if you want e-mail to be routed
to non-local addresses or to different users.
.Pp
Run
.Xr newaliases 1
after changes.
.Ss Postfix
.Nx
uses Postfix as its MTA.
Postfix is started by default, but its initial configuration does not
cause it to listen on the network for incoming connections.
To configure Postfix, see
.Pa /etc/postfix/main.cf
and
.Pa /etc/postfix/master.cf .
If you wish to use a different MTA (e.g., sendmail), install your MTA of
choice and edit
.Pa /etc/mailer.conf
to point to the proper binaries.
.Ss DHCP server
If this is a
DHCP
server, edit
.Pa /etc/dhcpd.conf
and
.Pa /etc/dhcpd.interfaces
as needed.
You will have to make sure
.Pa /etc/rc.conf
has
.Dq dhcpd=YES
or run
.Xr dhcpd 8
manually.
.Ss Bootparam server
If this is a
Bootparam
server, edit
.Pa /etc/bootparams
as needed.
You will have to turn it on in
.Pa /etc/rc.conf
by adding
.Dq bootparamd=YES .
.Ss NFS server
If this is an NFS server, make sure
.Pa /etc/rc.conf
has:
.Bd -literal -offset indent
nfs_server=YES
mountd=YES
rpcbind=YES
.Ed
.Pp
Edit
.Pa /etc/exports
and get it correct.
After this, you can start the server by issuing:
.Bd -literal -offset indent
.Ic /etc/rc.d/rpcbind start
.Ic /etc/rc.d/mountd start
.Ic /etc/rc.d/nfsd start
.Ed
which will also start dependencies.
.Ss HP remote boot server
Edit
.Pa /etc/rbootd.conf
if needed for remote booting.
If you do not have HP computers doing remote booting, do not enable this.
.Ss Daily, weekly, monthly scripts
Look at and possibly edit the
.Pa /etc/daily.conf , /etc/weekly.conf ,
and
.Pa /etc/monthly.conf
configuration files.
You can check which values you can set by looking
to their matching files in
.Pa /etc/defaults .
Your site specific things should go into
.Pa /etc/daily.local , /etc/weekly.local ,
and
.Pa /etc/monthly.local .
.Pp
These scripts have been limited so as to keep the system running without
filling up disk space from normal running processes and database updates.
(You probably do not need to understand them.)
.Ss Other files in /etc
Look at the other files in
.Pa /etc
and edit them as needed.
(Do not edit files ending in
.Pa .db
\(em like
.Pa pwd.db , spwd.db ,
nor
.Pa localtime ,
nor
.Pa rmt ,
nor any directories.)
.Ss Crontab (background running processes)
Check what is running by typing
.Ic crontab -l
as root
and see if anything unexpected is present.
Do you need anything else?
Do you wish to change things?
For example, if you do not
like root getting standard output of the daily scripts, and want only
the security scripts that are mailed internally, you can type
.Ic crontab -e
and change some of the lines to read:
.Bd -literal -offset indent
30  1  *  *  *   /bin/sh /etc/daily 2\*[Gt]\*[Am]1 \*[Gt] /var/log/daily.out
30  3  *  *  6   /bin/sh /etc/weekly 2\*[Gt]\*[Am]1 \*[Gt] /var/log/weekly.out
30  5  1  *  *   /bin/sh /etc/monthly 2\*[Gt]\*[Am]1 \*[Gt] /var/log/monthly.out
.Ed
.Pp
See
.Xr crontab 5 .
.Ss Next day cleanup
After the first night's security run, change ownerships and permissions
on files, directories, and devices; root should have received mail
with subject: "\*[Lt]hostname\*[Gt] daily insecurity output.".
This mail contains
a set of security recommendations, presented as a list looking like this:
.Bd -literal -offset indent
var/mail:
        permissions (0755, 0775)
etc/daily:
        user (0, 3)
.Ed
.Pp
The best bet is to follow the advice in that list.
The recommended setting is the first item in parentheses, while
the current setting is the second one.
This list is generated by
.Xr mtree 8
using
.Pa /etc/mtree/special .
Use
.Xr chmod 1 ,
.Xr chgrp 1 ,
and
.Xr chown 8
as needed.
.Ss Packages
Install your own packages.
The
.Nx
packages collection, pkgsrc, includes a large set of third-party software.
A lot of it is available as binary packages that you can download from
.Lk ftp://ftp.NetBSD.org/pub/NetBSD/packages/
or a mirror, and install using
.Xr pkg_add 1 .
See
.Lk http://www.NetBSD.org/docs/pkgsrc/
and
.Pa pkgsrc/doc/pkgsrc.txt
for more details.
.Pp
Copy vendor binaries and install them.
You will need to install any shared libraries, etc.
(Hint:
.Ic man -k compat
to find out how to install and use compatibility mode.)
.Pp
There is also other third-party software that is available
in source form only, either because it has not been ported to
.Nx
yet, because licensing restrictions make binary redistribution
impossible, or simply because you want to build your own binaries.
Sometimes checking the mailing lists for
past problems that people have encountered will result in a fix posted.
.Ss Check the running system
You can use
.Xr ps 1 ,
.Xr netstat 1 ,
and
.Xr fstat 1
to check on running processes, network connections, and opened files,
respectively.
Other tools you may find useful are
.Xr systat 1
and
.Xr top 1 .
.Sh COMPILING A KERNEL
Note:
The standard
.Nx
kernel configuration (GENERIC) is suitable for most purposes.
.Pp
First, review the system message buffer in
.Pa /var/run/dmesg.boot
and by using the
.Xr dmesg 8
command to find out information on your system's devices as probed by the
kernel at boot.
In particular, note which devices were not configured.
This information will prove useful when editing kernel configuration files.
.Pp
To compile a kernel inside a writable source tree, do the following:
.Bd -literal -offset indent
$ cd /usr/src/sys/arch/SOMEARCH/conf
$ cp GENERIC SOMEFILE (only the first time)
$ vi SOMEFILE (adapt to your needs)
$ config SOMEFILE
$ cd ../compile/SOMEFILE
$ make depend
$ make
.Ed
.Pp
where
.Ar SOMEARCH
is the architecture (e.g., i386), and
.Ar SOMEFILE
should be a name indicative of a particular configuration (often
that of the hostname).
.Pp
If you are building your kernel again, before you do a
.Ic make
you should do a
.Ic make clean
after making changes to your kernel options.
.Pp
After either of these two methods, you can place the new kernel (called
.Pa netbsd )
in
.Pa /
(i.e.,
.Pa /netbsd )
by issuing
.Ic make install
and the system will boot it next time.
The old kernel is stored as
.Pa /onetbsd
so you can boot it in case of failure.
.Pp
If you are using toolchain to build your kernel, you will also need to
build a new set of toolchain binaries.
You can do it by changing into
.Pa /usr/src
and issuing:
.Bd -literal -offset indent
$ cd /usr/src
$ K=sys/arch/`uname -m`/conf
$ cp $K/GENERIC $K/SOMEFILE
$ vi $K/SOMEFILE (adapt to your needs)
$ ./build.sh tools
$ ./build.sh kernel=SOMEFILE
.Ed
.Sh SYSTEM TESTING
At this point, the system should be fully configured to your liking.
It is now a good time to ensure that the system behaves according to
its specifications and that it is stable on your hardware.
Please refer to
.Xr tests 7
for details on how to do so.
.Sh SEE ALSO
.Xr chgrp 1 ,
.Xr chmod 1 ,
.Xr config 1 ,
.Xr crontab 1 ,
.Xr date 1 ,
.Xr df 1 ,
.Xr domainname 1 ,
.Xr fstat 1 ,
.Xr hostname 1 ,
.Xr make 1 ,
.Xr man 1 ,
.Xr netstat 1 ,
.Xr newaliases 1 ,
.Xr passwd 1 ,
.Xr pkg_add 1 ,
.Xr ps 1 ,
.Xr ssh 1 ,
.Xr su 1 ,
.Xr systat 1 ,
.Xr top 1 ,
.Xr xdm 1 ,
.Xr ccd 4 ,
.Xr aliases 5 ,
.Xr crontab 5 ,
.Xr dhclient.conf 5 ,
.Xr dhcpcd.conf 5 ,
.Xr exports 5 ,
.Xr fstab 5 ,
.Xr group 5 ,
.Xr hosts 5 ,
.Xr ifconfig.if 5 ,
.Xr mailer.conf 5 ,
.Xr named.conf 5 ,
.Xr nsswitch.conf 5 ,
.Xr passwd 5 ,
.Xr printcap 5 ,
.Xr rc.conf 5 ,
.Xr resolv.conf 5 ,
.Xr sshd_config 5 ,
.Xr wscons.conf 5 ,
.Xr hier 7 ,
.Xr hostname 7 ,
.Xr pkgsrc 7 ,
.Xr tests 7 ,
.Xr amd 8 ,
.Xr ccdconfig 8 ,
.Xr chown 8 ,
.Xr dhclient 8 ,
.Xr dhcpcd 8 ,
.Xr dhcpd 8 ,
.Xr dmesg 8 ,
.Xr groupadd 8 ,
.Xr ifconfig 8 ,
.Xr inetd 8 ,
.Xr kerberos 8 ,
.Xr lpd 8 ,
.Xr mount 8 ,
.Xr mrouted 8 ,
.Xr mtree 8 ,
.Xr named 8 ,
.Xr nis 8 ,
.Xr ntpd 8 ,
.Xr ntpdate 8 ,
.Xr rbootd 8 ,
.Xr rc 8 ,
.Xr rdate 8 ,
.Xr rmt 8 ,
.Xr route 8 ,
.Xr rpc.bootparamd 8 ,
.Xr rpcbind 8 ,
.Xr sshd 8 ,
.Xr timed 8 ,
.Xr umount 8 ,
.Xr useradd 8 ,
.Xr vipw 8 ,
.Xr yp 8 ,
.Xr ypbind 8
.Sh HISTORY
This document first appeared in
.Ox 2.2 .
It has been adapted to
.Nx
and first appeared in
.Nx 2.0 .