From: Marshall Midden <m4@nts.umn.edu>
Date: Thu, 16 Oct 1997 11:57:35 -0700 (PDT)
To: katz@corinne.cpio.org
Subject: Checklist, expanded
Message-ID: <199710161612.LAA14238@unet.unet.umn.edu>
MIME-Version: 1.0
Content-Type: text/plain


NOTE: if upgrading or restoring files, it appears that some group numbers
have been changed.

-----------------------------------------------------------------------------
New installation checklist, after install and multi-user boot.
(Instructions for correcting not given.)

1) Login on console as "root".
2) Check the system date.  Type "date".  If necessary, set the system date,
   and/or change the symbolic link to get the correct Time Zone.
3) Put a password on root.  Run "passwd".
4) Check hostname.  Type "hostname".	(man "hostname" if need to change,
   and you also need to edit /etc/myname.)
5) Verify network interfaces configured correctly.
   a) "ifconfig -a".  Correct by editing /etc/hostname.{INTERFACE} and
      via "ifconfig" if you do not with to reboot.
      Loopback interface will look something like:
	lo0: flags=8009<UP,LOOPBACK,MULTICAST>
		inet 127.0.0.1 netmask 0xff000000
      An ethernet interface something like:
	le0: flags=9863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,LINK0,MULTICAST>
		inet 192.168.4.52 netmask 0xffffff00 broadcast 192.168.4.255

[Will someone else fill in the ppp and slip interfaces.]

   b) You may wish to turn off multicast routing in /etc/netstart by
      commenting out (place a # sign at start of line) the line:
	# route add -net 224.0.0.0 -interface $hostname
   c) Check for routing. ("netstat -r -n")  It will look something like:
      Routing tables

      Internet:
      Destination        Gateway            Flags     Refs     Use    Mtu
      Interface
      default            192.168.4.254      UGS         0 11098028      -  le0
      127                127.0.0.1          UGRS        0        0      -  lo0
      127.0.0.1          127.0.0.1          UH          3       24      -  lo0
      192.168.4          link#1             UC          0        0      -  le0
      192.168.4.52       8:0:20:73:b8:4a    UHL         1     6707      -  le0
      192.168.4.254      0:60:3e:99:67:ea   UHL         1        0      -  le0

      Fix via editing /etc/mygate, and using "route delete" and "route add"
      if you do not wish to reboot.
   d) If using the Bind Name Server (DNS), check /etc/resolv.conf.
      It might look something like:
	  domain nts.umn.edu
	  nameserver 128.101.101.101
	  nameserver 134.84.84.84
	  search nts.umn.edu. umn.edu.
      If using a caching name server add the line "nameserver 127.0.0.1" first.
      (Of course, you need to change "named_flags" in /etc/rc.conf and add
      the named.boot file in the appropriate place.  Same holds true if this
      is the name server for you domain.  Also make sure "named" is running.
      [Otherwise there are long waits while timeouts happen.])
   e) If using "NIS" (old yellow pages), check "domainname" and edit
      /etc/defaultdomain to correct.

[Will someone else fill in more here.  I refuse to use this package.]

6) Check disks correct.
   a) cat /etc/fstab
   b) df
   Edit "/etc/fstab" and "umount" and "mount" as necessary.  (See man pages.)
   c) You may want to do NFS partitions later, but you may do them now.
   d) If you are using concatenated disks, edit /etc/ccd.conf and use
      "ccdconfig -U" and "ccdconfig -C" till you have it correct.
      ("umount" and "mount" and edit /etc/fstab as needed.)
   e) Go into the "amd" directory if using this package.

[Will someone else fill in more here.  I do not use this package.]

7) The system should be usable now, but you may with to do more customizing,
   adding of users, etc.  Many sections may be skipped if you are not using
   that package (for example kerberos!).  My suggestions are to go into
   /etc ("cd /etc") and:
   a) Edit motd to make lawyers comfortable and make sure that no mention
      of the word "Welcome" appears.  (Some U.S. lawyers have stated that
      the word "Welcome" is an invitation to come on in.)
   b) Add users.  There is a "adduser" script.
      You can use "vipw", and edit "/etc/group" if you desire.  Make sure to
      put people in "/etc/group", under the "wheel" group if they need root
      access (non-kerberos).  Something like:
	wheel:*:0:root,m4
   c) Check for any local changes needed in /etc/rc.conf, /etc/netstart,
      /etc/rc.local, rc.securelevel..  Turning on something like the
      Network Time Protocol in /etc/rc.local and /etc/rc.securelevel requires:
      A) Making sure the package is installed.
	 (see http://www.openbsd.org under "Ports: a Nice Way to Get
	 Third-Party Software).
      B) Uncommenting the lines in rc.local (delete the # signs).
	 if [ -f /usr/local/etc/httpd/httpd ]; then
	       echo -n ' httpd';       /usr/local/etc/httpd/httpd
	 fi
      C) Uncommenting the lines in rc.securelevel (delete the # signs).
	 if [ -x /usr/local/sbin/xntpd ]; then
	       /usr/local/sbin/tickadj -Aq
	       echo -n ' xntpd';       /usr/local/sbin/xntpd
	 fi
   d) Edit /etc/printcap and /etc/hosts.lpd to get printers set up.
   e) You might want to tighten up security by editing:
	  fbtab           Set security for X -- when you install X ... .
	  inetd.conf      Turn off extra stuff, add that which is really needed.
   f) Go into /etc/kerberosIV and configure kerberos.  Remember to get a srvab.
   g) Edit /etc/aliases.  Set postmaster, etc.  Run newaliases after changes.
   h) If this is a bootp server, edit /etc/bootptab.  You will have to turn
      it on in /etc/inetd.conf, or run "bootpd" in stand-a-lone mode.
   i) If this is an NFS server
      A) make sure /etc/rc.conf has "nfs_server=YES".
      B) Edit /etc/exports and get correct.
      It is probably easier to reboot than get the daemons running, manually,
      but you can get the order correct by looking at /etc/netstart.
   j) Edit /etc/rbootd.config if needed for remote booting (ethernet MAC address
      to IP tranlation).
   k) Look at and possibly edit the /etc/daily, /etc/weekly, and /etc/monthly
      scripts.  Your site specific things should go in /etc/daily.local,
      /etc/weekly.local, and /etc/monthly.local.
   l) Look at the other files in /etc and edit as needed.
      (Do not edit files ending in ".db" -- like aliases.db, pwd.db, spwd.db,
      nor localtime, nor rmt, nor any directories.)

8) Check what is running via crontab "crontab -l".
   Do you need anything else?  Do you wish to change things?  For example:
	30  1  *  *  *   /bin/sh /etc/daily 2>&1 > /var/log/daily.out 
	30  3  *  *  6   /bin/sh /etc/weekly 2>&1 > /var/log/weekly.out 
	30  5  1  *  *   /bin/sh /etc/monthly 2>&1 > /var/log/monthly.out 

9) After the first nights security run, change ownerships and permissions
   on things.  Best bet is to have permissions as in the security list
   (the first of the two listed permissions, and the first group number of
   the two).  Use "chmod" and "chgrp" as needed.

10) Install packages to make the system more useful.
   A) Install your own.  Easiest way is to copy source and compile it.
   B) Copy vendor binaries and install them.  You will need to install any
      shared libraries, etc. (hint: "man -k compat")
   C) Install any of a large number of Third-Party Software that is available
      in source form.  (See http://www.openbsd.org under "Ports: a Nice Way
      to Get Third-Party Software).
   You may have "fun" installing due to various compiling errors.  Don't
   get discouraged easily!  Sometimes checking the mailing lists for past
   problems that people have encountered will result in a fix posted.