Automated post-install service configuration on OpenBSD

OpenBSD is a really nice OS. It is the most secure free operating system I have used. For most people, a default install of OpenBSD present an excellent choice of OS and is probably impenetrable. However, OpenBSD is not perfect and the biggest flaw is the lack of provisioning for reading the administrators mind.

I am afraid I do not possess the skills to rectify the situation, but I can provide a description of my thoughts, and how I made it easier to adapt my thoughts and policies to a new OpenBSD installation. Some might call it hardening, and to some extent it envolves disabling services, but I will go deeper than this.

The following was inspired by Henning Bauer's modified Makefiles that built a stripped down OpenBSD system. I think making such modifications is the wrong way to go about making changes to something as large as OpenBSD. It will require significant effort to sync between every release.

So I have composed a bulletted list of items that I do for most installs. If the bullet item is a link, I have supplied details. If a link exists in brackets, someone else has described how to do it (differently).

You should be able to apply the following approach to any OS, if you know it well enough.

My approach to security is this:

1. Define which user accounts should exist on a system, and establish a method of ensuring only legitimate accounts exist on your system.
2. Ensure only legitimate users can access each accounting by using strong authentication during log on procedures.
3. Define rules and parameters for actions each user is allowed to take. Establish a method of monitoring this, and logging violations.
4. Establish a method of ensuring that system binaries have not been compromised.
5. Remove un-required system binaries, and establish a method of ensuring no known security holes exist in the remaining ones.
6. Determine acceptable operation parameters for network daemons and other processes, and establish a method of verifying the configuration of these.

To achieve these goals while making the system as useful as reasonably possible, I perform the following actions. Some directly improve the security of a system, and others are simply the tools I prefer to work with.

• During installation pick a non-lame disk layout.
• Install ksh, vim & zap.
• Edit /etc/sshd_config and send sshd a SIGHUP
• Create or edit /etc/sudoers
• Remove inetd*, telnetd, ftpd, r-(services)d, uucp,
• Strip suid root bit from untrusted binaries that remain on the system.

(Now the machine is ready to be plugged into an open network.)

• Edit /etc/syslog.conf to be less brain dead
• Configure log file analyser
• Activate mtree snapshots and process accounting
• Customise /etc/skel
• Install mutt, epic, procmail, gnupg, rsync, tidy, screen

(Now the system is ready to have user accounts created.)

• Nightly CVS updates of /usr/ports and /usr/src
• Nightly make clean of /usr/ports
• Read daily insecurity mail for root
• Read daily log file analysis report
• Watch source-changes and ports-changes for security related changes in critical software.