OpenBSD is a really nice OS. It is the most secure free operating system I have used. For most people, a default install of OpenBSD presents an excellent choice of OS and is probably impenetrable. However, OpenBSD is not perfect, and the biggest flaw is the lack of provisioning for reading the administrator's mind.
I am afraid I do not possess the skills to rectify the situation, but I can provide a description of my thoughts, and how I made it easier to adapt my thoughts and policies to a new OpenBSD installation. Some might call it hardening, and to some extent it involves disabling services, but I will go deeper than this.
The following was inspired by Henning Brauer's modified Makefiles that built a stripped-down OpenBSD system. I think making such modifications is the wrong way to go about making changes to something as large as OpenBSD. It will require significant effort to sync with every release.
So I have composed a bulleted list of items that I do for most installs. If the bullet item is a link, I have supplied details. If a link exists in brackets, someone else has described how to do it (differently).
You should be able to apply the following approach to any OS, if you know it well enough.
My approach to security is this:
To achieve these goals while making the system as useful as reasonably possible, I perform the following actions. Some directly improve the security of a system, and others are simply the tools I prefer to work with.
(Now the machine is ready to be plugged into an open network.)
(Now the system is ready to have user accounts created.)